Unknown/Unidentified trojan?

Bill Royds broyds at rogers.com
Wed Nov 19 03:15:05 GMT 2003


Use raw http to view that site.
It gives a disclaimer that it is installing adware on your machine and don't
sue them if you don't like it.
It also gives remove instructions:
============================================================================
11/18/03 22:07:00 Fetching http://www.realphx.com/project/manual.htm
Fetching http://www.realphx.com/project/manual.htm ...
GET /project/manual.htm HTTP/1.1
Host: www.realphx.com
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 200 OK
Date: Wed, 19 Nov 2003 03:07:00 GMT
Server: Apache
Last-Modified: Mon, 17 Nov 2003 18:28:59 GMT
ETag: "1ba42-395-c88b70c0"
Accept-Ranges: bytes
Content-Length: 917
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<html>

<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Manual Remove Directions</title>
</head>

<body>

<p align="center"><b>Manual Remove Directions:</b></p>
<p align="center">&nbsp;</p>
<p align="center">1) Press Control+Alternate+Delete on your keyboard.</p>
<p align="center">2) Find the process labeled &quot;b.exe&quot; and press
end program.</p>
<p align="center">3) Press Start menu, followed by search, then click files
and folders.</p>
<p align="center">4) Type &quot;b.exe&quot; in the search.</p>
<p align="center">5) When found, delete the file named &quot;b.exe&quot;.</p>
<p align="center">6) Change your profile back to what you want.</p>
<p align="center">ALL DONE.</p>

</body>

</html>
============================================================================

This indicates that the adware is called b.exe, so find that and delete it
in registry and on disk.

Here is the disclaimer stuff



<p align="center"><b>RealPhx.com Disclaimer<br>
Updated: 9/24/03</b><br>
By entering the site,
<a href="http://www.realphx.com">http://www.realphx.com</a>, you agree that
you authorize an automatic install of our adware which will create a link
to RealPhx.com, in place of your current America Online Instant Messenger
(AIM) profile and change your internet start-page to http://www.RealPhx.com.
The adware will automatically install a file called av.exe on your computer.
This program IS NOT a virus, worm, nor trojan horse. It is simply adware.
This file will not harm your computer nor will it delete your files. If you
would like to uninstall our adware at any time, please read the directions
at the bottom of this disclaimer page. If you do not agree with the above
terms, please exit this website now, <br>
by <a href="http://www.google.com">clicking here</a>.</p>

<p align="center"><b><font face="Arial" color="#808080" size="2">Limitation
of Liability. RealPhx.com shall not be liable for any damages suffered as a
result of using, modifying, contributing, copying, distributing, or
downloading the materials on this website. In no event shall RealPhx.com be
liable for any indirect, punitive, special, incidental, or consequential
damage (including loss of business, revenue, profits, use, data or other
economic advantage) however it arises, whether for breach or in tort, even
if RealPhx.com has been previously advised of the possibility of such
damage. You have sole responsibility for adequate protection and backup of
data and/or equipment used in connection with the website and will not make
a claim against RealPhx.com for lost data, re-run time, inaccurate output,
work delays or lost profits resulting from the use of the materials. You
agree to hold RealPhx.com harmless from, and you covenant not to sue
RealPhx.com for, any claims based on using the website. Furthermore, I agree
to review the material before retrieving it and assure the operators that
any material which I retrieve will not violate the federal, state, or local
obscenity laws or community standards for the community into which I choose
to bring the material. I will only use the files for informational purposes,
not to harm anyone. I will not use any of the files to destroy or hurt other
people's computers. I will not download any files unless I live in a country
that allows me to legally use them.</font></b></p>

============================================================================


-----Original Message-----
From: Phillip G Deneault [mailto:deneault at WPI.EDU] 
Sent: November 18, 2003 6:33 PM
To: intrusions at incidents.org
Cc: unisog at sans.org
Subject: Unknown/Unidentified trojan? 

I got this from a student today.  Anyone seen this before?

A site that this links to...
http://www.realphx.com/disclaimer.htm
claims that it's just adware.  Anyone want to take it apart to see if it's
anything else? :-)

This is the fourth time in two weeks I've heard of or had to clean viruses
off of people's machines because they clicked on some program from an AOL
profile link.

Thanks,
Phil

========================================================================
My parents e-mailed me this morning to report that they have a virus on
their computer and they said my sister got it by clicking on a link in a
friend's profile in AOL Instant Messenger.  Apparently it created a ton of
porn links and other things on the desktop and installed some adware on
the system.  One of my roommates got something similar a few days ago, but
we can't remember how we cleared it out, and I can't find the name of the
virus anywhere based on the information I have.

I found the link that she used to get this, which points to this:
http://www.talkstocks.net  The site makes a continuous attempt to push a
program "b.exe" on to the user's system.
========================================================================

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Phil Deneault     "We work in the dark, We do what we can,
deneault at wpi.edu   We give what we have. Our doubt is our passion,
WPI NetOps         and our passion is our task. The rest is the
InfoSec            madness of art." - Henry James
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
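As an added example (not code from either poster or from the site), here is a PowerShell triage script that automates the cleanup this thread describes: stop b.exe/av.exe, report Run-key and start-page changes, and locate the files on disk. The Run keys and the Internet Explorer "Start Page" value are standard Windows registry locations; the search roots are an assumption, and nothing is deleted unless -Remove is passed.

```powershell
# Added example, not from the thread. Audit-only triage for the b.exe / av.exe
# adware described above; reports findings and deletes only when -Remove is given.
param([switch]$Remove)

$names   = @('b.exe', 'av.exe')   # file names from the removal page and the disclaimer
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')

# 1) Running copies (step 2 of the vendor's directions): stop them first so the
#    files on disk can actually be removed afterwards.
foreach ($p in Get-Process | Where-Object { $names -contains "$($_.ProcessName).exe" }) {
    Write-Output "PROCESS pid=$($p.Id) path=$($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2) Autorun (Run key) values that reference either file: the "in registry" part
#    of the cleanup. The thread does not say which key the adware uses, so both the
#    per-user and the per-machine Run keys are checked (assumption).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # PowerShell metadata, not a value
        if ($names | Where-Object { "$($prop.Value)" -match [regex]::Escape($_) }) {
            Write-Output "AUTORUN $key\$($prop.Name) = $($prop.Value)"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $prop.Name }
        }
    }
}

# 3) Start-page hijack to RealPhx.com (the disclaimer says the start page is changed).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$start  = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($start -match 'realphx\.com') {
    Write-Output "STARTPAGE $start"
    if ($Remove) { Set-ItemProperty -Path $ieMain -Name 'Start Page' -Value 'about:blank' }
}

# 4) Copies on disk (steps 4-5). Search roots are an assumption; widen as needed.
#    The SHA-256 is recorded before deletion so the sample can be matched later.
$roots = @($env:USERPROFILE, $env:SystemRoot)
Get-ChildItem -Path $roots -Recurse -File -Include $names -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Write-Output "FILE $($_.FullName) size=$($_.Length) sha256=$hash"
        if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force }
    }
# Step 6 (restoring the AIM profile) has to be done by hand in the AIM client.
```

Run it once without -Remove to review the report, then with -Remove from an elevated prompt if the HKLM Run key is involved.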