Unknown/Unidentified trojan?

Bill Royds broyds at rogers.com
Wed Nov 19 03:15:05 GMT 2003

Use raw http to view that site.
It gives a disclaimer that it is installing adware on your machine and don't
sue them if you don't like it.
It also gives remove instructions:
11/18/03 22:07:00 Fetching http://www.realphx.com/project/manual.htm
Fetching http://www.realphx.com/project/manual.htm ...
GET /project/manual.htm HTTP/1.1 Host: www.realphx.com Connection: close
User-Agent: Sam Spade 1.14  HTTP/1.1 200 OK Date: Wed, 19 Nov 2003 03:07:00
GMT Server: Apache Last-Modified: Mon, 17 Nov 2003 18:28:59 GMT ETag:
"1ba42-395-c88b70c0" Accept-Ranges: bytes Content-Length: 917 Connection:
close Content-Type: text/html; charset=ISO-8859-1  <html>

<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Manual Remove Directions</title>


<p align="center"><b>Manual Remove Directions:</b></p>
<p align="center">&nbsp;</p>
<p align="center">1) Press Control+Alternate+Delete on your keyboard.</p>
<p align="center">2) Find the process labeled &quot;b.exe&quot; and press
end program.</p>
<p align="center">3) Press Start menu, followed by search, then click files
<p align="center">4) Type &quot;b.exe&quot; in the search.</p>
<p align="center">5) When found, delete the file named
<p align="center">6) Change your profile back to what you want.</p>
<p align="center">ALL DONE.</p>



This indicates that the adware is called b.exe, so find that and delete it in the registry and on disk.

Here is the disclaimer stuff

<p align="center"><b>RealPhx.com Disclaimer<br>

Updated: 9/24/03</b><br>

By entering the site,
<a href="http://www.realphx.com">http://www.realphx.com</a>, you agree that
authorize an automatic install of our adware which will create a link to 
RealPhx.com, in place of your current America Online Instant Messenger (AIM)

profile and change your internet start-page to http://www.RealPhx.com. The 
adware will automatically install a file called av.exe on your computer.
program IS NOT a virus, worm, nor trojan horse. It is simply adware. This
will not harm your computer nor will it delete your files. If you would like
uninstall our adware at any time, please read the directions at the bottom
this disclaimer page. If you do not agree with the above terms, please exit
website now, <br>
by <a href="http://www.google.com">clicking here</a>.</p>

<p align="center"><b><font face="Arial" color="#808080" size="2">Limitation
Liability. RealPhx.com shall not be liable for any damages suffered as a
of using, modifying, contributing, copying, distributing, or downloading the

materials on this website. In no event shall RealPhx.com be liable for any 
indirect, punitive, special, incidental, or consequential damage (including
of business, revenue, profits, use, data or other economic advantage)
however it 
arises, whether for breach or in tort, even if RealPhx.com has been
advised of the possibility of such damage. You have sole responsibility for 
adequate protection and backup of data and/or equipment used in connection
the website and will not make a claim against RealPhx.com for lost data,
time, inaccurate output, work delays or lost profits resulting from the use
the materials. You agree to hold RealPhx.com harmless from, and you covenant
to sue RealPhx.com for, any claims based on using the website. Furthermore,
agree to review the material before retrieving it and assure the operators
any material which I retrieve will not violate the federal, state, or local 
obscenity laws or community standards for the community into which I choose
bring the material. I will only use the files for informational purposes,
not to 
harm anyone. I will not use any of the files to destroy or hurt other
computers. I will not download any files unless I live in a country that
me to legally use them.</font></b></p>


-----Original Message-----
From: Phillip G Deneault [mailto:deneault at WPI.EDU] 
Sent: November 18, 2003 6:33 PM
To: intrusions at incidents.org
Cc: unisog at sans.org
Subject: Unknown/Unidentified trojan? 

I got this from a student today.  Anyone seen this before?

A site that this links to...
claims that it's just adware.  Anyone want to take it apart to see if it's 
anything else? :-)

This is the fourth time in two weeks I've heard of or had to clean viruses 
off of people's machines because they clicked on some program from an AOL 
profile link.


My parents e-mailed me this morning to report that they have a virus on
their computer and they said my sister got it by clicking on a link in a
friend's profile in AOL Instant Messenger.  Apparently it created a ton of
porn links and other things on the desktop and installed some adware on 
system.  One of my roommates got something similar a few days ago, but we
can't remember how we cleared it out, and I can't find the name of the 
anywhere based on the information I have.

I found the link that she used to get this, which points to this:
http://www.talkstocks.net  The site makes a continuous attempt to push a
program "b.exe" on to the user's system.  

Phil Deneault     "We work in the dark, We do what we can,
deneault at wpi.edu   We give what we have. Our doubt is our passion,
WPI NetOps         and our passion is our task. The rest is the
InfoSec            madness of art." - Henry James

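As an added example (not part of the thread, and not RealPhx's or anyone's code from it), here is a read-only PowerShell check for the indicators the thread names: a running b.exe process, the b.exe/av.exe files on disk, and a browser start page pointing at RealPhx.com. It assumes a modern PowerShell rather than the 2003-era Windows the posters were cleaning, and it also looks at the Run keys, which the thread does not mention but are the usual place to check when a removal note says "in the registry".

```powershell
# Added example: inventory the indicators named in the thread without
# changing anything; review the report, then remove by hand as the page says.
$names  = @('b.exe', 'av.exe')     # file names the thread and disclaimer mention
$domain = 'realphx.com'            # site the adware redirects the start page to

# 1) Running processes (Get-Process matches the name without ".exe")
foreach ($n in $names) {
    $base = [IO.Path]::GetFileNameWithoutExtension($n)
    Get-Process -Name $base -ErrorAction SilentlyContinue |
        ForEach-Object { "PROCESS   pid=$($_.Id)  path=$($_.Path)" }
}

# 2) Files on disk; the whole system drive is slow, so start with the
#    profile and Windows directories and widen if nothing turns up
$roots = @($env:USERPROFILE, $env:SystemRoot)
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Include $names -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "FILE      $($_.FullName)  modified=$($_.LastWriteTime)" }
}

# 3) Start page hijack described in the disclaimer (Internet Explorer key)
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie -and "$($ie.'Start Page')" -match [regex]::Escape($domain)) {
    "REGISTRY  HKCU\...\Internet Explorer\Main\Start Page = $($ie.'Start Page')"
}

# 4) Run keys referencing either file name (assumption: the thread only says
#    "in the registry"; these are the common autostart locations to inspect)
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        foreach ($n in $names) {
            if ("$($p.Value)" -match [regex]::Escape($n)) {
                "RUNKEY    $k\$($p.Name) = $($p.Value)"
            }
        }
    }
}
```

Run it in an elevated session so HKLM and other users' files are readable; an empty report means none of the named indicators were found, not that the machine is clean.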