Thread: MS-DOS help
Old 10-15-2006, 10:11 PM   #7
Felix The Assassin
The Dreadnoks
 

Join Date: September 27, 2001
Location: Orlando, FL
Age: 62
Posts: 3,608
Quote:
Originally posted by Lord:
I can get to safe mode. SR does not work from there either.

No, Norton only identifies it as a Trojan. If I click on the link in the activity log that says "learn more about this trojan," then my computer freezes. The scan detects no trojan, but it is definitely still there. Whenever I start my computer, a hundred systemac (Norton) windows open up and it says "scanning." I have to close them with task manager.

edit: It's called the Bookmarker Trojan. I'll see if I can delete it manually from the registry.
Are you sure it's "Bookmarker"? That is ancient history type stuff as far as modern attacks are concerned.

If it is, here is your technical data:


Discovered: December 20, 2003
Updated: February 8, 2006 05:17:55 PM ZW3
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Trojan.Bookmarker is distributed as an executable installer through Web browser exploits or downloaders.

When the installer program is executed, it does the following:

1. Creates the file, %System%\Msconfd.dll. This file has the hidden attribute.

Note: %System% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Invokes the Msconfd.dll file by executing this command:

rundll32.exe msconfd,Restore


When the Msconfd.dll file is loaded, it does the following:

1. Adds the value:

"AppInit_DLLs"="msconfd.dll"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

so that the .dll file is loaded each time you start Windows NT/2000/XP.

2. Adds the value:

"Desktop" = "rundll32.exe %System%\msconfd.dll,Restore ControlPanel"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the dll is loaded every time you start Windows.

3. Adds the value:

"Desktop" = ""

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

Note: is generated from the system time.

4. Creates or overwrites the file, %System%\drivers\etc\hosts, with the text:

127.0.0.1 localhost

5. Adds the values:

"Start Page"="http:/ /webcoolsearch.com"
"Search Page"="http:/ /webcoolsearch.com"
"Search Bar"="http:/ /webcoolsearch.com"

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

6. Adds the value:

"SearchURL"="http:/ /webcoolsearch.com"

to the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

7. Adds the value:

"SearchAssistant"="http:/ /webcoolsearch.com"

to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search

8. Creates several links to pornographic Web sites in the Favorites folder, and in the Links folder within the Favorites folder.

9. If the Msconfd.dll is launched using the command:

"rundll32.exe ...\msconfd,Restore..."

the Trojan will return an error number, and Windows will display an error message indicating that the .dll initialization routine failed.


Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
* Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
* Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
* Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
__________________
The Lizzie Palmer Tribute
Let every nation know, whether it wishes us well or ill, that we shall pay any price, bear any burden, meet any hardship, support any friend, oppose any foe to assure the survival and the success of liberty.

John F. Kennedy
35th President of The United States

The Last Shot

Honor The Fallen

Jesus died for our sins, and American Soldiers died for our freedom.
If you don't stand behind our Soldiers, please feel free to stand in front of them.
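The Symantec writeup quoted in the post above lists the exact registry values, hosts-file change and IE homepage settings the Trojan leaves behind. As an added example (not part of the post or of Symantec's writeup), the check below parses a regedit `.reg` export plus the hosts file and reports every one of those indicators it finds; the `.reg` and hosts contents are constructed samples modelled on the writeup, so it runs offline against an export taken from the affected machine.

```python
import re

# Constructed .reg export modelled on the writeup's registry changes (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="msconfd.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop"="rundll32.exe C:\\WINDOWS\\System32\\msconfd.dll,Restore ControlPanel"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://webcoolsearch.com"
"Search Page"="http://webcoolsearch.com"
'''
# Constructed hosts file: the writeup says the Trojan overwrites it with only this line.
SAMPLE_HOSTS = "127.0.0.1 localhost\n"

# (registry key, value name, substring expected in the data), taken from the writeup.
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs", "msconfd.dll"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Desktop", "msconfd.dll,Restore"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page", "webcoolsearch.com"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Search Page", "webcoolsearch.com"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search", "SearchAssistant", "webcoolsearch.com"),
]

def parse_reg(text):
    # Parse a .reg export into {key (lower-cased): {value name: string data}}.
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # .reg escapes backslashes as \\ ; undo that for matching
                result[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return result

def find_indicators(reg_text, hosts_text):
    # Return one finding per writeup indicator present in the exported data.
    reg = parse_reg(reg_text)
    findings = []
    for key, name, needle in INDICATORS:
        data = reg.get(key.lower(), {}).get(name, "")
        if needle.lower() in data.lower():
            findings.append(f"{key}\\{name} = {data}")
    # Writeup step 4: hosts file reduced to the single loopback entry.
    if hosts_text.strip() == "127.0.0.1 localhost":
        findings.append("hosts file overwritten: contains only '127.0.0.1 localhost'")
    return findings
```

On a real machine, export the keys with `regedit /e` (or `reg export`) and pass the file contents and `%System%\drivers\etc\hosts` to `find_indicators`; the AppInit_DLLs entry is the one that keeps the DLL loading into every process, which is why the scanner windows keep reopening until it is removed.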