
Thread: Alt.binz users beware! You have been compromised

  1. #1
    SonsOfLiberty (The Lonely Wanderer)
    Join Date
    Dec 2008
    Location
    Capital Wasteland
    Posts
    19,213
    Alt.binz users beware! You have been compromised

    Newsflash for all those people who have started the various "cracked" versions of Alt.Binz floating around on Usenet: they are ALL trojan infected. All Firefox, IE, IM and Steam passwords are collected and uploaded to the attacker's site.

    Zerosec staffers are responsible for the infected uploads; check the sources, because you probably don't believe this already??

    However, we are not that bright, so we left our cPanel login data in our leet script, so our server got pwned with all logins and some Zerosec stuff.

    [#altbin@EFNet]-[Full]-[Alt.Binz.v0.31.1.WinAll.Multilingual-CRD]-[0/8] - "crude.nfo" yEnc

    [#altbin@EFNet]-[Full]-[Alt.Binz.v0.31.1.WinAll-iND]-[2/7] - "Alt.Binz.v0.31.1.WinAll-iND.par2" yEnc

    [#altbin@EFNet]-[Full]-[Alt.Binz.0.31.1.WinALL.Cracked.REAL-CzW]-[2/7] - "czw.nfo" yEnc


    So is this you? Is it? Looks like Zerosec has some explaining to do?

    Still don't believe? Check sources.

    Source: Zerosedc staff are a bunch of MF stealers
    Homepage: alt.binZ
    Last edited by SonsOfLiberty; 06-24-2009 at 01:18 AM.

  2. News (Archive)   -   #2
    n00bz0r (Say what?) BT Rep: +5
    Join Date
    Apr 2009
    Location
    Shangri-La
    Posts
    2,144
    Torrents and trackers give me a healthy dose of e-drama to keep me entertained.
    About time newzbin followed suit.

  3. News (Archive)   -   #3
    SonsOfLiberty (The Lonely Wanderer)
    Join Date
    Dec 2008
    Location
    Capital Wasteland
    Posts
    19,213
    You mean Usenet? Newzbin is an indexing site.

  4. News (Archive)   -   #4
    n00bz0r (Say what?) BT Rep: +5
    Join Date
    Apr 2009
    Location
    Shangri-La
    Posts
    2,144
    Yeah... Usenet.
    /me never had a good reason to use usenet.

  5. News (Archive)   -   #5
    This stuff seems to avoid virus scanners apparently.

    I'm fairly sure I'm not using the compromised version (not the one from that post, anyway), but how can I check and, if needed, remove the trojan?
    ESET doesn't see anything wrong with it.

  6. News (Archive)   -   #6
    Poster BT Rep: +1
    Join Date
    Dec 2008
    Posts
    12
    I do this sort of thing with rapidshare downloads, bind the client with a crack, virtually undetectable, person clicks said crack ?????? PROFIT!

  7. News (Archive)   -   #7
    SonsOfLiberty (The Lonely Wanderer)
    Join Date
    Dec 2008
    Location
    Capital Wasteland
    Posts
    19,213
    Quote Originally Posted by srw985
    This stuff seems to avoid virus scanners apparently.

    I'm fairly sure I'm not using the compromised version (not the one from that post, anyway), but how can I check and, if needed, remove the trojan?
    ESET doesn't see anything wrong with it.

    ESET does too; as soon as I extracted it, it detected the trojan.

  8. News (Archive)   -   #8
    With trojans such as this, even if it manages to get onto your computer, will software such as Kaspersky pick it up before it lets the trojan activate?

    How has this software got out? I'm confused. Have the groups released software with trojans packed in?

  9. News (Archive)   -   #9
    SonsOfLiberty (The Lonely Wanderer)
    Join Date
    Dec 2008
    Location
    Capital Wasteland
    Posts
    19,213
    My firewall blocked the attempt and asked whether to let it connect to xxx.xxx. My firewall doesn't let anything out unless OK'd, and it has one of the best leak-test records out there (Comodo). Plus, it was a temp file asking for access, not alt.binz, because I truly wanted to see what was going on.

  10. News (Archive)   -   #10
    newsgroupie
    Join Date
    Mar 2007
    Posts
    1,037
    Here's a Virustotal analysis:

    http://www.virustotal.com/analisis/0...ecf-1245784956

    Code:
    File altbinz.exe received on 2009.06.23 19:22:36 (UTC
    Current status:  finished
    Result: 22/41 (53.66%)
    
    Antivirus  	Version  	Last Update  	Result
    a-squared	4.5.0.18	2009.06.23	Riskware.PSWTool.Win32.Messen!IK
    AhnLab-V3	5.0.0.2	2009.06.23	-
    AntiVir	7.9.0.193	2009.06.23	DR/PSW.NetPass.FV.4
    Antiy-AVL	2.0.3.1	2009.06.23	PSWTool/Win32.NetPass.gen
    Authentium	5.1.2.4	2009.06.23	W32/Virut.AI!Generic
    Avast	4.8.1335.0	2009.06.23	-
    AVG	8.5.0.339	2009.06.23	Dropper.Small
    BitDefender	7.2	2009.06.23	-
    CAT-QuickHeal	10.00	2009.06.22	-
    ClamAV	0.94.1	2009.06.23	-
    Comodo	1401	2009.06.23	-
    DrWeb	5.0.0.12182	2009.06.23	Tool.PassView.117
    eSafe	7.0.17.0	2009.06.23	Win32.PSWTool.NetPas
    eTrust-Vet	31.6.6575	2009.06.23	Win32/Inpect.10
    F-Prot	4.4.4.56	2009.06.23	W32/Virut.AI!Generic
    F-Secure	8.0.14470.0	2009.06.23	PSWTool.Win32.NetPass.fv
    Fortinet	3.117.0.0	2009.06.23	HackerTool/Multidr
    GData	19	2009.06.23	-
    Ikarus	T3.1.1.59.0	2009.06.23	not-a-virus:PSWTool.Win32.Messen
    Jiangmin	11.0.706	2009.06.23	-
    K7AntiVirus	7.10.768	2009.06.19	-
    Kaspersky	7.0.0.125	2009.06.23	not-a-virus:PSWTool.Win32.NetPass.fv
    McAfee	5655	2009.06.23	MultiDropper-BU
    McAfee+Artemis	5655	2009.06.23	MultiDropper-BU
    McAfee-GW-Edition	6.7.6	2009.06.23	Trojan.Dropper.PSW.NetPass.FV.4
    Microsoft	1.4803	2009.06.23	-
    NOD32	4181	2009.06.23	probably unknown CRYPT.WIN32
    Norman	6.01.09	2009.06.23	-
    nProtect	2009.1.8.0	2009.06.23	-
    Panda	10.0.0.16	2009.06.23	-
    PCTools	4.4.2.0	2009.06.22	-
    Prevx	3.0	2009.06.23	Medium Risk Malware Dropper
    Rising	21.35.14.00	2009.06.23	-
    Sophos	4.42.0	2009.06.23	Mal/Generic-A
    Sunbelt	3.2.1858.2	2009.06.23	VIPRE.Suspicious
    Symantec	1.4.4.12	2009.06.23	-
    TheHacker	6.3.4.3.351	2009.06.22	-
    TrendMicro	8.950.0.1094	2009.06.23	-
    VBA32	3.12.10.7	2009.06.23	-
    ViRobot	2009.6.23.1800	2009.06.23	Not_a_virus:PSWTool.Messen.2343936
    VirusBuster	4.6.5.0	2009.06.23	Win32.Vundo.EX
    
    
    Additional information
    
    File size: 2343936 bytes
    MD5...: ef8bc3ea83f3989c4b8c196f65c3a4bf
    SHA1..: 753e0e7e77f9f1ebed85929f9099a669a88aee13
    SHA256: 08d8af59c3c2ec6d2814be7eeb5f3037b1a8de9f6ae9c889a0a45feb8c758ecf
    ssdeep: 49152:3zWSyrROgSo0R1OJgna0CAup3a2CFUlhnQycgI8y5AP0jveNU:3zWhRjCnG3aIVQFJYg
    PEiD..: -
    TrID..: File type identification
    Win32 EXE Yoda's Crypter (64.5%)
    Win32 Executable Generic (20.7%)
    Win16/32 Executable Delphi generic (5.0%)
    Generic Win/DOS Executable (4.8%)
    DOS Executable Generic (4.8%)
    PEInfo: PE Structure information
    
    ( base data )
    entrypointaddress.: 0x4760bc
    timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
    machinetype.......: 0x14c (I386)
    
    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    0x1000 0x32c000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
    0x32d000 0x13b000 0x13a800 8.00 82dada95a1a5032c894e315af113d144
    .rsrc 0x468000 0x102000 0x101800 7.99 1404b74b6b616af57b377b1b9bc5f7db
    
    ( 15 imports )
    > KERNEL32.DLL: GetTempPathA, GetTempFileNameA, CreateFileA, WriteFile, CloseHandle, GetStartupInfoA, CreateProcessA, GetModuleHandleA, LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
    > advapi32.dll: RegFlushKey
    > comctl32.dll: ImageList_Add
    > comdlg32.dll: ChooseFontA
    > crypt32.dll: CertFreeCertificateContext
    > gdi32.dll: SaveDC
    > imm32.dll: ImmGetContext
    > ole32.dll: DoDragDrop
    > oleaut32.dll: VariantCopy
    > shell32.dll: DragFinish
    > SHFolder.dll: SHGetFolderPathA
    > user32.dll: GetDC
    > version.dll: VerQueryValueA
    > winmm.dll: PlaySoundA
    > winspool.drv: OpenPrinterA
    
    ( 0 exports )
    PDFiD.: -
    RDS...: NSRL Reference Data Set
    -
    packers (Kaspersky): UPX, UPX, UPX, PE_Patch.UPX, UPX, UPX
    Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=4EAE4F40006F3399C4D023C86CF809001ADD86A1
    As you can see, only about half the anti-virus apps flagged it.
    Last edited by zot; 06-23-2009 at 07:42 PM.
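    Added example, not code from the thread or from Alt.Binz: a small Python triage script that reads a VirusTotal-style text report in the layout zot posted above (the embedded excerpt is constructed in that layout, not the full report) and pulls out the three things a defender would check: how many vendors flagged the file, whether the section table looks packed (entropy near 8.0, unnamed sections), and whether the import table carries the write-to-%TEMP%-and-execute combination a dropper needs. The DROPPER_APIS set is my own choice of indicators, not a VirusTotal field.

```python
# Constructed excerpt in the layout of the VirusTotal text report quoted above:
# a few vendor rows, the section table and two import lines, not the full report.
SAMPLE_REPORT = """\
Antivirus\tVersion\tLast Update\tResult
a-squared\t4.5.0.18\t2009.06.23\tRiskware.PSWTool.Win32.Messen!IK
AhnLab-V3\t5.0.0.2\t2009.06.23\t-
AVG\t8.5.0.339\t2009.06.23\tDropper.Small
Kaspersky\t7.0.0.125\t2009.06.23\tnot-a-virus:PSWTool.Win32.NetPass.fv
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x32c000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
0x32d000 0x13b000 0x13a800 8.00 82dada95a1a5032c894e315af113d144
.rsrc 0x468000 0x102000 0x101800 7.99 1404b74b6b616af57b377b1b9bc5f7db
> KERNEL32.DLL: GetTempPathA, GetTempFileNameA, CreateFileA, WriteFile, CreateProcessA
> advapi32.dll: RegFlushKey
"""
# Together these let a binary write an embedded payload to %TEMP% and launch it,
# which matches the "temp file asking for network access" described in post #9 (my indicator list).
DROPPER_APIS = {"GetTempPathA", "GetTempFileNameA", "CreateFileA", "WriteFile", "CreateProcessA"}

def parse_detections(report):
    """Map vendor -> verdict from the tab-separated table; '-' (clean) becomes None."""
    rows = {}
    for line in report.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) == 4 and parts[0] != "Antivirus":
            rows[parts[0]] = None if parts[3] == "-" else parts[3]
    return rows

def parse_sections(report):
    """Return [(name, entropy)]; the name column can be empty, so fields are read from the right."""
    sections = []
    for f in (line.split() for line in report.splitlines()):
        if len(f) in (5, 6) and len(f[-1]) == 32 and f[-5].startswith("0x"):
            sections.append((f[0] if len(f) == 6 else "", float(f[-2])))
    return sections

def parse_imports(report):
    """Map dll (lower-cased) -> imported names from '> dll: a, b' lines."""
    return {line[2:].split(": ", 1)[0].lower(): [n.strip() for n in line.split(": ", 1)[1].split(",")]
            for line in report.splitlines() if line.startswith("> ") and ": " in line}

def triage(report):
    """Detection ratio, packing signs (entropy near 8.0, unnamed sections) and dropper-style imports."""
    verdicts, sections = parse_detections(report), parse_sections(report)
    imported = {n for names in parse_imports(report).values() for n in names}
    return {"detection_ratio": (sum(1 for v in verdicts.values() if v), len(verdicts)),
            "packed": any(e >= 7.0 or not n for n, e in sections),
            "dropper_apis": sorted(DROPPER_APIS & imported)}
```

    On the excerpt this reports 3 of 4 vendors flagging the file, packed sections, and all five dropper APIs present; on the full report the ratio is the 22/41 zot quotes.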
