  1. #21
    The Mizzle Fizzle of Nikkei's Haremizzle

    Join Date
    Feb 2006
    Posts
    22,050
    BG Level
    10
    FFXI Server
    Bismarck

    I tend to stay away from both of them anyway as is. I'm with Kuno on the whole map upload thing to BG wiki. That would completely sever the need to go to atlas and potentially expose your information.

  2. #22
    Chram
    Join Date
    Apr 2007
    Posts
    2,614
    BG Level
    7
    FFXI Server
    Cerberus

    Quote Originally Posted by Rai View Post
    Not true until FFXIAH adds information on if/where I can buy items from NPCs, or allows you to do a search based on individual item stats (read: STR, MDB, MDT, etc).
    try clicking the stat and/or using power search. If you want to know the more complex ways to search (like by stat descending, filtered by job, race, slot, etc) I can teach you how to do that via URL 'hacking' in PM.

    and click through to a wiki link if you want npc data.

    all that's missing from FFXIAH is craft rank on unknown subcrafts... which is what I use somepage for heh.

  3. #23
    Chram
    Join Date
    Apr 2007
    Posts
    2,614
    BG Level
    7
    FFXI Server
    Cerberus

    Quote Originally Posted by ringthree View Post
    Also, FFXIAH now has an at least as good if not better search function which was the last reason that people still used somepage.

    I will try to get all the maps up on the BGwiki but it may take a little while.
    if you have one of the map pack plugins, you have a lot of doctored maps already available via that dat set. I suggest unpacking them into images with graphics converter 3 or photoshop + nvidia dds tools rather than risking a run down to ffxi-atlas if you're not sure you're airtight.

  4. #24
    Sandworm Swallows
    Join Date
    Dec 2006
    Posts
    7,329
    BG Level
    8

    Quote Originally Posted by Amele View Post
    if you have one of the map pack plugins, you have a lot of doctored maps already available via that dat set. I suggest unpacking them into images with graphics converter 3 or photoshop + nvidia dds tools rather than risking a run down to ffxi-atlas if you're not sure you're airtight.
    Nah, I have most of the maps laying around, and I hate non-pristine stuff.

  5. #25
    Command Prompt Kitty
    C:\_

    Join Date
    Feb 2008
    Posts
    46
    BG Level
    1
    FFXI Server
    Odin

    I posted some information on infection here :

    forums.windower.net/index.php?showtopic=13230

    More forthcoming as I fiddle around with it.

  6. #26

    Can we make a big media fuss over this so SE can fix their policies on recovering hacked players? ;o

  7. #27
    Ranger
    9900klub

    Join Date
    Apr 2005
    Posts
    11,476
    BG Level
    9
    FFXIV Character
    Sonomaa Kihten
    FFXIV Server
    Gilgamesh
    FFXI Server
    Bahamut
    WoW Realm
    Durotan
    Blog Entries
    12

    if you could post that information here as well, I've had some concerned PMs about the security of windower websites, people want to read but they worry

  8. #28
    Sandworm Swallows
    Join Date
    Dec 2006
    Posts
    7,329
    BG Level
    8

    Concerns over windower.net? I would think that would be one of the safer places. LOL

  9. #29

    Quote Originally Posted by ringthree View Post
    Concerns over windower.net? I would think that would be one of the safer places. LOL
    Politics aside, windower.net would be extremely high on my list of targets were I looking to infect a website.

  10. #30
    Command Prompt Kitty
    C:\_

    Join Date
    Feb 2008
    Posts
    46
    BG Level
    1
    FFXI Server
    Odin

    Infected myself via Virtual Machine (Windows XP SP3; Last Patches[July] )
    Infection Method - Direct (Downloaded and Ran 'taizi.exe')



    [ Virus Files and Names ]
    • c:\windows\system32\<randomly-generated-name>.dll - Trojan.PcClient-1603
    • c:\windows\system32\drivers\<randomly-generated-name>.sys - Trojan.Dropper-10666
    • taizi.exe - Unknown Dropper (Scanned; AV Did Not Warn)



    [ Trojan Abilities ]
    • Injects a DLL into other Programs (keystroke logging)
    --- • IMPORTANT : Keystroke logging works in any program (web browsers, email clients, pol, etc)
    • Text Capture (of keystrokes; confirmed)
    • Image Capture (of keystrokes?; unconfirmed, but loads files related to capturing images)
    • Video Capture (of keystrokes?; gameplay?; unconfirmed, but loads files related to capturing video)
    • Live Password Uploading (via web server)

    • Does NOT appear to capture text when using built-in POL virtual keyboard (captures external virtual keyboard strokes)
    • Does NOT appear to send POL files which contain saved passwords
    • Does NOT appear to use ADS (Alternate Data Streams) to hide data
    • Does NOT appear to gather POL ID data (after much testing it only seems to be after passwords and text, which is very confusing)



    [ Installs Service(s) ]
    • VSSC - (c:\windows\system32\<randomly-generated-name>.dll; ~93KBs size)
    • yuctvyaf - (c:\windows\system32\drivers\<randomly-generated-name>.sys; ~5KBs size)
    --- • NOTE : The DLL and SYS file appear to share the same randomly generated name.


    [ Installs Other File(s) ]
    • Text Log of Passwords - (c:\windows\system32\<randomly-generated-name>.key)
    --- • NOTE : The KEY log appears to share the same randomly generated name as the DLL and SYS files.
    • INI File [Unknown Usage] - (c:\windows\system32\<randomly-generated-string>.ini; 1KB size)
    • Host Information from PC.TXT - (c:\windows\temp\<randomly-generated-number>.exe; 1KB size)



    [ Creates Connection(s) ] :
    Code:
    www.crackwg.net/pcshare/pc.txt
    NOTE : Connects and downloads PC.TXT every 30 seconds until connected to host specified in file

    Code:
    59.34.148.248:7866/20080826/063853/753874.jsp
    NOTE : 59.34.148.248 is current host specified in pc.txt; Subject to change at any time
    NOTE : Connection to 59.34.148.248:7866 seems persistent and does not terminate unless connection is lost to the host. If connection to the host is lost, the trojan will attempt to connect to crackwg.net every 30 seconds and attempt to connect to the specified host in the PC.TXT file. Once connected to the specified host, it will cease attempting to connect to crackwg.net. The path to the JSP and the JSP file itself is randomly generated based on the current date and time.



    [ Other Data ]

    Initial Data Received from 59.34.148.248\*\*.JSP :

    Subsequent Data Received :

    Code:
    Receive: Return Code: 0x00000000
    00000000  48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D    HTTP/1.1 200 OK.
    00000010  0A 44 61 74 65 3A 20 54 20 47 4D 54 0D 0A 43 6F    .Date: T GMT..Co
    00000020  6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 38 0D    ntent-Length: 8.
    00000030  0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65    .Connection: Kee
    00000040  70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43    p-Alive..Cache-C
    00000050  6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65    ontrol: no-cache
    00000060  0D 0A 0D 0A 4D 1F 00 00 00 00 00 00                ....M.......


    [ Trojan Detection Methods ]
    Method I (Anti-Virus Protection) - ClamWin Anti-Virus quickly detected the DLL and SYS file, so I am certain that other Anti-Virus programs would detect them as well.

    Method II (Manual System Scan) - Should you not wish to put your account in the hands of your Anti-Virus, I would suggest downloading AutoRuns (http://technet.microsoft.com/en-us/s.../bb963902.aspx).

    - When you initially run the program, it will begin a scan. Tap the Escape button once and it will cancel the scan. Make sure that 'Verify Code Signatures' and 'Hide Signed Microsoft Entries' are selected in the 'Options' menu of the program, then execute another scan by clicking the Refresh icon. If you find the items in the image below that are selected in red, you are infected. Areas of text marked with blue mean that the file name is randomly generated and may be different than what appears in the screen shot.

    http://www.moofah.com/temp/media/ima...i-trojan-c.jpg

    - You can also search for the KEY and INI files manually within Windows Explorer or through Search.

    http://www.moofah.com/temp/media/ima...i-trojan-d.jpg
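
Added example (not part of the original posts): a triage check for the file layout reported in post #30, where the service DLL and the key log sit in system32 and the driver in system32\drivers, all under one randomly generated base name. The function names and the sample file names are assumptions made for illustration; a DLL/SYS name match can also occur with legitimate software, so a match without the .key file is only marked for review.

```python
import tempfile
from pathlib import Path


def _child(folder, name):
    """Case-insensitive child lookup, so a mounted image also works on Linux."""
    if folder is None or not folder.is_dir():
        return None
    return next((p for p in folder.iterdir() if p.name.lower() == name), None)


def _stems(folder, ext):
    """Map lower-cased file stem -> size in bytes for files ending in ext."""
    if folder is None or not folder.is_dir():
        return {}
    return {p.stem.lower(): p.stat().st_size for p in folder.iterdir()
            if p.is_file() and p.suffix.lower() == ext}


def find_shared_stem_artifacts(windows_dir):
    """List stems present as system32/<stem>.dll and system32/drivers/<stem>.sys.

    A system32/<stem>.key with the same stem raises the hit to 'high'.
    """
    system32 = _child(Path(windows_dir), "system32")
    dlls, keys = _stems(system32, ".dll"), _stems(system32, ".key")
    syss = _stems(_child(system32, "drivers"), ".sys")
    return [{"stem": s, "dll_bytes": dlls[s], "sys_bytes": syss[s],
             "priority": "high" if s in keys else "review"}
            for s in sorted(dlls.keys() & syss.keys())]


def build_sample_tree(root):
    """Constructed sample layout; every file name and size here is made up."""
    drivers = Path(root) / "WINDOWS" / "system32" / "drivers"
    drivers.mkdir(parents=True)
    system32 = drivers.parent
    for name, size in [("kernel32.dll", 10), ("qxzvbnma.dll", 93),
                       ("qxzvbnma.key", 4), ("paired.dll", 7)]:
        (system32 / name).write_bytes(b"\0" * size)
    for name, size in [("qxzvbnma.sys", 5), ("paired.sys", 6), ("disk.sys", 8)]:
        (drivers / name).write_bytes(b"\0" * size)
    return Path(root) / "WINDOWS"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_shared_stem_artifacts(build_sample_tree(tmp)):
            print(hit)
```

Pass the Windows directory of a live system or of a mounted disk image; the reported sizes can be compared with the ~93 KB DLL and ~5 KB SYS figures from the post.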

  11. #31
    Ranger
    9900klub

    Join Date
    Apr 2005
    Posts
    11,476
    BG Level
    9
    FFXIV Character
    Sonomaa Kihten
    FFXIV Server
    Gilgamesh
    FFXI Server
    Bahamut
    WoW Realm
    Durotan
    Blog Entries
    12

    there was a China-based hacker forum that carried prepackaged virus scripts not long ago, I wonder if this is one of the new packages from them

    I would assume putting a block on that website and that ip address from a firewall would protect you at least a little bit

    and yes, because of windower's popularity it would be one of the first to be attacked, I know there are always attacks on BG's server, we pay for professional monitoring to make sure we stay safe from outside attack
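
Added example (not part of the original posts): post #30 reports that the trojan re-downloads pc.txt every 30 seconds whenever it has no connection to the host named in that file, so a machine whose controller address is blocked keeps polling and stands out in proxy logs. The sketch below flags client/URL pairs requested at a steady ~30 second interval; the log format, the client addresses and the function name are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy-log lines (date, time, client, URL); not captured traffic.
SAMPLE_LOG = """\
2008-08-26 06:38:00 10.0.0.5 http://www.crackwg.net/pcshare/pc.txt
2008-08-26 06:38:05 10.0.0.9 http://wiki.example/maps
2008-08-26 06:38:10 10.0.0.7 http://www.crackwg.net/pcshare/pc.txt
2008-08-26 06:38:30 10.0.0.5 http://www.crackwg.net/pcshare/pc.txt
2008-08-26 06:38:40 10.0.0.7 http://www.crackwg.net/pcshare/pc.txt
2008-08-26 06:39:01 10.0.0.5 http://www.crackwg.net/pcshare/pc.txt
2008-08-26 06:39:30 10.0.0.5 http://www.crackwg.net/pcshare/pc.txt
2008-08-26 06:40:00 10.0.0.5 http://www.crackwg.net/pcshare/pc.txt
2008-08-26 06:41:10 10.0.0.9 http://wiki.example/maps
2008-08-26 06:41:12 10.0.0.9 http://wiki.example/maps
2008-08-26 06:50:00 10.0.0.9 http://wiki.example/maps
"""


def find_pollers(log_text, period=30, tolerance=3, min_hits=4):
    """Return (client, url, median_gap_seconds) for steady ~period polling."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # skip lines without a parseable timestamp
        seen[(parts[2], parts[3])].append(ts)
    results = []
    for (client, url), times in sorted(seen.items()):
        if len(times) < max(min_hits, 2):
            continue  # too few requests to call it a pattern
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            results.append((client, url, median(gaps)))
    return results


if __name__ == "__main__":
    for client, url, gap in find_pollers(SAMPLE_LOG):
        print(f"{client} polls {url} every ~{gap:.0f}s")
```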

  12. #32
    Sea Torques
    Join Date
    Mar 2007
    Posts
    586
    BG Level
    5

    WARNING: I wouldn't click any of the Spoiler tags without Firefox with Noscript and adblock loaded

    In the windower information it was referenced to where the TCPIP client of the virus is pointing to (I WOULDN'T SUGGEST CLICKING, I'M AT WORK SO I DON'T CARE):
    Spoiler: show
    http://www.crackwg.net/pcshare/pc.txt


    The address is pointing to a pc.txt file and on screen is displaying "59.34.148.248:7866" but this is not my work IP as I have a static IP on my domain with 172.XX.XX.XXX IP

    I decided to take a look at the starting directory
    Spoiler: show
    http://www.crackwg.net/pcshare/
    and got this bad boy.

    I loled

  13. #33

    Why is a Chinese 404 funny?

  14. #34
    The Once and Future Wamoura
    Join Date
    Aug 2005
    Posts
    18,373
    BG Level
    9
    FFXIV Character
    Rocl Montaigne
    FFXIV Server
    Excalibur
    FFXI Server
    Bahamut
    WoW Realm
    Quel'Thalas

    Quote Originally Posted by Shuemue View Post
    Why is a Chinese 404 funny?
    Definitely read that as "furry" and found it amusing, does this make me a bad person?

  15. #35

    You sick fuck, what did 404 ever do to you?

  16. #36
    The Once and Future Wamoura
    Join Date
    Aug 2005
    Posts
    18,373
    BG Level
    9
    FFXIV Character
    Rocl Montaigne
    FFXIV Server
    Excalibur
    FFXI Server
    Bahamut
    WoW Realm
    Quel'Thalas

    Coincidentally, this image appears if you google Chinese 404 furry:

    http://www.dargate.com/225_auction/225_pics/404.jpg

    This is related and on-topic.

  17. #37
    You just got served THE CALLISTO SPECIAL
    SASSAGE KING OF DA WORLD
    cheap hawks gay

    Join Date
    Sep 2007
    Posts
    26,424
    BG Level
    10

    That is certainly not something I'd risk googling to find out.

  18. #38

    That's obviously where 404 stores his fursuit and his collection of Falisa's bodily fluids.

  19. #39
    You just got served THE CALLISTO SPECIAL
    SASSAGE KING OF DA WORLD
    cheap hawks gay

    Join Date
    Sep 2007
    Posts
    26,424
    BG Level
    10

    Ok that bit of mental imagery was certainly uncalled for, bad Shue.

  20. #40
    YOU ARE SEARED
    Dungeon Master of the House of Weave

    Join Date
    May 2007
    Posts
    4,453
    BG Level
    7
    WoW Realm
    Kilrogg

    If the virus is only uploading to that site, would it stand to reason that you could give crackwg.net a bogus IP in your HOSTS file and then be able to surf atlas worry-free (insofar as this particular bug is concerned)?
