Windows Server 2003 machine infected with Trojan.Agent.BXGE
- user reports pop-ups
- look at running processes - sdra64.exe, pp06.exe, pp05.exe, ld03.exe
- googling for sdra64 shows results - clicking a result goes to a different page = PROXY!
- check Firefox proxy settings - set to use localhost port 7171 - disable
- kill the processes
- use msconfig to check startup items and services
- search the registry for sdra64.exe and remove
- search the drive for sdra64.exe and remove
- reboot
- read about the virus - find out about dll32.dll - and try to delete it
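The three manual searches above (the Firefox proxy setting, the registry, the disk) as a small offline triage script. This is an added example, not part of the original notes: the prefs.js text, the .reg export and the directory tree it runs against are constructed samples, and the Winlogon\Userinit location used in the registry sample is an assumption about where such a dropper persists, not something the notes recorded. On the real host you would feed it the user's actual prefs.js, a `reg export` dump of HKLM\SOFTWARE and HKCU\Software, and the system drive root.

```python
"""Offline triage helpers mirroring the manual steps in the notes above.
parse_prefs / find_local_proxy : Firefox prefs.js set to a localhost proxy
find_in_reg_export             : `reg export` dump searched for dropped file names
find_files                     : directory tree searched for the same names
Every sample input below is constructed; none of it is data from the infected host.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# File names seen in the process list in the notes.
SUSPECT_FILES = ("sdra64.exe", "pp06.exe", "pp05.exe", "ld03.exe")

# A prefs.js line looks like: user_pref("network.proxy.http", "localhost");
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
# A .reg export has [KEY] headers followed by "name"=data lines.
_REG_KEY_RE = re.compile(r'^\[(.+)\]\s*$')
_REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_prefs(text: str) -> Dict[str, object]:
    """Parse Firefox prefs.js text into a dict (values become str, int or bool)."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def find_local_proxy(prefs: Dict[str, object]) -> Optional[Tuple[str, int]]:
    """Return (host, port) when Firefox is on manual proxy configuration
    (network.proxy.type == 1) and the proxy is the local machine, which is
    the setting the notes found on port 7171; otherwise None."""
    if prefs.get("network.proxy.type") != 1:
        return None
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get("network.proxy." + scheme)
        port = prefs.get("network.proxy." + scheme + "_port")
        if host in ("localhost", "127.0.0.1") and isinstance(port, int):
            return str(host), port
    return None


def find_in_reg_export(text: str, names=SUSPECT_FILES) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for every exported value whose data
    mentions one of the suspect file names (case-insensitive)."""
    hits, key = [], None
    for line in text.splitlines():
        km = _REG_KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = _REG_VALUE_RE.match(line)
        if vm is None or key is None:
            continue
        name, data = vm.groups()
        if any(n in data.lower() for n in names):
            hits.append((key, name, data))
    return hits


def find_files(root: str, names=SUSPECT_FILES) -> List[str]:
    """Walk `root` and return paths whose file name is one of the suspect names."""
    wanted = {n.lower() for n in names}
    return sorted(os.path.join(d, f) for d, _sub, files in os.walk(root)
                  for f in files if f.lower() in wanted)


# Constructed sample: Firefox forced through a proxy on the local host.
SAMPLE_PREFS = '''\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 7171);
user_pref("browser.startup.homepage", "http://example.invalid/");
'''

# Constructed sample; the Winlogon\Userinit location is an assumption, the
# notes do not say where the real machine held the entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tray"="\"C:\\Program Files\\Example\\tray.exe\""
'''


def demo_tree() -> str:
    """Build a throwaway directory tree holding one suspect file; return its root."""
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "system32"))
    for name in ("userinit.exe", "SDRA64.EXE"):
        open(os.path.join(root, "system32", name), "w").close()
    return root


if __name__ == "__main__":
    print("firefox proxy:", find_local_proxy(parse_prefs(SAMPLE_PREFS)))
    for hit in find_in_reg_export(SAMPLE_REG):
        print("registry:", hit)
    print("files:", find_files(demo_tree()))
```

Run as-is it flags the constructed samples; on the real machine point `find_files` at the system drive and `find_in_reg_export` at a `reg export` dump to reproduce the two manual searches. A file that a running process still holds open can be found this way but not deleted until that process is gone, which is why the notes kill the processes before removing the files.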
found info here:
- http://www.k7computing.com/index.php/component/option,com_k7virus/Itemid,94/id,543/view,showvirus/
- http://www.threatexpert.com/report.aspx?md5=7e98c199e9790a392c2f27cf38b8a6c2
- http://www.wilderssecurity.com/showthread.php?t=236711
- http://insecureweb.com/javascript/secure-yourselffrom-the-recent-pdf-exploits-by-disabling-javascript/
confirmed:
user had received and clicked:
* The spammed messages are as follows:
  o The Subject line may be the following:
    DHL Tracking number #MR9NM82293G04TR
  o The Message part may be the following:
    Hello!
    We were not able to deliver postal package you sent on the 14th of March in time
    because the recipient’s address is not correct.
    Please print out the invoice copy attached and collect the package at our office.
    Your personal manager: xxxxxxx,
    Customer Service: 1-800-CALL-DHL
    Fax: 888-221-6211
    DHL International, Ltd. All Rights Reserved.