MSNList.com

Mark Chandler

I seem to have picked up a piece of spyware (or at least
I think it's one) that's not detected.
Every so often I get a pop-up which has the
title "Windows Security Center".
The text for the window is as follows:
"WARNING: Windows Firewall detected suspicious network
activity on your computer. Malicious software codes try
to steal your privacy information, such as credit card
numbers, electronic mail accounts, financial data or
passwords.
Do you want to download certified software and protect
your computer?"
Followed by a Yes No box.

Yes - opens IE to the url http://www.msnlist.com
No - closes the warning window (only for it to re-appear).

Firstly, is this spyware? Secondly, how do I remove it, as
it's not being detected by the MS Beta Spyware app?

Thanks in advance
 
Bill Sanderson

I agree with your assessment.

Can you attempt to submit a Tools, suspected spyware report from Microsoft
Antispyware--and describe what you see?

I'd love to see a picture of this dialog box or window, but it would be
better to post it to a web site and post the URL here, or, make sure that
you compress the image as well as you can manage, before posting it here.

I would also recommend scanning with a good antivirus product with updated
signatures--depending on what you have in place, you might want to try one
of a number of online scans--here are two that I can remember off the top of
my head:

http://security.symantec.com
http://housecall.antivirus.com

(the first is Symantec/Norton, the second Trend Micro)
 
Steve Dodson [MSFT]

Just so everyone knows - I filed a bug on this last week and we are
investigating. Mark, how did you receive this message? As I understand it,
it is a pop-up message as well as a shield message in the system tray. Do
you believe it was related to a specific web site visited? Any other
details would be great.



-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
--------------------
 
Mark Chandler

Guys

As suggested I updated my IDE definitions from Sophos
(despite doing this a few days ago) and lo and behold
I've picked up more than my fair share of Trojans.
Here's what I had:

Troj/Hidd-A (in C:\Windows\system32\hdih.dll) -
http://www.sophos.com/virusinfo/analyses/trojhidda.html
&
Troj/Clicker-L (in C:\Windows\system32\unlodctl.exe) -
http://www.sophos.com/virusinfo/analyses/trojclickerl.html

I think MSNlist.com is the latter as Sophos is now coming
up in place of the window.


I also discovered - Troj/Dloader-FQ (in
C:\Windows\system32\-
http://www.sophos.com/virusinfo/analyses/trojdloaderfq.html
which for some reason Sophos isn't detecting - but it was
running as a process etc and the files were on the hard
drive.

I've still got the files (except Hidd-A) if you want them.

As to where I got it from - I can try to find out but it
may take me a while. I think I have the date/time that it
was installed but there's a bunch of websites I visited
last week. Are there any logs in IE which record where
I'm going at what time, as I think it was over a week ago
and hence all of the history list has been merged into a
Week view? I always use the pop-up blocker that came with
SP2 so it must have somehow evaded that.

BTW - I did take a JPG of the fake window which if you're
interested I can upload or email direct (it's only 20kb).

Many Thanks

Mark
 
Kaspars

Hi, All!
IMHO the website mentioned in the subject appears to be part of
an evolving phishing network (less informed people may
google for 'phishing').
I would suggest to everybody: DON'T enter such sites and
DON'T play with them.
It can serve as a good starting point for antispyware vendors to
upgrade their methods of protection,
signatures/definitions,
etc., and maybe for brave beta-testers who have the courage
to be infected themselves for testing.
(There were requests for it in some threads earlier.)
Hint - add '/spyware.asp' to the URL in the subject and then go on.
Be warned - DON'T play with it if you are not
sure what you are doing!
I intentionally don't list here other known
'neighbour' URLs of the subject, in order to minimize the risk
of somebody really being infected.
As this 'spyware network' (don't confuse with
Microsoft® SpyNet®) also deals with 'phished'
antispyware, you may take a look at:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Be careful and don't be strong for my English
Regards - Kaspars
 
Mark Chandler

No, it's neither of those. In fact I forgot to add to my
last post that it doesn't alert in the system tray - only a
popup window with the message.

I've come back to my PC this morning and I'm 99% sure now
it's Clicker-L as I had about 10 Sophos windows alerting
me to its presence (and as this thing tries to pop up at
least every hour - it's a fair assumption).

I've added the screenshot of the pop up windows to a URL
which you should be able to view.

http://www.mpc51.pwp.blueyonder.co.uk/3.html

Hope this helps.

Regards

Mark
 
Bill Sanderson

Thanks--yes that is different--these folks are learning some GUI skills
fast, unfortunately. The usual grammar issues are somehow not
comforting--those are easily corrected.
 
Bill Sanderson

Thanks Kaspars--Excellent advice--and clearly worded!
--
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt

 
