Net-Integration hacked -- Beware of any emails

AndyManchesta

Net-Integration has been hacked and is sending out bogus
emails with this message:

Protect Your PC !!! Please download antivirus

protecti**Modified**rotection.pisem.net/avp.exe

If anyone receives these emails, please delete them, as they
contain a keylogger/password stealer.

Net-Integration has been shut down for security reasons
and pisem.net traces to Russia, so it's not going to be
easy to find who is behind this.

Trojan-PSW.Win32.LdPinch.gen

When run, this trojan copies itself to
C:\Windows\csrss.exe and also drops the file
C:\Windows\dll.dll. Any found passwords are mailed to two
Russian email addresses.

If an Internet connection is available, the trojan will
attempt to download and execute further files from a
Hungarian web site.


Andy
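
Added example, not part of the original posts: a small Python triage check that flags the two file locations named in the description above and, going one step beyond the post, any core Windows process name seen outside System32. The list of "System32-only" names, the function names and the sample paths are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# File names from the post, both written directly into the Windows directory.
LDPINCH_FILES = {"csrss.exe", "dll.dll"}

# Assumption (not from the post): these core processes are only ever
# legitimate when loaded from <system root>\System32.
SYSTEM32_ONLY = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe", "winlogon.exe"}


def classify(path, system_root=r"C:\Windows"):
    """Return 'ldpinch-ioc', 'masquerade' or None for one Windows path."""
    p = PureWindowsPath(path)            # comparisons are case-insensitive
    root = PureWindowsPath(system_root)
    name = p.name.lower()
    if p.parent == root and name in LDPINCH_FILES:
        return "ldpinch-ioc"             # exact location named in the post
    if name in SYSTEM32_ONLY and p.parent != root / "System32":
        return "masquerade"              # system name, wrong directory
    return None


def scan(paths, system_root=r"C:\Windows"):
    """Return (path, verdict) pairs for every path that is flagged."""
    hits = []
    for path in paths:
        verdict = classify(path, system_root)
        if verdict:
            hits.append((path, verdict))
    return hits


# Constructed sample: process image paths as a triage tool might export them.
SAMPLE = [
    r"C:\Windows\System32\csrss.exe",
    r"C:\WINDOWS\csrss.exe",
    r"C:\Windows\dll.dll",
    r"C:\Windows\explorer.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\lsass.exe",
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE):
        print(f"{verdict:12} {path}")
```

The genuine csrss.exe in System32 is not flagged; only the copy sitting directly in the Windows directory is.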
 
AndyManchesta

Bit more info: the site's now online, just the forums are
down until they find out a bit more about what happened.

Also it creates these reg entries:

HKEY_CURRENT_USER\Software\Mirabilis
HKEY_CURRENT_USER\Software\Mirabilis\ICQ
HKEY_CURRENT_USER\Software\Mirabilis\ICQ\DefaultPrefs
HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners
HKEY_CURRENT_USER\Software\RIT
HKEY_CURRENT_USER\Software\RIT\The Bat!

Symantec, AVG Antivirus & C.A (e-Trust) are not detecting
this but I believe the files have been submitted to them.
 
Ron Chamberlin

Hi Andy,
Probably the same bot from MS05-039 that is knocking down the unpatched
masses today.

Ron Chamberlin
MS-MVP
 
AndyManchesta

Hi Ron

I've been reading about that worm, it's left its mark. I
can't believe ABC, CNN, NY Times and even San Francisco
Airport and all the rest have left themselves open to
attack and had to deal with the problem rather than keep
the critical patches up to date.

Net-Integration is back up now and they say they are not
sure if they were hacked ;) This is some of the email
header:

(e-mail address removed): Protect Your PC !!! ( From Net-Integration Forums )
From: "Net-Integration Forums" <[email protected]>
X-Priority: 3
X-Mailer: IPB PHP Mailer
Message-Id: <E1E5168-0007dh-(e-mail address removed)>
Sender:
X-Source-Dir: net integration.net:/public_html/forums
Return-Path: (e-mail address removed)

Protect Your PC !!! Please download antivirus

protect***********otection.pisem.net/avp.exe

Sure looks like a hack to me. peace.emfc.com is connected
to them but pisem.net isn't. I know they are doing
everything they can though, and they even have a fixtool
available for anyone who's opened the emails, so good on
them and hope they can trace the source. My forum at
Xsorbit has also gone down earlier today and they are
just saying they are doing maintenance, which isn't like
them, plus they posted that about 5 hours after it went
down, so they are maybe having similar problems.

The Gremlins are out in force today !!

Andy
 
Ron Chamberlin

Hi Andy,
Actually I saw postings in a list about that a few hours before the woes of
ABC et al. I guess they may have been early targets of it.

Ron Chamberlin
MS-MVP
 
