YANDEX cookie

Tom Leylan

Something is up but after searching the Internet for the last couple of days
I can find nothing mentioning this specifically. You may want to check
your computer to see if you have the same thing going on. And if anybody
can shed some light on the problem I'd be grateful.

For some reason IE won't hold on to cookies any longer, even those I
need/want that give me access to support sites and such. I cleared all the
cookies to see if I could spot something and sure enough one cookie remains.
It's named <myaccount>@yandex[1].txt (where <myaccount> is my computer
account) and no matter what I do (including deleting the cookie) that file
returns.

These are the contents:

yandexuid
330739451136519475
yandex.ru/
1024
685931392
30492323
1909715872
29758068
*

Note the reference to a Russian site (the .RU) and YANDEX is apparently a
large Russian ISP. Point is I don't go anywhere near them, I can delete all
the cookies and this one just keeps reappearing. I've scanned my system a
couple of times and found a couple of trojans but these have been removed
yet my cookie problem remains.

So I'm wondering if anybody else has this persistent cookie and/or knows
where it comes from and how to get rid of it. I also need to find whatever
it is that is stopping legitimate cookies from remaining on my machine.

Thanks,
Tom
 
Tom Leylan

I found out more. Now there is a cookie from narod.ru

nuid
1266285951136521138
narod.ru/
1536
136062208
30492327
1430156688
29758072
*

And I can tell the browser silently visited bs.yandex.ru and downloaded some
files. Mostly graphics and nothing special, small .GIF files mostly in
Russian. But there was also an .HTM file (v12[2].htm from narod.ru) and the
contents aren't friendly at all. Nothing visible appears but there are
references to gallbio.com, biobondy.com, wstox.com and an ftp site at
209.66.124.221 which appears to be related to Plesk, Inc. and lo and behold
they sell antivirus software.

If this is old news I can find nothing posted about it and nothing seems to
detect it. If it's new more people are going to start reporting I would
guess.

Tom
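Added example, not code from anyone in this thread: a small reader for the cookie text files IE keeps per site (the <user>@yandex[1].txt files Tom is looking at), run over the two dumps quoted above. The nine-line record layout (name, value, host and path, flags, expiry as two 32-bit words, creation as two 32-bit words, then a "*" line) and the reading of the time pairs as a Windows FILETIME are assumptions about the format, not something the posts state; the creation dates the code recovers line up with the thread's own data, which is the check worth having. The comparison of the last ten digits of the value with the creation time is an observation on these two records only.

```python
from datetime import datetime, timezone

# Added example. Assumed IE cookie-file layout, nine lines per record:
#   name, value, host+path, flags, expiry (low word), expiry (high word),
#   creation (low word), creation (high word), "*" terminator.
# The (low, high) pairs are assumed to be the two halves of a FILETIME,
# i.e. 100 ns ticks since 1601-01-01.
FILETIME_EPOCH_OFFSET = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01

# Constructed input: the two records quoted in the thread, as one file would hold them.
SAMPLE_COOKIE_FILE = """yandexuid
330739451136519475
yandex.ru/
1024
685931392
30492323
1909715872
29758068
*
nuid
1266285951136521138
narod.ru/
1536
136062208
30492327
1430156688
29758072
*
"""


def filetime_to_unix(low, high):
    """Join the two 32-bit words of a FILETIME and convert to Unix seconds."""
    ticks = (high << 32) | low
    return ticks / 10_000_000 - FILETIME_EPOCH_OFFSET


def parse_ie_cookie_file(text):
    """Split the file into records and decode each one into a dict."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) % 9:
        raise ValueError("file is not a whole number of 9-line records")
    records = []
    for start in range(0, len(lines), 9):
        (name, value, host_path, flags,
         exp_lo, exp_hi, cre_lo, cre_hi, end) = lines[start:start + 9]
        if end != "*":
            raise ValueError(f"record at line {start + 1} is not '*'-terminated")
        host, _, path = host_path.partition("/")
        records.append({
            "name": name,
            "value": value,
            "domain": host,
            "path": "/" + path,
            "flags": int(flags),
            "expires": filetime_to_unix(int(exp_lo), int(exp_hi)),
            "created": filetime_to_unix(int(cre_lo), int(cre_hi)),
        })
    return records


def ymd(unix_seconds):
    d = datetime.fromtimestamp(unix_seconds, tz=timezone.utc)
    return (d.year, d.month, d.day)


def summarize(records):
    """One row per cookie: when it was set, when it expires, how long it lives,
    and whether the trailing ten digits of the value agree with the creation
    time (an observation on the thread's records, not a documented format)."""
    rows = []
    for r in records:
        tail = r["value"][-10:]
        embedded = int(tail) if tail.isdigit() else None
        rows.append({
            "name": r["name"],
            "domain": r["domain"],
            "created": ymd(r["created"]),
            "expires": ymd(r["expires"]),
            "lifetime_days": round((r["expires"] - r["created"]) / 86400),
            "value_tail_matches_creation":
                embedded is not None and abs(embedded - r["created"]) < 60,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(parse_ie_cookie_file(SAMPLE_COOKIE_FILE)):
        print(row)
```

On the two records above this gives a creation date of 6 January 2006 for both cookies, an expiry ten years later for yandexuid, and a value whose last ten digits are within seconds of the creation time, so the cookie value itself records when it was first set. That date is the one to compare against browser history and temporary-file timestamps when working out which page load brought the cookie in.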
 
Malke

Tom said:
I found out more. Now there is a cookie from narod.ru
And I can tell the browser silently visited bs.yandex.ru and
downloaded some files. Mostly graphics and nothing special, small .GIF
files mostly in Russian. But there was also an .HTM file (v12[2].htm
from narod.ru) and the contents aren't friendly at all. Nothing visible
appears but there are references to gallbio.com, biobondy.com, wstox.com
and an ftp site at 209.66.124.221 which appears to be related to Plesk,
Inc. and lo and behold they sell antivirus software.
For some reason IE won't hold on to cookies any longer, even those I
need/want that give me access to support sites and such. I cleared all
the cookies to see if I could spot something and sure enough one
cookie remains. It's named <myaccount>@yandex[1].txt (where
<myaccount> is my computer account) and no matter what I do
(including deleting the cookie) that file returns.

(various snippages)

You didn't say with what program(s) you scanned your computer. Your
computer is not clean. Go through these malware removal steps
systematically:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

Also make sure you have a current version (not earlier than 2004)
antivirus installed with an active subscription and updated
definitions.

Malke
 
Tom Leylan

Malke said:
You didn't say with what program(s) you scanned your computer. Your
computer is not clean. Go through these malware removal steps
systematically:

I appreciate your reply but I was looking for a clue as to what it was. I
can push a button but I'm trying to identify it. If I knew what the name of
the trojan was I could more easily choose a product that could eliminate it.

I scanned with name-brand products but I still have it. I'd like to know
what it is.
 
Kerry Brown

Tom said:
I appreciate your reply but I was looking for a clue as to what it
was. I can push a button but I'm trying to identify it. If I knew
what the name of the trojan was I could more easily choose a product
that could eliminate it.
I scanned with name-brand products but I still have it. I'd like to
know what it is.

If you follow the steps at Malke's link hopefully one of the steps outlined
there will identify it for you as well as remove it. Much current malware is
very limited release and only generically identified by anti-malware
programs as a variant of something else. A lot of it is released for a set
period of time and then recalled so to speak. This way they stay ahead of
the anti-malware apps. Russian gangs in particular are known to do this.
These types of malware are usually looking for information to sell or use. I
would not continue using the Internet with that pc. I would disconnect the
pc and use another one to download any needed programs. If you can't figure
it out it may be time to backup your data and do a clean install.

Kerry
 
Malke

Tom said:
I appreciate your reply but I was looking for a clue as to what it
was. I can push a button but I'm trying to identify it. If I knew what
the name of the trojan was I could more easily choose a product that
could eliminate it.

I scanned with name-brand products but I still have it. I'd like to
know what it is.

Well, it doesn't matter what it is. If you want to clean up that box,
start with the steps I gave you. If you do a Google for "yandex",
you'll get tons of sites in Russian. Since I can't read Russian, I'm
sorry but I can't interpret it for you.

Malke
 
Tom Leylan

After trying a number of different anti-virus/malware removal tools part of
the problem seemingly remains. I've managed to block the yandex and narod
sites by adding them to my hosts file, where any attempt to contact them is
directed to my local system. I believe something is still trying to do it
however.

In any case I've found no mention on any site or within product literature
that mentions these problems. It is a hijack of sorts but unlike the type
that redirect the user to a site when the browser starts up this simply
contacts the website silently, downloads a few files and everything looks
normal.

I'd suggest keeping an eye open for cookies (or files) from these sites (if
you don't visit them) because none of the scanning/cleaner tools I have used
yet has noticed a problem.

Tom
 
Malke

Tom said:
After trying a number of different anti-virus/malware removal tools
part of the problem seemingly remains. I've managed to block the yandex
and narod sites by adding them to my hosts file, where any attempt to
contact them is directed to my local system. I believe something is
still trying to do it however.

In any case I've found no mention on any site or within product
literature that mentions these problems. It is a hijack of sorts but
unlike the type that redirect the user to a site when the browser
starts up this simply contacts the website silently, downloads a few
files and everything looks normal.

I'd suggest keeping an eye open for cookies (or files) from these
sites (if you don't visit them) because none of the scanning/cleaner
tools I have used yet has noticed a problem.

I don't have to worry about files being installed on my computer from
Russian sites (or any other sites for that matter), but thanks anyway.

I suggest that you run HijackThis and post your log on one of these
forums (not here, please):

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/viewforum.php?f=30
http://castlecops.com/forum67.html
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

Malke
 
Tom Leylan

I don't have to worry about files being installed on my computer from
Russian sites (or any other sites for that matter), but thanks anyway.

I don't quite know how to explain it but I don't really care if you can't
translate Russian (see your other message) or that you don't care about
cookies from Russian sites. I didn't ask you to do either of them. I am
looking for information from anybody who "has information" not from those
with opinions.

I pointed out that people (not you obviously) might like to keep an eye open
for the cookies I mentioned. They appear without visiting the site that is
supposed to be placing them there. Don't reply to this message but (please)
think about the differences between what I write and what you keep replying
to.

Thank you.
 
Fitz

You don't have to visit the site for a cookie to be placed on your computer.
All that would need to be done is to visit a site that had a link, image,
code or some other means to place it there. For example, if you visited
google.com and they had an image hosted on the suspect site, it could cause
a cookie to be placed on your computer from the suspect site even though you
didn't visit the suspect site.

A cookie, in and by itself, is a text file and won't harm your computer,
although they can be used to track your surfing habits.
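Added example, not code from anyone in this thread, to make Fitz's point concrete: a minimal model of the cookie rules a browser follows, fed a constructed first-party page that embeds a one-pixel image from another host. The page URL, image path and response headers are made up for the example; only the cookie name and value come from the thread. The point it shows is that the cookie is filed under the domain of the host that served the image, which is also why IE names the file after yandex rather than after the site that was actually visited.

```python
import re
from urllib.parse import urlparse

# Constructed fixtures (not real traffic): a first-party page carrying a
# tracking pixel hosted elsewhere, and the headers the pixel host answers with.
FIRST_PARTY_PAGE = "http://www.example-company.test/"
PAGE_HTML = (
    "<html><body><p>Welcome to our site</p>"
    '<img src="http://bs.yandex.ru/count/pixel.gif" width="1" height="1">'
    "</body></html>"
)
RESPONSES = {
    "http://bs.yandex.ru/count/pixel.gif": {
        "Set-Cookie": "yandexuid=330739451136519475; Domain=.yandex.ru; Path=/",
    },
}


def domain_matches(host, domain):
    """host is the cookie domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


class CookieJar:
    def __init__(self):
        self.store = {}  # (domain, path, name) -> value

    def set_from_response(self, response_host, set_cookie_header):
        """Apply one Set-Cookie header. A host may set a cookie for itself or
        for a parent domain (bs.yandex.ru may set .yandex.ru), never for an
        unrelated domain; such a header is dropped."""
        first, *attr_parts = [p.strip() for p in set_cookie_header.split(";")]
        name, _, value = first.partition("=")
        attrs = {}
        for part in attr_parts:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        domain = attrs.get("domain", response_host).lstrip(".").lower()
        if not domain_matches(response_host.lower(), domain):
            return False
        path = attrs.get("path") or "/"
        self.store[(domain, path, name.strip())] = value
        return True

    def cookies_for(self, url):
        """The cookies the browser would attach to a request for url."""
        u = urlparse(url)
        host = (u.hostname or "").lower()
        path = u.path or "/"
        return {
            name: value
            for (domain, cpath, name), value in self.store.items()
            if domain_matches(host, domain) and path.startswith(cpath)
        }


def load_page(jar, page_url, html, responses):
    """Render a page the way a browser does: every <img src> is fetched, and a
    Set-Cookie on that sub-request is stored under the image host. Returns the
    hosts contacted that the user never navigated to."""
    page_host = (urlparse(page_url).hostname or "").lower()
    third_parties = []
    for src in re.findall(r'<img\b[^>]*\bsrc="([^"]+)"', html):
        host = (urlparse(src).hostname or "").lower()
        if host != page_host:
            third_parties.append(host)
        header = responses.get(src, {}).get("Set-Cookie")
        if header:
            jar.set_from_response(host, header)
    return third_parties


if __name__ == "__main__":
    jar = CookieJar()
    print("silently contacted:", load_page(jar, FIRST_PARTY_PAGE, PAGE_HTML, RESPONSES))
    print("sent to yandex.ru next time:", jar.cookies_for("http://yandex.ru/"))
    print("sent to the company site:", jar.cookies_for(FIRST_PARTY_PAGE))
```

After the single page load the jar holds yandexuid for the whole yandex.ru tree and nothing for the company site, and the same cookie goes out on the next image fetch, which is what makes it reappear after being deleted. To find which visited page is pulling it in, the thing to look for is the page in the temporary files that references bs.yandex.ru or narod.ru, not the cookie itself.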
 
Tom Leylan

Fitz said:
You don't have to visit the site for a cookie to be placed on your
computer. All that would need to be done is to visit a site that had a
link, image, code or some other means to place it there. For example, if
you visited google.com and they had an image hosted on the suspect site,
it could cause a cookie to be placed on your computer from the suspect
site even though you didn't visit the suspect site.

A cookie, in and by itself, is a text file and won't harm your computer,
although they can be used to track your surfing habits.

Thanks Fitz, good information. I'd have to comment out my hosts file to test
it but I'm pretty sure the cookie appeared when I visited my company's site
and I don't have any link to yandex.ru much less narod.ru on it. I could be
mistaken about that since I was trying many different things.

I do know for a fact that images (.GIF files) along with an html page
appeared in my cache from narod.ru and again I didn't go anywhere near the
site. And this html page contained nothing visible but did contain
javascript along with references to ftp ports and such. I traced one of the
addresses to a company that sells malware removal software. This would
happen as I started my browser and my home page is my company's site.

In any case I did use McAfee software and added entries to my hosts file for
yandex.ru and narod.ru and everything seems back to normal now. Thanks
again for the information.

Tom
 
Andy

In any case I did use McAfee software and added entries to my hosts file for
yandex.ru and narod.ru and everything seems back to normal now. Thanks
again for the information.

Tom

Hi Tom,
I came across this one today at work. It sure is a nasty one and
despite the posts that recommend updating your antivirus and
antispyware it will probably still remain. The files that it compiles are
very WELL hidden and the payload is nasty. Today's updates of Sophos,
CA-AV, Spybot and Adaware all failed to find it on a machine that I
knew was infected.

I would have emailed you this directly but you have hidden your email
address. Drop me a line at @[email protected] (the @ndy is andy) and let
me know your computer name eg: <myaccount>@yandex[1].txt and I'll be
able to tell you if your machine was infected.

I think this does belong in the xp security thread, it's a pretty big
hole and a lot of users will be talking about it soon!

Cheers,

Andy.
 
Kerry Brown

Andy said:
In any case I did use McAfee software and added entries to my hosts
file for yandex.ru and narod.ru and everything seems back to normal
now. Thanks again for the information.

Tom

Hi Tom,
I came across this one today at work. It sure is a nasty one and
despite the posts that recommend updating your antivirus and
antispyware it will probably still remain. The files that it compiles are
very WELL hidden and the payload is nasty. Today's updates of Sophos,
CA-AV, Spybot and Adaware all failed to find it on a machine that I
knew was infected.

I would have emailed you this directly but you have hidden your email
address. Drop me a line at @[email protected] (the @ndy is andy) and let
me know your computer name eg: <myaccount>@yandex[1].txt and I'll be
able to tell you if your machine was infected.

I think this does belong in the xp security thread, it's a pretty big
hole and a lot of users will be talking about it soon!

Cheers,

Andy.

So what is it and how did you get rid of it?

Kerry
 
cquirke (MVP Windows shell/user)

That should be true, but is not. By DESIGN, a cookie can contain HTML
and scripts, and these scripts can be run.

This came to light when a bug was found, whereby a script dropped by
an Internet web site could be run in local HD "My Computer" security
zone, rather than in Internet security zone.

The patch fixed the bug by either forcing Internet Zone context on
such cookies, or maintaining the actual zone the script-in-cookie was
dropped from. The difference is material, if (say) you allow
Restricted Zone to drop cookies but didn't intend to run scripts.


---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
 
Andy

So what is it and how did you get rid of it?

Kerry

I don't know what it is or what it's called but it is activated (and
reactivated) by pulling those little gif images down from a handful of
sites including Yandex.ru and nix.ru. The gif is then executed (thanks
a lot MS!) and it appears to continue to pull updated info from those
sites (and a couple of others).

It creates smss.exe in the /windows dir also winlogon.exe in /windows
but deletes the latter after it's done its work. The Explorer process is
spawned by the dodgy smss so it can connect to web sites quietly.
Other processes are spawned and they look for all manner of files
including windows.exe in the "Program Files" dir... I could go on for
hours, it is nasty, it is hard to identify with "normal tools" and is
tricky to remove.

Every so often it will send screen captures and data to a remote
host.... bank passwords, email passwords, domain passwords.... you get
the idea.

I don't want to encourage script kiddies so I'll stop talking about it
now.... but if anyone has had the same symptoms and wants to know what
data of theirs is moving around the planet then let me know (your
infected machine name via email) and I'll check for it (if and/or when
I can).

Andy.
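Added example, not code from anyone in this thread: a triage check for the process pattern Andy describes, namely a second smss.exe and a winlogon.exe dropped into \Windows instead of \Windows\System32, with Explorer spawned from the fake smss so its web traffic looks like ordinary browsing. The process snapshot is constructed, and the expected locations and parent relationships are assumptions about Windows XP (one smss.exe, started by the System process, PID 4, which starts csrss.exe and winlogon.exe; explorer.exe is started by userinit.exe, which exits afterwards, so Explorer's parent is normally absent from the listing). Feed it the (pid, parent pid, image path) rows from whatever process lister you trust on the machine.

```python
import ntpath

# Added example. Expected image directories and parentage assumed for Windows XP.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
CORE_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM_PID = 4

# Constructed snapshot: (pid, parent pid, image path). The first seven rows are a
# normal XP boot chain; the last three are the pattern described in the post.
SAMPLE_PROCESSES = [
    (4, 0, "System"),
    (368, 4, r"C:\WINDOWS\system32\smss.exe"),
    (416, 368, r"C:\WINDOWS\system32\csrss.exe"),
    (440, 368, r"C:\WINDOWS\system32\winlogon.exe"),
    (484, 440, r"C:\WINDOWS\system32\services.exe"),
    (496, 440, r"C:\WINDOWS\system32\lsass.exe"),
    (1204, 1176, r"C:\WINDOWS\explorer.exe"),   # parent userinit.exe has exited
    (1540, 1204, r"C:\WINDOWS\smss.exe"),        # dropped copy: wrong directory, wrong parent
    (1612, 1540, r"C:\WINDOWS\winlogon.exe"),    # dropped copy: wrong directory
    (1700, 1540, r"C:\WINDOWS\explorer.exe"),    # Explorer spawned by the fake smss
]


def find_suspicious(processes):
    """Return [(pid, reason), ...] for every row that breaks the XP expectations above.
    ntpath is used so the Windows paths parse the same way on any host."""
    by_pid = {pid: path for pid, _, path in processes}
    findings = []
    for pid, ppid, path in processes:
        name = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower()
        if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
            findings.append((pid, f"{name} running from {directory or '?'} "
                                  f"instead of {EXPECTED_DIR[name]}"))
        if name == "smss.exe" and ppid != SYSTEM_PID:
            findings.append((pid, f"smss.exe started by PID {ppid}, not by System"))
        parent_name = ntpath.basename(by_pid.get(ppid, "")).lower()
        if name == "explorer.exe" and parent_name in CORE_NAMES:
            findings.append((pid, f"explorer.exe started by {parent_name} (PID {ppid})"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_PROCESSES):
        print(f"PID {pid}: {reason}")
```

A name-only process list (Task Manager on XP) shows two smss.exe entries and nothing else; the image path and parent PID are what separate the dropped copies from the real ones, so use a lister that shows both. A clean result from this check says nothing about a rootkit that hides its processes, which is Kerry's point about a rebuild being the only certain fix.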
 
Kerry Brown

Andy said:
I don't know what it is or what it's called but it is activated (and
reactivated) by pulling those little gif images down from a handful of
sites including Yandex.ru and nix.ru. The gif is then executed
(thanks a lot MS!) and it appears to continue to pull updated info
from those sites (and a couple of others).

It creates smss.exe in the /windows dir also winlogon.exe in /windows
but deletes the latter after it's done its work. The Explorer process is
spawned by the dodgy smss so it can connect to web sites quietly.
Other processes are spawned and they look for all manner of files
including windows.exe in the "Program Files" dir... I could go on for
hours, it is nasty, it is hard to identify with "normal tools" and is
tricky to remove.

Every so often it will send screen captures and data to a remote
host.... bank passwords, email passwords, domain passwords.... you get
the idea.

I don't want to encourage script kiddies so I'll stop talking about it
now.... but if anyone has had the same symptoms and wants to know what
data of theirs is moving around the planet then let me know (your
infected machine name via email) and I'll check for it (if and/or when
I can).

Andy.

Thanks, I have seen similar. It can be a real pain to get rid of. The only
sure way is to kill the system and start again. It's impossible to be 100%
certain you got it all any other way.

Kerry
 
Guest

I am having the same exact problem. I can clear cookies and delete files
until I am blue in the face. Every time I launch Explorer and then look in the
history folder, it tells me that I have gone to some Russian site
(c893.narod.ru) and then there is a subpage in Russian that I have supposedly
visited. I then look in cookies and the YANDEX cookie is there. I also have
scanned my system with Symantec, Adaware, Microsoft Anti Spyware, Ewido and
SpyBot. Nothing kills this thing. Can you please tell me how you got rid of
it? You mention that you changed your hosts file but I do not know how to do
this. Help - this is driving me crazy.
 
Tom Leylan

Scott said:
I am having the same exact problem. I can clear cookies and delete
files until I am blue in the face. Every time I launch Explorer and
then look in the history folder, it tells me that I have gone to some
Russian site (c893.narod.ru) and then there is a subpage in Russian
that I have supposedly visited. I then look in cookies and the YANDEX
cookie is there. I also have scanned my system with Symantec, Adaware,
Microsoft Anti Spyware, Ewido and SpyBot. Nothing kills this thing.
Can you please tell me how you got rid of it? You mention that you
changed your hosts file but I do not know how to do this. Help - this
is driving me crazy.

Oh good, people are starting to notice :) Here is what I did and would
suggest you consider...

Locate your "hosts" file.
It should be at C:\Windows\System32\drivers\etc\hosts

Add the following entries:
127.0.0.1 bs.yandex.ru
127.0.0.1 c893.narod.ru

and while you are there you can add the following to block a bunch of stupid
ads
127.0.0.1 ad.doubleclick.net

At that point requests to those sites are redirected to your machine, which
will clearly fail. Erase the crazy cookies and empty the temporary folder
to get rid of anything that came from those Russian sites.

I think that alone takes care of it but I also dl'd the McAfee software. I
can't tell who knows what, when or where these days but this software
reported a number of problems and it did appear to remove them. Since then
I've had no weird cookies, my browser behaves normally and I never have
files from those sites appear again.

Best of luck... in fact if it works perhaps you could post a follow-up.

HTH,
Tom
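Added example, not code from anyone in this thread: the hosts-file blocking Tom describes, written so it can be re-run safely, together with the two checks that go with it. The path is the one given in the post (XP) and the names are the ones named in the thread; the stock hosts file content is a constructed stand-in. Two things it makes explicit that the post does not: a hosts entry blocks one exact name only (c893.narod.ru stays blocked while any other narod.ru host resolves normally, and a connection made straight to an IP address is untouched), and the same file is a favourite target for malware, so every entry you did not put there deserves a look. 0.0.0.0 is used instead of 127.0.0.1 so a blocked request fails at once rather than first trying a web server on your own machine; 127.0.0.1 as in the post works too.

```python
# Added example. Path and block list from the thread; file content constructed.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
BLOCK_ADDR = "0.0.0.0"
BLOCK_ADDRS = ("0.0.0.0", "127.0.0.1")
NAMES_TO_BLOCK = ["bs.yandex.ru", "c893.narod.ru", "ad.doubleclick.net"]

SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1       localhost\n"
)


def parse_hosts(text):
    """{hostname (lower-case): address} for every live mapping; comments ignored."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def add_block_entries(text, names, addr=BLOCK_ADDR):
    """Append one line per name not already mapped. Returns the new file text,
    unchanged when every name is present, so repeat runs add nothing."""
    present = parse_hosts(text)
    missing = [n for n in names if n.lower() not in present]
    if not missing:
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "".join(f"{addr} {n}\n" for n in missing)


def is_blocked(text, hostname):
    """True only for an exact name match: the hosts file has no wildcards."""
    return parse_hosts(text).get(hostname.lower()) in BLOCK_ADDRS


def foreign_entries(text, expected_names):
    """Mappings you did not add. Malware edits this file too, typically to point
    antivirus update hosts at 127.0.0.1 or at a server it controls."""
    known = {n.lower() for n in expected_names} | {"localhost"}
    return {n: a for n, a in parse_hosts(text).items() if n not in known}


def update_hosts_file(path=HOSTS_PATH, names=NAMES_TO_BLOCK):
    """Apply the block list to the real file (needs an administrator account)
    and return whatever else is in there."""
    with open(path, "r", encoding="ascii", errors="replace") as f:
        current = f.read()
    updated = add_block_entries(current, names)
    if updated != current:
        with open(path, "w", encoding="ascii") as f:
            f.write(updated)
    return foreign_entries(updated, names)


if __name__ == "__main__":
    # Dry run on the constructed file; call update_hosts_file() for the real one.
    text = add_block_entries(SAMPLE_HOSTS, NAMES_TO_BLOCK)
    print(text)
    print("c893.narod.ru blocked:", is_blocked(text, "c893.narod.ru"))
    print("c894.narod.ru blocked:", is_blocked(text, "c894.narod.ru"))
    print("entries not on the list:", foreign_entries(text, NAMES_TO_BLOCK))
```

Because the match is exact, the list is only as good as the hosts you have actually seen in the cache and history; a fresh subdomain from the same site gets through, which is one reason the block treats the symptom while a clean-up or rebuild treats the cause. Running foreign_entries before adding anything is worth doing on its own: a hosts file that already maps antivirus or update sites to 127.0.0.1 is itself evidence of what the scanners are failing to find.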
 
