Trojans that make use of redir.exe

Guest

The results of my search thus far.

The offending IP

http://66.250.130.200/

aka, thesten.com, thesten.net, thestas.com, spyass.com, spyorg.com, etc.etc.

They are making use of Windows/system32/redir.exe to change the URLs of web pages to their own, by use of a test.html page containing the URL list, which I have downloaded to my computer so that I can verify this.

Found in jp_i.cache

VerifierBug.class

Dummy.class

VideoPullPlayer.jar

tradecontrol.jar

counter.jar

Found in the Windows Media Player folder.

Loader.exe

and another .exe whose name I forget, but I suspect they rename files so that the situation is always in flux.

The counter works in conjunction with redir.exe, telling it to "key" on certain words; it then changes a URL on the page to one on the list.
 
Guest

Some further progress here. The last URL should be SpyOrgy.net, and their page uses an invisible iframe as the test HTML page, and has language which downloads the actual trojans as Java applets, two in number: one is a counter and the other is a version of the Byte.Verify bug. At least that appears to be what happens.
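
The infection chain the two posts describe (an invisible iframe pulling in a test page, which in turn loads Java applets and jars) can be checked for in a saved copy of a page before anything in it is run. Below is an added example, not code from this thread or from any of the sites named in it: a small Python scanner that parses HTML, flags iframes that are zero-sized or hidden by style, flags applet/object/embed tags that reference .jar or .class files, and marks any source that points at one of the hosts listed in the first post. The sample HTML is constructed for the example and the function and variable names are assumptions of mine, not anything from the posts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the first post; used only to mark which findings point at them.
KNOWN_BAD_HOSTS = {
    "66.250.130.200", "thesten.com", "thesten.net", "thestas.com",
    "spyass.com", "spyorg.com", "spyorgy.net",
}

# Constructed sample page for this example (not the real test.html): one
# invisible iframe, one applet pulling a jar, one ordinary visible iframe.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://66.250.130.200/test.html" width="0" height="0" frameborder="0"></iframe>
<applet code="VerifierBug.class" archive="counter.jar" width="1" height="1"></applet>
<iframe src="http://example.invalid/news" width="600" height="400"></iframe>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
JAVA_REF = re.compile(r"\.(?:jar|class)\b", re.I)


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 pixel, the usual size of a hidden frame."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class DropperScanner(HTMLParser):
    """Collects (tag, reference, reason, known_bad_host) tuples for suspicious elements."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _record(self, tag, ref, reason):
        # Relative references (e.g. a bare jar name) have no hostname and are never "known bad".
        host = (urlparse(ref).hostname or "").lower()
        self.findings.append((tag, ref, reason, host in KNOWN_BAD_HOSTS))

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            hidden = (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                      or bool(HIDDEN_STYLE.search(a.get("style", ""))))
            if hidden:
                self._record("iframe", a.get("src", ""), "hidden or zero-sized iframe")
        elif tag in ("applet", "object", "embed"):
            # Any of these attributes can carry the applet/jar reference.
            refs = " ".join(a.get(k, "") for k in ("code", "archive", "src", "data", "codebase")).strip()
            if JAVA_REF.search(refs):
                self._record(tag, refs, "loads Java applet/jar")


def scan_html(html):
    """Return the list of suspicious elements found in an HTML document."""
    parser = DropperScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for tag, ref, reason, bad in scan_html(SAMPLE_HTML):
        print(f"{tag:7} {reason:28} {ref}{'  <-- known host' if bad else ''}")
```

Run it against a page saved with "view source" rather than a live fetch, so the scanner never executes anything; on the sample it reports the zero-sized iframe (pointing at a known host) and the applet, and ignores the ordinary 600x400 frame.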
 
