MBS / Platte Media Victims' Forum
February 07, 2012, 11:20:15 am *
Pages: [1] 2 3
Author Topic: infection research  (Read 7398 times)
jonlewi5
« on: October 02, 2007, 02:40:23 pm »

First off, I've never been infected by this "program" but have repaired several PCs that have, so I've decided to infect my laptop. Of course I am not stupid and will be doing it all through a virtual machine. Basically what I aim to do is make sure that no other files are affected by this crap, i.e. that the program isn't hooking on to other programs. I plan on doing this by writing a collection of programs specifically for this purpose, the first being to check every file on the system and record their size and MD5 hash. Then I will infect the machine and see what happens to the files and registry. With this information I intend to write a pretty simple program to automatically remove all traces of this shit and remove the reg entries.

After all that, I ask: what URLs can I go to to get infected??
« Last Edit: October 03, 2007, 05:33:20 pm by jonlewi5 »
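An added example (editor's code, not jonlewi5's tools) of the baseline-and-diff approach the post describes: walk a drive root, record size and MD5 for every file, do it again after the install, and classify paths as created, deleted or changed. Everything in demo() is a constructed stand-in for the VM (a tiny fake WINDOWS tree and a pretend install); the real run would point snapshot() at C:\ before and after clicking the installer. The demo also shows the two things a hash diff cannot see, which is why a folder watcher is still needed alongside it: a file replaced with identical bytes, and a file created and deleted again between the two snapshots.

```python
"""Baseline-and-diff file integrity check: snapshot (size, md5) for every file,
infect, snapshot again, diff. Added example, not the original poster's tool."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream files in 1 MiB pieces so large DLLs are not read into RAM at once


def hash_file(path):
    """Return (size, md5 hex) for one file."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative, forward-slash path) to (size, md5).
    Files that cannot be opened (locked registry hives, pagefile) are recorded as
    (None, None) instead of aborting the whole walk."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.is_symlink():
            continue
        key = p.relative_to(root).as_posix()
        try:
            snap[key] = hash_file(p)
        except OSError:
            snap[key] = (None, None)
    return snap


def diff_snapshots(before, after):
    """Classify paths as created, deleted, or changed (size or MD5 differs)."""
    common = before.keys() & after.keys()
    return {
        "created": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "changed": sorted(k for k in common if before[k] != after[k]),
    }


def demo():
    """Constructed stand-in for the VM: a tiny fake WINDOWS tree, a simulated install
    that drops, backs up, rewrites and overwrites files, and the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "WINDOWS" / "system32"
        media = root / "WINDOWS" / "Media"
        sys32.mkdir(parents=True)
        media.mkdir(parents=True)
        icon = b"constructed icon bytes"
        (sys32 / "winiconmon.ico").write_bytes(icon)
        (sys32 / "shell32.dll").write_bytes(b"constructed shell32 bytes")
        (media / "Windows XP Error.wav").write_bytes(b"constructed wav v1")
        before = snapshot(root)

        # Simulated install (constructed): drop a new exe, rename the icon to a .bak0
        # and write the same bytes back, overwrite the wav, create-then-delete a temp file.
        (sys32 / "mbssm32.exe").write_bytes(b"constructed dropped exe")
        (sys32 / "winiconmon.ico").rename(sys32 / "winiconmon.ico.bak0")
        (sys32 / "winiconmon.ico").write_bytes(icon)
        (media / "Windows XP Error.wav").write_bytes(b"constructed wav v2")
        scratch = sys32 / "VIQYJRUKNGNWDJUDXPMTV.udc"
        scratch.write_bytes(b"constructed scratch")
        scratch.unlink()
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In the demo the rewritten winiconmon.ico does not show up as changed (same bytes, same hash) and the .udc scratch file never appears at all; only the dropped exe, the .bak0 copy and the overwritten wav are reported. MD5 is fine for "did this file change between my two snapshots", but for identifying a dropped binary against other people's reports record SHA-256 as well.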


ForumFriend
« Reply #1 on: October 02, 2007, 09:55:38 pm »

Try mysexworld and sexxxpassport for starters.  I have seen other names mentioned.  You could also google for membersmatters (or similar), which may provide some further links.

It would be very interesting to see a 'map' of what comes up to try to understand what is going on.  Like you, I've never been infected by MBS so I am at least as intrigued as you (but have absolutely no intention of seeking to be infected!).  If you're willing to share the outcomes of your explorations, could you post to that effect?

"Dedicated to creating a safer internet"
jonlewi5
« Reply #2 on: October 03, 2007, 05:37:27 am »

I will most definitely post my findings, sir. I have so far set up a test environment in an XP virtual machine and have written the first programs which I intend to use. This program monitors a chosen folder for any changes and displays the info in a small window; I also have another program which I wrote which will show the MD5 hash of any file. I intend to install 5 different virtual machines, become infected 5 times and then cross-check the hashes of the files dropped on my PC each time I get infected. This will assist me when I write the removal tool, as I'll be sure the program is deleting the infecting files; it will also make sure that these executables are ALWAYS the same.

Find here a screenshot of my laptop running XP with my first tool running:

http://img353.imageshack.us/img353/255/vmxptestenval1.jpg

(I won't embed the image into the forum as it is 1200x800.)

UPDATE
Just wrote another program which will show the CRC32 and the MD5 hash of a selected file. If what I'm thinking is correct, then the hashes should be the same every time I get infected; if they aren't, then that is something we should be worried about.
« Last Edit: October 03, 2007, 06:19:29 am by jonlewi5 »


jonlewi5
« Reply #3 on: October 03, 2007, 07:04:46 am »

OK, I have just infected my virtual machine and have got a log of what was changed and created. I've also taken screenshots along the way; here are my results so far.

SCREENIES

Sexxxpassport terms and conditions (may include some xxx pics)

http://img254.imageshack.us/img254/6775/passporttandcgm1.jpg

After clicking that I agreed, I got this:

http://img401.imageshack.us/img401/2031/mbsinstallqy7.jpg

As I'm using Firefox, the downloaded files appear on my desktop; it seems this isn't "auto-running", i.e. it has to be clicked to start.

http://img524.imageshack.us/img524/8766/desktopmd5.jpg

On my XP machine, I'm next asked if I do want to install the program:

http://img401.imageshack.us/img401/9550/askbeforeinstalleq2.jpg

And finally, my desktop AFTER the install:

http://img373.imageshack.us/img373/8860/screenafterinstallvh1.jpg



MY LOG

This log was created using my folder watcher tool. I set the program to watch my ENTIRE root directory (C:\) so some of the first few entries have nothing to do with MBS.

File C:\WINDOWS\system32\mshtmler.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorie.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\plugin.ocx has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mydocs.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mydocs.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\explorer.exe has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\explorer.exe has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Media\Windows XP Error.wav has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Tasks has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\SECURITY.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\cryptnet.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Fonts\vgaoem.fon has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Fonts\dosapp.fon has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Fonts\ega40woa.fon has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Fonts\cga80woa.fon has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Fonts\cga40woa.fon has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\olepro32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\Sexxxpassport.ico has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\Sexxxpassport.ico has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\181ECE0B.inf has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\181ECE0B.inf has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\UBSauthenticateAXC.ocx has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\UBSauthenticateAXC.ocx has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Fonts\sserife.fon has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\winiconmon.ico has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\winiconmon.ico has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mbssm32.exe has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mbssm32.exe has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mbsrm32.exe has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mbsrm32.exe has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File system32\winiconmon.ico has been renamed to C:\WINDOWS\system32\winiconmon.ico.bak0 by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\winiconmon.ico.bak0 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\winiconmon.ico has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\winiconmon.ico has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\INS6.TMP-0E074B7C.pf has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\INS6.TMP-0E074B7C.pf has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\psapi.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\Sexxxpassport.ico has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\Sexxxpassport.ico has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\MBSAUTHENTICATE_39.EXE-11197F82.pf has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\MBSAUTHENTICATE_39.EXE-11197F82.pf has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\url.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\url.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mshtml.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mshtml.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mshtml.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mshtml.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udc has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udc has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udc has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udc has been deleted by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udcIISGCDKHBCYWJQTLCSMDS.udc has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udcIISGCDKHBCYWJQTLCSMDS.udc has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udcIISGCDKHBCYWJQTLCSMDS.udc has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udcIISGCDKHBCYWJQTLCSMDS.udc has been deleted by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\inetcpl.cpl has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Fonts\verdanai.ttf has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\MBSSM32.EXE-0CF4F0DB.pf has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\MBSSM32.EXE-0CF4F0DB.pf has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\MBSRM32.EXE-1B1BD55F.pf has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\MBSRM32.EXE-1B1BD55F.pf has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\netcfgx.dll has been changed by jon from JON-2FAD10340D6



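An added example (editor's code, not the watcher tool from the post) that parses the log format above into the questions an analyst actually wants answered: which files were dropped and which of those survived, what was renamed, how much registry hive activity there was, and which programs ran. The last point comes from the Prefetch entries: Windows names a prefetch file EXENAME-HASH.pf when an executable is launched, so MBSAUTHENTICATE_39.EXE-11197F82.pf, MBSSM32.EXE-0CF4F0DB.pf and MBSRM32.EXE-1B1BD55F.pf are evidence that those three executables were run, not just written to disk. One caveat the parser encodes: a directory-watcher "changed" notification can fire on a last-access or attribute update as well as on a content write, so the repeated shell32.dll and mshtml.dll entries do not by themselves prove those DLLs were modified; only a hash comparison before and after settles that. SAMPLE_LOG is an excerpt of the lines posted above.

```python
"""Parser and summary for the 'File ... has been ... by USER from HOST' watcher log.
Added example, not the original poster's tool."""
import re

LINE_RE = re.compile(
    r"^File (?P<path>.+?) has been "
    r"(?P<action>created|changed|deleted|renamed to (?P<new>.+?)) "
    r"by (?P<user>\S+) from (?P<host>\S+)$"
)

# Excerpt of the log lines from the post above (page data, trimmed for the example).
SAMPLE_LOG = r"""
File C:\WINDOWS\system32\shell32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\Sexxxpassport.ico has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\Sexxxpassport.ico has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\181ECE0B.inf has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\UBSauthenticateAXC.ocx has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mbssm32.exe has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mbsrm32.exe has been created by jon from JON-2FAD10340D6
File system32\winiconmon.ico has been renamed to C:\WINDOWS\system32\winiconmon.ico.bak0 by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\winiconmon.ico has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\INS6.TMP-0E074B7C.pf has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\MBSAUTHENTICATE_39.EXE-11197F82.pf has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udc has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udc has been deleted by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\MBSSM32.EXE-0CF4F0DB.pf has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\MBSRM32.EXE-1B1BD55F.pf has been created by jon from JON-2FAD10340D6
"""


def parse_line(line):
    """Return a dict with path/action/new/user/host, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["action"].startswith("renamed to "):
        rec["action"] = "renamed"
    return rec


def is_hive_activity(path):
    """Registry hive files and their transaction logs (config\\software, config\\SECURITY.LOG)."""
    return "\\config\\" in path.lower()


def prefetch_exe(path):
    """Prefetch files are named EXENAME-HASH.pf; return EXENAME, or None if not a prefetch file."""
    low = path.lower()
    if "\\prefetch\\" not in low or not low.endswith(".pf"):
        return None
    name = path.rsplit("\\", 1)[-1][:-3]  # strip directory and the ".pf" suffix
    return name.rsplit("-", 1)[0]


def summarize(lines):
    created, deleted, executed, renamed, changed_other = [], [], [], [], []
    hive_writes = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, action = rec["path"], rec["action"]
        exe = prefetch_exe(path)
        if exe:
            if action == "created" and exe not in executed:
                executed.append(exe)  # a new .pf means the program was launched
            continue
        if is_hive_activity(path):
            hive_writes += 1  # registry writes, not dropped files
            continue
        if action == "created" and path not in created:
            created.append(path)
        elif action == "deleted" and path not in deleted:
            deleted.append(path)
        elif action == "renamed":
            renamed.append((path, rec["new"]))
        elif action == "changed" and path not in created and path not in changed_other:
            changed_other.append(path)  # pre-existing file touched; verify with a hash diff
    survived = [p for p in created if p not in deleted]
    return {
        "created": created,
        "deleted": deleted,
        "survived": survived,
        "renamed": renamed,
        "executed": executed,
        "hive_writes": hive_writes,
        "changed_other": changed_other,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Run against the full log, "survived" is the list a removal tool has to delete and "executed" is the list of binaries worth pulling out of the VM for hashing; "changed_other" is the list to feed into a before/after hash comparison rather than to treat as infected.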


jonlewi5
« Reply #4 on: October 03, 2007, 07:05:22 am »

I had to make another post for this as it originally exceeded the max post size, lol. Anyway,


I find the following entries particularly interesting.

This is where I BELIEVE the installation starts.
I'll be checking my registry tonight, but now have to go to work, lol.

File C:\WINDOWS\Fonts\vgaoem.fon has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Fonts\dosapp.fon has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Fonts\ega40woa.fon has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Fonts\cga80woa.fon has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Fonts\cga40woa.fon has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\olepro32.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\Sexxxpassport.ico has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\Sexxxpassport.ico has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\181ECE0B.inf has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\181ECE0B.inf has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\UBSauthenticateAXC.ocx has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\UBSauthenticateAXC.ocx has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Fonts\sserife.fon has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\winiconmon.ico has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\winiconmon.ico has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mbssm32.exe has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mbssm32.exe has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mbsrm32.exe has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mbsrm32.exe has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File system32\winiconmon.ico has been renamed to C:\WINDOWS\system32\winiconmon.ico.bak0 by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\winiconmon.ico.bak0 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\winiconmon.ico has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\winiconmon.ico has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\INS6.TMP-0E074B7C.pf has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\INS6.TMP-0E074B7C.pf has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\config\software.LOG has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\psapi.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\Sexxxpassport.ico has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\Sexxxpassport.ico has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\MBSAUTHENTICATE_39.EXE-11197F82.pf has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\Prefetch\MBSAUTHENTICATE_39.EXE-11197F82.pf has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\url.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\url.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mshtml.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mshtml.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mshtml.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\mshtml.dll has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udc has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udc has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udc has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udc has been deleted by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udcIISGCDKHBCYWJQTLCSMDS.udc has been created by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udcIISGCDKHBCYWJQTLCSMDS.udc has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udcIISGCDKHBCYWJQTLCSMDS.udc has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\VIQYJRUKNGNWDJUDXPMTV.udcIISGCDKHBCYWJQTLCSMDS.udc has been deleted by jon from JON-2FAD10340D6
File C:\WINDOWS\system32 has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\system32\inetcpl.cpl has been changed by jon from JON-2FAD10340D6
File C:\WINDOWS\Fonts\verdanai.ttf has been changed by jon from JON-2FAD10340D6


I intend on investigating this file, as it seems pretty weird to me that:
File C:\WINDOWS\system32\winiconmon.ico.bak0 has been changed by jon from JON-2FAD10340D6

After a quick Google of the name "winiconmon" it seems this file is changed in the same way in many other trojans; I've noticed particularly that Trojan.w32.Looksky does exactly the same as MBS and changes this file and gives it the extension .bak0.
« Last Edit: October 03, 2007, 08:21:08 am by jonlewi5 »


ForumFriend
« Reply #5 on: October 03, 2007, 08:20:30 am »

Thanks, Jon, for posting that up. Speaking for myself, I don't have the knowledge to interpret any of this, but I know there are forum users who may find this interesting and who can comment on what appears to be happening.

And, of course, it will be most interesting to hear what you think when you've had a chance to look at it further.

jonlewi5
« Reply #6 on: October 03, 2007, 08:36:43 am »

No probs, am finding it pretty interesting tbh, but I think I need to do a bit of rewriting of that program to add a timestamp.

Anyway, there are a few things in there IMO that just don't seem right. I'll be grabbing some MD5 hashes, then installing another virtual machine to compare both the logs and MD5 hashes tonight, hopefully.

Sadly though there may be a small halt in this as I'm going away on Friday with my parents to work on their house in Bulgaria. Obviously I'll be taking my laptop but there will be a lack of internet out there, but I'll continue working on this.
« Last Edit: October 03, 2007, 08:52:22 am by jonlewi5 »


ForumFriend
« Reply #7 on: October 03, 2007, 09:03:55 am »

Thanks again, Jon, I think it will be very interesting not only for those who understand the links, but also to others (like me!) who will be interested in the interpretations!  I wish I had the capability to take this kind of approach, as there've been a number of things which have puzzled me.  For example, there have been a number of people who are adamant that they've not clicked any 'I agree' buttons, yet whose IE histories have apparently demonstrated that they DID agree, there are others who have been searching for completely different things (one of these was a rat breeder) who found the software downloaded onto their PCs and haven't the remotest idea where it has come from (and are the sole users of their PCs), so if you are able to contribute to an understanding of those anomalies, it would be great.

Looking forward to hearing further from you when you've time, and wishing you bon voyage meanwhile.

ForumFriend
« Reply #8 on: October 03, 2007, 09:16:25 am »

Jon, a further thing:  I've just looked at the first image you posted on imageshack, and noticed that the 'I agree to the ts and cs' box is ticked.  Can you recall if that was 'preticked' when it appeared on your screen? 

jonlewi5
« Reply #9 on: October 03, 2007, 09:34:21 am »

No, it definitely wasn't ticked at first; I HAD to tick it. But one thing I can't remember was whether or not the button was disabled before I clicked on "I agree", so that is something I'm going to look into tonight. Thanks for that ;)


jonlewi5
« Reply #10 on: October 03, 2007, 09:40:02 am »

Another thing I would like to ask:

To anyone reading this that has become infected, what operating system were you using??

If there is anyone using anything other than XP, then please tell me; I'll install that OS as well and see what effect MBS had on the files there as well.

If anyone would like to help with this, I have posted the tools on my website, but tonight I'll upload them elsewhere, as if MBS hear of this tool (when it's eventually finished) I fear they may come after me (as they have stated they will be taking legal action against companies selling software which tries to remove their shit).

EDIT
Also something else I have just noticed within the log: the Windows error.wav has changed???
Has anyone that has been infected noticed that their Windows error sound has changed??

EDIT EDIT
I've been taking another look through the log, and another thought has come to mind. This "program" seems to be changing a lot of files, which leads me to think that even though people have physically deleted the files related to MBS, perhaps there are still underlying files relating to this program on the computer. At the moment this is only speculation, but I'll cross-check the hashes of the files between an infected computer and a non-infected computer; they should be the same.
« Last Edit: October 03, 2007, 10:45:35 am by jonlewi5 »


jonlewi5
« Reply #11 on: October 03, 2007, 05:14:25 pm »

Here are the CRC32 and MD5 hashes from virtual machine number 1. Note the last 2 entries, where one file has been changed to a backup yet the file created by MBS has the EXACT same MD5 AND CRC32 hash; that's confused me a bit. Anyway, my findings so far.


MBSAuthenticate_39

CRC32 Hash : C224F955

MD5 Hash : F254336414CFF5052ACE3A9C0128333

Sexxxpassport (desktop shortcut)

Now this is an odd one: the shortcut doesn't actually take you to a website,
it takes you to a file hidden within your Temporary Internet Files. Here is the
path on my machine:

C:\Documents and Settings\jon\Local Settings\Temporary Internet Files\Content.IE5\8JLJAAPA\mbs_enter[1].php

CRC32 Hash : DD4750A0
MD5 Hash : BB64D220FF174DEC13BC9D8DE8F4BE2

mbsrm32
(within the system32 folder)

CRC32 Hash : 570BD8D6
MD5 Hash : AFBD3F7AA39AD33095BBA3D6EEECBC74

mbssm32
(again within the system32 folder)

CRC32 Hash : 28A1D33B
MD5 Hash : F6BC488DF425D06FFB9FDAA4A96C3

Sexxxpassport.ico
(again within system32 folder)

CRC32 Hash : 6E9A3541
MD5 Hash : 16F88F3F918E8987F0A3179DEF95650

UBSauthenticateAXC.ocx
(again within the system32 folder)

CRC32 Hash : 3CA88EDE
MD5 Hash : 6C744FD7C7B6566570ED637DC2EF5127

winiconmon.ico
(again within the system32 folder; this is the oddest part, instead of MBS just
deleting or modifying the original winiconmon, it created a backup, see below)

CRC32 Hash : 4F624D99
MD5 Hash : 32AC102F77E98361599AE23274C1BDC

winiconmon.ico.bak0

CRC32 Hash : 4F624D99
MD5 Hash : 32AC102F77E98361599AE23274C1BDC




NOTE: I've changed the name of this thread to something more suitable, lol.
« Last Edit: October 03, 2007, 05:33:58 pm by jonlewi5 »
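Two things about the hash list above are worth a worked example (editor's code, not the poster's hashing tools). First, five of the seven MD5 values are shorter than 32 hex digits (an MD5 digest is 16 bytes, so 32 hex digits), which is exactly what a tool produces when it formats each byte with "%X" instead of "%02X": a byte such as 0x0A prints as "A" and the string loses a character. Such values cannot be matched against anyone else's hash of the same file, so they need to be recomputed with correct padding before being compared across VMs or with published reports. Second, identical CRC32 and MD5 on winiconmon.ico and winiconmon.ico.bak0 means the two files are byte-for-byte the same, which is consistent with the log: the installer renamed the original to .bak0 and then wrote the same icon back. The code below reproduces the padding bug, flags the malformed strings exactly as posted, and then does the cross-VM comparison the thread is working towards, on two constructed runs (VM1/VM2 and their file contents are invented for the example) where one dropped binary differs between installs and one file is only dropped in one run.

```python
"""Hash bookkeeping for the cross-VM comparison: correctly padded CRC32/MD5,
detection of malformed MD5 strings, and comparison of dropped-file hashes between runs.
Added example, not the original poster's tools."""
import hashlib
import zlib

HEX = set("0123456789abcdefABCDEF")


def md5_hex(data):
    """MD5 as 32 upper-case hex digits (every byte zero-padded to two digits)."""
    return hashlib.md5(data).hexdigest().upper()


def md5_hex_unpadded(data):
    """Reproduces the tool bug: each byte formatted with %X instead of %02X, so a byte
    such as 0x0A prints as 'A' and the digest comes out shorter than 32 characters."""
    return "".join("%X" % b for b in hashlib.md5(data).digest())


def crc32_hex(data):
    """CRC32 as 8 upper-case hex digits (masked so Python 2/3 sign differences do not matter)."""
    return "%08X" % (zlib.crc32(data) & 0xFFFFFFFF)


def fingerprint(data):
    return crc32_hex(data), md5_hex(data)


def malformed_md5s(values):
    """Return the strings that cannot be a complete MD5 (not exactly 32 hex digits)."""
    return [v for v in values if len(v) != 32 or not set(v) <= HEX]


# MD5 strings exactly as posted above (page data, not constructed).
POSTED_MD5 = [
    "F254336414CFF5052ACE3A9C0128333",    # MBSAuthenticate_39
    "BB64D220FF174DEC13BC9D8DE8F4BE2",    # mbs_enter[1].php
    "AFBD3F7AA39AD33095BBA3D6EEECBC74",   # mbsrm32
    "F6BC488DF425D06FFB9FDAA4A96C3",      # mbssm32
    "16F88F3F918E8987F0A3179DEF95650",    # Sexxxpassport.ico
    "6C744FD7C7B6566570ED637DC2EF5127",   # UBSauthenticateAXC.ocx
    "32AC102F77E98361599AE23274C1BDC",    # winiconmon.ico and winiconmon.ico.bak0
]


def compare_runs(runs):
    """runs: {vm_name: {filename: (crc32, md5)}}.
    stable  = dropped in every run with identical hashes (safe to hard-code in a remover)
    varying = dropped in every run but with different bytes (per-install or polymorphic)
    missing = not dropped in every run (install path differs between runs)"""
    all_files = sorted(set().union(*(r.keys() for r in runs.values())))
    stable, varying, missing = [], [], []
    for name in all_files:
        present = {vm: r[name] for vm, r in runs.items() if name in r}
        if len(present) != len(runs):
            missing.append(name)
        if len(set(present.values())) > 1:
            varying.append(name)
        elif len(present) == len(runs):
            stable.append(name)
    return {"stable": stable, "varying": varying, "missing": missing}


def duplicates_within_run(run):
    """Groups of files in one run with identical (crc32, md5), i.e. byte-for-byte copies."""
    by_fp = {}
    for name, fp in run.items():
        by_fp.setdefault(fp, []).append(name)
    return [sorted(names) for names in by_fp.values() if len(names) > 1]


# Constructed sample runs (file contents are invented; only the shape mirrors the post).
ICON = b"constructed icon bytes"
VM1 = {
    "mbssm32.exe": fingerprint(b"constructed mbssm32 build 1"),
    "winiconmon.ico": fingerprint(ICON),
    "winiconmon.ico.bak0": fingerprint(ICON),
    "UBSauthenticateAXC.ocx": fingerprint(b"constructed ocx bytes"),
}
VM2 = {
    "mbssm32.exe": fingerprint(b"constructed mbssm32 build 2"),
    "winiconmon.ico": fingerprint(ICON),
    "winiconmon.ico.bak0": fingerprint(ICON),
    "UBSauthenticateAXC.ocx": fingerprint(b"constructed ocx bytes"),
    "181ECE0B.inf": fingerprint(b"constructed inf bytes"),
}

if __name__ == "__main__":
    print("malformed as posted:", malformed_md5s(POSTED_MD5))
    print("unpadded md5 of empty input:", md5_hex_unpadded(b""), "padded:", md5_hex(b""))
    print(compare_runs({"vm1": VM1, "vm2": VM2}))
    print(duplicates_within_run(VM1))
```

A file in "varying" is the case the thread is worried about: a removal tool keyed on a fixed hash would miss it, so it has to be keyed on path and name instead (or on a hash of a stable part of the binary). A file in "missing" tells you the install does not always drop the same set, so the baseline diff from each VM has to be merged rather than taken from one run.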


helpplz
« Reply #12 on: October 03, 2007, 05:54:34 pm »

Jon, what do you think of MBS? Since you have been on their site, will you pay them?
Would you say NEVER to pay them because they're scamming people?
jonlewi5
« Reply #13 on: October 03, 2007, 05:58:38 pm »

No, I would never pay them; IMO their business ethics are appalling. Quite a coincidence really, but I got a call about this today at work. You see, I work for my local internet service provider on technical support, and it happens to be the second call about it this week; I pointed them to this site.
And yes, I have to say, I believe it is a total scam.

Anyway, a bit more info: found this in the registry of the virtual machine

http://img526.imageshack.us/img526/151/regveiwyk4.jpg

Location:
HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\currentversion\run


jonlewi5
« Reply #14 on: October 03, 2007, 06:57:29 pm »

Jon, a further thing:  I've just looked at the first image you posted on imageshack, and noticed that the 'I agree to the ts and cs' box is ticked.  Can you recall if that was 'preticked' when it appeared on your screen? 


Your answer, mate:

http://img161.imageshack.us/img161/6431/youmustclickwb8.jpg

You have to tick the box before continuing.

