Nexus Pro [1 week left] 19.16 - Valid until 20th Sept

Discussion in 'Archives' started by Unknown Guy, Sep 13, 2008.

Thread Status:
Not open for further replies.
Nexus Pro [1 week left] 19.16 - Valid until 20th Sept
  1. Unread #1 - Sep 13, 2008 at 7:57 AM
  2. Unknown Guy
    Referrals:
    0

    Unknown Guy Guest

    Nexus Pro [1 week left] 19.16 - Valid until 20th Sept

    Removed due to auth removal by rsca
     
  3. Unread #2 - Sep 13, 2008 at 10:29 AM
  4. mikeyboi
    Joined:
    Dec 28, 2007
    Posts:
    942
    Referrals:
    1
    Sythe Gold:
    0

    mikeyboi Apprentice
    Banned

    Nexus Pro [1 week left] 19.16 - Valid until 20th Sept

    can anyone verify it?
     
  5. Unread #3 - Sep 13, 2008 at 10:59 AM
  6. john dean
    Joined:
    Sep 1, 2008
    Posts:
    514
    Referrals:
    0
    Sythe Gold:
    0

    john dean Forum Addict
    Banned

    Nexus Pro [1 week left] 19.16 - Valid until 20th Sept

    i wouldn't
    its to good to be true
     
  7. Unread #4 - Sep 13, 2008 at 12:01 PM
  8. KaYn_idk
    Referrals:
    0

    KaYn_idk Guest

    Nexus Pro [1 week left] 19.16 - Valid until 20th Sept

    Em 17mb to download with a conection of 64 kbps rofl...
    Srry i'll pass
     
  9. Unread #5 - Sep 13, 2008 at 12:24 PM
  10. AntiH3r0
    Joined:
    Jun 10, 2005
    Posts:
    286
    Referrals:
    0
    Sythe Gold:
    0

    AntiH3r0 Forum Addict
    Banned

    Nexus Pro [1 week left] 19.16 - Valid until 20th Sept

    I downloaded it and scanned but nothing came up, but my Nod32 said something like couldn't scan .jar files? I'm not saying its safe but i didnt find anything nor did i run it...
     
  11. Unread #6 - Sep 13, 2008 at 12:57 PM
  12. tom jr
    Joined:
    Jun 28, 2008
    Posts:
    408
    Referrals:
    1
    Sythe Gold:
    0

    tom jr Forum Addict

    Nexus Pro [1 week left] 19.16 - Valid until 20th Sept

    MALWARE! Do not download.

    There's no reason to download the file in the first place. Ibot is licensed/authorized based on IP address, so even if this file was legitimate, the only people who can use the license are those at the IP address it was registered at.

    I downloaded it, extracted it, scanned it (no malware found, which doesn't mean none exists, and in fact, run.bat installs malware), and ran it.

    "Could not find the main class. Program will now exit."

    Four more attempts got the same result.

    The program opens Internet Explorer silently and connects to this site:

    iexplore.exe:1420 TCP home:1417 78-70-121-72-no170.tbcn.telia.com:6666 ESTABLISHED

    If the user kills Internet Explorer, it reopens within seconds and tries to connect to the site again.

    I disabled Internet Explorer's access to the internet, and I'm going to figure out what's going on here. Until then, don't download this.

    Here's what run.bat looks like:

    Code:
    @echo off
    echo *
    echo *
    echo "IF NOT WORKING, try running install.bat or install.sh!!!"
    echo *
    echo *
    start javaw -Xmx1000m -Xbootclasspath/p:"C:\Documents and Settings\Administratör\Skrivbord\Downloads\Nått annat\nex2\nexus\jars\bcel.jar";"C:\Documents and Settings\Administratör\Skrivbord\Downloads\Nått annat\nex2\nexus\jars\commons-net-1.4.1.jar";"C:\Documents and Settings\Administratör\Skrivbord\Downloads\Nått annat\nex2\nexus\jars\install.jar";"C:\Documents and Settings\Administratör\Skrivbord\Downloads\Nått annat\nex2\nexus\jars\jface.jar";"C:\Documents and Settings\Administratör\Skrivbord\Downloads\Nått annat\nex2\nexus\jars\sqlite.jar";"C:\Documents and Settings\Administratör\Skrivbord\Downloads\Nått annat\nex2\nexus\jars\sqlitejdbc.jar";"C:\Documents and Settings\Administratör\Skrivbord\Downloads\Nått annat\nex2\nexus\jars\tools.jar";"C:\Documents and Settings\Administratör\Skrivbord\Downloads\Nått annat\nex2\nexus\jars\swt-3.4M4-windows-Java32bit.jar";"C:\Documents and Settings\Administratör\Skrivbord\Downloads\Nått annat\nex2\nexus\jars\nexus1913pro.jar"; impsoft.nexus.installer.Main 
    
    
    start config\svnupdate
    pause
    
    run.bat apparently installs files called mpee32 and mpee32.exe in the windows\system32 folder. "HiJack This" found that entry, which wasn't there in the last scan (done yesterday).

    mpee32.exe runs (invisible to the Task Manager) under Windows Local Security Authority Subsystem Service (lsass.exe). It forces a copy of Internet Explorer to open silently (without the interface) and connect to the above internet address, where a file that appears to be programming code.

    If the user tries to close that Internet Explorer copy, mpee32.exe reopens it and connects to the address again.

    I'm not a programmer, so I have no idea what the programming code on the website is all about. Somebody else can take a look, or if the thread starter deletes it, I've got a copy of that (and mpee32 and mpee32.exe) saved if anybody wants to see it. My guess would be that it's some sort of trojan or keylogger; mpee32.exe would be the trojan server, and the trojan client (listener) would be located at the above internet address and port.

    What I DO know is that Nexus/IBot doesn't install mpee32.exe on computers (I checked with somebody who uses Nexus), nor would Nexus have any reason to constantly reopen Internet Explorer silently to connect to a private user---especially after I uninstalled the Nexus folder.

    I've forwarded all of these files to various antivirus companies, and I've sent an abuse report to Telia.

    Running Windows in Safe Mode and deleting/moving mpee32.exe and mpee, and having HiJack This delete the corresponding key fixed the problem.
     
  13. Unread #7 - Sep 13, 2008 at 2:49 PM
  14. Unknown Guy
    Referrals:
    0

    Unknown Guy Guest

    Nexus Pro [1 week left] 19.16 - Valid until 20th Sept

    It updates svn which allows the client to autoupdate.
    The infections is due to security problems in windows xp.
     
  15. Unread #8 - Sep 13, 2008 at 3:41 PM
  16. tom jr
    Joined:
    Jun 28, 2008
    Posts:
    408
    Referrals:
    1
    Sythe Gold:
    0

    tom jr Forum Addict

    Nexus Pro [1 week left] 19.16 - Valid until 20th Sept

    You're full of shit.

    The infection is due to the fact that I ran the thing to see what would happen---the computer it's on is locked down so that nothing critical can be altered without permission, there's nothing to steal on it, and I can monitor what it does and eventually fix it.

    I've updated my previous post to reflect exactly what your malware does.

    Mods/Admins: does the thread starter also come from: 78-70-121-72-no170.tbcn.telia.com ( 78.70.121.72 ), the site that the trojan connects to?

    The thread starter deleted the link. I have the original file saved, along with the malware that it installs. Anybody who would like to see it is welcome to PM me.
     
< selling lvl 69 range tank | Avianies? Pot Or Defence >

Users viewing this thread
1 guest
Thread Status:
Not open for further replies.


 
 
Adblock breaks this site