27 August 2007 @ 07:39 pm
Mailspectre update.  
Well, apparently I've located and killed all parts of mailspectre. If you want me to send you the infected files, leave a comment.

Here are the details:
mailspectre.exe lives in c:\windows\system32

Another bit is infected IEXPLORE.EXE, which lives in c:\windows\system32\dllcache AND in its usual place of C:\Program Files\Internet Explorer
Here is the relevant bit of netstat -a -b output from an infected computer:

Name Local address Remote address Status PID
TCP localhost:9062 localhost:0 LISTENING 1140
TCP localhost:1066 SYN_SENT 2144
TCP localhost:1067 SYN_SENT 1428

Some bits edited to protect the innocent. Guilty are exposed though. :>
After renaming iexplore.exe and mailspectre.exe, creating directories with the same names and rebooting (a cold one), the infection apparently subsided, i.e. no listening or SYN_SENTing is happening.

However, I am not a programmer, nor do I know much about disassembling and reverse engineering viruses. So, I'd happily send bits on request. :> To those that I know can do that, at least. :>

Also: I was -UNABLE- to clean the registry and other things that lead to restoration of the virus. I checked that if you re-enable IEXPLORE.EXE it will reinfect your computer.
Hopefully this information will help you to stop this piece of malware from sending spam from your domains.

ALSO: Before I found out more about this virus, I deleted partition C, recreated it, reformatted, and reinstalled the OS. BUT. After reboot it returned to the previous OS installation, and all the data on that HDD was intact, so possibly the virus is more insidious than I think it is.

Update: Okay, the Windows re-install thingy is because Windows is dumb, and the drive configuration is weird.

On the other hand, I deleted and re-created the partitions in Linux correctly, and wrote and whatnot. Strange, but most likely a human mistake. :>
(Anonymous) on August 31st, 2007 12:25 am (UTC)
MailSpectre trouble
Hi, can you help me step by step with MailSpectre? It's really bugging me and causing functions to be disabled and the internet to be down at many times. Please send me the infected files. My e-mail is littoxdede@yahoo.com. Many people are speaking of renaming files and creating directories or whatever, but I'm quite confused on that stuff b/c I've only dealt with safe mode, command prompt, and regedit (registry). PLEASE HELP !!! Thank you.
Стихийный Эйсид и Пиченька Судьбы (xnrrn) on August 31st, 2007 05:43 am (UTC)
Re: MailSpectre trouble
I've renamed mailspectre.exe on live Windows (you can do that in safe mode too).
Then create a directory named Mailspectre.exe.
Viruses play by the rules set by Windows, and the virus can't be created in that directory if there is a directory or file there with that name.

Reboot into normal mode and open a console: Start->Run->cmd

Type netstat -a -b
Wait for the output and look at which files listen to the outside world or communicate (there will be particular IP addresses).

Go and rename those files, and create directories in their stead. If Windows complains about its core files being changed, ignore it.

I have no idea WHERE in the registry mailspectre is. However, I did search the registry and deleted all mentions of it.
(Anonymous) on September 1st, 2007 01:41 pm (UTC)
Re: MailSpectre trouble
When you say create a directory named Mailspectre.exe, are you telling me to go to windows\system32 and create an application with the name 'Mailspectre'??
Стихийный Эйсид и Пиченька Судьбы (xnrrn) on September 1st, 2007 09:52 pm (UTC)
Re: MailSpectre trouble
Yes. Right click. New->Folder-> "Mailspectre.exe"
(Anonymous) on August 31st, 2007 02:49 am (UTC)
mail spectre trouble
So......... I went into safe mode and deleted mailspectre. But from reading about Mailspectre I found that people had trouble preventing it from getting back onto their computer. So I suppose mailspectre will return onto windows\system32. Please help!