Hackforums.net Investigation


We are working to get Hackforums.net shut down. We feel strongly that it is a website which has an undue influence on young people as well as promoting illegal computer activities such as hacking, virus spreading, manipulation of online financial services etc.

I'm not certain what your criteria are for judging a site to be 'positive for malware'. I know that is not an easy threat to withstand and I don't blame this site for exercising caution and withdrawing the 'positive' for malware decision.

Hackforums.net - "Infecting one another with malware."


We are reporting this site for illegal activities and it should be closed as soon as possible!

Legal internet law will clean all illegal activities and we will help realise it!

[IT Security Team]

Worm.Win32.FFAuto.uy

Exe file:
http://123back.com/1.EXE

Java drive by:
http://123back.com/

The following Host Names were requested from a host database:
  - sam.chatsmate.com
  - ms.tvchatz.com
  - chatsmate.com
  - justchatz.com
  - tvchatz.com

UDP Connections
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3001 packet(s) of size 0
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0

Registry Changes by all processes
Create or Open:
  Changes:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
  Reads:
    HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"

File Changes by all processes
New Files:
  \Device\RasAcd
  C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Opened Files:
  C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
  \\.\PIPE\lsarpc
Deleted Files:
  C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Chronological Order:
  Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
  Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
  Delete File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
  Copy File: c:\1.EXE to C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
  Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
  Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe (OPEN_EXISTING)
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)

Hosting info:
http://whois.domaintools.com/173.248.136.153