ASCII Doom

Shell City and/or Daily Rotation -- Got something to say?


Postby DocJon » 01/20/07, 12:06 pm

I'm new here, and I apologize if this is the wrong place to post this, but something's come up in regard to the Shell Extension City site I wanted to bring to ppl's attention. I've been reading Daily Rotation & visiting Shell Extension City for over a year now, and, as a daily reader, I enjoy it. However, something happened to me today I wanted to notify someone about.

I saw the entry for ASCII Doom, and it seemed like a fun little diversion, so I DL'ed it and ran it. BEFORE I had even selected an install directory and started installing (just sitting at the first prompt after clicking on ASCIIdoom.exe), WinPatrol notified me of something being added to my startup - the file "jkhhe.dll". I told it to NOT allow it, since I saw no good reason why a program such as ASCIIdoom should add anything to my startup.

Well, this file was persistent, and even though I terminated the process before BEGINNING the install, jkhhe.dll was constantly trying to add itself to my startup. Starting to worry, I did a Google search on jkhhe.dll, and found out it's related to the Vundo Trojan. It took me about an hour, but I used HijackThis, FixVundo.exe and VirtumundoBeGone.exe, and after running the latter 2 multiple times and rebooting multiple times, I appear to be clean.

A small excerpt from the VirtumundoBeGone.exe log file:

[01/20/2007, 4:07:32] - BHO 2: {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} ()
[01/20/2007, 4:07:32] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/20/2007, 4:07:32] - Checking for HKLM\...\Winlogon\Notify\jkhhe
[01/20/2007, 4:07:32] - Found: HKLM\...\Winlogon\Notify\jkhhe - This is probably Virtumundo.

I run WinPatrol, AVG 7.5 antivirus (updated daily), and Sygate firewall 5.5. I periodically run Spybot - Search & Destroy and Ad-Aware. I'm not an IT expert, but I have access to a few, and I try to take precautions in my computer/internet use. I'm pretty sure my problem was directly related to the opening of the ASCIIdoom.exe file (the problem occurred immediately following, with no other unusual activity/use/installing of programs immediately preceding).

I was hoping someone could look into this, or notify someone who is in a position to do so. I hope I haven't broken any rules or protocols by posting this.
Thank you.
DocJon
Member *
 
Posts: 7
Joined: 01/20/07, 11:42 am

Postby bob » 01/20/07, 6:32 pm

You are the only one to report such a problem.... If someone verifies the issue, I'll remove the site from Shell City.

From Softpedia "ASCII Doom 2.0 is 100% CLEAN, which means it does not contain any form of malware, including but not limited to: spyware, viruses"

http://games.softpedia.com/get/Freeware ... Doom.shtml

I downloaded it and scanned the exe with AVG, no problem found.
WYSIWTF
bob
BIG GIANT HEAD I Get Free Beer
Posts: 7565
Joined: 12/03/01, 12:00 am
Location: St. Louis

Postby DocJon » 01/20/07, 9:37 pm

Ok. I could not think of ANY other way I could have got this, so I thought I'd report it. Sorry for the false alarm.
DocJon
Member *
 
Posts: 7
Joined: 01/20/07, 11:42 am

Postby DocJon » 01/20/07, 9:50 pm

Ok, I just went to DL and install it again. NOW it's trying to put a file called JKHFF.DLL into my startup. . .AND it's being JUST as insistent as the other, similarly-named program. I'm forced to believe there is something wrong with this file, unless someone has a better explanation for this happening every time I download and install this program.

I actually DL'ed it twice now, and 2 times it has tried to insist I install a file that is a known name variant of the Vundo trojan. TWO different names yet. What legit prg randomly names its startup component?

The only other explanation is that my system is infected from a different source, and that clicking and running the doom.exe is somehow activating this process and triggering something that Winpatrol is alerting me to. Seems unlikely, but I will continue to investigate. I will write more soon, as I work with this.
DocJon
Member *
 
Posts: 7
Joined: 01/20/07, 11:42 am

Postby DocJon » 01/21/07, 12:44 am

OK, I've had to eradicate the Vundo trojan since last post, which involves multiple reboots, 2 programs and multiple scans at ~30 minutes each. My machine should now be clear.

I've visited a couple of sites since my last post, and DL'ed & installed the A-Squared anti-malware 30-day trial. Installing this prg did not trigger my WinPatrol. Running the FixVundo.exe and VirtumundoBeGone.exe did not trigger it. Nothing else I've done has triggered WinPatrol's warning me (with known bad files wanting to insert themselves in my startup) except running the ASCII doom.exe pointed to on Shell Extension City, which I dl'ed twice, ran twice, and had problems immediately following double-clicking on this file twice.

My experiments with this file are done.
DocJon
Member *
 
Posts: 7
Joined: 01/20/07, 11:42 am

Postby DocJon » 01/21/07, 1:05 am

More info from Google search:

(Same site, but I made the TinyURL in case the long link breaks. . .and the Tiny URL contains highlighted search terms from my Google search.)

http://tinyurl.com/2lty8j

http://groups.google.mw/group/alt.comp. ... 2b69c08ab8

This is the only reference I was able to find in Google. (I found 4 pages' worth, actually, but the English ones all seem to relate to the link I posted.) Admittedly, not an overwhelming argument to support what I've experienced, but some other ppl HAVE found fault with that site and the file in question.

I've always been comfortable with Shell Extension City, particularly when I've seen questionable files removed (quickly) in the past. Given my experience in the past 24 hours, and that the file is STILL there, I no longer feel that way.
DocJon
Member *
 
Posts: 7
Joined: 01/20/07, 11:42 am

Postby bob » 01/21/07, 3:03 am

Now you've given me sufficient verification that I'll remove the link....

As for Shell City and downloads--read the policy:

http://www.shellcity.net/policy.htm
WYSIWTF
bob
BIG GIANT HEAD I Get Free Beer
Posts: 7565
Joined: 12/03/01, 12:00 am
Location: St. Louis

Postby Gerry » 01/21/07, 3:33 pm

Long link break... hah, not here. :D
Test:

http://209.85.165.104/search?q=cache:SN ... clnk&cd=15


Anyway, what was the link that you were pointing to Bob? I want to have a look see.

Cheers for the tip DocJon, but go easy on Bob, he's a saint who runs the site by himself and doesn't ask for anything in return.

P.S. It was less than 13 hours, not 24. Notice the am vs pm on the post times.
I answer rhetorical questions for my own enjoyment.
Gerry
BIG GIANT HEAD I Get Free Beer
Posts: 5727
Joined: 12/04/01, 12:00 am
Location: Perth, Western Australia

Postby bob » 01/21/07, 4:00 pm

WYSIWTF
bob
BIG GIANT HEAD I Get Free Beer
Posts: 7565
Joined: 12/03/01, 12:00 am
Location: St. Louis

Postby DocJon » 01/21/07, 10:00 pm

Gerry wrote: Cheers for the tip DocJon, but go easy on Bob, he's a saint who runs the site by himself and doesn't ask for anything in return.

P.S. It was less than 13 hours, not 24. Notice the am vs pm on the post times.


Sorry if I was a bit brusque, but all that scanning and Googling and rebooting and such got to be a bit much. I didn't know Bob ran it by himself. I've visited Shell Extension City for more than a year. . .I guess I thought of it as a fairly big deal, surely with several ppl running it and with rigid routines to test and ensure safety. . .and thinking this, I didn't know why I had to spend hours looking into this and putting my system further at risk. It looks like Softpedia dropped the ball on their verification. . .surely THEY'RE big enough to safely blame :)

Thanks for all the good work I've enjoyed in the year+ I've been visiting. . .and keep an eye out for the nasties! If things get much worse, I fear the internet will not be a safe place to visit.
DocJon
Member *
 
Posts: 7
Joined: 01/20/07, 11:42 am

Postby bob » 01/21/07, 10:55 pm

I guess I thought of it as a fairly big deal, surely with several ppl running it and with rigid routines to test and ensure safety. . .


Over a year and you've never once clicked on the "Know Your Software" link?

and thinking this, I didn't know why I had to spend hours looking into this and putting my system further at risk. It looks like Softpedia dropped the ball on their verification. . .surely THEY'RE big enough to safely blame


I'll tell you the truth, Doc... I took it down because you were able to point to one message board where another posted that he had the problem, so you verified it, but I have my doubts. Hundreds of others went over there and downloaded that file--yours is the only report of trouble. If everyone who installed it had the problem, I'd be overwhelmed with email. I know. It's happened before. Also I googled the prog -- normally this will turn up a big stack of posts if the program is malware...

http://www.google.com/search?as_q=&hl=e ... afe=images

And then there is Softpedia and my own scan....

And yes, Gerry is as usual, right... I am a saint. St. Bob.... He'll tell you though, a crabby saint...
WYSIWTF
bob
BIG GIANT HEAD I Get Free Beer
Posts: 7565
Joined: 12/03/01, 12:00 am
Location: St. Louis

Postby SOD » 01/22/07, 3:54 am

You forgot the word 'old'. Old crabby saint :P

Seriously though Doc, you know who is accountable and responsible for the safety of your installation?

That would be you....
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Postby SOD » 01/22/07, 4:56 am

Ok, this is cool. I installed Doom and, lo and behold, it installed a .dll called vtuts and the reg key mentioned by Doc. Apparently this installer has a few ways of installing this trojan and different names for the offending .dll.
I opened the .dll and yup, it does phone home bigtime.
Still playing; I'll let you know what I find out. But in this case AVG and Softpedia missed the boat.

I love doing shit like this...thx for the project doc.

Don't blame anyone though, this is a tricky bastardo :shock:
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Postby SOD » 01/22/07, 5:52 am

Yeah, this is Vundo as Doc said. Heh, I have a text file of the compiled .dll; it is well written. Going to eradicate it now.

Yeah Bob, Doc was right. The bastard even alters the created time by a few minutes so as to disassociate itself from the Doom trojan loader. It's all there: the CLSID, the shell hook and the Winlogon Notify reg entries. The thing that pisses me off more than anything else is that this was so easy to accomplish and to breach Win XP security. WTF is wrong with MS? Like I said, XP is a PIECE-O-SHIT; hell, anyone could write these and install them, it is very obvious. Since it is not a virus but an application extension!

This thing brings up a good point about MS. They still have not done nearly all they should to lock down critical aspects of the windows operating system. Shit this could be installed on 95/98/ME/NT/2k or in my case XP! You have got to be kidding!

It only goes to show that the tricky exploits are not being utilized but the obvious ones are. Enough with the beauty contests to find the most obscure faults; let's find and fix the obvious ones first. Like no one should have privilege to install at Winlogon/Notify. What crap.
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Postby SOD » 01/22/07, 6:17 am

Further.... The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks value is being rewritten by the .dll as I delete it! This is cool; somebody did their homework.
It is better to be here than there - SOD
SOD
BIG GIANT HEAD I Get Free Beer
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there
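A defender-side check for the two persistence locations SOD names above (Winlogon\Notify and the Explorer ShellExecuteHooks key), added here as an example and not code from the thread: it parses a regedit export of those keys and flags entries outside a clean-machine baseline or carrying the five-letter random DLL names seen in this thread (jkhhe, jkhff, vtuts). The sample .reg text is constructed; the baseline DLL list and the {AEB6717E...} hook CLSID are assumed stock Windows XP entries, while the jkhhe entry and the {8E13DDE1...} CLSID are the values quoted in the thread.

```python
import re

# Constructed sample regedit export of the two keys discussed in the thread. The
# crypt32chk entry and the {AEB6717E...} hook are assumed stock XP entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chk]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkhhe]
"DLLName"="C:\\WINDOWS\\system32\\jkhhe.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{8E13DDE1-E013-47ec-9C4C-27C2F78BDD26}"=""
"""
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
# Assumed clean-XP baseline; extend it from a known-good machine before relying on it.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
KNOWN_HOOK_CLSIDS = {"{AEB6717E-7E19-11D0-97EE-00C04FD91972}"}
# Vundo-style five-letter random names seen in the thread: jkhhe, jkhff, vtuts.
RANDOM_NAME = re.compile(r"^[a-z]{5}\.dll$", re.IGNORECASE)

def parse_reg(text):
    """Return {key_path: {value_name: data}} from a regedit .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"(.*?)"="(.*)"$', line)
            if m:  # .reg doubles backslashes inside string data
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_suspicious(text):
    """Flag Winlogon\\Notify and ShellExecuteHooks entries outside the baseline."""
    findings = []
    for path, values in parse_reg(text).items():
        if path.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            dll = values.get("DLLName", "")
            name = dll.rsplit("\\", 1)[-1].lower()
            if name not in KNOWN_NOTIFY_DLLS or RANDOM_NAME.match(name):
                findings.append(("Winlogon\\Notify", path.rsplit("\\", 1)[-1], dll))
        elif path.lower() == HOOKS_KEY.lower():
            for clsid in values:
                if clsid.upper() not in KNOWN_HOOK_CLSIDS:
                    findings.append(("ShellExecuteHooks", clsid, ""))
    return findings
```

Run `find_suspicious` over a real export (regedit, File > Export, of those two keys) to get a list of (location, entry name, DLL) tuples; anything it returns deserves a closer look before a cleanup tool is run.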
