Recently the problems over at Myspace have got plenty of media attention. In short, a hacker has been able to add a background image covering the majority of many Myspace profile pages. If you click outside any of the clickable controls you are taken to the hacker's web site, where you are asked to install a fake codec, but more interestingly it also exploits a security hole in unpatched systems to install software automatically. The new files that appeared on the system after running into the exploit are listed below, marked (Remove) in the log:
FreeFixer v0.22 log
http://www.freefixer.com/
Operating system: Windows NT 5.1
Log dated 2007-08-19 17:11

Browser Helper Objects
{8018729F-3F80-4555-973B-EED3F3E8E4CD}, , C:\WINDOWS\System32\crtdl.dll (Remove)

Basic Internet Explorer settings
HKCU\..\Main, Start Page = http://www.google.com/

Registry Startups
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Autostart shortcuts
msn_0711_upd072301.exe, , C:\Documents and Settings\All Users\Start-meny\ProgramAutostart\msn_0711_upd072301.exe (Remove)

Processes (13 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Program\FreeFixer\freefixer.exe
C:\Program\hjt\HijackThis.exe

Drivers (26 whitelisted)
tcgsozgq, , C:\WINDOWS\System32\drivers\kleutrqq.dat (Remove)
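As an added example (not the post's or FreeFixer's own code), this PowerShell script enumerates the same three persistence locations the log shows, Browser Helper Objects, the Startup ("Autostart") folder and kernel drivers, and flags images that are missing, unsigned, or, for drivers, not a .sys file. It assumes a current Windows with PowerShell 5 or later; Get-CimInstance is not available on Windows XP, where the log above was taken.

```powershell
# Added example (not FreeFixer's code): enumerate the persistence locations from the log
# above (BHOs, Startup folder, kernel drivers) and flag images worth a closer look.
function Get-BhoEntries {
    # IE loads every CLSID under this key; the DLL path lives in HKCR\CLSID\{..}\InprocServer32
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem $bhoKey) {
        $clsid  = $sub.PSChildName
        $inproc = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll    = if ($inproc) { [Environment]::ExpandEnvironmentVariables($inproc.'(default)') }
        [pscustomobject]@{ Source = 'BHO'; Id = $clsid; Path = $dll }
    }
}
function Get-StartupEntries {
    # Per-user and All Users Startup ("Autostart" on a Swedish install); resolve .lnk targets
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'CommonStartup') {
        Get-ChildItem -LiteralPath ([Environment]::GetFolderPath($folder)) -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
                [pscustomobject]@{ Source = 'Startup'; Id = $_.Name; Path = $target }
            }
    }
}
function Get-DriverEntries {
    # Normalise the NT-style paths the service database stores (\??\ and \SystemRoot prefixes)
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $p = ($_.PathName -replace '^\\\?\?\\', '') -replace '^\\SystemRoot', $env:SystemRoot
        if ($p -and -not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
        [pscustomobject]@{ Source = 'Driver'; Id = $_.Name; Path = $p }
    }
}
function Get-TriageReasons {
    param([pscustomobject]$Entry)
    if (-not $Entry.Path) { return @('no image path') }
    if (-not (Test-Path -LiteralPath $Entry.Path)) { return @('image file missing') }
    $reasons = @()
    $sig = Get-AuthenticodeSignature -LiteralPath $Entry.Path
    if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    # Kernel drivers are practically always .sys; a .dat image such as kleutrqq.dat stands out
    if ($Entry.Source -eq 'Driver' -and [IO.Path]::GetExtension($Entry.Path) -ne '.sys') { $reasons += 'driver image is not .sys' }
    return $reasons
}
@(Get-BhoEntries) + @(Get-StartupEntries) + @(Get-DriverEntries) | ForEach-Object {
    $why = Get-TriageReasons $_
    if ($why.Count -gt 0) { $_ | Add-Member -NotePropertyName Reasons -NotePropertyValue ($why -join '; ') -PassThru }
} | Format-Table Source, Id, Path, Reasons -AutoSize
```

Run it from an elevated prompt so the driver image paths and HKLM keys are readable; treat an unsigned status as a prompt to look closer, not as proof of infection, since some legitimate third-party components are also unsigned.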
Surprisingly, the majority of anti-virus programs do not detect these malware files.
FreeFixer deletes crtdl.dll and msn_0711_upd072301.exe without any difficulties. However, I had to use the Windows XP recovery console to remove the kleutrqq.dat device driver.
ArthurT writes