
Everyones Internet, Inc. And Pws-webmoney.gen Troj


No replies to this topic

#1 jpivonka

New Member, 1 posts

Posted 07 July 2004 - 03:37 PM

What's up with "Everyones Internet, Inc." and the PWS-WebMoney.gen trojan?

"We also see that Webhelper4u - CoolWebSearch - CWS Hijackers All has mymaydayinc.com listed as a CWS hijacker, which ties this piece of financial criminality in with the CoolWebSearch network. That is no surprise either."

"Everyones Internet, Inc." is an Information Services Provider (ISP) with a presence in the web hosting market. That is, it hosts, through its Rackshack subsidiary, web sites for people holding World Wide Web domain names. Information on the company as of May, 2003 can be had <HERE>. Adam Eisner, theWHIR.com. As it turns out, a number of those sites are in the news lately. One wonders about the security of the hosting environment being managed by this outfit. CEO Robert Marsh seems to be an interesting fellow.

Item 1. The PWS-WebMoney.gen trojan

In the initial research and description of the PWS-WebMoney.gen trojan, alias PWSteal.Refest, Tom Liston of SANS found that "The first step in the sequence of events leading to the compromise is a request to http://www4.yesadvertising.com". He found that www4.yesadvertising.com was assigned the IP address 216.40.250.58, held by:
FQDN: www4.yesadvertising.com
Aliases:
Addresses: 216.40.250.58
OrgName: Everyones Internet, Inc.
OrgID: EVRY
Address: 2600 Southwest Freeway
Address: Suite 500
City: Houston
StateProv: TX
PostalCode: 77098
Country: US
NetRange: 216.40.192.0 - 216.40.255.255
CIDR: 216.40.192.0/18
Domain name: yesadvertising.com
Registrant Contact:
yesup ecommerce solutions Inc.
zhen zeng (yesupinc@yahoo.com)
+1.9057639724
Fax:
330 Highway 7 East, Suite 202
Richmond Hill, ON L4B3P8
CA

HTML (php & javascript) coding within that initial request results in the loading of additional HTML code (another web page) from www.eva.ee:
FQDN: eva.ee
Aliases: www.eva.ee
Addresses: 207.44.204.83
OrgName: Everyones Internet, Inc.
OrgID: EVRY
Address: 2600 Southwest Freeway
Address: Suite 500
City: Houston
StateProv: TX
PostalCode: 77098
Country: US
NetRange: 207.44.128.0 - 207.44.255.255
CIDR: 207.44.128.0/17

The EvaFrameset_eng.htm file downloaded from www.eva.ee then "uses an iframe to force the loading of a file using a URL of http://www.mymaydayinc.com/index2.php and attempts both to execute a script in that file and to exploit a known flaw in Internet Explorer to load and execute a .chm file." We are shocked to find that MYMAYDAYINC.COM is serviced by Everyone's Internet, with an IP address of 67.15.42.34:
Registrant: na
16 Cavendish Avenue
London, LO N33QN
UK
Domain name: MYMAYDAYINC.COM
Administrative Contact:
Misic, Borislav domain@eroute.net
1-112
Gowing Drive
MeadowBank
Auckland, NZ 1005
NZ
+64.21456886
Technical Contact:
Customer Service, EV1 Servers domains@ev1servers.net
2600 SW Freeway
Suite 500
Houston, Texas 77098
US
+1.7133337873 Fax: +1.7139429332

Registration Service Provider:
Everyones Internet, domains@ev1servers.net
http://www.ev1servers.net

Registrar of Record: TUCOWS, INC.
Record last updated on 23-Apr-2004.
Record expires on 23-Apr-2005.
Record created on 23-Apr-2004.

NSI record:

Domain Name: MYMAYDAYINC.COM
Registrar: TUCOWS INC.
Whois Server: whois.opensrs.net
Referral URL: http://domainhelp.tucows.com
Name Server: REMUS.EROUTE.NET
Name Server: MAXIMUS.EROUTE.NET
Status: ACTIVE
Updated Date: 23-apr-2004
Creation Date: 23-apr-2004
Expiration Date: 23-apr-2005

IP Address: 67.15.42.34 (ARIN & RIPE IP search)
IP Location: US(UNITED STATES)
Lock Status: ACTIVE
DMOZ no listings
Y! Directory: see listings
Data as of: 08-Jun-2004
ARIN Details:
MYMAYDAYINC.COM

67.15.42.34
Record Type: IP Address

OrgName: Everyones Internet, Inc.
OrgID: EVRY
Address: 2600 Southwest Freeway
Address: Suite 500
City: Houston
StateProv: TX
PostalCode: 77098
Country: US

NetRange: 67.15.0.0 - 67.15.111.255
CIDR: 67.15.0.0/18, 67.15.64.0/19, 67.15.96.0/20
NetName: EVRY-BLK-15
NetHandle: NET-67-15-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1.NET
NameServer: NS2.EV1.NET


Links:
http://isc.sans.org/...ing_malware.pdf

http://isc.sans.org/...78963151b915a10
SANS Institute's Internet Storm Center Web site analysis

http://www.nwfusion....jatarge.html?nl
Trojan targets user's financial information

http://www.allasso.c...ge.phtml?a=1192
Finjan Software Proactively Protects Against WebMoney Worm (02/07/2004)

http://64.233.167.10...g1big.gif&hl=en

It must be emphatically noted that this exploit does not involve email attachments or files downloaded by users from internet web sites. No misuse or carelessness about the use of executable files is required for this exploit, or others like it, to infect users' machines.

The exploit, and others like it, only requires that an Internet Explorer user visit a web site containing the initial request to an infected site like http://www4.yesadvertising.com to initiate the loading of bad code onto the user's computer. If the computer is permitting script execution, and has not been updated with the patch for the .chm file execution vulnerability, the exploit has a high probability of succeeding. If users insist on using IE, or must do so to access essential web sites, scripting permission should be limited to those sites in the trusted zone, and security for the internet zone set to "high". Windows Update must be run to ensure that patches for vulnerabilities like the .chm issue are installed. It must continue to be run frequently to ensure that machines are updated with patches for currently unpatched vulnerabilities, which permit exploits of this type to succeed, as soon as those are made available.

The following web sites utilized in the PWS-WebMoney.gen exploit should be added to users' "hosts" file:
www4.yesadvertising.com
paypopup.com
www.eva.ee
eva.ee
www.refestltd.com
www.mymaydayinc.com

Item 2. The "Al Queda Website revealed! (Johnson and Jacobs murderers)" freepers flap

On 18 June 2004, a post at Freepers (FreeRepublic.com, "A Conservative News Forum") asserted that "The website or mirrorsite apparently operated by the Saudi murderers of Paul Johnson and Robert Jacobs has been identified at URL: http://www.hostinganime.com/neda3/sout/index.htm". A comment to that posting noted that the Domain Name HOSTINGANIME.COM, 66.98.141.123, was listed as (hosted by):
OrgName: Everyones Internet, Inc.
OrgID: EVRY
Address: 2600 Southwest Freeway
Address: Suite 500
City: Houston
StateProv: TX
PostalCode: 77098
Country: US

NetRange: 66.98.128.0 - 66.98.255.255
CIDR: 66.98.128.0/17
NetName: EVRY-BLK-14
NetHandle: NET-66-98-128-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1.NET
NameServer: NS2.EV1.NET
Comment:
RegDate: 2003-07-02
Updated: 2004-02-06

A subsequent comment asserted that "They probably hijacked the site. In the SF area, they said another company's site was hijacked for the original announcement of the video of him being held. It was a surveying (land, not polling) company in the Silicon valey." (sic.)

Links:
http://209.157.64.20...s/1156132/posts
http://209.157.64.20...osts?page=45#45
http://209.157.64.20...osts?page=59#59


Item 3. The "ANOTHER "ARAB" WEB SITE TRACES BACK TO HOUSTON, TEXAS!" emotion flooding flap

This time it is the site "www.qal3ah.net", and another "fair and balanced" website reporting:

Al Jazeera reports,"'The new conservatives, and particularly the gang of (US President George W.) Bush, are enjoying the humiliation of the Muslims,' wrote Kuwaiti Islamist Sheikh Hamed Ben Abdallah Ali on www.qal3ah.net." (Original article)

Ah, but there is a problem! www.qal3ah.net is not in Kuwait. It is not even in the Mideast!

It's in Texes.

That's right, TEXAS!

http://www.qal3ah.net/vb/ is a URL.
Domain Dossier will continue with www.qal3ah.net.
Address lookup > canonical name > www.qal3ah.net.
aliases >www.qal3ah.net
addresses > 64.246.51.5
Network Whois record
Queried whois.arin.net with "64.246.51.5"...
OrgName: Everyones Internet, Inc.
OrgID: EVRY
Address: 2600 Southwest Freeway
Address: Suite 500
City: Houston
StateProv: TX
PostalCode: 77098
Country: US

NetRange: 64.246.0.0 - 64.246.63.255
CIDR: 64.246.0.0/18
NetName: EVRY-BLK-9
NetHandle: NET-64-246-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1.NET
NameServer: NS2.EV1.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-10-05
Updated: 2003-03-31

;-) No wonder the righties think the lefties are a little, er... impulsive? LOL, it makes me blush...

Links:
http://newworldorder...x.log?ID=765500
http://www.whatreall...nyiraqsite.html

Search terms:
img1big.gif, 2600 Southwest Freeway, PWS-WebMoney.gen, PWSteal.Refest, WebMoney worm, Everyones Internet, Inc., Robert Marsh, .chm exploit, .chm vulnerability, mymaydayinc.com, hosts, hosts file, lmhosts, www.qal3ah.net, CERT, SANS, Internet Explorer, security, vulnerability, exploit, worm, trojan
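Two checks a responder would run on the evidence quoted in the post above, as an added example that is not part of the original post and is not the SANS analysis or any tool of Everyones Internet: first, that each IP the post attributes to "Everyones Internet, Inc." really falls inside the ARIN CIDR quoted with it (the post's whole argument rests on that); second, a scan of a captured page for the kind of loader the post describes (an iframe, frame, script or object pulling another document) that points at one of the post's blocklisted hosts or at a .chm file, plus the hosts-file lines for that blocklist. The IP/CIDR pairs and the host list are taken verbatim from the post; the HTML sample is constructed for the example and is not EvaFrameset_eng.htm or index2.php, and the example.invalid hostnames in it are placeholders.

```python
# Added example, not code from the original post. Verifies the post's ARIN
# attributions and scans a captured page for the loaders the post describes.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (ip, CIDR) pairs exactly as quoted in the post's ARIN records.
# mymaydayinc.com's block is listed as three CIDRs; the first is used here.
ARIN_RECORDS = [
    ("216.40.250.58", "216.40.192.0/18"),   # www4.yesadvertising.com
    ("207.44.204.83", "207.44.128.0/17"),   # www.eva.ee
    ("67.15.42.34", "67.15.0.0/18"),        # www.mymaydayinc.com
    ("66.98.141.123", "66.98.128.0/17"),    # hostinganime.com
    ("64.246.51.5", "64.246.0.0/18"),       # www.qal3ah.net
]

# Hosts the post says to add to the hosts file.
BLOCKLIST = [
    "www4.yesadvertising.com", "paypopup.com", "www.eva.ee", "eva.ee",
    "www.refestltd.com", "www.mymaydayinc.com",
]


def check_netblock(ip, cidr):
    """True if ip lies inside cidr (strict=False tolerates host bits set)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


class _SrcCollector(HTMLParser):
    """Collect the src/data targets of tags that make the browser fetch
    another document without any user action."""
    LOADER_TAGS = {"iframe", "frame", "script", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.LOADER_TAGS:
            return
        a = dict(attrs)
        for key in ("src", "data"):
            if a.get(key):
                self.hits.append((tag, a[key]))


def find_loaders(html, blocklist=BLOCKLIST):
    """Return (tag, url, reason) for every loader whose host is on the
    blocklist ('blocklisted') or whose path ends in .chm ('chm')."""
    parser = _SrcCollector()
    parser.feed(html)
    blocked = {h.lower() for h in blocklist}
    flagged = []
    for tag, url in parser.hits:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in blocked:
            flagged.append((tag, url, "blocklisted"))
        elif parts.path.lower().endswith(".chm"):
            flagged.append((tag, url, "chm"))
    return flagged


def hosts_entries(blocklist=BLOCKLIST, sink="127.0.0.1"):
    """hosts-file lines for the blocklist, lower-cased, de-duplicated,
    order preserved."""
    seen, lines = set(), []
    for host in blocklist:
        host = host.strip().lower()
        if host and host not in seen:
            seen.add(host)
            lines.append(f"{sink} {host}")
    return lines


# Constructed sample page (not the real exploit page): a zero-size iframe to
# one of the hosts named in the post, an unrelated script, and an object that
# references a .chm file on a placeholder host.
SAMPLE_HTML = """<html><body>
<iframe src="http://www.mymaydayinc.com/index2.php" width="0" height="0"></iframe>
<script src="http://cdn.example.invalid/lib.js"></script>
<object data="http://files.example.invalid/help.chm"></object>
</body></html>"""

if __name__ == "__main__":
    for ip, cidr in ARIN_RECORDS:
        print(f"{ip:15} in {cidr:18} -> {check_netblock(ip, cidr)}")
    for hit in find_loaders(SAMPLE_HTML):
        print("FLAG", hit)
    print("\n".join(hosts_entries()))
```

All five quoted IPs do fall inside their quoted CIDRs, which is the one part of the post a reader can verify offline; who actually rents the server inside that block is something ARIN data cannot tell you. The loader scan matches on the parsed hostname rather than a substring of the URL, so `www.mymaydayinc.com.example.invalid` would not match, and it flags any `.chm` target regardless of host, since the post's point is that the file type, not the domain, is what the IE flaw needs.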
