Yesterday's trojan attack was executed by a combination of 3 programs running in tandem; hopefully this information can help someone to clean their system. Disclaimer: I'm just someone who had to get rid of it, so I thought I might as well share the info, but I'm not a security specialist or anything.
The initial attack was carried out using a new image file exploit; MMORPG.com was hacked and the intruders then planted image files such as "7517p[1].jpg" on the website. The image contained a cursor that caused an overflow error, thus enabling the attacker to execute malicious code:
http://vil.nai.com/vil/Content/v_141860.htm
The exploit is fairly new as you can see, discovery date 28/03/2007, so there isn't a patch out from Microsoft yet. It targets IE and is related to the ActiveX, but having every single setting in the ActiveX block "disabled" _does not_ prevent this exploit from working; there is a separate section with 3 options for "Active Scripting" which may well prevent the exploit, but I mistook these to refer to JavaScript. And no, I'm not saying this for certain; the virus might just have been removed by admin while I was tweaking with the settings. The safest bet is to use Firefox, since as far as I know, it doesn't even have support for ActiveX.
The exact version of the exploit was identified as "Troj/Animoo-L":
http://www.sophos.com/virusinfo/analyses/trojanimool.html
The ANI exploit (apparently) just downloads a file "<Temp>\crasos.exe" and runs it, which binds it in the registry; this component is identified as the "Troj/PWS-AMA", and is responsible for re-installing the final component at system startup if it has been removed (although I have no idea where it gets it):
http://www.sophos.co.uk/security/analyses/trojpwsama.html
The final component is a dynamic link library that is copied under "<Temp>\Msxo0.dll", and is presumably the actual keylogger that grabs Lineage 2 and Legends of Mir login information. My virus scanner (McAfee) apparently jumped in when this .dll was about to be loaded; I have no idea whether it stopped the keylogger from working, but better not to take any chances. McAfee identified this component as "PWS-Lineage" and promptly removed it. However, it was not able to detect "crasos.exe" or the associated registry keys, so the .dll kept coming back every time I re-started.
To get rid of the trojans, start the machine in safe mode (press F8 at startup) and delete:
- the image file (basically all temporary internet files)
- crasos.exe and Msxo0.dll
- any registry key that refers to either of the two files (open command prompt -> regedit)
-> the most likely location is "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" but there may be others
In theory, even if you got the trojan, you should be safe if you don't have Lineage 2 or one of the other affected games on your machine, and even then the damage should be limited in-game. But in practice, you never know; that's the really sucky part. We did netstat -a and tracert to trace some unknown network connections, but on closer look these turned out to be legitimate: Skype, web update, etc...
Last but not least, get yourself a good anti-virus program, a firewall that also blocks out-going connections, and preferably Firefox... I was also told that the free trial anti-virus program at
http://www.kaspersky.com/ has an exceptionally high rate of spyware detection, might be worth giving it a shot. I also ran the Sophos spyware detector just to be sure, although I guess unless you completely re-install the entire machine, it's never 100% certain. Luckily I got to keep my job, people weren't all that bothered really.
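Added example, not code from the original post: a read-only PowerShell check for the autorun entries and dropped files the post describes, so you can see what is on the box before deleting anything in safe mode. The two file names come from the post; the extra RunOnce/HKLM keys and the temp/cache folders it searches are assumptions.

```powershell
# Added example (not from the original post): report, without deleting anything,
# autorun entries or files that reference the two components named in the post.
# File names are from the post; the key list and folder list are assumptions.
$suspects = @('crasos.exe', 'Msxo0.dll')

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. Autorun values whose command line mentions either file name.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        foreach ($s in $suspects) {
            if ("$($p.Value)" -match [regex]::Escape($s)) {
                $findings += [pscustomobject]@{ Where = $key; Name = $p.Name; Detail = $p.Value }
            }
        }
    }
}

# 2. The files themselves in the temp folder and the IE cache (assumed locations).
$dirs = @($env:TEMP, $env:LOCALAPPDATA, "$env:USERPROFILE\Local Settings\Temporary Internet Files")
foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    Get-ChildItem -Path $d -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $suspects -contains $_.Name } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Where = $_.DirectoryName; Name = $_.Name; Detail = "$($_.Length) bytes" }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No references to crasos.exe or Msxo0.dll found in the Run keys or temp folders checked.'
} else {
    $findings | Format-Table -AutoSize
}
```

Anything it lists is what the safe-mode cleanup above has to remove; an empty result only means these particular locations are clean, not that the machine is.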
Comments
I logged on to my WoW account this morning and found that my characters had their goods auctioned or mailed off.
Upon scanning my hard drive, I found the above-mentioned virus. I don't know of any other way my password would have gotten out - no one else has my account info, etc. It's not a certainty (I'm posting this here in case anyone else has similar problems so we can get some data points) but I would suspect that it is likely that this version was modified to sniff WoW account information instead of or in addition to L2/LoM.
Highly annoying.
-TheMentor
I was also attacked by the bastards with this same problem. I had to get Blizzard to email me a "NEW" password because my old one no longer worked. When I logged in, I only had 1 character available, it happened to be my main, all my other 9 alts had been deleted. My main had all the gear he was wearing oddly enough but all my other items in my inventory and in my bank had been sold or mailed or deleted or vendored. I was left with 61 COPPER. I had over 2400 gold on my main toon and well over 1000-1500 gold combined on the other nine alts, not including about 3-5000 gold worth of stuff in the banks, inventories and mailboxes of those characters.
I hope I one day get to meet whoever the wonderful person was that did this to me and the others of you out there. They will be able to write books about the things I do to that poor bastard and the movies would be worse than any horror film ever produced. They stole over 4000 hours of my life and my enjoyment away from me. I have 3535 hours on my main toon alone. Yes I play a lot, it's cheap entertainment and I have a lot of friends that play so it stays fun. Yes I also have a social life for those of you that don't understand why we play so much, but I'm sure that most of you reading this lot to play also.
Now I am just waiting for Blizzard to "Investigate" the situation and replace all my toons and my stuff, but I won't be holding my breath for my gold to return.
For those of you out there that haven't been hacked and violated, I hope it never happens to you; it really ruins one of the things in life that was enjoyable.
Chaosorchid - Undead Mage - Ursin
<Carebear Refugees>
I can see your back is turning, If I could I'd stick a knife in,
This is my love for you
Tool - Crawl Away
He posted instructions.
Why is this in the forum help desk where no one reads? I just happened to look at my msconfig today and saw that crasos file. I looked it up on Google and one of the first results was this thread. I'm betting a lot of MMORPG.com members have this and don't even know it.
Luckily I don't play any of those games, but I still changed all my passwords after I deleted the file and registry. I only had crasos.exe, Msxo0.dll wasn't found anywhere.
And by the way, I only run Firefox and had this stuff on my computer.