Bandjammer Trojan installs Multiple Rogue Applications

...and that's probably an understatement. Many of you are familiar with the BandJammer Trojan that has been making its way around the media. For those who have not been following the story: here you go.

If you are one of the unlucky fans of Jetking who accidentally clicked the hijacked link to the Trojan, then you are probably having one heck of a time trying to get your PC back to normal. The BandJammer Trojan first connects to a couple of Chinese sites in order to download a file called install_cn.exe. That file then installs an older version of Smitfraud from the command line.

http://blog.spywareguide.com/upload/2007/11/cmd-thumb.PNG
The first file runs another file that installs a dated version of Smitfraud.

Users can easily recognise this version of Smitfraud from the following entries:

MSVPS System - {93205C3F-1221-43F4-847F-007C6A4CE9A5} - C:\WINDOWS\advrepgpd.dll
The sdrmod - {BA79EE59-166F-4E9E-90A6-56489C45B48A} - C:\WINDOWS\sdrmod.dll

The files below are also added as ShellServiceObjectDelayLoad (these files automatically start with other services):
hupsrv - {33AEF198-6E36-4C80-9DB2-7EE99DB25122} - C:\WINDOWS\hupsrv.dll
bindmod - {3C82EBC1-C4BA-44EE-B21E-ACC91F46D2E8} - C:\WINDOWS\bindmod.dll
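To check other machines for the same drop, here is an added Python script (not from the original post) that parses "name - {CLSID} - path" lines like the ones above and flags the CLSIDs and DLL names listed in this post; the HijackThis-style "O2 - BHO:" / "O21 - SSODL:" prefixes and the Windows-root heuristic are assumptions, and the sample log is constructed.

```python
import re
# Indicators taken from the entries listed in the post (CLSID -> dropped DLL).
KNOWN_CLSIDS = {
    "{93205C3F-1221-43F4-847F-007C6A4CE9A5}": "advrepgpd.dll",
    "{BA79EE59-166F-4E9E-90A6-56489C45B48A}": "sdrmod.dll",
    "{33AEF198-6E36-4C80-9DB2-7EE99DB25122}": "hupsrv.dll",
    "{3C82EBC1-C4BA-44EE-B21E-ACC91F46D2E8}": "bindmod.dll",
}

# "<name> - {CLSID} - <dll path>", optionally prefixed HijackThis-style with
# "O2 - BHO:" or "O21 - SSODL:" (that prefix format is an assumption).
ENTRY_RE = re.compile(
    r"^(?:O(?P<sec>2|21)\s*-\s*(?:BHO|SSODL):\s*)?(?P<name>.+?)\s*-\s*"
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"\s*-\s*(?P<path>.+?)\s*$"
)

def parse_entries(log_text):
    """One dict (sec, name, clsid, path) per line that matches ENTRY_RE."""
    out = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sec"] = {"2": "BHO", "21": "SSODL"}.get(d["sec"], "?")
            d["clsid"] = d["clsid"].upper()
            out.append(d)
    return out

def flag_entries(entries):
    """Return (name, reason) pairs for entries matching this Smitfraud drop."""
    hits = []
    for e in entries:
        parent, _, fname = e["path"].lower().rpartition("\\")
        if e["clsid"] in KNOWN_CLSIDS:
            hits.append((e["name"], "known Smitfraud CLSID"))
        elif fname in KNOWN_CLSIDS.values():
            hits.append((e["name"], "known Smitfraud DLL name under a new CLSID"))
        elif e["sec"] == "SSODL" and parent == r"c:\windows":
            # Heuristic (assumption): the post's SSODL DLLs sit directly in C:\WINDOWS.
            hits.append((e["name"], "SSODL DLL loaded from the Windows root"))
    return hits

# Constructed sample log: two lines from the post plus two made-up benign entries.
SAMPLE_LOG = """\
O2 - BHO: MSVPS System - {93205C3F-1221-43F4-847F-007C6A4CE9A5} - C:\\WINDOWS\\advrepgpd.dll
O2 - BHO: Example Toolbar - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\toolbar.dll
O21 - SSODL: hupsrv - {33AEF198-6E36-4C80-9DB2-7EE99DB25122} - C:\\WINDOWS\\hupsrv.dll
O21 - SSODL: ExampleShell - {00000000-0000-0000-0000-000000000002} - C:\\WINDOWS\\system32\\exshell.dll
"""
```

Run `flag_entries(parse_entries(SAMPLE_LOG))` to get the two flagged entries; feed it a real exported log in the same line format for a live check.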

What is the purpose of this? Well, why type when I can just show a screenshot.

http://blog.spywareguide.com/upload/2007/11/lol-thumb.PNG
This confused looking website shows us all the fabulous new Rogue Antispyware applications we are about to be bombarded with.

Here are just a few of the fake alerts users will see:

http://blog.spywareguide.com/upload/2007/11/contentsurf-thumb.PNG
ConfidentSurf!

http://blog.spywareguide.com/upload/2007/11/alert-thumb.PNG
http://blog.spywareguide.com/upload/2007/11/adwareremover-thumb.PNG
http://blog.spywareguide.com/upload/2007/11/REBOOT%20now-thumb.PNG
AdwareRemover2007!

http://blog.spywareguide.com/upload/2007/11/advancedcleaner-thumb.PNG
Advancedcleaner!

Do not bother trying to close any of these. In most cases the blatant fake alerts take you to their site so that you will install or buy the application; otherwise they simply create ads that cannot be closed and force you to install them.

These kinds of attacks are becoming more and more frequent. Take the article that Paperghost wrote involving Skype worm spammers for example. Rogue antispyware applications are everywhere now and they show no sign of trending down. Your best defense against these attacks is to simply mind your clicks.

About this Entry

This page contains a single entry by Chris Mannon published on November 15, 2007 1:32 PM.
