Attention: New Trojan Infecting P2P Networks

Added: Friday, April 16th, 2010
Category: Recent Headlines Involving File Sharing > Current Events
Tags: ET, p2p, Torrent, Piracy, Peer To Peer, Network, Hackers, Internet, BitTorrent, Google, utorrent, bitcomet, extratorrent, 2010, www.extrattorrent.com
If launched, the trojan installs a copy of itself in the WINDOWS directory and adds a registry key that loads it on startup.

Arbor Networks security researchers have found a previously unknown botnet driven by the Heloag trojan. Its purpose is to download and install numerous additional malicious applications on the computers it infects.

After detailed inspection, the researchers found that the trojan has no built-in DDoS capability; its only job is to manage downloads on the compromised machine.

How does it work?

The trojan is downloaded from elwm.net or 7zsm.com. Once on the victim's computer, it installs a copy of itself in the WINDOWS directory under one of the following names:

C:\WINDOWS\conme.exe
C:\WINDOWS\ThunderUpdate.exe
C:\WINDOWS\csrse.exe

It then sets the following registry key so that it loads on startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon = [one of the filenames above]

Next it connects to the command-and-control (C&C) server, usually on TCP port 8090, registers itself with the botnet and waits for further commands. Traffic is often preceded by a single byte indicating the purpose of the message:

1 – hello
2 – keep-alive
3 – download the above-mentioned file
4 – connect to other peers
5 – send the host name to the server
6 – clear
7 – shut down the connection

Hosts infected with Trojan.Heloag usually download further malware over HTTP from the central server, after which they can connect to other bots, i.e. other infected PCs, on TCP ports 7000-7010. The researchers are not yet sure what this is for, but it is clearly some form of P2P. Be careful.
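As an added example (not from the article or from Arbor's research), the following Python turns the indicators above into two defender-side checks: classifying captured flows by the C&C port and the leading message byte, and triaging a host for the dropped filenames and the Winlogon key. The flow-record layout, the sample flows, the file list and the Winlogon value names are constructed for this example; the article names the Winlogon key but not which value is written, so every value under it is checked.

```python
from dataclasses import dataclass

CC_PORT = 8090                      # C&C port named in the article
PEER_PORTS = range(7000, 7011)      # bot-to-bot ports 7000-7010
DROP_NAMES = {"conme.exe", "thunderupdate.exe", "csrse.exe"}

# Meaning of the leading byte of each C&C message, per the article.
MSG_TYPES = {
    1: "hello", 2: "keepalive", 3: "download file", 4: "connect to peers",
    5: "send hostname", 6: "clear", 7: "shutdown connection",
}

@dataclass
class Flow:
    """One TCP flow, client side; the layout is this example's assumption."""
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent

def classify_flow(flow: Flow) -> list[str]:
    """Return alert strings for one flow; empty list if nothing matches."""
    alerts = []
    if flow.dport == CC_PORT and flow.payload:
        kind = MSG_TYPES.get(flow.payload[0])
        # First byte outside 1..7 on 8090 (e.g. a TLS ClientHello, 0x16) is ignored.
        if kind:
            alerts.append(f"heloag-c2 {flow.src}->{flow.dst}:{flow.dport} "
                          f"type={flow.payload[0]} ({kind})")
    if flow.dport in PEER_PORTS:
        alerts.append(f"heloag-peer {flow.src}->{flow.dst}:{flow.dport}")
    return alerts

def check_persistence(files: list[str], winlogon: dict[str, str]) -> list[str]:
    """Host triage on constructed inventory data: copies of the dropped names
    directly under C:\\WINDOWS, and Winlogon values whose data names one of them."""
    hits = []
    for path in files:
        name = path.rsplit("\\", 1)[-1].lower()
        if path.lower().startswith("c:\\windows\\") and name in DROP_NAMES:
            hits.append(f"dropped file: {path}")
    for value, data in winlogon.items():
        if data.rsplit("\\", 1)[-1].lower() in DROP_NAMES:
            hits.append(f"winlogon value {value} -> {data}")
    return hits

# Constructed sample flows and host data (not real captures).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.9", 8090, b"\x01"),
    Flow("10.0.0.5", "203.0.113.9", 8090, b"\x05WORKSTATION-7"),
    Flow("10.0.0.5", "10.0.0.8", 7003, b"\x04"),
    Flow("10.0.0.5", "198.51.100.2", 443, b"\x16\x03\x01"),
]
SAMPLE_FILES = ["C:\\WINDOWS\\csrse.exe", "C:\\WINDOWS\\system32\\csrss.exe"]
SAMPLE_WINLOGON = {"Shell": "explorer.exe", "Userinit": "C:\\WINDOWS\\csrse.exe"}

if __name__ == "__main__":
    for f in SAMPLE_FLOWS: print(classify_flow(f))
    print(check_persistence(SAMPLE_FILES, SAMPLE_WINLOGON))
```

Note that the legitimate csrss.exe in the sample file list is deliberately not flagged: the trojan's csrse.exe is a lookalike, and only the exact dropped names count.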


By: SaM, April 16th, 2010

Comments (58)

1
posted by (2010-04-16 13:03:33)
Thanks for the warning.

2
posted by numberone (2010-04-16 13:21:11)
Thanks sam

3
posted by magiccrack, Site Friend (2010-04-16 13:25:28)
thanx - place to be

4
posted by iamezaz, Blocked (2010-04-16 13:44:06)
Valuable and useful information, thanks SaM

5
posted by SnakeyB (2010-04-16 14:04:10)
Thanks, SaM. Nice to be informed.

6
posted by POPE305MIKE (2010-04-16 14:04:55)
With an antivirus and a little common sense this can be avoided. Glad ET scans their files, even though I have seen a few instances where it's not happening. Good read, useful information.

7
posted by MRclassictorrent (2010-04-16 14:26:08)
Thanks for the info.

8
posted by maxpayne1 (2010-04-16 14:35:44)
Appreciate the heads up buddy, thanx.

9
posted by sobofawn07 (2010-04-16 14:58:14)
keep your antivirus on... and pay attention

10
posted by 2die4, Blocked (2010-04-16 15:14:19)
wouldn't a firewall tell me before this tries to connect???

11
posted by bmbgmusik (2010-04-16 15:47:53)
Thanks for the info.

12
posted by sasuke_654 (2010-04-16 16:32:33)
thanks man. I owe u one.

13
posted by sasuke_654 (2010-04-16 16:32:37)
thanks man. I owe u one.

14
posted by 4JIMi2sTEXAS0 (2010-04-16 16:40:51)
thanks for the heads up...

15
posted by bodthepimp, ET junkie, ET lover (2010-04-16 16:43:14)
thx SaM GREAT INFO

16
posted by arrimmapirate (2010-04-16 16:50:35)
Thank you SaM

17
posted by tiboy (2010-04-16 16:53:03)
tnx for d heads-up sam... ET "the" place to be!!

18
posted by kingtiger01 (2010-04-16 17:46:34)
Antivirus, and Spybot S&D, even if it is a trojan, as long as it relies on the Registry for Winlogon startup.

Spybot's "Tea-Timer" monitors Registry writes, and possible Trojans, and allows you to decide whether to write the registry entry or not. It also allows you to unload the app and prevent it from ever running again based on its file signature, NOT file name.

Eventually, since it's now been identified, a good antivirus will contain definitions to remove it while it's being written to the HDD, preventing this problem altogether.

19
posted by magiccrack, Site Friend (2010-04-16 18:27:19)
Good advice ppls. Keep your anti-virus and malware protection updated; the software really is only as good as the definitions it knows, so be sure to keep your software updated as well as switched on.

Technically firewalls should say what's going in and out, but it might slip through depending on the port used, as stated in the article above.

Nice advice from the ET community, place to be

20
posted by IROTAKU, men (2010-04-16 19:22:20)
thanks for the info

21
posted by deicide (2010-04-16 19:46:37)
Thanks SaM

22
posted by Stayingtrue (2010-04-16 20:06:50)
thanks, good read as always

23
posted by wallpapersxplore, Trusted Uploader, Site Friend, ET lover, KittyGirl (2010-04-16 20:31:33)
thanks

24
posted by BooHoo (2010-04-16 20:46:23)
I think these kinds of articles/alerts/uploader-blacklists are very much needed on ET
Thanks SaM
Well, 2 b honest, recently I've been having some problems and strange behaviour on my PC
Won't bet my life on this, but I think I got it from 1 of the torrents here (& I do my check-ups regularly with more than 1 tool...), something like a strange & immortal 3e4s128c.exe in my C:\Program Files
anyway, truly much needed topic here and I hope you more experienced guys can help us stay safe while sharing goods
aren't we all good friends? ;)
stay safe, stay online

25
posted by Grind3r, Site Friend (2010-04-16 20:57:56)
thanks SaM :))

26
posted by trauts (2010-04-16 22:27:07)
Thanks SaM for the info :)

27
posted by thrcnonlyb1 (2010-04-16 23:34:40)
thanx for the heads up!!...

28
posted by (2010-04-16 23:55:44)
Thank you for the warning

29
posted by blackwolf411 (2010-04-17 00:55:46)
Thanks Sam for the warning.

30
posted by jessiluv27 (2010-04-17 01:09:44)
I have a Mac, does that mean that I'm safe?

31
posted by Respect4Uploaders (2010-04-17 01:16:03)
Valuable Information
Thanks
Much appreciated

32
posted by manofkent, Site Friend (2010-04-17 02:03:27)
thx 4 the warning

33
posted by SilentReaper (2010-04-17 02:18:17)
Thanks Sam for the info and warning. Be careful all ETers.

34
posted by (2010-04-17 02:57:00)
hope I can help on this one,
for those that aren't comfortable removing files from the windows folder and deleting registry keys, I have made a couple of files.
the first one (well, 2) is to remove the files, if they exist in your windows folder.

http://www.storage.to/get/dGyBAX3y/remove+files.bat
or
http://www.storage.to/get/SCBPt74W/remove+files.exe

you should only need to run one of these; the reason I made 2 is that some computers don't like running .bat files by double clicking them.
If you get the error "file not found" on all 3, that's great, as it's not any of the above files.

the second file will remove the registry entries.
right click on it and click install.

http://www.storage.to/get/UEEHSFas/remove+keys.inf

hope that helps!

35
posted by (2010-04-17 03:38:03)
Man I love my Mac.

36
posted by (2010-04-17 03:39:00)
you're safe jessiluv27

37
posted by ozi, SuperAdmin (2010-04-17 04:01:16)
this happened to me a couple of months back, don't know if it's the same virus
i called my isp provider to check my connection and they said there's nothing wrong with it
but whatever it was, it disabled my connection; the only fix for it was to reformat the pc
and disable csrse.exe and Issas
and another thing happened to me 2 weeks ago: the isp company phoned me and said
"we have added more security to your service because your ip was being compromised"
one of the best things you can do is give your isp company that 5 extra bucks a month and get them to hide your ip for you

38
posted by bigbsgfan74 (2010-04-17 04:08:22)
Awesome info SAM, thanks for letting us all know this, will be passing it on to those I know. :-)

39
posted by menahunie, Blocked (2010-04-17 05:43:12)
Looks like the Chinese are at it again; we no hacky we only sukee no hacky why picky on us... So all the infected computers are bots for the a$$holes in China...
What is really needed is for these IPs to get blacklisted, period. So pretty soon China would be by itself and the outbound and inbound connections would be refused due to all this crap coming from that country.
There is also a very very large threat from that country's government sponsored hackers: a software called Gray Pigeon; it is widely used for a lot of things.

EVERYONE HAS TO HAVE THE ATTITUDE THAT ANYTHING YOU DOWNLOAD IS MALWARE UNTIL YOU SCAN IT MULTIPLE TIMES WITH DIFFERENT SOFTWARE....

One popular OS I tested was full of malware - trojans, viruses, rootkits - no one talks much about rootkits??? I wonder why? It came from an uploader in ROMANIA... Another hacker haven...

SO you have to mistrust anything you download, THAT IS A FACT OF LIFE - there are not-nice people in this world and they just get off screwing people over...
SO USE COMMON SENSE...

elwm.net resolves to:
[whois record for elwm.net]

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

7zsm.com resolves to:
[whois record for 7zsm.com]

40
posted by cyberartist (2010-04-17 06:50:05)
Thanks SaM

41
posted by phoenixcm (2010-04-17 08:32:37)
thanx sam!

42
posted by Bigmoe (2010-04-17 10:08:11)
Thanx.

43
posted by micaxxa, Blocked (2010-04-17 10:16:05)
I will scan my computer pronto, thank you for the info :)

44
posted by (2010-04-17 13:48:31)
well done, well said.. thanks for the heads up.....

45
posted by bigwimpie (2010-04-17 14:10:25)
Thanks for the info Sam!

46
posted by neurosis (2010-04-17 18:45:37)
A few days ago AV detected a rootkit, hope I'm not infected with this Trojan. Many many thanks for the info

47
posted by nataswobbledog, ET lover (2010-04-18 01:52:48)
thanks for the heads up

48
posted by (2010-04-18 01:56:26)
I've been hit by a multi-trojan horse virus which disabled mostly everything, from a torrent site called... ahashard.com.. which went through the firewall & the registered AVG antivirus & disabled them both... so the only thing I did is formatting my pc....

49
posted by menahunie, Blocked (2010-04-19 00:07:21)
ahashard.com NO such domain??

50
posted by tigerShark (2010-04-19 05:06:18)
good info. many thx @SaM

51
posted by (2010-04-19 06:56:36)
After I downloaded Command & Conquer 4 Tiberium Twilight and ran it,
utorrent became slow in downloading.. I tried many Antispyware, AntiTrojan, antivirus, and it did not solve the problem.
The only program that solved the problem is "RemoveIT_Pro_8.2.2010_Portable"; the utorrent is infected with Win32.Unknown.Random.X
and it's spreading itself in p2p programs. Let the antivirus program block bittorrent from the incoming internet
connection because it's the Trojan from the infected programs in P2P Networks.

8:41:35 PM: Scanning, please wait...
8:41:40 PM: Infected file (Win32.Unknown.Random.X) c:\program files\utorrent\utorrent.exe
8:42:25 PM: Infected file (Sys32.bassmod) C:\DOCUME~1\ADMINM~1.000\LOCALS~1\Temp\bassmod.dll
8:44:12 PM: Infected file (Sys32.ssupdate) C:\Documents and Settings\Admin.MAIN.000\local settings\temp\ssupdate.exe
8:44:12 PM: Infected file (Sys32.ssupdate) C:\DOCUME~1\ADMINM~1.000\LOCALS~1\Temp\ssupdate.exe
8:45:23 PM: Infected file (Sys32.deltree) C:\WINDOWS.1\system32\deltree.exe
8:46:19 PM: Infected file (Sys32.pssuspend) C:\WINDOWS.1\system32\pssuspend.exe
8:46:27 PM: Infected file (Sys32.reboot) C:\WINDOWS.1\system32\reboot.exe
8:46:30 PM: Infected file (Sys32.sasnative32) C:\WINDOWS.1\system32\sasnative32.exe
8:48:28 PM: Infected file (Sys32.googletoolbar1) C:\Program Files\google\googletoolbar1.dll
8:48:29 PM: Infected file (Sys32.msnsusii) C:\Program Files\msn\msncorefiles\install\msnsusii.exe
8:48:31 PM: 10 Dangerous files have been found on your computer.
Click on "Fix" button to fix selected tasks.
8:48:54 PM: Scanning, please wait...
8:49:53 PM: Infected file (Sys32.bassmod) C:\Documents and Settings\Admin.MAIN.000\Local Settings\Temp\bassmod.dll
8:52:23 PM: Infected file (Sys32.ssupdate) C:\Program Files\SUPERAntiSpyware\SSUpdate.exe
8:53:20 PM: Infected file (Sys32.msnsusii) C:\WINDOWS.0\ServicePackFiles\i386\msnsusii.exe
8:53:35 PM: Infected file (Sys32.deltree) C:\WINDOWS.0\system32\DELTREE.EXE
8:53:35 PM: Infected file (Sys32.pssuspend) C:\WINDOWS.0\system32\pssuspend.exe
8:53:35 PM: Infected file (Sys32.reboot) C:\WINDOWS.0\system32\reboot.exe
8:55:10 PM: Infected file (Sys32.msnsusii) C:\WINDOWS.1\SoftwareDistribution\Download\fa06e29c141c84f43a95ba02f93d3774\msnsusii.exe
9:00:13 PM: Infected file (Sys32.msnsusii) D:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
9:02:32 PM: Infected file (Sys32.msnsusii) D:\WINDOWS\ServicePackFiles\i386\msnsusii.exe
9:02:48 PM: Infected file (Sys32.deltree) D:\WINDOWS\system32\DELTREE.EXE
9:02:48 PM: Infected file (Sys32.pssuspend) D:\WINDOWS\system32\pssuspend.exe
8:48:54 PM: 21 Dangerous files have been found on your computer.
Click on "Fix" button to fix selected tasks.

52
posted by JG420 (2010-04-19 13:12:02)
ok.... so I've looked around the net... and I can not find ANY information on how to properly remove this WITHOUT doing a complete reformat.... I know a friend of mine's pc is infected with this trojan and I can't even get it to boot into safe mode! if someone could send me a msg to my inbox, as I don't check forums too often, I would appreciate any removal info I could get on this.... thanks in advance! and big thanks to sAm for posting this!!!

KEEP SAFE! & SEED TIL U BLEED!

53
posted by (2010-04-19 14:31:54)
hi SaM

nice info

54
posted by pro2kon (2010-04-20 04:38:28)
What's up guys, I was recently infected with this virus. The only way that u can get rid of it is by reinstalling ur windows OS. I had to reinstall mine after dling spartacus from a trusted uploader. Be very careful guys, this shyt is spreading real fast

55
posted by griffinshead (2010-04-20 06:26:55)
Thanks for the info, keep scanning all DL files, no matter who they are from

56
posted by (2010-04-20 11:54:28)
I'm gonna try and clear something up.
AVG antivirus isn't much use against a lot of the newer trojans and rootkits, so if you use this, start looking at getting something a bit more secure.
personally I use eset nod32, but have also used trustport in the past. Norton/symantec, kaspersky and mcafee all work but slow the pc down.
A couple of programs you should always have downloaded and in a folder somewhere, just in case of infection:
Malwarebytes anti malware - brilliant program, free for 30 days.
superantispywarepro - free program, hunts nasties nicely
winsockfix - free program, puts the winsock back, which is the cause of the browser running a virus when u open it
smitfraudfix - free program, helps kill the nastier viruses and trojans.

57
posted by malestom (2010-04-21 10:26:21)
thanks sam

58
posted by (2010-04-22 04:22:53)
if you have comcast you get free anti-virus, norton antivirus; just go to their website, log in and read through to find it.
