InstantForum.NET v4.1.4Tweaks.com Forum http://forum.tweaks.com/forum/forum@tweaks.comThu, 20 Nov 2008 03:39:52 GMT20http://forum.tweaks.com/forum/Topic161369-59-1.aspxOne of Transponder's newer variants includes a <FONT color=#3333dd>replacement to their buddy.exe called</FONT> <FONT color=#3333dd><STRONG>Bolger.dll</STRONG></FONT> and <STRONG><FONT color=#3333dd>Aurora.exe</FONT></STRONG>. This is a nasty infection that has been up showing up everywhere in HijackThis logs around the security forum community. As such I have provided some information about this .dll and its related files to promote awareness and help avoid infection.<P><STRONG><FONT color=#3333dd>Aurora comes from Direct Revenue LLC: aka Offeroptimizer and Abetterinternet.com</FONT></STRONG>. </P><P>Variant: Bolger.dll <BR>File Name: Bolger.dll <BR>CLSID: {302A3240-4805-4a34-97D7-1645A0B08410} <BR>Size: 172032<BR>Version: 0.12.4.96<BR>CRC-32: C8D089EF<BR>MD5: 67DA1E869864F3B17DBD66E58A3D29C5<BR>File version: 0, 12, 4, 96<BR>Company name: Bolger<BR>Internal name: bolger</P><P><STRONG>Components include</STRONG>: <FONT color=#3333dd>Aurora.exe, <STRONG>svcproc.exe</STRONG>, Poller.exe, uacupg.exe, <STRONG>Nail.exe</STRONG>, DrPMon.dll, thnall1ac.html</FONT></P><P>- Svcproc.exe is the service which does not like to be stopped. </P><P>- Aurora.exe is their replacement to their buddy.exe that was created by the ceres.dll and speer.dll files.</P><P>- Thnall1ac.html is actually their thnall1ac.exe that does the registry registering of the bolger.dll when the thnall1ac.html is called.</P><P>- Nail.exe is the main reinfestational agent that generates a random named *.exe file around 74kb in the %windows% %system% folder. </P><P><A href="http://www.webhelper4u.com/index.html">Webhelper4U</A> has this posted on their site:</P><P>[quote]The Bolger.dll is foisted with exploits from the CWS loadcash.biz out of crackz.ws from the isearch bundled installer. Like the ceres.dll with the buddy.exe, some of their offeroptimizer ads are still peddling Spyspotter software that their own popup ads act like adware types. For Info on Spyspotter - see Eric Howes Rogue/Anti-spyware pages. </P><P>Below is the bolger.dll -Aurora.exe ad window: </P><P>"Spyware or Adware may be installed on your computer. If you are experiencing frequent computer crashes, unwanted or incessant pop-up ads or slower speeds your system may have been infected with Spyware or Adware. Click 'OK' to scan your PC."[/quote]</P><P>As stated on the Rogue/Anti-spyware list, false positives work as goad to purchase some anti-spyware software and others are installed via adware drive-by-downloads. </P><P><STRONG><FONT color=#3333dd>Rule of Thumb</FONT></STRONG>: Pay attention to pop ups and be careful of what you click. <FONT color=#dd3333><STRONG>Sometimes even clicking anywhere in the body of a message will redirect to a link or start a download without your knowledge - phishers use this a lot.</STRONG></FONT> </P><P><STRONG><FONT color=#3333dd>WHAT TO DO IF YOU GET INFECTED</FONT></STRONG>: </P><P>Please read and follow all instructions provided in the sticky at the top of the Hijack This Forum titled "<STRONG><FONT color=#3333dd>READ BEFORE POSTING HIJACK THIS LOGS</FONT></STRONG>" found <A href="http://forum.tweakxp.com/forum/Topic4303-29-1.aspx">here</A>. </P><P>When you have done that, follow the instructions for posting a log into the <A href="http://forum.tweakxp.com/forum/Forum29-1.aspx">Hijack This Forum </A>[not here] for evaluation.Fri, 13 May 2005 09:50:56 GMTquietman7