WARNING: DO NOT download files from www.kiscan.net!


997TT
08-08-2007, 03:09 PM
Especially their program Smart Scan, apparently a modded Woron Scan version, is sending your IMSI, ICCID and Ki to a third party,
using the Lydra Trojan.

If you already installed software from them, check your Windows Dir and look for files like syswin.exe, lsassv.exe, regedit2.exe (the changed file regedit.exe is a trojan file).
Also in the directory: servicew.exe, calc.exe and calc2.exe (both trojan files).
If you don't have a software firewall, you'll be in trouble since these programs connect to a certain IP address.

An easy way to find out if the files mentioned are trojans is to look for the string "johnhayward843@yahoo.co.uk" in them.
Caution: most antivirus/antitrojan programs DO NOT find this trojan once it is in place. Deleting the files doesn't work either,
even if you "unlock" and delete them. They're back as soon as you restart Windows.

Beware of TROJANS and MALWARE, DO NOT download from them, also DO NOT buy from them since some of the claims they make are false.

Don't say you haven't been warned!

Here is a "proof", how vicious this trojan is (only one scanner found it):

Antivirus Version Last update Result
AhnLab-V3 2007.8.3.0 2007.08.08 -
AntiVir 7.4.0.57 2007.08.08 -
Authentium 4.93.8 2007.08.08 -
Avast 4.7.1029.0 2007.08.08 -
AVG 7.5.0.476 2007.08.08 -
BitDefender 7.2 2007.08.08 -
CAT-QuickHeal 9.00 2007.08.08 -
ClamAV 0.91 2007.08.08 -
DrWeb 4.33 2007.08.08 Trojan.LydraSpy.1205
eSafe 7.0.15.0 2007.07.31 -
eTrust-Vet 31.1.5043 2007.08.08 -
Ewido 4.0 2007.08.08 -
FileAdvisor 1 2007.08.08 -
Fortinet 2.91.0.0 2007.08.08 -
F-Prot 4.3.2.48 2007.08.08 -
F-Secure 6.70.13030.0 2007.08.08 -
Ikarus T3.1.1.12 2007.08.08 -
Kaspersky 4.0.2.24 2007.08.08 -
McAfee 5093 2007.08.08 -
Microsoft 1.2704 2007.08.08 -
NOD32v2 2444 2007.08.08 -
Norman 5.80.02 2007.08.08 -
Panda 9.0.0.4 2007.08.08 Suspicious file
Prevx1 V2 2007.08.08 -
Rising 19.35.22.00 2007.08.08 -
Sophos 4.19.0 2007.08.01 -
Sunbelt 2.2.907.0 2007.08.07 -
Symantec 10 2007.08.08 -
TheHacker 6.1.7.164 2007.08.08 -
VBA32 3.12.2.2 2007.08.07 -
VirusBuster 4.3.26:9 2007.08.08 -
Webwasher-Gateway 6.0.1 2007.08.08 -
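
The check described in the post above (look in the Windows directory for the listed file names, then search each file for the marker string), as an added example that is not part of the original post. The file names and the string come from the post; the UTF-16LE search, the status labels and the function names are assumptions of this sketch.

```python
import os
import sys

# File names and marker string as given in the post above.
SUSPECT_NAMES = ["syswin.exe", "lsassv.exe", "regedit2.exe", "regedit.exe",
                 "servicew.exe", "calc.exe", "calc2.exe"]
MARKER = "johnhayward843@yahoo.co.uk"
# Assumption: the string may be embedded as plain ASCII or as UTF-16LE.
PATTERNS = [MARKER.encode("ascii"), MARKER.encode("utf-16-le")]
CHUNK = 1 << 20  # read 1 MiB at a time


def contains_marker(path):
    """Stream the file and report whether any encoding of MARKER occurs."""
    overlap = max(len(p) for p in PATTERNS) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return False
            data = tail + block
            if any(p in data for p in PATTERNS):
                return True
            # Keep the end of this chunk so a match split across reads is found.
            tail = data[-overlap:]


def scan_directory(directory):
    """Return {file name: 'marker' | 'present' | 'unreadable'} for listed names."""
    wanted = {n.lower() for n in SUSPECT_NAMES}
    results = {}
    for entry in os.scandir(directory):
        # Windows file names are case-insensitive, so compare in lower case.
        if entry.name.lower() not in wanted or not entry.is_file():
            continue
        try:
            hit = contains_marker(entry.path)
        except OSError:
            results[entry.name] = "unreadable"  # e.g. locked by a running process
            continue
        results[entry.name] = "marker" if hit else "present"
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("WINDIR", ".")
    for name, status in sorted(scan_directory(target).items()):
        print(f"{status:10} {name}")
```

Names such as regedit.exe and calc.exe also belong to genuine Windows files, so "present" alone is not a finding; only "marker" matches the indicator from the post.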

situ
08-09-2007, 03:31 AM
Thank you for the information!!

How did you remove it?

Thank you for the appreciated advice

Shade.sh
08-09-2007, 11:59 AM
Thank you for the information!!

How did you remove it?

Thank you for the appreciated advice

Analysed trojan! Thanks for that notice 997TT !!

1. Download: ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
2. Run it!
3. Open a "Run Application" and type in "msconfig"
4. Under "systemstart" delete the entry "lsassv.exe".
5. Wait until the scanner has finished.
6. Reboot
7. Scan again and delete all files which are infected.

997TT
08-09-2007, 06:13 PM
Try Max Spyware Detector, a very good detection/cleaning program.
The Detection engine is FREE, download it from their site: www.maxpcsecure.com .
Sometimes it gives false alarms but only sometimes.
If it finds the Trojan Lyra...well...

You can buy this program, you can buy others (Spysweeper from Webroot is very good too) or you can try to find freeware which works.

Only one hint: after a "removal process", double check if the trojan really has been removed. Another problem: it may "sense" that you're using an anti-spyware program, crashing your Windows installation. If you're lucky, you can restart, if not, you need the recovery console to repair your Windows installation.

I was lucky enough that I read about the www.kiscan.net website on another IT Security website and I used an old PC (my "honeypot" ;)) for testing www.kiscan.net and some of the programs offered there. It is definitely TRUE, this site should be AVOIDED!!!

situ
08-09-2007, 09:12 PM
Thank you guys! Removed perfectly!

Cartier
08-10-2007, 09:04 PM
I downloaded the program they had and saved it so that I can try it when I went to work (where I have access on a Wintel machine). Thank god I'm on a Mac and thank god I never ran that program! Would have been screwed at work!

digamma
08-12-2007, 11:33 AM
Wow 997TT. How did you generate this huge list of antivirus programs and their failure to detect the trojan? You have them all installed on your PC?

Shade.sh
08-12-2007, 02:48 PM
Wow 997TT. How did you generate this huge list of antivirus programs and their failure to detect the trojan? You have them all installed on your PC?

In net we have some multiscanner systems, you can submit a file and it's scanned by lots of scanners. I do the same with the suspecting files. ;)

997TT
08-13-2007, 04:22 PM
In net we have some multiscanner systems, you can submit a file and it's scanned by lots of scanners. I do the same with the suspecting files. ;)
Precisely. :)

sam
08-14-2007, 01:31 AM
A little addition:

If you cracked your Ki with that, better watch out for abuse on your bill.

mostafa
08-14-2007, 10:03 AM
so is there an alternative software for comp2 KI reader?

997TT
08-15-2007, 02:38 PM
so is there an alternative software for comp2 KI reader?


You don't seem to understand: ONLY V1 cards (comp128) work with Woronscan.
You can't extract the Ki from V2/V3 SIM cards, not even using a brute force attack.

Offers trying to sell you a software/hardware for V2/V3 SIM cards should be considered SCAM.

demin8512
08-22-2007, 10:46 AM
what software should we use instead then?
i need this programme!!! lol

997TT
08-22-2007, 11:16 AM
what software should we use instead then?
i need this programme!!! lol

Woronscan is OK, you just need to get it from a source you trust, which apparently is getting harder and harder. :(

Ahmedmuh
08-23-2007, 07:42 AM
Your website is wrong, I have AVG Antivirus and it detected it as soon as download was done.

cheerful
12-14-2007, 03:24 PM
your AVG could've been updated.

Paxy
06-30-2008, 11:58 AM
Cleaned version has been uploaded to link:
http://rapidshare.com/files/126026125/smart_scan_eng___cleaned_by_Paxy.rar