On Aug 18, 5:29 am, cbgerry <cbge...@bluecollarpc.net> wrote:
> Manually identify/remove: Mystery web attack hijacks your clipboard
> August 18, 2008 by bluecollarpc http://bluecollarpc.wordpress.com/2008/08/18/manually-identifyremove-...
>
> Manually identify/remove: Mystery web attack hijacks your clipboard
> ….. my first attempt at this:
>
> Posted: Mon Aug 18, 2008 2:36 am Post subject: Removals…. http://www.thornsoft.com/phpBB2/view...?p=12642#12642
>
> bluecollarpc wrote:
>
> Hi… I have posted from this news article:
> Mystery web attack hijacks your clipboard http://www.theregister.co.uk/2008/08/15/webbased_clipboard_hijacking/
> ….at my forum here: http://bluecollarpc.net/smf/index.php/topic,740.0.html
> …..I am researching and came across the possible way to backtrack this
> to origin perhaps in a rudimentary way that is not too hard. It is
> strange and is attracting the security news rooms. Hope this helps in
> the least as a starting place of a manual removal of a malware. Most
> likely, quality antivirus and antispyware will have it nailed within
> weeks tops.
>
> From the idea of like a browser hijacker always setting its own
> Homepage, this is like tracking to the source of the “ownership”….
>
> Apparently this may be an “in the wild threat” assuming these persons
> use quality antivirus and also have scanned with quality antispyware.
>
> Let’s try a manual clearing of the Clipboard…
>
> EmptyClipboard Function http://msdn.microsoft.com/en-us/library/ms649037(VS.85).aspx
> The EmptyClipboard function empties the clipboard and frees handles to
> data in the clipboard. The function then assigns ownership of the
> clipboard to the window that currently has the clipboard open.
>
> Syntax
> BOOL EmptyClipboard(VOID);
>
> Parameters
> This function has no parameters.
>
> Return Value
> If the function succeeds, the return value is nonzero.
> If the function fails, the return value is zero. To get extended error
> information, call GetLastError.
>
> Remarks
> Before calling EmptyClipboard, an application must open the clipboard
> by using the OpenClipboard function. If the application specifies a
> NULL window handle when opening the clipboard, EmptyClipboard succeeds
> but sets the clipboard owner to NULL. Note that this causes
> SetClipboardData to fail.
>
> For an example, see Copying Information to the Clipboard.
>
> Function Information
> Minimum DLL Version user32.dll
> Header Declared in Winuser.h, include Windows.h
> Import library User32.lib
> Minimum operating systems Windows 95, Windows NT 3.1
>
> See Also
> Clipboard, OpenClipboard, SetClipboardData, WM_DESTROYCLIPBOARD
> ————NEXT:
>
> A clue here to back track to whatever is repeatedly entering the
> information to the clipboard may be here as the “Clipboard Ownership”
> …..
>
> Clipboard Ownership http://msdn.microsoft.com/en-us/library/ms649014(VS.85).aspx#_win32_C...
>
> The clipboard owner is the window associated with the information on
> the clipboard. A window becomes the clipboard owner when it places
> data on the clipboard — specifically, when it calls the EmptyClipboard
> function. The window remains the clipboard owner until it is closed or
> another window empties the clipboard.
>
> When the clipboard is emptied, the clipboard owner receives a
> WM_DESTROYCLIPBOARD message. Following are some reasons why a window
> might process this message:
>
> The window delayed rendering of one or more clipboard formats. In
> response to the WM_DESTROYCLIPBOARD message, the window might free
> resources it had allocated in order to render data on request. For
> more information about the rendering of data, see Delayed Rendering.
>
> The window placed data on the clipboard in a private clipboard format.
> The data for private clipboard formats is not freed by the system when
> the clipboard is emptied. Therefore, the clipboard owner should free
> the data upon receiving the WM_DESTROYCLIPBOARD message. For more
> information about private clipboard formats, see Clipboard Formats…. http://msdn.microsoft.com/en-us/libr...13(VS.85).aspx
>
> The window placed data on the clipboard using the CF_OWNERDISPLAY
> clipboard format. In response to the WM_DESTROYCLIPBOARD message, the
> window might free resources it had used to display information in the
> clipboard viewer window. For more information about this alternative
> format, see Owner Display Format.
> ————-NEXT:
>
> So you may try to discover the ownership by….
>
> Clipboard Sequence Number
> The clipboard for each window station has an associated clipboard
> sequence number. This number is incremented whenever the contents of
> the clipboard change. To obtain the clipboard sequence number, call
> the GetClipboardSequenceNumber function…. http://msdn.microsoft.com/en-us/libr...42(VS.85).aspx
> —————–
>
> It would help if persons may try a HiJackThis Log and post it, may
> reveal a start up process involved. Grab that info at my alternate www.BlueCollarPC.Org site here:
> Submit HiJackThis Logs (Information) http://www.bluecollarpc.org/_mgxroot/page_10736.html
>
> I am webmaster of both www.BlueCollarPC.Net and www.BlueCollarPC.Org
>
> you can email here bluecollarpc at yahoo.com (my Yahoo ID)
> You’ll find my groups/lists linked at my sites. Hope this may help and
> this is the strangest occurrence in security world I have seen since
> year 2001 on my first PC. Very strange and has some dark possibilities
> of greater attacks obviously. Let’s hope the whole heads up gets the
> security software industry’s help and removal signatures if indeed
> even a new category “Clipboard Hijacker”. What a first… What next ?
> yuck !
>
> gerald philly pa usa
> (Administrators may contact my registration private address for sure)
>
> If anyone comes up with anything they can paste as the actual
> installation - do indeed enter that at CounterSpy, Webroot Spysweeper,
> Trend Micro, others. As well - here at this product site which has the
> largest definitions database probably in the world at over 1 Million
> Definitions currently. Industry leader Webroot is above 300,000 as
> comparison…. SCAN WITH THIS (most aggressive roto router ! ) :
>
> a-squared trojan remover (Free Working Version for life and Proactive
> Premium Version) http://www.emsisoft.com/en/software/free/
> a-squared (a-squared) is a complementary product to antivirus software
> and desktop firewalls on MS Windows computers. Antivirus software
> specializes in detecting classic viruses. Many available products have
> weaknesses in detecting other malicious software (Malware) like
> Trojans, Dialers, Worms and Spyware (Adware). a-squared fills the gap
> that malware writers exploit. Automatic updates: In a-squared Free the
> updater must be run manually. The auto-update feature of a-squared
> Personal checks hourly for new available updates and installs them
> automatically. a-squared Free is freeware! You can download and use it
> completely for free.
>
> …..If indeed it is detected in the Microsoft Free Malicious Software
> Removal Tool monthly through normal Windows Updates on ‘Patch
> Tuesday’ (second Tuesday each month) surely the removal definitions
> will be added to Windows Defender (antispyware) or One Care and should
> be worth the scan….
>
> Microsoft AntiSpyware is now Windows Defender
> [working-freeware from Microsoft] http://www.microsoft.com/athome/security/spyware/software/default.mspx
> Windows Defender is a free program that helps protect your computer
> against pop-ups, slow performance, and security threats caused by
> spyware and other unwanted software. It features Real-Time Protection,
> a monitoring system that recommends actions against spyware when it’s
> detected, and a new streamlined interface that minimizes interruptions
> and helps you stay productive.
>
> gerald philly pa usa
> _________________
> Webmaster www.BlueCollarPC.Net
>
> Tags: Clip Board, clipboard
> Posted in BCPCNet WebLog, SpyLerts
More On The Clipboard-Jacking Attacks
PC Magazine - USA
The excellent coverage of this in the Spyware Sucks blog continues
with the news that the Firefox Noscript add-in doesn't mitigate the
issue (not surprising ...
http://blogs.pcmag.com/securitywatch...jacking_a..php
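The quoted post suggests tracing the clipboard writer through the clipboard owner and the clipboard sequence number. Here is that idea as a working diagnostic, added here and not code from the post, the forum, or Microsoft: the script polls GetClipboardSequenceNumber and, whenever the number moves, resolves the owner window reported by GetClipboardOwner to its process with GetWindowThreadProcessId, then logs the owner, the process path, and a preview of the new clipboard text. It assumes a Windows host with Windows PowerShell 5.1 or later (for Get-Clipboard) and the documented user32.dll exports; the ClipWatch namespace and the two function names are my own choices.

```powershell
# Added example, not from the original post: watch the clipboard sequence number
# and report which window/process owns the clipboard each time it changes.
# Assumes Windows with Windows PowerShell 5.1+ (Get-Clipboard) and the documented
# user32.dll exports; the ClipWatch namespace and function names are assumptions.
Add-Type -Namespace ClipWatch -Name Native -MemberDefinition @'
[DllImport("user32.dll")]
public static extern uint GetClipboardSequenceNumber();
[DllImport("user32.dll")]
public static extern IntPtr GetClipboardOwner();
[DllImport("user32.dll")]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
[DllImport("user32.dll", CharSet = CharSet.Auto)]
public static extern int GetClassName(IntPtr hWnd, System.Text.StringBuilder lpClassName, int nMaxCount);
'@

function Get-ClipboardOwnerInfo {
    # Resolve the current clipboard owner (the window that last called EmptyClipboard).
    $hwnd = [ClipWatch.Native]::GetClipboardOwner()
    if ($hwnd -eq [IntPtr]::Zero) {
        # NULL owner: the writer opened the clipboard with a NULL window handle
        # (see the EmptyClipboard remarks quoted above), so there is no window to trace.
        return [pscustomobject]@{ Hwnd = 0; Class = '<none>'; ProcessId = 0; Process = '<unknown>'; Path = '<unknown>' }
    }
    [uint32]$ownerPid = 0
    [void][ClipWatch.Native]::GetWindowThreadProcessId($hwnd, [ref]$ownerPid)
    $class = New-Object System.Text.StringBuilder 256
    [void][ClipWatch.Native]::GetClassName($hwnd, $class, $class.Capacity)
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    $path = '<unknown>'
    if ($proc) { try { if ($proc.Path) { $path = $proc.Path } } catch { $path = '<access denied>' } }
    [pscustomobject]@{
        Hwnd      = $hwnd.ToInt64()
        Class     = $class.ToString()
        ProcessId = $ownerPid
        Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
        Path      = $path
    }
}

function Watch-Clipboard {
    param([int]$Seconds = 60, [int]$IntervalMs = 250)
    $last = [ClipWatch.Native]::GetClipboardSequenceNumber()
    $deadline = (Get-Date).AddSeconds($Seconds)
    Write-Host "Watching clipboard for $Seconds s (starting sequence number $last)"
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds $IntervalMs
        $seq = [ClipWatch.Native]::GetClipboardSequenceNumber()
        if ($seq -eq $last) { continue }
        # The sequence number moved, so something wrote to the clipboard: record owner and content.
        $info = Get-ClipboardOwnerInfo
        $text = Get-Clipboard -Raw -ErrorAction SilentlyContinue
        $preview = if ($text) { $text.Substring(0, [Math]::Min(80, $text.Length)) } else { '<non-text or empty>' }
        Write-Host ('{0:HH:mm:ss} seq {1}->{2} owner hwnd=0x{3:X} class="{4}" pid={5} {6} {7}' -f `
            (Get-Date), $last, $seq, $info.Hwnd, $info.Class, $info.ProcessId, $info.Process, $info.Path)
        Write-Host "    content: $preview"
        $last = $seq
    }
}

Watch-Clipboard -Seconds 60
```

Run it in an interactive session while the symptom is reproducing (copy something, wait, paste) and the log shows which process re-wrote the clipboard and what it put there. Two limits follow directly from the quoted documentation: the owner is only the window that last called EmptyClipboard, so for a web-based hijacker it points at the browser or plugin host process rather than at the page or ad inside it, and a writer that opened the clipboard with a NULL window handle leaves no owner window to trace. Even so, a timestamped record of owner process, path and replaced content is the starting point the post asks for when submitting a report to an antispyware vendor.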