4
I have recently run into some malware on my computer that has gathered up my computer's make and hard drive make and serial number, along with probably many other things.
The malware installed itself along with I believe an application called WINZIPPER that replaced WinRAR. Its installation did the obvious things of changing the start-up page in all of my (common) browsers, and initially ran an executable from a temp folder, though this was once only. It then added its URL to the startup shortcuts for all of my common browsers, including a query string containing all of that information.
Upon starting any of the browsers, it would add this URL:
www.delta-homes.com/?type=<MyComputer'sMake>&ts=<ASerialNumber>&z=<AnotherLongRandomAlphanumericSerialNumber>&from=wpm<Number>&uid=<HardDriveMake+Serial>
From a whois search, the delta-homes.com domain is registered by Beijing ELEX Technology Co., Ltd., who appears to be a games maker in China.
Removing all of the above and all references to that URL in the registry, I believe I have found all the points of infection. Though I think one of these web requests was successfully sent, so partly I offer this information as a searchable reference for the common good, and partially to ask what further danger or vulnerability do I have now that information has been stolen.
- If this is a known infection, have I found all of the infection points?
- With the damage done, what further risk am I now at?
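The persistence mechanism described in the question is a browser shortcut whose Arguments field has been changed to launch the browser with a hijack URL. The following PowerShell script is an added example, not code from the question or from any answer: it walks the usual shortcut locations (Desktop, Start Menu, Quick Launch and the pinned taskbar items beneath it), reads each .lnk through the WScript.Shell COM object, and reports any shortcut that passes a URL as an argument, flagging those that contain the delta-homes.com domain named above. It assumes a Windows host; the indicator string and the `$remediate` switch are the example's own.

```powershell
# Added example: find browser shortcuts whose Arguments carry a URL (the hijack
# pattern described in the question). Assumes Windows and the WScript.Shell COM object.

$indicator = 'delta-homes.com'   # domain named in the question; adjust for other campaigns
$remediate = $false              # set to $true to strip the Arguments field from confirmed hits

$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')  # includes User Pinned\TaskBar
)

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $shortcutDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            # A clean browser shortcut normally has an empty Arguments field. Any URL there
            # is suspicious; a hit on the known indicator is a confirmed match.
            if ($lnk.Arguments -match 'https?://|www\.') {
                $hit = [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    KnownIOC  = ($lnk.Arguments -like "*$indicator*")
                }
                if ($remediate -and $hit.KnownIOC) {
                    # Remove the injected argument and write the shortcut back unchanged otherwise.
                    $lnk.Arguments = ''
                    $lnk.Save()
                }
                $hit
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No shortcuts launch a browser with a URL argument.'
}
```

Run it in a normal user session first with `$remediate` left at `$false` to review the list; shortcuts under the common (all-users) directories need an elevated prompt to be rewritten. Note that this only covers the shortcut persistence the question describes; the registry references and the temp-folder executable mentioned there still need to be checked separately.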
2
The serial of your HDD is a way to identify you. Since no other HDD of the same model will have the serial number, combined with other information, it can be used as a GUID. We can't possibly know if you have removed all the infection points. Consider just removing that from your question. Even the second question "what benefit" comes from having this information we can only speculate. – Ramhound – 2015-05-28T12:23:27.647
@Ramhound I did wonder about that, though I was hoping this was a relatively standard infection where all of the infection points were known already. On the second question, your answer could be cast as, 'they benefit from identifying you', but I know what you mean. Maybe I could just rephrase it. – J Collins – 2015-05-28T12:34:32.460
If you have any doubt nuke from orbit. – Ramhound – 2015-05-28T12:43:48.203
Looks like MBAM can get you most of the way. http://malwaretips.com/blogs/delta-homes-removal/ – Austin T French – 2015-05-28T13:07:25.797
It's just a unique identifier, like your fingerprints. – Moab – 2015-05-29T02:17:19.067