Thread: what is gsdfgt.exe mean in wordpress blog.

Hi,

Today i am checking my blog awstats and notice that i am got 38 visit by key phrase gsdfgt.exe.
then i did a search on google with "gsdfgt.exe mydomainname.com " and i got this text message

" 13 Apr 2010 ... C:\DOCUME~1\JKI\LOCALS~1\Temp\gsdfgt.exe. The NTVDM CPU has encountered an illegal instruction. CS:054a IP:018f OP:63 68 61 72 73 Choose ..."


and when i visit that url i got page not found error.

So can anyone explain me what is gsdfgt.ext

it is virus or any other headache ?

Netbuilders shows up first for the search term "gsdfgt.exe".

This usually happens in the Windows systems.

Originally Posted by jakki

Hi,

Today i am checking my blog awstats and notice that i am got 38 visit by key phrase gsdfgt.exe.
then i did a search on google with "gsdfgt.exe mydomainname.com " and i got this text message

" 13 Apr 2010 ... C:\DOCUME~1\JKI\LOCALS~1\Temp\gsdfgt.exe. The NTVDM CPU has encountered an illegal instruction. CS:054a IP:018f OP:63 68 61 72 73 Choose ..."


and when i visit that url i got page not found error.

So can anyone explain me what is gsdfgt.ext

it is virus or any other headache ?

probably a virus of some sort,http://www.virustotal.com upload the file here and see what it says

Hi Jakki. This file gsdfgt.exe is related to something very huge and very bad.

So can anyone explain me what is gsdfgt.ext

gsdfgt.exe seems to be one of the files created by a very nasty P2P Worm called Peerfrag [Nod32] also known as Palevo [Kaspersky].

Basically it copies itself to the recycler and auto runs from the recycle bin. It's a usb drive infector, backdoor trojan, msn messenger / p2p network worm.

It's also a spambot which can be controlled via IRC.

It creates scheduled tasks and checks for updates every hour and auto runs the exec every hr as well. It also makes connections to sites related to fake antivirus hijacks.

--------------
File analysis:
--------------
Virustotal. MD5: 4e84e8259340641f1f9930d0f4d677bd Infostealer.Banker.C Heuristic.LooksLike.Win32.Suspicious.B Worm.Generic.102961
Malware Fix: Win32/Peerfrag.FD
Worm/Palevo.rxq - Full description

--------------

" 13 Apr 2010 ... C:\DOCUME~1\JKI\LOCALS~1\Temp\gsdfgt.exe. The NTVDM CPU has encountered an illegal instruction. CS:054a IP:018f OP:63 68 61 72 73 Choose ..."

The NTVDM error part means the exe file was probably corrupt or it was run on an incompatible operating system.
-
What is worrying is that there are also zeus / zbot connections in the file analysis logs.

So a good question is why is this showing up in your Awstats logs.

As you can see from this analysis log -> Autovin � File Analyzer: 69edf4a9681fa97752d98b67b57f950efb03ce9e , the infection downloads more files from various sites and contacts a lot of different IP's, even loads ads, it's possible your server may be infected or there is a site on the server which has been infected.

By comparing the files and IP's from the log analysis for Peerfrag with other recent malvertising events we can say that this also looks to be connected to the recent Network solutions and Godaddy server hacks - http://stopmalvertising.com/malverti...blogs-affected , which has also been connected to Zbot - Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: GoDaddy's Mass WordPress Blogs Compromise Serving Scareware

If you are running ad yieldmanager or xtendmedia ads on your site you may be directly infecting people or you are part of spreading the infection. There are ad rotators involved which usually combined with geotargeting makes things even harder to detect.

Last week it was rightmedia who were caught spreading malware though their ads.
http://stopmalvertising.com/malverti...xtreme-caution
http://stopmalvertising.com/malverti...inccom-payload

Take note, all these ad companies are owned by yahoo. They just don't check things properly, I think they see the $$$ just fine but that's about it.


Can you please send me the name of your site to check that it hasn't been hacked / compromised. Wordpress is the main target for these hacks.
This is especially important if you are using either Network Solutions, Dreamhost or Godaddy as your webhost.

Jakki because you are hosted at Godaddy you have probably been a victim of the recent mass server hacking.

Please scan your site with this tool to get a detailed report of any currently infected & hacked files:

Sucuri Web Integrity Monitoring

I found your site theme had files which appears to be infected:

wp-content/themes/GrooveGreen/menu/mootools-1.2.1-core-yc.js

The MenuMatic.js is also detected.

More info from a previous hack using the menumatic file:

the file /js/MenuMatic_0.68.3.js did load the infected script so look for onInit_begin: (function () {F65a045b3()})
- note: the name of the function will be different and match the function name in mootools-1.2.1-core-yc.js

code has been added under Class definition: in MenuMatic_0.68.3.js

Three other commonly infected files with this server hack are :

•/wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/style.css.php
•/wp-includes/functions.php
•/wp-includes/http.php

There could be other files and things could change as the infections are cleaned up and then the site is reinfected. Network solutions has been getting rehacked every weekend lately, so I don't think this problem is going away anytime soon.

Be prepared for the weekends, that's when the hackers strike because no one is usally able to respond to the problems and damages they cause until at least monday leaving them two full days to mass infect people.

--

Please check this for details about the hack and how to clean things up:
http://www.wpsecuritylock.com/cechri...dy-case-study/

The script used to infect people has been updated and changed since the hack was first described in the article above, so you may have different files affected.
Your site is still infected and the malicious files could be updated anytime.

WordPress blogs hosted on Go Daddy and other hosting companies were hacked by another malicious attack on April 24, 2010 at 6:54am.

A nasty little exploit has hit a large number of Go Daddy-hosted WordPress blogs this weekend. The best part is that the exploit only executes when the traffic is referred by Google, making it the sort of thing that site maintainers won't easily notice. Clever and devious.

--

Important: You should be very careful that you haven't been infected yourself. Do a full virus scan etc.

Hello mike,

Thanks you a lot for writing a great info post and thanks a lot for your time.

I am going to replace that file with default file and hope this will solve my problem..

It's unfortunate that Godaddy have placed the blame on everything and anything they can find and totally ignore the fact that their servers are insecure.

They simply do not seem to care about their customers enough to take things seriously. Once a large proportion of users leave Godaddy over these repeated hacks, maybe they will reconsider looking into where the real problems are.

It's amazing that one of Godaddy's own customers had to do the hard work to find out why his and everyone else's sites continue to be mass hacked.

While GoDaddy was busy blaming its users, one of our friends got tired of getting hacked and setup a cron script to monitor his site and alert him when new files were added.

I called GoDaddy and they insisted it was a problem in my code. Although I knew they were wrong, there was really nothing I could do.

Godaddy is aware of this, but they continue to try to deflect the blame onto others. They even lie. They deleted a file from my site that had "good" base 64 encoded code, then claimed they didn't do it.

-> Sucuri Security: Found code used to inject the malware at GoDaddy


Most people who have tried to deal with the ignorant Godaddy technical support are now recommending that everyone run as fast as you can away from Godaddy and find another host.

More info:
Hosting With GoDaddy? Might Want To Rethink That Decision. | Smackdown!

These hacks affect network solutions and dreamhost, maybe many other hosts too, but the hacks won't ever stop at Godaddy until they take responsibility for the insecurity of their own infrastructure.

I hope you aren't stuck with Godaddy hosting Jakki. As the other web hosts have already realised and admitted, this is not a wordpress vulnerability, or because of out of date scripts. These mass hackings are due to insecure shared server configurations and it's been proven now that nothing you can do to protect your site will have any effect to stop the hacks from continuing.