RE: Re: Virus
- To: <ukha_d@xxxxxxx>
- Subject: RE: Re: Virus
- From: "Brian G. Reynolds" <brian.g.reynolds@xxxxxxx>
- Date: Sun, 23 Sep 2001 12:13:52 +0100
- Delivered-to: mailing list ukha_d@xxxxxxx
- Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
- Reply-to: ukha_d@xxxxxxx
Forgot to mention, I also have TFTP asking but have disallowed it as I do not
know what it is!
Also can anyone tell me what the following are for in my firewall:-
NetBT Datagram
NetBT Session
Outgoing ICMP Echo Request
Trivial File Transfer Protocol App
MMC.EXE
All of these are blocked at the moment, I figure if nothing complains it
cannot be used?
The MMC.EXE was giving me a headache the other day as it would not stop! Is
this to be trusted?
Is there a website that lists what should be allowed in/out of a system? I
know it will vary between PCs depending on what programs are installed but
I am not sure what most things "do".
B.
> -----Original Message-----
> From: Brian G. Reynolds [mailto:brian.g.reynolds@xxxxxxx]
> Sent: 23 September 2001 12:04
> To: ukha_d@xxxxxxx
> Subject: RE: [ukha_d] Re: Virus
>
>
> It seems I have not got rid of this virus as my checker is still reporting
> its presence!
>
> It says there are more *.eml's but if I do a search I cannot find any!
>
> I would be grateful of any assistance please,
>
> TIA,
>
> B.
>
> > -----Original Message-----
> > From: John McManus [mailto:john.mcmanus@xxxxxxx]
> > Sent: 23 September 2001 11:27
> > To: ukha_d@xxxxxxx
> > Subject: Re: [ukha_d] Re: Virus
> >
> >
> > Having poked into things a bit more...
> >
> > Looked at the IIS log files on the server (w2k), I saw dodgy URLs being
> > entered for my site. These then invoked root.exe (which had been left over
> > from a sadm virus that was not totally cleaned). A couple of seconds after
> > the external computer tried to fire up the IIS page, TFTP was invoked to the
> > same address as the external browser (this was blocked by the firewall).
> >
> > Went to the Microsoft site & downloaded the 'coderedcleanup.exe' which
> > removed the dodgy root.exe and tidied up a couple of other IIS things.
> >
> > Everything seems to be fine... for the moment!
> >
> > Lessons learnt:
> > It is valuable to have defence in depth - firewalls, virus guards, log files
> > for review.
> > Backups are useful... but can be tricky to use if you are not sure when
> > exactly you were infected with the virus.
> > If you are running IIS, it pays to review your log files regularly.
> > hotfixchecker from Microsoft is useful to ensure you have all the
> > appropriate patches.
> > The time lost to virus attacks / fixes is a real PITA in a domestic
> > environment.
> >
> > ----- Original Message -----
> > From: <steve@xxxxxxx>
> > To: <ukha_d@xxxxxxx>
> > Sent: Sunday, September 23, 2001 10:43 AM
> > Subject: [ukha_d] Re: Virus
> >
> >
> > > If you are in win2k just look in taskman and see if anything unusual
> > > is running.
> > > If there is strange stuff happening, end task it, then find it in your
> > > computer and delete it.
> > >
> > > If you're on win98/95 and I think ME,
> > > you can't see "all" running processes, so I have a neat little utility
> > > somewhere I made in VB which allows you to list ALL running processes
> > > and kill any of them. I think if I can find it, I will add a kill
> > > and delete button as well, or a kill and move button.
> > >
> > > Interested?
> > >
> > > HTH steve
> > > --- In ukha_d@y..., "John McManus" <john.mcmanus@b...> wrote:
> > > > I am in a difficult position as my virus scanner (NAV2001) does not show
> > > > that I am infected, but the Zone Alarm Pro firewall suddenly (Wednesday)
> > > > started asking if I want to allow TFTP (trivial file transfer protocol) to
> > > > connect to the internet. I have also run a couple of the 'cleaner' programs
> > > > for Nimda virus... they too say I am not infected.
> > > >
> > > > Since I am not aware of any apps on the server that need to use TFTP (and
> > > > the addresses that it is going to are other BT Internet ones), I guess I
> > > > need to assume that I am infected with something and reformat /
> > > > re-install... a real PITA.
> > > >
> > > > Any thoughts would be appreciated.
> > > > ----- Original Message -----
> > > > From: "Brian G. Reynolds" <brian.g.reynolds@n...>
> > > > To: <ukha_d@y...>
> > > > Sent: Saturday, September 22, 2001 7:42 PM
> > > > Subject: RE: [ukha_d] Virus
> > > >
> > > >
> > > > > Thanks Keith,
> > > > >
> > > > > I am using Norton AntiVirus 2001 recently bought, I used its own virus
> > > > > scan routine, is there a better way?
> > > > >
> > > > > All the infected files were deleted.
> > > > > I do use its auto update and do it manually as well.
> > > > >
> > > > > Thanks for the info.
> > > > >
> > > > > B.
> > > > > > -----Original Message-----
> > > > > > From: Keith Doxey [mailto:ukha@xxxxxxx...]
> > > > > > Sent: 22 September 2001 19:00
> > > > > > To: ukha_d@y...
> > > > > > Subject: RE: [ukha_d] Virus
> > > > > >
> > > > > >
> > > > > > That's probably it.
> > > > > >
> > > > > > How did you run your virus scan?
> > > > > > We ran it with Windows "Find Files" containing the text "whatever you care to
> > > > > > put" so that it was forced to open every file on the machine, at which
> > > > > > time the AV software should find the infected files.
> > > > > >
> > > > > > Make sure you keep your anti virus software up to date.
> > > > > >
> > > > > > At work we use VirusScan TC from McAfee.
> > > > > > The Dat file was at version 4158 at the beginning of the week and by
> > > > > > yesterday had reached 4162.
> > > > > >
> > > > > > At home I use eTrust EZ Antivirus. Its Dat file has gone from 1491 on Monday
> > > > > > to 1512 yesterday.
> > > > > >
> > > > > > One of the worst things about Nimda is that YOU don't have to do anything to
> > > > > > catch it. I have no doubt that there will be several more viruses that mimic
> > > > > > the HTML method employed by Nimda, namely using Javascript to pop up a
> > > > > > window at coordinates that won't show on the screen and then try to do
> > > > > > malicious things to your machine. Disabling Javascript would stop that but
> > > > > > would also stop many reputable web pages from working and I believe most, if
> > > > > > not all eCommerce sites would be less than useless if you didn't support
> > > > > > Javascript.
> > > > > >
> > > > > > Once again a few idiots spoiling things for the majority :-(
> > > > > >
> > > > > > Keith
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Brian G. Reynolds [mailto:brian.g.reynolds@xxxxxxx...]
> > > > > > > Sent: 22 September 2001 15:33
> > > > > > > To: ukha_d@y...
> > > > > > > Subject: RE: [ukha_d] Virus
> > > > > > >
> > > > > > >
> > > > > > > Thanks Keith, I should have known that :-(
> > > > > > >
> > > > > > > All .eml deleted.
> > > > > > >
> > > > > > > I have run the virus scan again and it does not find any more, does that
> > > > > > > mean all is ok again?
> > > > > > > Never had a virus before, not sure when to trust it again!
> > > > > > >
> > > > > > > I have already read the threads, I have re-SP2'd and another MS patch
> > > > > > > q301625_w2k_sp3_x86_en.exe
> > > > > > > Anything else or can I now breathe again!!
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > B.
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Keith Doxey [mailto:ukha@xxxxxxx...]
> > > > > > > > Sent: 22 September 2001 15:07
> > > > > > > > To: ukha_d@y...
> > > > > > > > Subject: RE: [ukha_d] Virus
> > > > > > > >
> > > > > > > >
> > > > > > > > *.eml are email messages but the ones that you have found will be loads
> > > > > > > > with the same file size and datestamp.
> > > > > > > >
> > > > > > > > THEY ARE INFECTED WITH THE VIRUS ..... DELETE THEM.
> > > > > > > >
> > > > > > > > It also puts some code in any HTML or ASP files it finds that will infect
> > > > > > > > any other PC viewing the pages.
> > > > > > > >
> > > > > > > > Read the previous threads from when Graham was battling to remove Nimda.
> > > > > > > >
> > > > > > > > Keith
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: Brian G. Reynolds [mailto:brian.g.reynolds@xxxxxxx...]
> > > > > > > > > Sent: 22 September 2001 14:04
> > > > > > > > > To: UKHA Group
> > > > > > > > > Subject: [ukha_d] Virus
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > What are .eml files?
> > > > > > > > > I assume something to do with the web/html/IE?
> > > > > > > > > It seems that these were the most attacked, I have "quarantined" them but
> > > > > > > > > not sure if I can delete them?
> > > > > > > > >
> > > > > > > > > Another PC has also been infected but this time it seems mostly
> > > > > > > > > Psion files so I have deleted them! subtle.
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > B.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > For more information: http://www.automatedhome.co.uk
> > > > > > > > > Post message: ukha_d@y...
> > > > > > > > > Subscribe:
ukha_d-subscribe@y...
> > > > > > > > > Unsubscribe:
ukha_d-unsubscribe@y...
> > > > > > > > > List owner: ukha_d-owner@y...
> > > > > > > > >
> > > > > > > > > Your use of Yahoo! Groups is
subject to
> > > > > > > http://docs.yahoo.com/info/terms/
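Two of the symptoms in this thread can be checked mechanically rather than by eye: John's IIS log review (requests that reach a leftover root.exe, followed seconds later by outbound TFTP to the same remote address, which his firewall blocked) and Keith's description of Nimda's dropped .eml files (many copies sharing one file size and datestamp). The script below is an added example written for this archive page, not code from any list member. The IIS and firewall log lines are constructed in a simplified W3C-style layout, the directory of .eml files is constructed in a temporary folder, and every function name is the example's own.

```python
"""Added example: defender-side triage checks for the symptoms this thread
describes.  Not code from any list member.  The log lines, the .eml tree and
the function names are all constructed for the demonstration."""
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed IIS W3C-style log, trimmed to the fields the check needs.
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-22 14:01:03 192.0.2.10 GET /default.htm - 200
2001-09-22 14:01:09 192.0.2.77 GET /scripts/root.exe /c+dir 200
2001-09-22 14:01:10 192.0.2.77 GET /scripts/root.exe /c+dir+c: 200
2001-09-22 14:05:40 192.0.2.10 GET /index.asp - 200
"""

# Constructed personal-firewall log: date time action direction proto src dst
FIREWALL_LOG = """\
2001-09-22 14:01:12 BLOCK OUT UDP 192.168.1.2:1029 192.0.2.77:69
2001-09-22 14:03:00 ALLOW OUT TCP 192.168.1.2:1030 192.0.2.10:80
"""

# URI stems that reach a shell copy left in the web tree (root.exe is the
# one John found; cmd.exe is the original it was copied from).
SUSPICIOUS_URI = re.compile(r"(root|cmd)\.exe", re.IGNORECASE)


def parse_iis(text):
    """Parse the constructed W3C-style lines into dicts, skipping directives."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, ip, method, stem, query, status = line.split()
        entries.append({"ts": datetime.strptime(f"{date} {time}", TS_FMT),
                        "ip": ip, "method": method, "stem": stem,
                        "query": query, "status": int(status)})
    return entries


def suspicious_requests(entries):
    return [e for e in entries if SUSPICIOUS_URI.search(e["stem"])]


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, direction, proto, _src, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append({"ts": datetime.strptime(f"{date} {time}", TS_FMT),
                       "action": action, "direction": direction, "proto": proto,
                       "dst_ip": dst_ip, "dst_port": int(dst_port)})
    return events


def correlate_tftp(hits, events, window_seconds=10):
    """Pair each suspicious request with outbound UDP/69 to the same remote
    address inside the window: the 'TFTP back to the browser' pattern."""
    window = timedelta(seconds=window_seconds)
    pairs = []
    for hit in hits:
        for ev in events:
            if (ev["direction"] == "OUT" and ev["proto"] == "UDP"
                    and ev["dst_port"] == 69 and ev["dst_ip"] == hit["ip"]
                    and hit["ts"] <= ev["ts"] <= hit["ts"] + window):
                pairs.append((hit, ev))
    return pairs


def find_eml_clusters(root, min_count=3):
    """Group *.eml files by (size, mtime); many identical copies spread over
    folders is the dropped-mail-file symptom Keith describes."""
    groups = defaultdict(list)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".eml"):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                groups[(st.st_size, int(st.st_mtime))].append(path)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_count}


def build_demo_tree():
    """Constructed tree: six identical .eml copies plus one genuine message."""
    root = tempfile.mkdtemp(prefix="eml_demo_")
    payload = b"placeholder body, constructed for the example\n"
    stamp = 1001164800  # fixed mtime so the copies share one datestamp
    for sub in ("", "docs", os.path.join("docs", "old")):
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        for i in range(2):
            path = os.path.join(folder, f"readme{i}.eml")
            with open(path, "wb") as fh:
                fh.write(payload)
            os.utime(path, (stamp, stamp))
    with open(os.path.join(root, "saved.eml"), "wb") as fh:
        fh.write(b"a genuinely saved message, different length\n")
    return root


if __name__ == "__main__":
    hits = suspicious_requests(parse_iis(IIS_LOG))
    for hit, ev in correlate_tftp(hits, parse_firewall(FIREWALL_LOG)):
        print(f"{hit['ts']} {hit['ip']} {hit['stem']}?{hit['query']} -> "
              f"{ev['action']} UDP/69 to {ev['dst_ip']} at {ev['ts']}")
    for (size, mtime), paths in find_eml_clusters(build_demo_tree()).items():
        print(f"{len(paths)} .eml files of {size} bytes sharing mtime {mtime}")
```

The correlation window is deliberately short: the thread reports the TFTP attempt "a couple of seconds after" the web request, so a ten-second window catches it without pairing unrelated outbound traffic. Real IIS and firewall logs carry more fields and differ between products, so the two parsers would need adjusting to the actual `#Fields:` line and firewall export format before use on live data.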