OT: Urgent - Virus issue
Sorry for the OT, but it will likely prove useful information to list
members.
I seem to have contracted a virus that no virus checker will find. It was a
pretty stupid mistake that I made while trying out a new Usenet program but
it is of concern that no virus software seems able to detect it and there
appears to be zero information on the web.
Now, so far the symptoms are:
- Delivery as somename.scr with a filesize of 3568 bytes
- Disables firewall in background on activation
- Detects the opening of regedit, sysedit and any firewall programs and immediately causes them to exit.
- Detects the running of netstat and removes all output so any connection it makes to the net is
- On a reboot of Windows, the firewall will appear to start successfully but then exits in the background. Windows also page faults in a VXD and this may or may not be related to the firewall shutting down.
- Seems to detect anti-virus programs and effectively stealth itself, and is not detected by them
- Creates a number of entries in C:\WINDOWS and the Windows registry for startup. Very clever names that match actual Windows tasks that must be run.
- Installs a dodgy copy of MIRC into C:\WINDOWS\SYSTEM in a new directory called SYSTEMY7 which includes various zombie tools which I assume would be used in DDOS attacks. It installs a standard IRC backdoor which virus checkers easily spot. It must therefore have some form of online capability in order to download and install such things so will likely transmit various other things in various other ways to propagate.
- What else it does is anybody's guess at this stage.
So far I have only stayed online long enough to download a new AV program and to grab a utility I used to have years ago called stopit. By killing various tasks (including what appear to be valid ones), I can now use the firewall, regedit and sysedit again. This is also the first time since I suspected infection that I have run email so hopefully any email based attack will not have occurred, but SMTP is a simple procedure so I cannot be sure. The loss of the firewall means I have no logs for that short time.
Any Windows 98 user who has a little spare time can probably help me out
tracking it down completely. If you fancy helping out please can you check
your C:\Windows directory and see if the following files exist:
Sysrun32.exe
Sysscfg.exe
MTask32.exe
rc4toolkit.dll
nicks.tmp
All of these appear to be dated around the time of activation but I just
want to ensure that there are no official files with these names in this
location. nicks.tmp is likely the DDOS nicks.
I imagine the virus is merely a remake of one of the many other ones that
have done the rounds of late, but if not, I hereby name it Win32.B**tard.
I will also begin a boycott NewsRover campaign since that is the program
that made it so easy to accidentally trigger this bl**dy thing!
Thanks,
Mark.
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.419 / Virus Database: 235 - Release Date: 13/11/02