Re: OT: Urgent - Virus issue
Mark,
None of the listed files are W98 files.
Regards
Simon
----- Original Message -----
From: Mark Hetherington <mark.egroups@xxxxxxx>
To: <ukha_d@xxxxxxx>
Sent: 19 November 2002 22:19
Subject: [ukha_d] OT: Urgent - Virus issue
> Sorry for the OT, but it will likely prove useful information to list
> members.
>
> I seem to have contracted a virus that no virus checker will find. It was a
> pretty stupid mistake that I made while trying out a new Usenet program but
> it is of concern that no virus software seems able to detect it and there
> appears to be zero information on the web.
>
> Now, so far the symptoms are:
>
> - Delivery as somename.scr with a filesize of 3568 bytes
> - Disables firewall in background on activation
> - Detects the opening of regedit, sysedit and any firewall programs and
> immediately causes them to exit.
> - Detects the running of netstat and removes all output so any connection it
> makes to the net is
> - On a reboot of Windows, the firewall will appear to start successfully but
> then exits in the background. Windows also page faults in a VXD and this may
> or may not be related to the firewall shutting down.
> - Seems to detect anti virus programs and effectively stealth and is not
> detected by them
> - Creates a number of entries in C:\WINDOWS and the Windows registry for
> startup. Very clever names that match actual Windows tasks that must be run.
> - Installs a dodgy copy of MIRC into C:\WINDOWS\SYSTEM in a new directory
> called SYSTEMY7 which includes various zombie tools which I assume would be
> used in DDOS attacks. It installs a standard IRC backdoor which virus
> checkers easily spot. It must therefore have some form of online capability
> in order to download and install such things so will likely transmit various
> other things in various other ways to propagate.
> - What else it does is anybody's guess at this stage.
>
> So far I have only stayed online long enough to download a new AV program
> and to grab a utility I used to have years ago called stopit. By killing
> various tasks (including what appear to be valid ones), I can now use the
> firewall, regedit and sysedit again. This is also the first time since I
> suspected infection that I have run email so hopefully any email based
> attack will not have occurred, but SMTP is a simple procedure so I cannot be
> sure. The loss of the firewall means I have no logs for that short time.
>
> Any Windows 98 user who has a little spare time can probably help me out
> tracking it down completely. If you fancy helping out please can you check
> your C:\Windows directory and see if the following files exist:
>
> Sysrun32.exe
> Sysscfg.exe
> MTask32.exe
> rc4toolkit.dll
> nicks.tmp
>
> All of these appear to be dated around the time of activation but I just
> want to ensure that there are no official files with these names in this
> location. nicks.tmp is likely the DDOS nicks.
>
> I imagine the virus is merely a remake of one of the many other ones that
> have done the rounds of late, but if not, I hereby name it Win32.B**tard.
>
> I will also begin a boycott NewsRover campaign since that is the program
> that made it so easy to accidentally trigger this bl**dy thing!
>
> Thanks,
>
> Mark.
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.419 / Virus Database: 235 - Release Date: 13/11/02
>
>
> http://www.automatedhome.co.uk
> Post message: ukha_d@xxxxxxx
> Subscribe: ukha_d-subscribe@xxxxxxx
> Unsubscribe: ukha_d-unsubscribe@xxxxxxx
> List owner: ukha_d-owner@xxxxxxx
>
> List of UKHA Groups here - http://groups.yahoo.com/group/UKHA_Grouplists/
>
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/