The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024
RE: OT: Urgent - Virus issue
- To: <ukha_d@xxxxxxx>
- Subject: RE: OT: Urgent - Virus issue
- From: "Phillip Harris" <phil@xxxxxxx>
- Date: Tue, 19 Nov 2002 22:53:04 -0000
- Mailing-list: list ukha_d@xxxxxxx; contact ukha_d-owner@xxxxxxx
- Reply-to: ukha_d@xxxxxxx
That's the problem with browsing for pr0n... :-)
Phil
> -----Original Message-----
> From: Mark Hetherington
> [mailto:mark.egroups@xxxxxxx]
> Sent: 19 November 2002 22:20
> To: ukha_d@xxxxxxx
> Subject: [ukha_d] OT: Urgent - Virus issue
>
>
> Sorry for the OT, but it will likely prove useful information
> to list members.
>
> I seem to have contracted a virus that no virus checker will
> find. It was a pretty stupid mistake that I made while trying
> out a new Usenet program but it is of concern that no virus
> software seems able to detect it and there appears to be zero
> information on the web.
>
> Now, so far the symptoms are:
>
> - Delivery as somename.scr with a filesize of 3568 bytes
> - Disables firewall in background on activation
> - Detects the opening of regedit, sysedit and any firewall
> programs and immediately causes them to exit.
> - detects the running of netstat and removes all output so any
> connection it makes to the net is
> - On a reboot of Windows, the firewall will appear to start
> successfully but then exits in the background. Windows also
> page faults in a VXD and this may or may not be related to
> the firewall shutting down.
> - Seems to detect anti virus programs and effectively stealth
> and is not detected by them
> - creates a number of entries in C:\WINDOWS and the Windows
> registry for startup. Very clever names that match actual
> Windows tasks that must be run.
> - Installs a dodgy copy of MIRC into C:\WINDOWS\SYSTEM in a
> new directory called SYSTEMY7 which includes various zombie
> tools which I assume would be used in DDOS attacks. It
> installs a standard IRC backdoor which virus checkers easily
> spot. It must therefore have some form of online capability
> in order to download and install such things so will likely
> transmit various other things in various other ways to propagate.
> - What else it does is anybody's guess at this stage.
>
> So far I have only stayed online long enough to download a
> new AV program and to grab a utility I used to have years ago
> called stopit. By killing various tasks (including what
> appear to be valid ones), I can now use the firewall, regedit
> and sysedit again. This is also the first time since I
> suspected infection that I have run email so hopefully any
> email based attack will not have occurred, but SMTP is a
> simple procedure so I cannot be sure. The loss of the
> firewall means I have no logs for that short time.
>
> Any Windows 98 user who has a little spare time can probably
> help me out tracking it down completely. If you fancy helping
> out please can you check your C:\Windows directory and see if
> the following files exist:
>
> Sysrun32.exe
> Sysscfg.exe
> MTask32.exe
> rc4toolkit.dll
> nicks.tmp
>
> All of these appear to be dated around the time of activation
> but I just want to ensure that there are no official files
> with these names in this location. nicks.tmp is likely the DDOS
> nicks.
>
> I imagine the virus is merely a remake of one of the many
> other ones that have done the rounds of late, but if not, I
> hereby name it Win32.B**tard.
>
> I will also begin a boycott NewsRover campaign since that is
> the program that made it so easy to accidentally trigger this
> bl**dy thing!
>
> Thanks,
>
> Mark.
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.419 / Virus Database: 235 - Release Date: 13/11/02
>
>
http://www.automatedhome.co.uk
Post message: ukha_d@xxxxxxx
Subscribe: ukha_d-subscribe@xxxxxxx
Unsubscribe: ukha_d-unsubscribe@xxxxxxx
List owner: ukha_d-owner@xxxxxxx
List of UKHA Groups here -
http://groups.yahoo.com/group/UKHA_Grouplists/
Your use of Yahoo! Groups is subject to
http://docs.yahoo.com/info/terms/
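Mark's post asks Windows 98 users to check C:\Windows for five file names. The script below is an added example, not code from the thread or from any list member, that performs that check and also looks for the SYSTEM\SYSTEMY7 directory and for a 3568-byte .scr anywhere under the Windows directory, the two other file-system details the post gives. Only those names, that directory and that size come from the post; the function names and the demo tree built by build_demo_windows_dir() are assumptions of this example. It runs under a current Python on a mounted or copied Windows directory rather than on Windows 98 itself.

```python
"""Look for the file-system indicators named in the post above.

Added example, not code from the original thread. The five file names,
the SYSTEM\\SYSTEMY7 directory and the 3568-byte .scr size are taken from
the post; everything else (function names, the demo tree) is assumed here.
"""
import os
import tempfile
from datetime import datetime

# The files the post asks list members to look for in C:\WINDOWS.
WINDOWS_FILE_IOCS = ("Sysrun32.exe", "Sysscfg.exe", "MTask32.exe",
                     "rc4toolkit.dll", "nicks.tmp")
# Directory the post says the bundled mIRC copy was unpacked into.
DROPPER_DIR = os.path.join("SYSTEM", "SYSTEMY7")
# Size of the somename.scr delivery file reported in the post.
SCR_SIZE = 3568
SCR_LABEL = "*.scr of %d bytes" % SCR_SIZE


def _hit(ioc, path):
    st = os.stat(path)
    return {"ioc": ioc, "path": path, "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime)}


def scan_windows_dir(win_dir):
    """Return {"hits": [...], "dropper_dir": bool} for one Windows directory.

    FAT volumes are case-insensitive and may show names in upper case, so
    IOC names are matched case-insensitively and the name actually present
    on disk is what gets recorded in the hit.
    """
    findings = {"hits": [], "dropper_dir": False}
    try:
        on_disk = {name.lower(): name for name in os.listdir(win_dir)}
    except (FileNotFoundError, NotADirectoryError):
        return findings
    for ioc in WINDOWS_FILE_IOCS:
        actual = on_disk.get(ioc.lower())
        if actual is not None:
            findings["hits"].append(_hit(ioc, os.path.join(win_dir, actual)))
    findings["dropper_dir"] = os.path.isdir(os.path.join(win_dir, DROPPER_DIR))
    # The .scr may have been saved anywhere below the Windows dir (a news
    # reader's download folder, for instance), so walk the tree for it.
    for root, _dirs, files in os.walk(win_dir):
        for name in files:
            path = os.path.join(root, name)
            if name.lower().endswith(".scr") and os.path.getsize(path) == SCR_SIZE:
                findings["hits"].append(_hit(SCR_LABEL, path))
    return findings


def mtime_spread_seconds(findings):
    """Seconds between the oldest and newest hit, or None with no hits.

    The post notes the dropped files are all dated around the time of
    activation; a tight spread supports that, an outlier deserves a look.
    """
    times = [h["mtime"] for h in findings["hits"]]
    if not times:
        return None
    return (max(times) - min(times)).total_seconds()


def format_report(findings):
    """Render findings as lines of text for pasting back to the list."""
    lines = []
    for h in sorted(findings["hits"], key=lambda h: h["mtime"]):
        lines.append("%-22s %6d bytes  %s  %s" % (
            h["ioc"], h["size"], h["mtime"].strftime("%Y-%m-%d %H:%M:%S"), h["path"]))
    lines.append("%s present: %s" % (DROPPER_DIR, findings["dropper_dir"]))
    spread = mtime_spread_seconds(findings)
    if spread is not None:
        lines.append("mtime spread across hits: %.0f s" % spread)
    return lines


def build_demo_windows_dir():
    """Constructed stand-in for an infected C:\\WINDOWS (sample data, no real artefacts)."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    os.makedirs(os.path.join(root, "SYSTEM", "SYSTEMY7"))
    os.makedirs(os.path.join(root, "TEMP"))
    # Upper-case names as FAT may report them, plus a legitimate file that must not match.
    for name in ("SYSRUN32.EXE", "nicks.tmp", "NOTEPAD.EXE"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    with open(os.path.join(root, "TEMP", "somename.scr"), "wb") as fh:
        fh.write(b"\x00" * SCR_SIZE)
    with open(os.path.join(root, "TEMP", "other.scr"), "wb") as fh:  # wrong size: ignored
        fh.write(b"\x00" * 100)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_windows_dir()
    print("\n".join(format_report(scan_windows_dir(target))))
```

Run it with the path of the Windows directory to check as its only argument; with no argument it scans the constructed demo tree. A name match on its own is not proof of infection, which is exactly why the post asks whether any of these names belong to official Windows files; the mtime spread and the presence of the SYSTEMY7 directory are the corroborating signals to report alongside the names.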