RE: OT: Urgent - Virus issue
It seems that adding Urgent into my Topic caused Yahoo to take almost 1.5
hours to send this to members. :(
So a progress update that will hopefully be useful to anyone that runs into
similar problems and archived in the event that anything further goes wrong
tonight.
The virus itself seems to build on various techniques rather than merely
being an "update". Some Spanish people have been affected by parts of this
issue and one published trojan uses some of the techniques but the overall
package appears to be unrecognised. Other than that, there seems to be
little information available.
I will pass my experience onto some AV people in the hope that AVPs can be
taught to cope with it but in the meantime my current fix is as follows:
1) Download and install STOPIT from http://www.mcdev.com/.
It is a useful (and free) utility in any case but essential for my current
fix.
2) Disconnect from the Internet. I do not know the full payload, but you
could be used as a zombie in a DDOS attack while infected if nothing else.
3) Run Stopit, and select and press STOPIT button on the following
processes:
C:\WINDOWS\Sysrun32.exe
C:\WINDOWS\MTask32.exe
(Note C:\WINDOWS\SYSTEM\MSTask32.exe is a valid process)
4) Delete the original email or usenet message containing the anyname.scr
file.
5) Delete the following files:
C:\WINDOWS\Sysrun32.exe
C:\WINDOWS\Sysscfg.exe
C:\WINDOWS\MTask32.exe
C:\WINDOWS\rc4toolkit.dll
C:\WINDOWS\nicks.tmp
(You might want to move the files instead of deleting them if you feel there
is risk by deleting them but make sure you move them to a location that you
will not accidentally click on them.)
6) You can now (and should) relaunch any firewall and AV programs. You
should be safe to reconnect to the Internet to update your AV program.
7) Open regedit and navigate to
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Delete the entries for:
C:\WINDOWS\Sysrun32.exe
C:\WINDOWS\MTask32.exe
Note your Anti Virus program will be disabled and may require a reinstall
since the virus has stolen the normal Anti Virus registry key. (This is how
it finds and disables the AVP, great place to store the fact you are running
one!) If your AV program has an option to run at bootup in its
configuration, deselect and reselect may be enough to restore it into the
registry.
8) Delete the directory C:\WINDOWS\SYSTEM\SYSTEMY7
It is inactive now but no point leaving trojans in place. Most AV programs
will only detect the IRC.Backdoor trojan in the file TEMP.SCR. There is also
a file called TEMP.EXE which has a MIRC icon and is a valid Mirc v5.7.
9) Reboot and run a full virus scan.
I cannot guarantee that this will remove all elements of the virus, but
AFAICT so far, it does. If I find anything else about this, I will update my
fix.
One other utility that I feel deserves mention and is also free is SWATIT from
various historical reasons, but it is free and has a better detection rate
for trojans and the like than all current AV programs. AV programs seem to
detect only IRC.backdoor in the SYSTEMY7 directory while Swatit picks up
the additional bots in the associated utilities.
http://lockdowncorp.com/bots/downloadswatit.html
Although I hope nobody has to use it, I hope this information is useful
until the AV manufacturers catch up.
I also seem to have acquired some sort of certification on my outgoing mail.
I will leave this on for a couple days before removing it so apologies for
the temporary extra text on my posts. Anyone needing a free virus checker
for Windows can find one at http://www.grisoft.com.
Mark.
> -----Original Message-----
> From: Mark Hetherington [mailto:mark.egroups@xxxxxxx]
> Sent: 19 November 2002 22:20
> To: ukha_d@xxxxxxx
> Subject: [ukha_d] OT: Urgent - Virus issue
>
>
> Sorry for the OT, but it will likely prove useful information to list
> members.
>
> I seem to have contracted a virus that no virus checker will find. It was a
> pretty stupid mistake that I made while trying out a new Usenet program but
> it is of concern that no virus software seems able to detect it and there
> appears to be zero information on the web.
>
> Now, so far the symptoms are:
>
> - Delivery as somename.scr with a filesize of 3568 bytes
> - Disables firewall in background on activation
> - Detects the opening of regedit, sysedit and any firewall programs and
> immediately causes them to exit.
> - detects the running of netstat and removes all output so any connection it
> makes to the net is
> - On a reboot of Windows, the firewall will appear to start successfully but
> then exits in the background. Windows also page faults in a VXD and this may
> or may not be related to the firewall shutting down.
> - Seems to detect anti virus programs and effectively stealth and is not
> detected by them
> - creates a number of entries in C:\WINDOWS and the Windows registry for
> startup. Very clever names that match actual Windows tasks that must be run.
> - Installs a dodgy copy of MIRC into C:\WINDOWS\SYSTEM in a new directory
> called SYSTEMY7 which includes various zombie tools which I assume would be
> used in DDOS attacks. It installs a standard IRC backdoor which virus
> checkers easily spot. It must therefore have some form of online capability
> in order to download and install such things so will likely transmit various
> other things in various other ways to propagate.
> - What else it does is anybody's guess at this stage.
>
> So far I have only stayed online long enough to download a new AV program
> and to grab a utility I used to have years ago called stopit. By killing
> various tasks (including what appear to be valid ones), I can now use the
> firewall, regedit and sysedit again. This is also the first time since I
> suspected infection that I have run email so hopefully any email based
> attack will not have occurred, but SMTP is a simple procedure so I cannot be
> sure. The loss of the firewall means I have no logs for that short time.
>
> Any Windows 98 user who has a little spare time can probably help me out
> tracking it down completely. If you fancy helping out please can you check
> your C:\Windows directory and see if the following files exist:
>
> Sysrun32.exe
> Sysscfg.exe
> MTask32.exe
> rc4toolkit.dll
> nicks.tmp
>
> All of these appear to be dated around the time of activation but I just
> want to ensure that there are no official files with these names in this
> location. nicks.tmp is likely the DDOS nicks.
>
> I imagine the virus is merely a remake of one of the many other ones that
> have done the rounds of late, but if not, I hereby name it Win32.B**tard.
>
> I will also begin a boycott NewsRover campaign since that is the program
> that made it so easy to accidentally trigger this bl**dy thing!
>
> Thanks,
>
> Mark.
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.419 / Virus Database: 235 - Release Date: 13/11/02
>
>
> http://www.automatedhome.co.uk
> Post message: ukha_d@xxxxxxx
> Subscribe: ukha_d-subscribe@xxxxxxx
> Unsubscribe: ukha_d-unsubscribe@xxxxxxx
> List owner: ukha_d-owner@xxxxxxx
>
> List of UKHA Groups here - http://groups.yahoo.com/group/UKHA_Grouplists/
>
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
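The file names, Run-key entries, SYSTEMY7 directory and process names listed in the two messages above can be turned into a read-only check that reports whether any of them are present before anyone starts killing tasks or deleting files. The PowerShell script below is an added example and is not part of either post; it assumes a current Windows with PowerShell (the original fix was for Windows 98, where C:\WINDOWS was the system directory, so $env:SystemRoot is used in its place), it deletes and kills nothing, and it compares full paths so that the legitimate C:\WINDOWS\SYSTEM\MSTask32.exe mentioned in step 3 is not confused with C:\WINDOWS\MTask32.exe. The optional .scr size check uses the 3568-byte figure from the original message and only looks in the directory you pass it.

```powershell
# Added example, not code from the original posts. Read-only check for the
# indicators listed in the thread: it reports, it does not remediate.
param(
    # Optional directory to scan for .scr files of the size given in the
    # original message (3568 bytes). Left empty, that check is skipped.
    [string]$ScrSearchDir = ''
)

# Assumption: $env:SystemRoot plays the role of C:\WINDOWS from the posts.
$windir = $env:SystemRoot

# File names from step 5 of the fix, all expected directly in the Windows dir.
$suspectFiles = @('Sysrun32.exe', 'Sysscfg.exe', 'MTask32.exe',
                  'rc4toolkit.dll', 'nicks.tmp') |
    ForEach-Object { Join-Path $windir $_ }

# Directory from step 8 and the Run key from step 7.
$suspectDir   = Join-Path $windir 'SYSTEM\SYSTEMY7'
$runKey       = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runIndicators = @('Sysrun32.exe', 'MTask32.exe')

# Processes from step 3, matched on full path so SYSTEM\MSTask32.exe is
# not reported (the post says that one is a valid process).
$suspectProcs = @('Sysrun32.exe', 'MTask32.exe') |
    ForEach-Object { Join-Path $windir $_ }

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Indicator = $Indicator; Detail = $Detail })
}

# 1. Files in the Windows directory.
foreach ($f in $suspectFiles) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $item = Get-Item -LiteralPath $f
        Add-Finding 'File' $f "size=$($item.Length) modified=$($item.LastWriteTime)"
    }
}

# 2. The SYSTEMY7 directory (step 8).
if (Test-Path -LiteralPath $suspectDir -PathType Container) {
    $count = (Get-ChildItem -LiteralPath $suspectDir -Force -File -ErrorAction SilentlyContinue | Measure-Object).Count
    Add-Finding 'Directory' $suspectDir "present, $count file(s)"
}

# 3. Run key values whose data references one of the executables (step 7).
if (Test-Path -Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
        foreach ($name in $runIndicators) {
            if ("$($prop.Value)" -match [regex]::Escape($name)) {
                Add-Finding 'RunKey' "$runKey\$($prop.Name)" "$($prop.Value)"
            }
        }
    }
}

# 4. Running processes, compared by full image path.
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_
    if ($p.Path) {
        foreach ($s in $suspectProcs) {
            if ($p.Path -ieq $s) { Add-Finding 'Process' $p.Path "pid=$($p.Id)" }
        }
    }
}

# 5. Optional: .scr files of the 3568-byte size named in the original message.
if ($ScrSearchDir -and (Test-Path -LiteralPath $ScrSearchDir -PathType Container)) {
    Get-ChildItem -LiteralPath $ScrSearchDir -Recurse -File -Filter '*.scr' -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq 3568 } |
        ForEach-Object { Add-Finding 'ScrFile' $_.FullName "size=$($_.Length)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the thread were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell so the HKLM Run key and process paths are readable; without elevation some process paths come back empty and those processes are silently skipped. Because it only reports, it can be run before the STOPIT/delete steps to confirm what is actually present and again after step 9 to confirm the entries are gone.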