|
|
Focus on Virus
what is the best procedure to track down a potentially new virus/worm/etc? Dec 10 2004 06:50PM Rodrigo Ventura (yoda isr ist utl pt) (5 replies) RE: what is the best procedure to track down a potentially new virus/worm/etc? Dec 14 2004 10:21PM Roger Padilla Jr (ropadill calpoly edu) Re: what is the best procedure to track down a potentially new virus/worm/etc? Dec 14 2004 09:14PM Phil Nelson (pdn PhilNelson DNSalias net) Re: what is the best procedure to track down a potentially new virus/worm/etc? Dec 14 2004 08:25PM John Barton (jbarton technicalworks net) Re: what is the best procedure to track down a potentially new virus/worm/etc? Dec 14 2004 08:19PM John Barton (jbarton technicalworks net) (1 replies) Re: what is the best procedure to track down a potentially new virus/worm/etc? Dec 15 2004 01:56AM Rich Gardner (rich gardner gmail com) |
|
Privacy Statement |
Glad you were able to apply a "band-aid" to get it under control temporarily.
> My question is, what do you think is the best procedure to track down
> the executables responsible for this behavior? After tracking them
> down, I could submit the sample to several online scanners in order to
> determine which specific malware is affecting the PCs.
>
> It it were UNIX, I could use commands like socklist and netstat to
> track down the malware processes. But in Windows XP, I don't know what
> to use. Are there any built-in utilities? Some freeware stuff? All
> help is welcome.
A useful program for Windows is freeware from Foundstone called Fport:
- http://www.foundstone.com/resources/proddesc/fport.htm
Once you've narrowed down the EXEs, you could submit it to a place
like VirusTotal:
- http://www.VirusTotal.com
This will scan the EXEs with many different AV engines for known
malware (even spyware/adware from some engines). They will also
automatically send your malware sample to all engines used. (To
disable this, click the "Distribute" icon next to the file submission
line.)
Nick FitzGerlad also put up a list some time ago of addresses to
submit samples too. If any of these are out of date, please let me
know and/or message the list with an update:
Authentium (Command Antivirus) <virus (at) authentium (dot) com [email concealed]>
BitDefender <virus_submission (at) bitdefender (dot) com [email concealed]>
Computer Associates (US) <virus (at) ca (dot) com [email concealed]>
Computer Associates (Vet/EZ) <ipevirus (at) vet.com (dot) au [email concealed]>
DialogueScience (Dr. Web) <Antivir (at) dials (dot) ru [email concealed]>
Eset (NOD32) <sample (at) nod32 (dot) com [email concealed]>
F-Secure Corp. <samples (at) f-secure (dot) com [email concealed]>
Frisk Software (F-PROT) <viruslab (at) f-prot (dot) com [email concealed]>
Grisoft (AVG) <virus (at) grisoft (dot) cz [email concealed]>
H+BEDV (AntiVir, Vexira engine) <virus (at) antivir (dot) de [email concealed]>
Kaspersky Labs <newvirus (at) kaspersky (dot) com [email concealed]>
Network Associates (McAfee) <virus_research (at) nai (dot) com [email concealed]>
(use a ZIP file with the password 'infected' without the quotes)
Norman (NVC) <analysis (at) norman (dot) no [email concealed]>
Panda Software <labs (at) pandasoftware (dot) com [email concealed]>
Sophos Plc. <support (at) sophos (dot) com [email concealed]>
Symantec (Norton) <avsubmit (at) symantec (dot) com [email concealed]>
Trend Micro (PC-cillin) <virus_doctor (at) trendmicro (dot) com [email concealed]>
(Trend may only accept files from users of its products)
NOTE: Resending this to the list - Mark Fossi caught a small snafu
that has now been fixed with the email addresses. He also informed me
of BitDefender's address, which has been added to the list above.
Resending to Rodrigo as well to help avoid confuson. =)
HTH!
--
Peace. ~G
On Fri, 10 Dec 2004 18:50:55 +0000, Rodrigo Ventura <yoda (at) isr.ist.utl (dot) pt [email concealed]> wrote:
>
> I have a couple of PCs (running XP) which I'm sure are infected with
> some kind of malware. Common anti-virus such as OfficeScan and
> Symantec do not detect them. They seem to be irc bots. They try to
> connect to IRC servers, using a password, and receive from there
> instructions on what to do, namely scan for LSASS vulnerabilities by
> scanning the entire IP subnet in random. I sniffed the IRC servers IPs
> and passwords, and confirmed my suspicions, after entering in those
> IRC servers (and being banned as soon as detected by the
> admins). Moreover, they open backdoors, which accoriding to the kind
> of responses to a telnet, seem spam relayers, or FTP servers (not sure
> which).
>
> (My response to this threat was to block the IPs of the suspicious IRC
> servers in the firewall. This calmed down the packet storms I've been
> watching...)
>
> My question is, what do you think is the best procedure to track down
> the executables responsible for this behavior? After tracking them
> down, I could submit the sample to several online scanners in order to
> determine which specific malware is affecting the PCs.
>
> It it were UNIX, I could use commands like socklist and netstat to
> track down the malware processes. But in Windows XP, I don't know what
> to use. Are there any built-in utilities? Some freeware stuff? All
> help is welcome.
>
> And regarding the IRC server IPs, is it worthwhile to report them to
> the authorities specified in the whois databases?
>
> Cheers,
>
> Rodrigo
>
> --
>
> *** Rodrigo Martins de Matos Ventura <yoda (at) isr.ist.utl (dot) pt [email concealed]>
> *** Web page: http://www.isr.ist.utl.pt/~yoda
> *** Teaching Assistant and PhD Student at ISR:
> *** Instituto de Sistemas e Robotica, Polo de Lisboa
> *** Instituto Superior Tecnico, Lisboa, PORTUGAL
> *** PGP fingerprint = 0119 AD13 9EEE 264A 3F10 31D3 89B3 C6C4 60C6 4585
[ reply ]