Re: New Trojan?Jun 29 2004 10:14PM ph03n1x (ph03n1x gmx net)
Re: New Trojan?Jun 29 2004 09:16PM Michael Painter (tvhawaii shaka com)
Re: New Trojan?Jun 29 2004 07:32PM Okiwaso (okiwaso hotmail com)
You have probably been infected with a trojan via spyware.
Even if your kids did not use IE to browse, its security zones are still in
use when they check email with Outlook Express or Outlook, so you could have
been infected that way if links were clicked.
First check the following registry keys for list of startup programs for
anything unfamiliar as trojans usually use this key to automatically start
on bootup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
If you find any unfamiliar entries here, then see if you can see them
running in TaskManager. If so try and kill them by pressing "End Process"
button in task manager. If you cant shut them down, they are either
critical windows services which would unlikely be started in Run key, they
would be services, so these running programs are likely your trojan
infection.
To make sure use Firefox and go to http://security.symantec.com and follow
the links so you can scan your machine for known malware as your versions of
Adware, SpywareBlaster, etc are likely blocked from detecting what your
infected with. Also they may say you have all the current updates when you
try to update them.
If this scan tells you that you have infections, it will give you a name of
a virus, trojan, etc to lookup at symantec for its list of files or
processes used in the attack. Compare these files to the unknown ones you
find in registry and in Task Manager. You could also look at the files
properties and look for the company info (ex. Microsoft, etc), but don't
always trust this as the hacker could label it any way he wants.
Now, If you cannot stop them, then to disinfect yourself, remove their
entries from registry Run key, reboot into Safe Mode by pressing and holding
F8 on bootup and delete the files as more than likely they will not run in
Safe Mode.
Then update your virus definitions and scan again for remaining files, etc.
_______
Now to prevent further infection through this hole in IE and its security
zones which are integrated into Windows, do the following registry edit to
make My Computer (Local Zone) show up in IE's security zones. In the My
Computer zone disable Active scripting.
Just disabling it in the Internet Zone prevents a lot of legitimate web
pages from working, so disable it in the Local zone as this is where
exploits do their damage anyways. Just change the Flags value to 1 in the
\Zones\0 Key:
Another fix, and a really good idea, is to make your "My Computer" zone,
a.k.a., the "Local Zone" appear in your internet properties (done with the
registry entry below) and adjust the security properties to mirror the
"Restricted Zone" (done manually).
[HKEY CURRENT
USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0]
"Fla
gs"= dword:00000001
------------
Also note when you disable "Active scripting" and "Run active x controls and
plug-ins", then some software GUI's like Norton AV will not work properly.
It is because they are written in Java, VB, etc and need these options to
show you thier user interface.
So in your profile set them to PROMPT instead of disable, this way you can
say yes when asked if you want them to run, so you can change
configurations, or start a scan, etc in Norton AV
Hope this helps
Okiwaso
----- Original Message -----
From: "Jeff" <Jeff (at) Not_A_Real_Address (dot) com [email concealed]>
To: <security-basics (at) securityfocus (dot) com [email concealed]>
Sent: Monday, June 28, 2004 4:14 PM
Subject: New Trojan?
> PLEASE READ ... I feel violated and need much help, if not for
> the PC, for my nerves.
>
> The PC is a WinXP box, fully patched, routinely checked with
> Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also
> use Thunderbird 0.6 and Firefox 0.8. All other family members
> run Thunderbird on this box. IE6 has not bee removed but is
> fully patched.
>
> Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19
> is running. (I purposely purchased the licenses at work for
> our home users also so that they WOULD stay up to date -- a
> practice I learned from Sprint a long, long time ago.)
>
> I use a Netgear FVS318 to interface to my Verizon DSL account.
>
> The events as they happened.
>
> 1. My son read his email via the web. It included e-cards.
> He read them. Doesn't remember where they took him, nor
> does he remember if he used IE6 or Firefox.
>
> 2. Long screaming session about things TO do and things NOT
> to do while on the internet. 278th time. Disabled his account.
>
> 3. Mis-typing a URL will now take me automatically to
> www.netidentity.com with the mistaken URL clearly
> identified inside. Identical results on IE6 and Firefox.
> Java and Javascript are disabled on Firefox. I leave IE6
> alone because I use it when I absolutely must go to some
> bogus activex site, oh, and windowsupdate. But I don't use
> it otherwise. I always use Firefox.
>
> URLs that caused this include: mapblast, mapquest, abc, def
> ... through xyz.
>
> Please note: I had typed "mapblast" but had hit Enter rather
> than Ctrl-Enter, by mistake. The URLs entered are literally
> those listed, just the word.
>
> They are then transformed to http://mapblast/
>
> 4. SAV CE, Spybot, AdAware, SypwareBlaster were all checked for
> updates and the entire system was scanned. Nothing found.
>
> ** My immediate thought was that Network Solutions was up to thier
> ** old tricks with it's Site Finder business. A quick check of
> ** another PC in the house eliminated that.
>
> 5. I checked my syslogs and NULL routed the IP address being used
> to access www.netidentity.com. The same page comes up sans the
> graphics and the flash. The web page is still there though, just
> looking sad. Another check of the syslogs brings up 64.15.175.5
> as generating the pages, an open proxy.
>
> 6. Also ran HiJackThis and went through ALL of the items on it.
> Nada. Couldn't find the IP addresses or domain names in the
> registry. I also ran them in reverse notation. Nada.
>
> 7. Checked my network settings to make certain that some new DNS
> server wasn't stuck in. Nope, still set to use the Netgear box.
> Put 4 different DNS servers in -- still get that stupid site.
>
> 8. That was all at lunchtime. Haven't had a chance to run netstat
> or Ethereal to gain any additional clues.
>
> ZOIKS!!!
>
> The PC is off. But NOT knowing what is going on is driving me insane.
>
> So while I <ahem> work this afternoon, I thought I would see if any
> of this sounds, smells or <insert fav sense here) like anything that
> anyone has seen before!
>
> Jeff
>
>
>
> ------------------------------------------------------------------------
--
-
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or
less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the
skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ------------------------------------------------------------------------
--
--
>
>
------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----
Even if your kids did not use IE to browse, its security zones are still in
use when they check email with Outlook Express or Outlook, so you could have
been infected that way if links were clicked.
First check the following registry keys for list of startup programs for
anything unfamiliar as trojans usually use this key to automatically start
on bootup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
If you find any unfamiliar entries here, then see if you can see them
running in TaskManager. If so try and kill them by pressing "End Process"
button in task manager. If you cant shut them down, they are either
critical windows services which would unlikely be started in Run key, they
would be services, so these running programs are likely your trojan
infection.
To make sure use Firefox and go to http://security.symantec.com and follow
the links so you can scan your machine for known malware as your versions of
Adware, SpywareBlaster, etc are likely blocked from detecting what your
infected with. Also they may say you have all the current updates when you
try to update them.
If this scan tells you that you have infections, it will give you a name of
a virus, trojan, etc to lookup at symantec for its list of files or
processes used in the attack. Compare these files to the unknown ones you
find in registry and in Task Manager. You could also look at the files
properties and look for the company info (ex. Microsoft, etc), but don't
always trust this as the hacker could label it any way he wants.
Now, If you cannot stop them, then to disinfect yourself, remove their
entries from registry Run key, reboot into Safe Mode by pressing and holding
F8 on bootup and delete the files as more than likely they will not run in
Safe Mode.
Then update your virus definitions and scan again for remaining files, etc.
_______
Now to prevent further infection through this hole in IE and its security
zones which are integrated into Windows, do the following registry edit to
make My Computer (Local Zone) show up in IE's security zones. In the My
Computer zone disable Active scripting.
Just disabling it in the Internet Zone prevents a lot of legitimate web
pages from working, so disable it in the Local zone as this is where
exploits do their damage anyways. Just change the Flags value to 1 in the
\Zones\0 Key:
Another fix, and a really good idea, is to make your "My Computer" zone,
a.k.a., the "Local Zone" appear in your internet properties (done with the
registry entry below) and adjust the security properties to mirror the
"Restricted Zone" (done manually).
[HKEY CURRENT
USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\0]
"Fla
gs"= dword:00000001
------------
Also note when you disable "Active scripting" and "Run active x controls and
plug-ins", then some software GUI's like Norton AV will not work properly.
It is because they are written in Java, VB, etc and need these options to
show you thier user interface.
So in your profile set them to PROMPT instead of disable, this way you can
say yes when asked if you want them to run, so you can change
configurations, or start a scan, etc in Norton AV
Hope this helps
Okiwaso
----- Original Message -----
From: "Jeff" <Jeff (at) Not_A_Real_Address (dot) com [email concealed]>
To: <security-basics (at) securityfocus (dot) com [email concealed]>
Sent: Monday, June 28, 2004 4:14 PM
Subject: New Trojan?
> PLEASE READ ... I feel violated and need much help, if not for
> the PC, for my nerves.
>
> The PC is a WinXP box, fully patched, routinely checked with
> Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also
> use Thunderbird 0.6 and Firefox 0.8. All other family members
> run Thunderbird on this box. IE6 has not bee removed but is
> fully patched.
>
> Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19
> is running. (I purposely purchased the licenses at work for
> our home users also so that they WOULD stay up to date -- a
> practice I learned from Sprint a long, long time ago.)
>
> I use a Netgear FVS318 to interface to my Verizon DSL account.
>
> The events as they happened.
>
> 1. My son read his email via the web. It included e-cards.
> He read them. Doesn't remember where they took him, nor
> does he remember if he used IE6 or Firefox.
>
> 2. Long screaming session about things TO do and things NOT
> to do while on the internet. 278th time. Disabled his account.
>
> 3. Mis-typing a URL will now take me automatically to
> www.netidentity.com with the mistaken URL clearly
> identified inside. Identical results on IE6 and Firefox.
> Java and Javascript are disabled on Firefox. I leave IE6
> alone because I use it when I absolutely must go to some
> bogus activex site, oh, and windowsupdate. But I don't use
> it otherwise. I always use Firefox.
>
> URLs that caused this include: mapblast, mapquest, abc, def
> ... through xyz.
>
> Please note: I had typed "mapblast" but had hit Enter rather
> than Ctrl-Enter, by mistake. The URLs entered are literally
> those listed, just the word.
>
> They are then transformed to http://mapblast/
>
> 4. SAV CE, Spybot, AdAware, SypwareBlaster were all checked for
> updates and the entire system was scanned. Nothing found.
>
> ** My immediate thought was that Network Solutions was up to thier
> ** old tricks with it's Site Finder business. A quick check of
> ** another PC in the house eliminated that.
>
> 5. I checked my syslogs and NULL routed the IP address being used
> to access www.netidentity.com. The same page comes up sans the
> graphics and the flash. The web page is still there though, just
> looking sad. Another check of the syslogs brings up 64.15.175.5
> as generating the pages, an open proxy.
>
> 6. Also ran HiJackThis and went through ALL of the items on it.
> Nada. Couldn't find the IP addresses or domain names in the
> registry. I also ran them in reverse notation. Nada.
>
> 7. Checked my network settings to make certain that some new DNS
> server wasn't stuck in. Nope, still set to use the Netgear box.
> Put 4 different DNS servers in -- still get that stupid site.
>
> 8. That was all at lunchtime. Haven't had a chance to run netstat
> or Ethereal to gain any additional clues.
>
> ZOIKS!!!
>
> The PC is off. But NOT knowing what is going on is driving me insane.
>
> So while I <ahem> work this afternoon, I thought I would see if any
> of this sounds, smells or <insert fav sense here) like anything that
> anyone has seen before!
>
> Jeff
>
>
>
> ------------------------------------------------------------------------
--
-
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or
less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the
skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ------------------------------------------------------------------------
--
--
>
>
------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----
[ reply ]