Re: Virus or trojan help Oct 15 2006 11:08PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
On 2006-10-13 genome wrote:
> I am not entirely sure if it's infected explorer.exe as the virus does
> not run in safemode and while running explorer.exe.. I have been able
> to extract files with winrar and the exe files are not deleted upon
> extraction.. I have even been able to install Outpost firewall in
> safemode and scan the system with spyware..

You installed a PERSONAL FIREWALL to scan for spyware? o_O

> it detected some spyware including bagle and removed it then... when I
> restarted the system in normal mode the virus keeps restarting the
> system immediately after the desktop is shown.. This is probably
> because the virus cannot delete outpost.exe as it is already running
> as a service before the virus loads... so the virus simply restarted the
> system so I would not be able to fix anything..
> I booted again in safemode and disabled the outpost.exe service and surely
> windows booted ok in normal mode but looking in the outpost installation
> directory the virus deleted outpost.exe...
> also the standard windows firewall service will not automatically start
> I had to start it manually all the time..
> I could not see any rogue running process in taskmanager and I've even
> installed WintaskPro and cannot find anything out of the ordinary.. I've
> disabled all other non microsoft services and microsoft services I can
> disable.. to no avail..

First of all you should take the machine off the net IMMEDIATELY. Your
system is compromised and a hazard not only to your network, but to any
host it may reach over networks it's connected to. Put it into a lab
that's not connected to other networks so you can analyze it. Usually
you'd image the hard disk before doing anything else, but it's probably a
bit late for that in your case.

Incomplete list of things you can try on the live system:

- Inspect the running processes with Process Explorer [1] (Task Manager
will NOT suffice).
- Read the event log.
- Check the patch level.
- Run TCPView [2] (or maybe "netstat -ano" or "netstat -anb") to see
which ports are opened by which process and which connections to which
address are (seem to be) established.
- Run rootkit detection tools (e.g. RootkitRevealer [3], Rootkit Hook
Analyzer [4], or BlackLight [5]).
- Inspect the autoruns with Autoruns [6] or Silent Runners [7].
- Run spyware detection tools (e.g. HijackThis! [8]).
- Tap the network wire and inspect the network traffic with a sniffer
(e.g. Wireshark [9]).
- Run a port scan (e.g. nmap) against the compromised machine.

Incomplete list of things you can try on the shut-down system:

- Install the hard disk into another computer (as a slave) and run a
virus scan from the other computer's operating system against the disk
from the compromised system.
- Inspect Alternate Data Streams using the streams utility [10].
- Running strings [11] against infected files may give you information
about what the malware does or where it communicates.
- Analyze registry hives from the infected system (e.g. by loading them
into regedit).

> It's a shame...Evil people are getting smarter and smarter every day....

No offense, but to me the problem seems to be that you have no clue
whatsoever of what you're doing rather than the bad guys getting
smarter.

[...]
> Unfortunately I cannot just format and reinstall without knowing what
> has gone wrong as this virus has probably infected some in our
> network and chances are it will just return again...

Unfortunately you don't seem experienced enough to do anything BUT
format and reinstall. Sorry.

However, if you really want to try the hard route you first need to
identify WHAT hit you, and then HOW it hit you, so you can mitigate the
attack vector. The suggestions I made above may help with this. I also
suggest you ask any further questions about this matter on the forensics
list [12], which is IMHO more appropriate in this case.

[1] http://www.sysinternals.com/Utilities/ProcessExplorer.html
[2] http://www.sysinternals.com/Utilities/TcpView.html
[3] http://www.sysinternals.com/Utilities/RootkitRevealer.html
[4] http://www.resplendence.com/hookanalyzer
[5] http://www.f-secure.com/blacklight/
[6] http://www.sysinternals.com/Utilities/Autoruns.html
[7] http://www.silentrunners.org/
[8] http://www.merijn.org/programs.php#hijackthis
[9] http://www.wireshark.org/
[10] http://www.sysinternals.com/Utilities/Streams.html
[11] http://www.sysinternals.com/Utilities/Strings.html
[12] http://www.securityfocus.com/archive/104/description

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
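The "netstat -ano" step above only becomes useful once each PID is tied back to a process, which is what this added script does (it is not code from the thread or from any of the tools it lists). It parses constructed sample output in the column layout of "netstat -ano" and "tasklist"; PID 1337 is deliberately absent from the tasklist sample, and the expected-port set is an assumed baseline for a workstation.

```python
"""Join `netstat -ano` and `tasklist` output so each open port or connection
is attributed to a process, then flag what deserves a closer look.  Added
example, not code from the thread; both sample outputs are constructed."""
import re

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1337
  TCP    192.168.1.10:1043      198.51.100.7:6667      ESTABLISHED     1337
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
svchost.exe                    900 Console                    0       4,532 K
"""

def parse_tasklist(text):
    """PID -> image name; header and separator lines have no numeric PID."""
    matches = (re.match(r"^(\S+)\s+(\d+)\s", ln) for ln in text.splitlines())
    return {int(m.group(2)): m.group(1) for m in matches if m}

def parse_netstat(text):
    """(proto, local, foreign, state, pid) per socket line; UDP rows carry no state."""
    rows = []
    for p in (ln.split() for ln in text.splitlines()):
        if len(p) >= 4 and p[0] in ("TCP", "UDP"):
            rows.append((p[0], p[1], p[2], p[3] if len(p) == 5 else "", int(p[-1])))
    return rows

def attribute(netstat_text, tasklist_text):
    """Group sockets by PID; a PID with sockets but no tasklist entry is the gap to chase."""
    names = parse_tasklist(tasklist_text)
    report = {}
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        e = report.setdefault(pid, {"name": names.get(pid, "<unknown>"),
                                    "listening": [], "connections": []})
        if state == "LISTENING" or proto == "UDP":
            e["listening"].append((proto, int(local.rsplit(":", 1)[1])))
        else:
            e["connections"].append((foreign, state))
    return report

def suspicious(report, expected=frozenset({135, 139, 445})):
    """PIDs that listen outside the expected port set or talk to a non-loopback peer."""
    return sorted((pid, e["name"]) for pid, e in report.items()
                  if any(port not in expected for _, port in e["listening"])
                  or any(not f.startswith(("127.", "0.0.0.0")) for f, _ in e["connections"]))
```

Run it against real output captured from the suspect box (redirect both commands to files) and compare the PIDs it reports against what Process Explorer shows; a PID that owns sockets but appears in neither listing is a strong hint to move on to the rootkit detection step.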


Copyright 2010, SecurityFocus