Coffeehouse Thread

21 posts


MSN Virus Help

  • Tyler Brown

    Recently, my girlfriend's computer has become infected by the latest MSN virus going around. It sends messages to all of your contacts asking them to click on a hyperlink (to an executable file) of their latest picture. My parents' computer became infected from the messages that my girlfriend's computer has been sending out. Does anyone know how to remove this virus? It places entries in the registry, and I've tried disabling them via msconfig, however upon restart there are new entries added. I've found a Canada.exe file installed in the System32 directory, which I've removed but it just comes back. Obviously this is more than just an executable running in the background, and likely a process that has been injected into another. Has anyone had any success removing this from computers? Google has turned up nothing...

  • Maurits

    You have two options.
    1) Get virus-scanning software (AVG is free for personal use)
    2) Back up your data and rebuild the machine.

    Once a machine has been infected, you probably shouldn't trust it further.

  • W3bbo

    I don't know about you guys...

    But every single virus I've faced has been cleaned within minutes by using Safe Mode. How come I almost never see Safe Mode listed as a means of situation resolution on the MS KB anyway?

  • Tyler Brown

    I've been walking my father through some steps on his computer over MSN and we've identified the virus as WORM_SPYBOT.PB. He's currently following the instructions on the Trendmicro website. Hopefully this will get rid of it.

  • Custard555

    I would first get stinger @ http://vil.nai.com/vil/stinger/ on a computer which is not infected, then copy it to a floppy disk and then make the disk read only (you know the tab thing on the floppy disk)

    Then run stinger on the computer which is infected and then get AVG.

    Also have a look into getting a firewall and AntiSpyware to complete your protection for the web

  • figuerres

    W3bbo wrote:
    I don't know about you guys...

    But every single virus I've faced has been cleaned within minutes by using Safe Mode. How come I almost never see Safe Mode listed as a means of situation resolution on the MS KB anyway?


    Problem with manual cleaning goes like this:

    you know that "evil code" is in your system.
    you found say 10 files that have been tampered with and you remove them.

    sounds good so far....

    but now come a few questions:

    what files did you not find? say you have a big hd with thousands of files...

    and then comes the "Back door" problem.
    did they add a service or hook a service with a file that is not "Infected" per-se but can run code that opens a back door into your system... where is it?
    what's its name?
    did they load a rootkit you do not know about that is hiding one or more processes from you?

    did they modify the windows file ACL's to open up a permission hole?
    did they copy your password file to a remote computer?
    did they add any extra code to your windows system restore to re-load the mal-ware later?

    each of the things I have listed I have seen done on cracked / broken windows servers and pc's over the last 5 years.

    so ok, you found the first part... now do you want to gamble that your skills are good enough to find the rest??


    Hey, I am not trying to be rude / mean / and such...
    just that I have seen folks get jacked when they thought they had fixed the system.

  • W3bbo

    figuerres wrote:
    what files did you not find? say you have a big hd with thousands of files...

    and then comes the "Back door" problem.
    did they add a service or hook a service with a file that is not "Infected" per-se but can run code that opens a back door into your system... where is it?
    what's its name?
    did they load a rootkit you do not know about that is hiding one or more processes from you?


    Start > Find > Files or Folders > Created/Modified Since
    Start > Run > SFC

    And make regular system-state NTBackups too Smiley

  • pikatung

  • Maurits

    W3bbo wrote:

    Start > Find > Files or Folders > Created/Modified Since
    Start > Run > SFC

    And make regular system-state NTBackups too


    All good ideas Smiley

  • Tyler Brown

    The Trendmicro instructions were successful in removing the malware from my father's computer. I'm writing an exam in about 20 minutes, 2nd out of the 6 that I have to write, and then I'm going to do the same procedure on the girlfriend's computer.

  • figuerres

    W3bbo wrote:
    figuerres wrote: what files did you not find? say you have a big hd with thousands of files...

    and then comes the "Back door" problem.
    did they add a service or hook a service with a file that is not "Infected" per-se but can run code that opens a back door into your system... where is it?
    what's its name?
    did they load a rootkit you do not know about that is hiding one or more processes from you?


    Start > Find > Files or Folders > Created/Modified Since
    Start > Run > SFC

    And make regular system-state NTBackups too


    and you are 100% sure you can trust the date-time stamp?? that's just data stored in a directory record. it can be changed by a program with admin rights.

  • Maurits

    It's a good way to find things that have been touched.  It's not guaranteed to be an exhaustive list of everything that's bad.

    For example the virus could contact the mother ship and download/install the spam-blaster-software of the day - these program files would not show as Created or Modified today.  But probably the logs these programs generate would show as Created/Modified today.
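    The exchange above (W3bbo's "Modified Since" search and SFC, figuerres' warning that the timestamp is just data an admin-level program can rewrite, and Maurits' point that it still finds things that were touched), put into runnable form as an added example that is not code from the thread: a timestamp sweep next to a content-hash comparison against a baseline taken while the machine was still trusted, which is the idea behind SFC's catalogue check. The directory tree, file contents and "old" timestamps are constructed inline; the tampered file has its modification time reset with os.utime, so the sweep misses it while the hash comparison does not.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def files_changed_since(root: Path, cutoff: float) -> set:
    """The 'Modified Since' search: every file whose mtime is at or after the cutoff."""
    return {
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime >= cutoff
    }


def build_baseline(root: Path) -> dict:
    """Record a content hash for every file, taken while the machine is still trusted."""
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """The SFC idea: compare what is on disk now with the trusted baseline; timestamps play no part."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
    }


def demo() -> dict:
    """Constructed scenario: a clean tree is baselined, then changed in two ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "system32"
        sys32.mkdir()
        (sys32 / "good.dll").write_bytes(b"constructed clean content")
        (sys32 / "kernel.dll").write_bytes(b"constructed clean content 2")
        a_month_ago = time.time() - 30 * 86400
        for p in root.rglob("*"):
            os.utime(p, (a_month_ago, a_month_ago))  # make the clean files look old
        baseline = build_baseline(root)
        cutoff = time.time() - 60  # "modified in the last minute"

        # 1) a dropped file: new, with a fresh timestamp (the easy case)
        (sys32 / "dropped.exe").write_bytes(b"constructed placeholder, not a real binary")
        # 2) a tampered file whose timestamp is then put back, which is what figuerres
        #    warns any program running with admin rights can do
        tampered = sys32 / "kernel.dll"
        tampered.write_bytes(b"constructed clean content 2 plus injected bytes")
        os.utime(tampered, (a_month_ago, a_month_ago))

        return {
            "by_time": sorted(files_changed_since(root, cutoff)),
            "by_hash": compare_to_baseline(root, baseline),
        }


if __name__ == "__main__":
    for method, result in demo().items():
        print(method, result)
```

    The sweep reports only dropped.exe; the hash comparison reports both the added file and the tampered kernel.dll. The baseline has to come from before the compromise (a backup, a known-good install, or a vendor catalogue), otherwise it is just a hash of the infected state.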

  • figuerres

    a few other things I have seen just for general info:

    folders created with the names of old-skool DOS devices like COM1: LPT2: and so on....

    at least on a windows 2000 server I had to deal with it was just about impossible to delete the folders with the invalid names. unless you did a sector edit in hex.

    and they would cause many normal apps to not even list them ... or you might see a folder with no files.  that plus folder names with the old ALT-255 trick, in DOS ALT-255 is a blank ... some variations on that can make hard to find folder name.

    in this case the server had a hidden FTP site running on it and the task manager was root-kited to hide the process and also it had mIRC running in a hidden window. so mIRC was the "Terminal Server" for the cracker to run remote commands and share the server ... also part of the way in was the old IIS exploit that let them buffer overflow and run cmd.exe
    it then ran tftp to load a rootkit and then installed the hacked mIRC and then it was "Owned" the legal owner thought his server was acting up and had a hardware problem, the disk was going nuts and the system was way slow... I showed him the network IO was off the chart and then sniffed the lan and showed IRC and other ports in use.... then found the root-kit and the rest of the mess and formatted the system and re-built it and explained the need to have updates installed from time to time and not load programs like tftp.exe... which used to be standard on windows servers; I think 2003 does not load it by default.
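    As an added example (not code from the thread) of checking a tree for the folder names figuerres describes: reserved DOS device names such as COM1 and LPT2, which Windows treats as reserved with or without an extension or trailing colon; blank names built from the ALT-255 character, which is U+00A0 in code page 437; and names with invisible characters or trailing dots and spaces that Explorer cannot open or delete. The classifier is pure so it can be run on a drive mounted from another system, and the sample names are constructed.

```python
import os
import re
import unicodedata
from pathlib import Path
from typing import Optional

# Names Windows reserves for legacy DOS devices, regardless of extension ("COM1.txt" is still COM1).
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def classify_name(name: str) -> Optional[str]:
    """Return a short reason if a file or folder name looks like one of the concealment
    tricks described in the thread, or None if the name looks ordinary."""
    # Windows compares the part before the first '.' or ':' and ignores surrounding spaces.
    stem = re.split(r"[.:]", name, maxsplit=1)[0].strip().upper()
    if stem in RESERVED_DEVICE_NAMES:
        return "reserved DOS device name"
    if not name.strip():
        # Only whitespace, including U+00A0 (ALT-255 in code page 437): shows as a blank entry.
        return "blank name"
    if any(unicodedata.category(ch) in ("Cc", "Cf") or ch == "\u00a0" for ch in name):
        return "contains non-printing character"
    if name != name.rstrip(" ."):
        # Win32 path handling silently drops trailing dots and spaces, so such entries
        # cannot be opened or deleted by the name they display.
        return "trailing space or dot"
    return None


def scan_tree(root: Path) -> list:
    """Walk a directory tree (without following symlinks) and report suspicious names
    as (relative path, reason) pairs."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for entry in dirnames + filenames:
            reason = classify_name(entry)
            if reason:
                hits.append((os.path.relpath(os.path.join(dirpath, entry), root), reason))
    return sorted(hits)


# Constructed sample names modelled on the thread's description; not from a real incident.
SAMPLE_NAMES = ["Program Files", "COM1", "LPT2:", "com1.txt", "\u00a0", "backup ", "logs", "a\u200bb"]


def classify_samples() -> dict:
    return {n: classify_name(n) for n in SAMPLE_NAMES}


if __name__ == "__main__":
    for name, reason in classify_samples().items():
        print(repr(name), "->", reason)
```

    scan_tree is meant to be pointed at a mount of the suspect disk from a clean machine; on a live, root-kited system the directory listing itself may be filtered, which is figuerres' point about the task manager.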

  • Maurits

    I once ran an FTP server that allowed anonymous PUT (I know - this was when I was a newbie) and when my bandwidth started pegging I tracked it down to illegal copies of a movie being served from the FTP server.

    The catch was that it was inside a whole string of subdirectory names that were designed to conceal it from Windows Explorer.  Devious.

  • W3bbo

    My procedure for suspected infections:

    a) Note the virus name
    b) Pull the power cable straight after
    c) Reboot from the Recovery Console from the CD
    d) Delete the virus name and take a quick look at the usual hiding places
    e) Delete said hiding places
    f) Reboot into Safe Mode and pray nothing's lost
    g) Run SFC and "Recently changed files" searches.
    h) Do a registry cleanup
    i) Reboot

    I've only been infected twice in the past 4 years, neither due to my action nor inaction; not bad, eh? Smiley

  • W3bbo

    Maurits wrote:
    I once ran an FTP server that allowed anonymous PUT (I know - this was when I was a newbie) and when my bandwidth started pegging I tracked it down to illegal copies of a movie being served from the FTP server.


    How do people find FTP servers anyway? Unless you advertised it or anything.

  • Maurits

    Some perl pseudoscript:

    my @openftpservers = ();
    for (my $ip = "0.0.0.0" .. "255.255.255.255")
    {   my $ftpclient = FTP->connect($ip, 21);
        if ($ftpclient->put("test.txt"))
        {   push @openftpservers, $ip;
        }
    }

  • W3bbo

    Ah yes.. classic port-scanning.

    I did something similar myself the other day when I forgot the IP address of my Terminal Server, had to pen a quick VBS and execute it.

    Took around 15 minutes to find all IP addresses within 81.86 that had an active Port 80. Then I had to spend another half-hour or so finding which one of a thousand or so was mine.

    That 'experiment' shows that a LOT of "home user" routers, modems, and gateways have an open Port 80 with no-password access to the control page.

    I could have brought down so many LANs that way, but I resisted temptation Smiley
