Re: Somebody saw this trojan ? (nicely)
From: Jayson Diaz (jayson.diaz@managedmail.com)
Date: 10/09/02
- Previous message: Louis Erickson: "RE: Is SSH worth it??"
- In reply to: JM: "Re: Somebody saw this trojan ? (nicely)"
- Next in thread: Nick FitzGerald: "Re: Somebody saw this trojan ? (nicely)"
- Next in thread: Mike Dresser: "Re: Somebody saw this trojan ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Jayson Diaz" <jayson.diaz@managedmail.com>
To: "JM" <jm@mindless.com>, <nick@virus-l.demon.co.uk>, <SECURITY-BASICS@securityfocus.com>, <focus-virus@securityfocus.com>
Date: Wed, 9 Oct 2002 12:32:40 -0500
Agreed.
----- Original Message -----
From: "JM" <jm@mindless.com>
To: <nick@virus-l.demon.co.uk>; <SECURITY-BASICS@securityfocus.com>;
<focus-virus@securityfocus.com>
Sent: Tuesday, October 08, 2002 4:25 PM
Subject: Re: Somebody saw this trojan ? (nicely)
> Nick
>
> Great email, if you are trying to put the guy off..
> I agree with what you are saying and I am sure most of the list's readers
> also do.
> However, most readers use this forum as a means to obtain constructive
> advice, and surely by posting damning critiques of a person's practices we
> are not helping at all.
> I am sure that the original poster will have learned from his previous
> mistake, and I hope will continue to use this forum to keep abreast of
> future developments.
> I don't want to dump on you either, all your points are very valid, but feel
> we should all be trying to help each other, and I do agree this would also
> involve helping each other to help themselves which other responses to the
> original request have done.
>
> Cheers
>
> JM
>
>
> ----- Original Message -----
> From: "Nick FitzGerald" <nick@virus-l.demon.co.uk>
> To: <SECURITY-BASICS@securityfocus.com>; <focus-virus@securityfocus.com>
> Sent: Tuesday, October 08, 2002 1:25 AM
> Subject: Re: Somebody saw this trojan ?
>
>
> > > I have received an e-mail today that is not supposed to be sent to me (they
> > > were calling somebody else that I don't know ..). When I read the mail with
> > > Outlook Express I noticed that the popup window of downloading the
> > > attachment is invoked rapidly (Slow computer) without asking for "Open" or
> > > "Save as" ...
> >
> > So, we know you are running an old, long-since patched version of
> > Internet Explorer...
> >
> > > Well, I have some basic concepts about viruses and security. ...
> >
> > Yet you use an ancient and decrepit version of the buggiest, most
> > security-flawed product of recent (if not all) computing history?
> >
> > Worse, you use it to open an Email message you already considered as
> > being suspect?
> >
> > There was white powder leaking from the envelope, so I chose to
> > open it with my trusty Leatherman rather than the standard
> > letter opener on my desk...
> >
> > > ... I am using NAV
> > > 2001 with the virus definitions of 16/09/2002 ...
> >
> > Excuse me -- 16 September DEF files?
> >
> > That is ancient. Have you any idea how many hundred new viruses,
> > Trojans, and so on Symantec has added detection of between then and
> > now? The AV industry averages over 500 a month and you are talking
> > about three week old DEFs...
> >
> > > ... and it generally scans the
> > > incoming emails. ...
> >
> > "generally" -- so that makes it safe?
> >
> > > ... but after reading that email I noticed that NAV is not
> > > running !!!
> >
> > The first rule of virus/antivirus warfare is that the bad guy gets to
> > go first. You were just got.
> >
> > > With Ctrl-Alt-Del I Didn't see any "Strange" running program.
> >
> > Well, there are features in the OS that allow processes to very
> > easily hide from the standard task list. The first virus or Trojan
> > to do this was so long ago I can't even recall, nor do I care any
> > more, what its name was.
> >
> > > On a prompt command I wrote : netstat -an and I found :
> > > TCP 0.0.0.0:36794 0.0.0.0:0 LISTENING
> > > I think it could be a trojan horse listening on the port 36794 ..
> >
> > Yep.
> >
> > Or it could be a RAT.
> >
> > Or a DDoS agent.
> >
> > Or just a virus running some funky server for whatever purpose -- a
> > potential comms channel "back home" or an update channel.
> >
> > Or any other network-aware program having a use for receiving some
> > kind of information across the net.
> >
> > > I ran NAV manually to scan my system...but it (NAV) soon shut down.
> >
> > Again, it is becoming a more common ploy among malware writers to
> > take serious advantage of the "the bad guy gets to go first" rule.
> > Of late this has increasingly been seen with malware that screws with
> > AV, PFW and similar software.
> >
> > > I ran a free "Process Viewer" and then I noticed a "strange" running program
> > > with the name "Hfyj.exe", so I killed it.
> > > With the "Regedit" I deleted the key that was invoking this program in :
> > >
> > > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
> > >
> > > I deleted the exe file and when I rebooted I noticed that it is always there
> > > and that Nav is not running. I killed the program again ..deleted the
> > > registry key... ran Nav to scan the exe file but it said that it is not
> > > infected !!!
> >
> > OK -- well you already know that three weeks out of date is way too
> > out of date. Also, you know NAV did not detect it when it arrived,
> > so why do you expect it to detect it now?
> >
> > Try updating NAV...
> >
> > Oh, but you can't because NAV keeps getting killed.
> >
> > Try also deleting the copy of the EXE (different name though -- what
> > a concept!) in the Startup folder.
> >
> > > Help.. The Resident Evil is always here and running ...
> > >
> > > Note : the mail was sent from a fake address ....and I didn't find the
> > > "To:" statement in the header ....How could it come to me without the
> > > "To :" statement.
> > >
> > > what about sending the exe file to Symantec ???
> >
> > You most likely have an entirely detectable sample of Bugbear and
> > Symantec will have seen about a gazillion of them by now and probably
> > not really want any more.
> >
> > Update NAV so it has current DEFs, set it to update daily, upgrade
> > your copy of IE to 5.5SP2 plus all post-SP2 security hotfixes or to
> > IE6.0SP1, and then visit Windows Update regularly (say once a month).
> >
> >
> > --
> > Nick FitzGerald
> > Computer Virus Consulting Ltd.
> > Ph/FAX: +64 3 3529854
>
>
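An added triage helper (not part of the original thread) for the `netstat -an` step discussed above: it parses the output format the original poster pasted and flags TCP sockets listening on all interfaces whose port is not in an expected baseline. The sample output and the baseline port set are constructed for illustration.

```python
"""Triage helper for the `netstat -an` step described in the thread."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -an` output from a 2002-era Windows box.
# The 36794 line mirrors what the original poster saw; the other rows are
# made-up baseline noise (RPC, NetBIOS, SMB) for illustration only.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      64.12.24.36:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports this hypothetical workstation is expected to listen on (assumed).
EXPECTED_LISTENERS = {135, 139, 445}

# Proto, local addr:port, foreign addr[:port], optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\w+))?\s*$")


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Turn `netstat -an` text into row dicts; header and blank lines skip."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, state = m.groups()
        rows.append({"proto": proto, "local_addr": laddr,
                     "local_port": int(lport), "foreign": faddr,
                     "state": state or ""})
    return rows


def unexpected_listeners(text: str, expected=EXPECTED_LISTENERS) -> List[Tuple[str, int]]:
    """TCP sockets LISTENING on every interface (0.0.0.0) whose port is not
    in the baseline: the pattern the poster saw. A hit is a lead to tie to a
    process, not proof of a backdoor; netstat -an alone names no process."""
    return [(r["local_addr"], r["local_port"]) for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["state"] == "LISTENING"
            and r["local_addr"] == "0.0.0.0"
            and r["local_port"] not in expected]


if __name__ == "__main__":
    for addr, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {addr}:{port}")
```

Feed it real `netstat -an` output via `unexpected_listeners(open("netstat.txt").read())` after tailoring `EXPECTED_LISTENERS` to the host's known services.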