RE: Hacked

From: Steve Scholz (steve_at_sybari.com)
Date: 04/14/05

  • Next message: Conlan Adams: "RE: Hacked" 
    Date: Thu, 14 Apr 2005 14:37:14 -0400
To: <mfernandez@fdta-valles.org>

    From Sophos.

    This parasitic memory resident virus is functionally identical to Win32.Parite.a. It differs from Parite.a only in the key that it creates in the system registry:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]

    http://www.sophos.com/support/disinfection/pedis.html

    1. Disinfecting PE executables in Windows NT/2000/XP/2003
    On a lightly infected computer running Windows NT/2000/XP/2003, where no significant services have become infected, it may be possible to run SAV32CLI from a command prompt with the -DI switch.

    First, check the recovery instructions in the virus analysis for any extra measures you should take before (and after) disinfecting. Also, check to see if you need an IDE file. If you do, download it and save it to a floppy disk.

    Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD/R or CD/RW close the session).

    Now close down all possible programs and services, then open a command prompt.

    On Windows NT
    Shut down all programs.
    Go to Start|Settings|Control Panel and double-click 'Services'.
    Stop as many services as possible using the Stop button.
    Close and shut down the Control Panel.
    Press the Ctrl, Alt and Del keys at the same time.
    Click on 'Task Manager', then select the Processes tab.
    Select a process and click on 'End Process'. It may or may not end.
    Repeat this for other processes (including the Windows desktop).
    After closing all possible programs go to File|New Task (Run) and type 'Cmd'.
    Close down the Task Manager screen.
    Insert the write-protected disk from which you are using SAV32CLI.
    On Windows 2000/XP/2003
    Go to Start|Shut Down.
    Select 'Restart' from the dropdown list and click 'OK'. Windows will restart.
    Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8".
    In the Windows 2000 Advanced Options Menu, select the third option "Safe Mode with Command Prompt".
    When requested, logon as local administrator.
    When Windows 2000/XP/2003 has started in Safe Mode, insert the write-protected disk from which you are using SAV32CLI.
    At the command prompt type

    E:
    where E: is the drive in which you placed the SAV32CLI disk.

    Type:

    CD SAV32CLI
    Now type:
    SAV32CLI -DI -P=C:\VIRUSLOG.TXT
    to disinfect all fixed drives.

    The command above runs SAV32CLI, which scans all of the directories and files on your PC, including subdirectories. Files which the virus has infected are cleaned and a report is made of them in the root of the C: drive. SAV32CLI will disinfect all files that can be disinfected.

    All other files must be deleted. Some of these were dropped by the virus and need not be restored. Others should be recovered from backups.

    SAV32CLI -REMOVE -P=C:\REMOVLOG.TXT
    This command writes a report to the root of the C: drive. This report can be used to check which deleted files should be restored from backups.

    In Windows NT when disinfection and deletion have finished, type 'Explorer' to restart the Windows Desktop.

    In Windows 2000/XP/2003 when disinfection and deletion have finished, restart the computer in Windows.

    Install or reinstall Sophos Anti-Virus then run an 'All files' scan to check that the virus has gone.

    System Restore and Windows XP
    Note: This will delete any previously created restore points.

    Infected files may be found in the System Restore area in Windows XP.
    Go to Start|Control Panel|Performance and Maintenance.
    Double-click 'System', then select the System Restore tab.
    Click to select the 'Turn off System Restore on all drives' box.
    Click 'Apply'.
    Click 'Yes'.
    Now click to clear the 'Turn off System Restore on all drives' box.
    Click 'OK'.
    Restart the computer.
    If the virus has not gone, contact Sophos technical support.

    Infected files may not always be restored to their original state. A file that has been disinfected cannot be guaranteed to function correctly. In order to recover files to their original state, they should be subsequently restored from backups, new media or a clean computer.

    2. Disinfecting PE executables in Windows 95/98/Me
    To disinfect PE executables in Windows 95/98/Me and in DOS, use DOS SWEEP with the -DIPE switch.

    Download DOS SWEEP, extract the files, and copy them into a C:\Sophtemp directory on your computer. Add any relevant IDEs to this folder.

    First, check the recovery instructions in the virus analysis for any extra measures you should take before (and after) disinfecting.

    Before running DOS SWEEP under Windows 95/98/Me, it is vital that you ensure that the virus is not resident in memory. For this, you must disinfect in a 16-bit environment under which you can be sure that the 32-bit virus is completely paralysed.

    On Windows 95/98
    Restart the computer in MS-DOS mode.
    Note: Starting a Command Prompt (a DOS window) is not enough.
    Go to the Start menu and select 'Shut Down'. Choose the option 'Restart the computer in DOS mode'. This disables the virus and provides a safe environment for disinfection.
    On Windows Me
    This version of Windows does not allow you to exit directly into MS-DOS mode. You need to create a startup disk and boot from that.
    Go to Start|Settings|Control Panel. Click 'Add/Remove Programs', select the Startup Disk tab and click the Create Disk button.
    When you have created the startup disk, write-protect it and boot from it. This disables the virus and provides a safe environment for disinfection.

    Go to the Sophtemp directory and run DOS SWEEP.

    C:
    CD \
    CD SOPHTEMP
    SWEEP C: -PB -DIPE -P=VIRLOGC.TXT
    The command above runs SWEEP, which scans all of the directories and files on your computer, including subdirectories. Files which the virus has infected are cleaned and a report is made of them.

    Repeat this process for other hard drives, (e.g. SWEEP D: -PB -DIPE -P=VIRLOGD.TXT.)

    All other files must be deleted. Some of these were dropped by the virus and need not be restored. Others should be recovered from backups.

    SWEEP C: -PB -REMOVEF -P=REMVLOGC.TXT
    Repeat this for all drives (e.g. SWEEP D: -PB -REMOVEF -P=REMVLOGD.TXT).

    Use the log files to identify which of the deleted files should be restored from a clean backup or the original media.

    After disinfection, you must restart the computer in Windows. Install/reinstall Sophos Anti-Virus if need be, then use it to scan the computer in Windows. This is necessary to ensure that directories that cannot be recognised under DOS (those whose names contain illegal characters such as "!" and "?") are scanned.

    Run an 'All files' scan.
    Start Sophos Anti-Virus.
    Right-click your hard drive and select 'All files' from the menu that appears.
    Ensure that 'Subfolders' is selected. Then run a scan.
    After you have finished, right-click the drive again and select 'Executables'.
    System Restore on Windows Me
    Note: This will delete any previously created restore points.

    Go to Start|Settings|Control Panel.
    Double-click 'System' and select the Performance tab.
    Click 'File System' and then click the Troubleshooting tab.
    Click to select the 'Disable System Restore' box, click 'Apply', click to clear the 'Disable System Restore' box, then click 'Close'.
    Restart the computer.
    If the virus has not gone, contact Sophos technical support.

    Infected files may not always be restored to their original state. A file that has been disinfected cannot be guaranteed to function correctly. In order to recover files to their original state, they should be subsequently restored from backups, new media or a clean computer.

    3. Disinfecting or removing PE executables on other platforms
    PE executable files are Windows 95/98/Me/NT/2000/XP programs. On other platforms in the majority of circumstances, you should delete the infected files and replace them from backups, new media or a clean computer.

    3.1. Disinfecting PE executables in DOS
    At the DOS prompt type:
    SWEEP *: -DIPE
    Delete any files that could not be disinfected.
    SWEEP *: -REMOVEF
    Run a scan to check that all infected files were disinfected or deleted.
    3.2. Disinfecting PE executable files in NetWare
    Contact Sophos technical support.

    3.3. Disinfecting PE executables in Unix
    Use SWEEP with the -di option
    sweep -di
    Delete any remaining infected files with the -remove option
    sweep -remove
    Run a scan to check that all infected files were disinfected or deleted.
    3.4. Disinfecting PE executables in OS/2
    At the command line type:
    OSWEEP C: -DI
    Delete any files that could not be disinfected.
    OSWEEP C: -REMOVEF
    Run a scan to check that all infected files were disinfected or deleted.
    3.5. Disinfecting PE executables in OpenVMS
    Disinfect the infected files by running VSWEEP from DCL using the command line qualifier '/DI'.
    Delete any files which could not be disinfected by running VSWEEP from DCL using the command line qualifier '/REMOVEF'.
    Note: '/REMOVEF' does not prompt for confirmation before deletion and should be used with caution.
    For details on the use of these command line qualifiers and sample batch files using them, see the Sophos Anti-Virus for OpenVMS manual.

    Note: If problems persist, contact Sophos technical support.

      
     
        © 1997-2005 Sophos Plc. All rights reserved. Legal | Privacy

    Steve Scholz
    Corporate Sales Engineer-North America
    Sybari Software, Inc.
    631-630-8556 Direct
    516-903-2464 Mobile

    Email: Steve_scholz@sybari.com

    MSN IM:Steve_Scholz@Msn.com (email never checked)

    -----Original Message-----
    From: Mauricio Fernandez [mailto:mfernandez@fdta-valles.org]
    Sent: Thursday, April 14, 2005 10:46 AM
    To: security-basics@securityfocus.com
    Subject: Hacked

    This morning I found a wwwhack window opened on one of my w2k servers,
    antivirus agent was deleted (TrendMicro) and when I reinstall it back, it
    found about 4500 viruses named PE_PARITE.B

    Now the virus is still regenerating itself creating files on winnt\temp
    folder, I saw the task list and stopped all the suspicious process, but
    the virus still goes on...

    The virus/hacker created a folder named RADMIN, where he copied these
    files:
    r_server.exe
    admdll.dll
    hide.reg
    raddrv.dll
    pro.bat
    start.bat

    Does anyone knows how to remove this virus and avoid this hack
    vulnerability?

    Mauricio Fernández S.
    IT Manager
    Tel. 591- 445-25160
    Fax. 591- 441-15056
    mfernandez@fdta-valles.org
    www.fdta-valles.org
    Cochabamba - Bolivia

    ---------------------------------------------------------------------------
    Earn your MS in Information Security ONLINE
    Organizations worldwide are in need of highly qualified information security
    professionals. Norwich University is fulfilling this demand with its MS in
    Information Security offered online. Recognized by the NSA as an
    academically excellent program, NU offers you the opportunity to earn your
    degree without disrupting your home or work life.

    http://www.msia.norwich.edu/secfocus_en
    ----------------------------------------------------------------------------

  • Next message: Conlan Adams: "RE: Hacked"
    • Quantcast