Re: "we have been hacked"
From: Jeff Cochran (jcochran.nospam_at_naplesgov.com)
Date: 12/15/03
- Next message: Chris Vinall: "Re: IIS 6.0 COM App cant write to event log"
- Previous message: David Wang [Msft]: "Re: cannot publish the *.asp files from the Netscape"
- In reply to: Karl Levinson [x y] mvp: "Re: "we have been hacked""
- Next in thread: Karl Levinson [x y] mvp: "Re: "we have been hacked""
- Reply: Karl Levinson [x y] mvp: "Re: "we have been hacked""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 15 Dec 2003 18:24:00 GMT
On Fri, 12 Dec 2003 20:01:22 -0500, "Karl Levinson [x y] mvp"
<levinson_k@despammed.com> wrote:
>Correct instructions for which virus?
>
>I would think the instructions really should:
>* not advise everyone to delete their hosts files... some people might need
>some of those entries
>* use antivirus to identify and detect the virus
>* update antivirus and/or figure out why they were not protected against
>being infected, or else they could very well be re-infected in a very short
>time
>
>Also, I'm not familiar with this trojan / virus that both uses a file named
>SVCHOST.EXE and also modifies the hosts file. Which one is it? Or have
>they possibly confused the welchia and qhosts removal instructions?

It appears a combination of Welchia/Qhosts and possibly others. I
wouldn't think SVCHost would normally be an issue to pull out of
Startup, and it's a common method of loading several
viruses/trojans/malware/etc. *Most* users wouldn't run into a problem
deleting the HOSTS file and I suspect those that would either know
enough not to or have admins that know enough not to let them, but it
isn't what I'd say was proper either. I'd agree with the advice not
being the best, and wasn't really commenting on the advice being the
most useful, but rather on the fact that a hijacked site now provided
removal instructions at all.

Jeff