- From: "cquirke (MVP Windows shell/user)" <cquirkenews@xxxxxxxxxxxxxxx>
- Date: Mon, 15 May 2006 16:50:32 +0200
On 15 May 2006 02:05:10 -0700, "Changeez" <changeez@xxxxxxxxx> wrote:
> I found W32.RontokBro.B@mm on my company's workgroup. I scanned it with
> a strong Iranian antivirus named IMEN. It removed the EXE files. Then I
> went to the registry and removed some keys and values from the registry. Then I
> installed Norton AntiVirus 2005 and updated it with the last virus
> definitions I downloaded from the Symantec web site free. Everything is
> looking good, until I plug in the network cable.
That suggests you're being re-infected from outside the system, rather
than re-infection from inside the system (e.g. "opening" hidden email
attachments, doing a System Restore) or malware persistence.
Google( W32.RontokBro.B@mm )
Many of these give enough info to kill it...
One tactic suggests itself:
"This worm is compiled with Visual Basic. It needs the file
MSVBVM60.DLL to run properly."
What I'm looking for, but not finding, is a way the malware can
exploit the OS or email app into automatically running.
Without that, it's the user who needs to be patched, a la "Think
before you click". Effectively, the user needs to perform the Turing
Test; yes, this may be "from someone I know", but was it sent by a
human user or an anonymous machine process?
> After one or two hours a Norton virus alert appears several times.
That's a quick re-infection time if human perusal of email is the
vector - perhaps you are dealing with persistence after all, and the
av catches it only when it tries to smtp out malware email (which it
would do when online, possibly not attempted otherwise).
> hard drives. in system32 or windows\temp. It causes my
> computer to slow down and makes me restart Windows.
Yes, it's coded to do that on a number of triggers that include many
attempts to clean it from inside the PC.
It's not an intrafile infector, may be dependent on explicit
integration via registry settings you can delete, and if it doesn't
use random file names in "busy" locations like System32, you can
probably kill it by hand as per links and your own Google.
However - shock, horror! - it may try to defend itself if you attempt
this while it's running, so do this when it is not. Safe Mode Cmd
Only may or may not be safe enough; if not, then I'd do this from a
Bart PE CDR boot - Google( Bart PE ).
> The only remaining solution is to remove and install a fresh
> copy of Windows XP.
That's not a solution.
1) New incoming attachments
Your email addresses are out there on infected PCs you can't reach or
clean, so you are going to get more of the same. Hopefully your email
service provider will scan your mail and trap it, but this may fail
for a number of reasons. All it takes is one successful exploit (of
either code or the human "opening" the mail) and bingo!
2) Hidden email attachments already received
Most email apps hide incoming email attachments in the mailboxes,
where your av cannot find and eradicate them. So even if your ISP
strips the attacks out of new incoming mail, your exploitable users or
code base can re-launch the malware you already have received.
As long as you preserve or restore your email data, you will have this
problem, which is why I don't recommend "just" wiping and
re-installing Windows as a "solution".
I'd do the following:
a) Upgrade your users on "safe hex" skills
Back this up with a stick; "infections will be traced back to point of
entry, and that user will be assessed as in breach of company policy".
http://cquirke.mvps.org/9x/safe2000.htm is one place to start.
b) Rename away the malware's runtime library
IF you don't have apps that require Visual Basic runtime, you can
rename away or remove MSVBVM60.DLL in the hope that this will prevent
the malware from running. But there may be side-effects!
c) Get rid of the active malware
Google( Bart PE ) as well as swot up the malware itself.
d) Manage hidden stores to prevent self-re-infection
I'd import email into Eudora, then scan the ATTACH directory where
Eudora stores all attachments as separate manageable files. I'd
repeat this for the EMBEDDED directory too. After that I'd purge the
original mail stores and carry on using Eudora instead, or I'd delete
(from mailbox then Trash) the messages that contain what was found.
I'd also make sure infected material was purged from System Restore,
then create a new clean restore point.
e) Scan and filter incoming email
I'd do this at as many points as possible, especially under your
- ISP scanning of mail before you get it
- scan the mail stream as it arrives
The second is usually more hassle than it's worth, but in your case it
may be well worth the hassle :-)
If you have your own internal mail server, implement scanning there.
Many email server apps spool messages as one message per file, rather
than wadded into proprietary mailboxes; that could be a good point at
which the message can be deleted without trashing a whole mailbox.
In addition, you may be able to set your email app to delete off server
if the malware always uses a predictable subject line, or delete on
arrival if there's always unique body text.
f) Practice email address hygiene
The goal is to limit the visibility of your email address, and thus
suffer less spam and malware attack:
- use BCC: if sending to multiple recipients
- do NOT automatically add addresses to address book
- mung addresses like this; exam at ple.com in your text
- don't use "real" email address in online forums and newsgroups
- don't give email address when "registering" software etc.
- create disposable aliases for different contexts
- use an alias for "junk", amputate when busy
- filter incoming mail by address (unaddressed = BCC'd or forged)
- whitelist any elists etc. you need from the above
g) Protect the rest of us
Scan and block the malware in both directions, so your systems don't
make the rest of the Internet's problem worse. This is for reason (g)
as well; every system you infected out there is one that "knows" your
address and has live malware that will use it to infect you back.
In addition, teach your users not only to not open stuff that fails the
Turing Test, but not to send "real" messages that fail this test.
Your "safe hex" training can be ruined by one dumb-ass boss who sends
Office "documents" as attachments with zero covering message text, and
who shouts at staffers who correctly refuse to open them.
You'd retire old PCs that couldn't be kept patched and safe. For
users that can't be patched and safe, Google( Silicon Pines ) <g>
-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -
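The "scan and filter incoming email" and "filter incoming mail by address" steps in (e) and (f) above, as an added Python example (this is not code from the original post). It triages each incoming message for a known subject line, a directly executable attachment, and the absence of our own address in To:/Cc: (the BCC'd-or-forged case). The mailbox address, the blocked subject and the three sample messages are constructed placeholders; real subject indicators would come from your AV vendor's write-up of the worm.

```python
"""Mail triage along the lines of steps (e) and (f): flag a known subject,
flag executable attachments, flag mail that never names us as a recipient.
Added example; every address, subject and message below is constructed."""
import email
from email import policy
from email.message import EmailMessage

# Placeholders, not real indicators: fill from your AV vendor's description.
BLOCKED_SUBJECTS = ("placeholder-worm-subject",)
# Extensions Windows will execute directly when a user double-clicks.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")
OUR_ADDRESSES = {"alice@example.com"}  # hypothetical company mailbox


def recipient_addresses(msg: EmailMessage) -> set:
    """Every address named in To: and Cc:, lower-cased (empty if none)."""
    found = set()
    for field in ("to", "cc"):
        for header in msg.get_all(field, []):
            for addr in header.addresses:
                found.add(addr.addr_spec.lower())
    return found


def risky_attachments(msg: EmailMessage) -> list:
    """File names of attachments whose (last) extension is executable."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # endswith() on the whole name also catches "photo.jpg.exe".
        if name.lower().endswith(RISKY_EXTENSIONS):
            names.append(name)
    return names


def classify(raw: str, ours=OUR_ADDRESSES) -> list:
    """Return the reasons to quarantine this message; an empty list means pass."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in BLOCKED_SUBJECTS:
        reasons.append("blocked subject")
    for name in risky_attachments(msg):
        reasons.append(f"risky attachment: {name}")
    # Unaddressed mail was either BCC'd to us or carries forged headers.
    if not (recipient_addresses(msg) & {a.lower() for a in ours}):
        reasons.append("not addressed to us")
    return reasons


# Constructed sample messages (raw RFC 822 text), one per case.
SAMPLES = {
    "clean": (
        "From: bob@example.net\n"
        "To: Alice <alice@example.com>\n"
        "Subject: lunch on Friday?\n"
        "\n"
        "Hi Alice, are you free on Friday?\n"
    ),
    "attachment": (
        "From: bob@example.net\n"
        "To: alice@example.com\n"
        "Subject: Re: your document\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="bnd"\n'
        "\n"
        "--bnd\n"
        "Content-Type: text/plain\n"
        "\n"
        "see attached\n"
        "--bnd\n"
        'Content-Type: application/octet-stream; name="report.pdf.exe"\n'
        'Content-Disposition: attachment; filename="report.pdf.exe"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "AAAA\n"
        "--bnd--\n"
    ),
    # Sender forged to our own address, and we are not in To:/Cc:.
    "forged": (
        "From: Alice <alice@example.com>\n"
        "To: someone-else@example.org\n"
        "Subject: Placeholder-Worm-Subject\n"
        "\n"
        "no text, only bait\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:>10}: {classify(raw) or 'pass'}")
```

The three checks are independent on purpose: a message with a new subject line and no attachment still fails the addressing test, which is the check the post relies on when body text and subject keep changing.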