Re: Strange behaviour - some text and e-mails disappeared



On Wed, 21 Mar 2007 21:03:43 -0000, "Martin" <vdp3r@xxxxxxxxxxx> wrote:

> Two days ago a friend running Windows 2000 on a laptop with a wired
> broadband modem connection was writing a Googlemail in Mozilla Firefox and
> found text disappearing before his eyes. He also had a couple of e-mails
> disappear from Outlook Express in front of him (and a later check showed
> they weren't in the Deleted Items folder either).

Sounds nasty...

> Anyway, he disconnected from the Internet and ran a scan with his Norton
> antivirus (well, if it didn't stop anything bad in real-time monitoring, I
> don't suppose it was going to find anything on a scan).

Quite. Scans done from within an infected OS are non-exclusionary.

I would build a Bart CDR from a clean XP system, with scanners
integrated into that, and use that to formally scan the Win2000 box.
If the file system is FATxx, you can also use DOS scanners from a DOS-mode
diskette boot. If it's NTFS, then Bart's the best bet.

> I got him to run an online Kaspersky scan,

If scans running from the infected OS are not trustworthy, scans run
online via the infected OS's Internet access are highly dubious. How
do you know that whatever waded through all your files looking for
"virus" was really K's site, and not a redirected malware site that's
ripping passwords and CC numbers etc. from your data?

> He runs free Zonealarm as the firewall. A few months ago he cocked up
> and ran for a day or so with Zonealarm off and got a message from a hacker
> to say he'd been hacked (nice to know).

Once you have a human pulling on the RAT's tail, all bets are off.
All sorts of custom stuff may have been uploaded that
mugshot-recognition scanners won't recognise.

> By the way, his Windows Critical Updates have always automatically been kept
> up to date, as have Mozilla and Internet Explorer.

> Other than installing a new hard drive with a newer operating system, what
> else should he do?

Because of the human element, I'd tend towards a clean rebuild rather
than formally cleaning the old installation (though I'd do that for
forensics). I'd insist on a SP'd and firewalled OS before going
online at all, then patch up.

Be careful of what "data" you restore. MS practice happily mixes
downloaded .EXE with your data, so blindly restoring "My Documents" is
dangerous, as is re-using your old email stores and .PST (given how
these hide malware attachments from av).

> If we assume it is - and was - virus and spyware free, what assurance is
> there that a hacker hasn't created/installed a backdoor method of entry?

None.



--------------- ---- --- -- - - - -
Saws are too hard to use.
Be easier to use!
--------------- ---- --- -- - - - -
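Added example, not part of this thread or of any tool it mentions: a screening script for the "be careful of what data you restore" step above. It walks a copy of the old "My Documents" tree (taken from the clean boot, not from the infected OS) and lists what it would hold back before the restore. Because Windows mixes downloaded programs in with documents and a file does not need an .exe name to be a program, it checks both the name (a known executable or script extension, including a double extension such as report.doc.exe) and the content (the "MZ" header of a DOS/PE executable, so a renamed .jpg is still caught). The extension list and the sample files are assumptions constructed for the example.

```python
"""Screen a 'My Documents' tree for executable content before restoring it.

Added example, not the original poster's code. Flags files by name
(executable/script extension, double extension) and by content (MZ
header), so a renamed executable is caught as well as an obvious one.
"""
import os
import tempfile

# Extensions Windows will run, interpret or follow as a shortcut.
# Assumed list for the example; not exhaustive.
EXEC_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".hta", ".lnk", ".cpl", ".dll", ".msi", ".reg",
}
PE_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def suspicious_name(name):
    """Return a reason string if the file name looks executable, else None."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext in EXEC_EXTENSIONS:
        if len(parts) > 2:  # e.g. report.doc.exe shown as 'report.doc'
            return "double extension ending in " + ext
        return "executable extension " + ext
    return None


def suspicious_content(path):
    """Return a reason string if the file content is a DOS/PE executable."""
    with open(path, "rb") as fh:
        head = fh.read(2)
    if head == PE_MAGIC:
        return "MZ header (executable content regardless of extension)"
    return None


def screen_tree(root):
    """Walk root; return a sorted list of (relative path, reason) to hold back."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reason = suspicious_name(name) or suspicious_content(full)
            if reason:
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample 'My Documents' mixing documents and executables."""
    root = tempfile.mkdtemp(prefix="mydocs_")
    os.makedirs(os.path.join(root, "Downloads"))
    samples = {
        "letter.txt": b"Dear Sir,\nplease find attached...\n",
        "Downloads/setup.exe": b"MZ\x90\x00fake program body",
        "Downloads/report.doc.exe": b"MZ\x90\x00another one",
        "photo.jpg": b"MZ\x90\x00renamed executable",   # the extension lies
        "notes.doc": b"\xd0\xcf\x11\xe0plain document",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, reason in screen_tree(tree):
        print("HOLD BACK " + rel + ": " + reason)
```

Run it against the mounted old drive's "My Documents" (from the Bart CD or another clean boot) and hand-inspect the held-back list instead of copying it; the same idea does not help with a .PST, which is why the reply above advises against re-using old mail stores at all.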