
PostPosted: Tue Jan 27, 2004 6:28 am
by Toby B.
Just a friendly reminder...

Update your Anti-virus program ASAP

I got socked with at least one trojan and at least one worm.

http://securityresponse.symantec.com/av ... .a@mm.html

That is what I have tracked down thus far on my PC...

PostPosted: Tue Jan 27, 2004 3:58 pm
by J.C.GARCIA
Thanks, just got it one hour ago. Luckily I had updated Norton this morning, so no harm done. But I would like to know how the sender has my email address. I know that it's a mass mailer, so I could be in someone's address book. I never got to open the attachment as Norton deleted it beforehand.

PostPosted: Sat Jan 31, 2004 8:51 pm
by J.C.GARCIA
Just some small tips on detection and removal of the MyDoom A and B variants:

http://www.microsoft.com/security/antiv ... p#whattodo

PostPosted: Sat Feb 07, 2004 4:06 pm
by Tau

PostPosted: Fri Feb 13, 2004 2:41 am
by Big Jake
I'm using SpyBot, Ad-Aware and F-PROT and Zone Alarm.

See the current issue of PC MAG for a decent discussion of the issue.

Jake

nyb

PostPosted: Sat Feb 14, 2004 11:45 pm
by poundu1
Pentium 1, 100 MHz, 1 gig HD NEC laptop.
Using Norton SysWorks 2002. It detected and removed NYB. However, I can't tell that it's gone, as MSD is still showing strange things like programs named pyright, ??? and others named with ASCII text.
Also there is a folder (system) with no name in Explorer that I cannot move, delete etc.

NetSky.B

PostPosted: Wed Feb 18, 2004 5:49 pm
by peta_byte
Oops, double post.. would a mod please delete?

Re: NetSky.B

PostPosted: Wed Feb 18, 2004 6:19 pm
by peta_byte
poundu1, we discussed your NYB at length.. for the most part you seemed to ignore our suggestions.. I mentioned a few ideas in that thread about backing up some of the data.. but in the end, you have to bite the bullet and kill the partition and fdisk /mbr it..

Now there's a new virus on the loose.. the AV definitions are only just coming out. I'll post 3 of the major AV vendors' links.. but note that AVG also has recognised its existence.. I'm not sure if they've released definitions.

NetSky.B (Mass mailing worm..)

http://vil.nai.com/vil/content/v_101034.htm
http://www.sophos.com/virusinfo/analyse ... tskyb.html
http://securityresponse.symantec.com/av ... ky@mm.html

removal tool :
http://securityresponse.symantec.com/av ... .tool.html

Norton beta definition :
http://securityresponse.symantec.com/av ... nload.html

some quoted info from Symantec :

"Creates a mutex named "AdmSkynetJKIS003." This mutex allows only one instance of the worm to execute in memory."

Deletes the values:

"Taskmon"
"Explorer"

from the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


Deletes the values:

"KasperskyAV"
"System."

from the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Deletes the registry key:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32


One guy infected himself and reported this (PM me for the source if needed):

After you start the file that's inside the zip file you will get a popup

Error!
The file could not be opened!

It will copy itself to %systemroot% (usually c:\winnt or c:\windows) as services.exe.
The Run registry key is used to make it start up after a reboot.

The key added will be:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
service: REG_SZ: C:\WINNT\services.exe -serv

It will also drop about 40 zip files with varying names (listed below) and sizes between 22130 and 22150 bytes. These are probably copies of itself.

I'm not sure but it also looks like it opens 2 tcp ports (2701 & 2702). I could not verify if these actually belonged to the virus as fport.exe doesn't seem to work on this machine.

zip files:
aboutyou.zip
attachment.zip
bill.zip
concert.zip
creditcard.zip
details.zip
dinner.zip
disco.zip
doc.zip
document.zip
final.zip
found.zip
friend.zip
information.zip
jokes.zip
location.zip
mail2.zip
mails.zip
me.zip
message.zip
misc.zip
msg.zip
nomoney.zip
note.zip
object.zip
part2.zip
party.zip
posting.zip
product.zip
ps.zip
ranking.zip
release.zip
shower.zip
story.zip
stuff.zip
swimmingpool.zip
talk.zip
textfile.zip
topseller.zip
website.zip
-----------------------------

Yet Symantec's list of attachments is different, so there might be a family of them..

Attachment: The attachment is one of the following,

prod_info_55761.rtf.exe.zip
prod_info_65642.rtf.scr.zip
prod_info_33543.rtf.scr.zip
prod_info_56474.txt.exe.zip
prod_info_33325.txt.exe.zip
prod_info_77256.txt.scr.zip
prod_info_34157.htm.exe.zip
prod_info_87968.htm.scr.zip
prod_info_43859.htm.scr.zip
prod_info_56780.doc.exe.zip
prod_info_43631.doc.exe.zip
prod_info_47532.doc.scr.zip
prod_info_54433.doc.exe.zip
prod_info_42314.pif
prod_info_54235.scr
prod_info_49146.exe
prod_info_33967.cmd
prod_info_42818.pif
prod_info_54739.scr
prod_info_04650.bat
prod_info_49541.exe
prod_info_33462.cmd
prod_info_42313.pif
prod_info_54234.scr
prod_info_04155.bat
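
A read-only triage check for the NetSky.B indicators quoted in the post above (the Run value, the services.exe drop location, the zip names and sizes, the mutex, and the two unconfirmed TCP ports). This is an added example written for this page; it is not from the thread, from Symantec, or from any vendor removal tool. It assumes the zip copies land in %SystemRoot% next to services.exe (the post does not say where they go) and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later). It only reports what it finds and changes nothing; cleanup is still the removal tool linked above.

```powershell
# Added example, not part of the original post. Read-only check for the
# NetSky.B indicators quoted above. Run in an elevated PowerShell on the
# machine under investigation. Returns an array of finding strings.
function Test-NetSkyBIndicators {
    $findings = @()

    # 1. Persistence: Run value "service" = <SystemRoot>\services.exe -serv
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($runValues -and $runValues.PSObject.Properties['service']) {
        $data = [string]$runValues.service
        if ($data -match 'services\.exe\s+-serv') {
            $findings += "Run value 'service' = $data (matches the persistence entry from the post)"
        }
    }

    # 2. Dropped binary: services.exe directly under %SystemRoot%. The legitimate
    #    Service Control Manager binary lives in %SystemRoot%\System32, so a copy
    #    one directory up is suspicious on its own.
    $dropPath = Join-Path $env:SystemRoot 'services.exe'
    if (Test-Path -LiteralPath $dropPath) {
        $item = Get-Item -LiteralPath $dropPath
        $findings += "Found $dropPath ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }

    # 3. Dropped zip copies, names taken from the post. Location (%SystemRoot%)
    #    is an assumption; the post does not state it. Sizes 22130..22150 bytes.
    $zipNames = @('aboutyou','attachment','bill','concert','creditcard','details','dinner',
        'disco','doc','document','final','found','friend','information','jokes','location',
        'mail2','mails','me','message','misc','msg','nomoney','note','object','part2','party',
        'posting','product','ps','ranking','release','shower','story','stuff','swimmingpool',
        'talk','textfile','topseller','website')
    foreach ($name in $zipNames) {
        $zip = Join-Path $env:SystemRoot "$name.zip"
        if (Test-Path -LiteralPath $zip) {
            $len = (Get-Item -LiteralPath $zip).Length
            $sizeNote = if ($len -ge 22130 -and $len -le 22150) { 'size in reported range' }
                        else { 'size outside reported range' }
            $findings += "Found $zip ($len bytes, $sizeNote)"
        }
    }

    # 4. Mutex AdmSkynetJKIS003 is held while an instance runs. OpenExisting
    #    throws when no such mutex exists (or it cannot be opened), so a
    #    successful open means something is holding that name right now.
    try {
        $m = [System.Threading.Mutex]::OpenExisting('AdmSkynetJKIS003')
        $m.Dispose()
        $findings += 'Mutex AdmSkynetJKIS003 is present (a worm instance is likely running)'
    } catch {
        # Not present: nothing to report.
    }

    # 5. TCP 2701/2702 listeners. The poster could not confirm these belong to
    #    the worm, so report the owning process and treat it as weak evidence.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 2701, 2702 }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings += "TCP $($l.LocalPort) listening, PID $($l.OwningProcess) ($($proc.ProcessName)) - unconfirmed indicator"
    }

    return $findings
}

$result = Test-NetSkyBIndicators
if ($result.Count -eq 0) { 'No NetSky.B indicators from the post were found.' }
else { $result | ForEach-Object { "[!] $_" } }
```

Each finding names the artifact and where it was seen so it can be compared against the vendor write-ups before anything is deleted; the size check on the zips is there because a file with one of these generic names but a very different size is more likely an unrelated user file than a worm copy.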

Help with virus

PostPosted: Tue Apr 20, 2004 2:24 pm
by dougall
Trying to help a friend who has a PC with no anti-virus software. About 10 days ago he began to have problems where his internet connection was being dropped a few minutes after logging on, typically between 5 and 15 mins.

I have managed to run Spybot with latest defs, but after installing Norton Antivirus I could not keep the connection up long enough for the latest updates to download. The stuff I removed with Spybot didn't help the problem, and Norton could only scan with out-of-date virus definitions and found nothing.

Is this problem likely to be a virus? If so, how can I get the latest Norton Antivirus definition files from my laptop to their PC (i.e. what to copy and where?), if that is an option.

Any ideas, or am I barking up the wrong tree? Is it perhaps, just a noisy phone line on their 56k modem connection?

Appreciate any input

PostPosted: Tue Apr 20, 2004 3:22 pm
by Denniss
Just look at the links in the first post in this thread!

Directs you to a manual definitions update at Symantec - use the 7MB download and burn it onto CD and execute it on the other PC

www.free-av.com - another good free Virus-Scanner/Killer