Collected Links : Virus/Spyware Information/Removal


Postby Toby B. » Tue Jan 27, 2004 6:28 am

Just a friendly reminder...

Update your Anti-virus program ASAP

I got socked with at least one trojan and at least one worm.

http://securityresponse.symantec.com/av ... .a@mm.html

That is what I have tracked down thus far on my PC...

Postby J.C.GARCIA » Tue Jan 27, 2004 3:58 pm

Thanks, just got it one hour ago. Luckily I had updated Norton this morning, so no harm done. But I would like to know how the sender has my email address. I know that it's a mass mailer, so I could be in someone's address book. I never got to open the attachment, as Norton deleted it beforehand.
p4 2.4b 533mhz fsb
epox 4bea2
768mb ddr pc2100
radeon 7000 64mb w/tv out
120gb seagate hard drive 7200rpm
40gb seagate hard drive 5400rpm
live 1024
dvdrw lg gsa 4040b
cdrw btc 48x16x48x
xp home

Postby J.C.GARCIA » Sat Jan 31, 2004 8:51 pm

Just some small tips on detection and removal of the MyDoom A and B variants:

http://www.microsoft.com/security/antiv ... p#whattodo

Postby Tau » Sat Feb 07, 2004 4:06 pm

Tau.

"Learn from other people's mistakes, it's quicker."


Postby Big Jake » Fri Feb 13, 2004 2:41 am

I'm using SpyBot, Ad-Aware and F-PROT and Zone Alarm.

See the current issue of PC MAG for a decent discussion of the issue.

Jake

NYB

Postby poundu1 » Sat Feb 14, 2004 11:45 pm

Pentium 1, 100 MHz, 1 GB HD, NEC laptop.
Using Norton SystemWorks 2002. It detected and removed NYB. However, I can't tell that it's gone, as MSD is still showing strange things, like programs named pyright, ??? and others named with ASCII text.
Also there is a folder (system) with no name in Explorer that I cannot move, delete, etc.
crispr edit

NetSky.B

Postby peta_byte » Wed Feb 18, 2004 5:49 pm

Oops, double post. Would a mod please delete?
Last edited by peta_byte on Wed Feb 18, 2004 6:23 pm, edited 1 time in total.

Re: NetSky.B

Postby peta_byte » Wed Feb 18, 2004 6:19 pm

poundu1, we discussed your NYB at length. For the most part you seemed to ignore our suggestions. I mentioned a few ideas in that thread about backing up some of the data, but in the end you have to bite the bullet, kill the partition and fdisk /mbr it.

Now there's a new virus on the loose. The AV definitions are only just coming out. I'll post links from 3 of the major AV vendors, but note that AVG has also recognised its existence; I'm not sure if they've released definitions.

NetSky.B (mass-mailing worm)

http://vil.nai.com/vil/content/v_101034.htm
http://www.sophos.com/virusinfo/analyse ... tskyb.html
http://securityresponse.symantec.com/av ... ky@mm.html

Removal tool:
http://securityresponse.symantec.com/av ... .tool.html

Norton beta definition:
http://securityresponse.symantec.com/av ... nload.html

Some quoted info from Symantec:

"Creates a mutex named "AdmSkynetJKIS003." This mutex allows only one instance of the worm to execute in memory."

Deletes the values:

"Taskmon"
"Explorer"

from the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


Deletes the values:

"KasperskyAV"
"System."

from the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Deletes the registry key:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32


One guy infected himself and reported this (PM me for the source if needed):

After you start the file that's inside the zip file you will get a popup:

Error!
The file could not be opened!

It will copy itself to %systemroot% (usually c:\winnt or c:\windows) as services.exe.
The Run registry key is used to make it start up after a reboot.

The key added will be:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
service: REG_SZ: C:\WINNT\services.exe -serv

It will also drop about 40 zip files with varying names (listed below) and sizes between 22130 and 22150 bytes. These are probably copies of itself.

I'm not sure, but it also looks like it opens 2 TCP ports (2701 & 2702). I could not verify whether these actually belonged to the virus, as fport.exe doesn't seem to work on this machine.

Zip files:
aboutyou.zip
attachment.zip
bill.zip
concert.zip
creditcard.zip
details.zip
dinner.zip
disco.zip
doc.zip
document.zip
final.zip
found.zip
friend.zip
information.zip
jokes.zip
location.zip
mail2.zip
mails.zip
me.zip
message.zip
misc.zip
msg.zip
nomoney.zip
note.zip
object.zip
part2.zip
party.zip
posting.zip
product.zip
ps.zip
ranking.zip
release.zip
shower.zip
story.zip
stuff.zip
swimmingpool.zip
talk.zip
textfile.zip
topseller.zip
website.zip
-----------------------------

Yet Symantec's list of attachments is different, so there might be a family of them.

Attachment: The attachment is one of the following:

prod_info_55761.rtf.exe.zip
prod_info_65642.rtf.scr.zip
prod_info_33543.rtf.scr.zip
prod_info_56474.txt.exe.zip
prod_info_33325.txt.exe.zip
prod_info_77256.txt.scr.zip
prod_info_34157.htm.exe.zip
prod_info_87968.htm.scr.zip
prod_info_43859.htm.scr.zip
prod_info_56780.doc.exe.zip
prod_info_43631.doc.exe.zip
prod_info_47532.doc.scr.zip
prod_info_54433.doc.exe.zip
prod_info_42314.pif
prod_info_54235.scr
prod_info_49146.exe
prod_info_33967.cmd
prod_info_42818.pif
prod_info_54739.scr
prod_info_04650.bat
prod_info_49541.exe
prod_info_33462.cmd
prod_info_42313.pif
prod_info_54234.scr
prod_info_04155.bat
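As an added editorial example (not code from this thread, from Symantec, or from any other AV vendor), the indicators quoted in the post above can be turned into a repeatable triage check. The script below takes a constructed "host snapshot" (a made-up dictionary of files with sizes, Run values, mutex names and listening TCP ports, since the thread prescribes no such format) and flags the NetSky.B artefacts the post lists: services.exe dropped directly in %systemroot% with a "service ... -serv" Run value, the 40 zip names in the 22130 to 22150 byte range, the AdmSkynetJKIS003 mutex, and, at low confidence because the reporter could not verify it, TCP 2701/2702. A second function applies Symantec's prod_info_* attachment naming pattern to mail attachment names. The two sample snapshots are constructed for illustration.

```python
"""Triage check for the NetSky.B indicators quoted in the thread.

Added example, not the thread's or any vendor's code. The snapshot format
(a plain dict) is an assumption made for this illustration.
"""
import ntpath
import re

# Indicators taken from the post. The 40 zip names are compared without
# their ".zip" suffix; the size range is the one the reporter observed.
NETSKY_B_MUTEX = "AdmSkynetJKIS003"
NETSKY_B_ZIP_STEMS = set("""
aboutyou attachment bill concert creditcard details dinner disco doc document
final found friend information jokes location mail2 mails me message misc msg
nomoney note object part2 party posting product ps ranking release shower story
stuff swimmingpool talk textfile topseller website
""".split())
ZIP_SIZE_LO, ZIP_SIZE_HI = 22130, 22150
# Run value "service" = "C:\WINNT\services.exe -serv" from the report.
RUN_DATA_RE = re.compile(r"\\services\.exe\s+-serv\s*$", re.IGNORECASE)
# The reporter could not confirm these ports belonged to the worm.
PORTS_LOW_CONFIDENCE = {2701, 2702}
# Symantec's attachment list: prod_info_<5 digits> followed either by a
# nested document.executable.zip name or by a bare executable extension.
ATTACHMENT_RE = re.compile(
    r"^prod_info_\d{5}(?:\.(?:rtf|txt|htm|doc)\.(?:exe|scr)\.zip"
    r"|\.(?:pif|scr|exe|cmd|bat))$",
    re.IGNORECASE,
)


def check_host(snap):
    """Return (confidence, detail) findings for one host snapshot."""
    findings = []
    root = snap["systemroot"].rstrip("\\").lower()
    for path, size in snap["files"]:
        directory, name = ntpath.split(path.lower())
        if directory != root:
            # The genuine services.exe lives in %systemroot%\system32, not in
            # %systemroot% itself, so only files directly under the root count.
            continue
        if name == "services.exe":
            findings.append(("high", f"services.exe dropped in %systemroot%: {path} ({size} bytes)"))
        elif name.endswith(".zip") and name[:-4] in NETSKY_B_ZIP_STEMS \
                and ZIP_SIZE_LO <= size <= ZIP_SIZE_HI:
            findings.append(("medium", f"worm-style zip in %systemroot%: {path} ({size} bytes)"))
    for value, data in snap["run_values"].items():
        if value.lower() == "service" and RUN_DATA_RE.search(data):
            findings.append(("high", f"Run value {value!r} = {data!r}"))
    if NETSKY_B_MUTEX in snap["mutexes"]:
        findings.append(("high", f"mutex {NETSKY_B_MUTEX} present"))
    if PORTS_LOW_CONFIDENCE <= set(snap["listening_tcp"]):
        findings.append(("low", "TCP 2701 and 2702 both listening (unverified indicator)"))
    return findings


def is_netsky_b_attachment(filename):
    """True if a mail attachment name matches Symantec's prod_info_* pattern."""
    return bool(ATTACHMENT_RE.match(filename))


# Constructed snapshots (not real hosts). Sizes are illustrative only.
INFECTED_SNAPSHOT = {
    "systemroot": "C:\\WINNT",
    "files": [
        ("C:\\WINNT\\services.exe", 22138),            # dropped copy
        ("C:\\WINNT\\party.zip", 22140),               # name and size match
        ("C:\\WINNT\\system32\\services.exe", 108032), # legitimate, ignored
        ("C:\\WINNT\\jokes.zip", 500000),              # right name, wrong size
    ],
    "run_values": {"service": "C:\\WINNT\\services.exe -serv"},
    "mutexes": {"AdmSkynetJKIS003"},
    "listening_tcp": {135, 2701, 2702},
}
CLEAN_SNAPSHOT = {
    "systemroot": "C:\\WINDOWS",
    "files": [
        ("C:\\WINDOWS\\system32\\services.exe", 108032),
        ("C:\\WINDOWS\\notepad.exe", 69120),
    ],
    "run_values": {"ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe"},
    "mutexes": set(),
    "listening_tcp": {135, 2701},  # one port alone is not enough
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED_SNAPSHOT), ("clean", CLEAN_SNAPSHOT)):
        print(label, check_host(snap))
    for name in ("prod_info_55761.rtf.exe.zip", "prod_info_04650.bat", "report.doc"):
        print(name, is_netsky_b_attachment(name))
```

The path comparison is deliberately strict: a services.exe under %systemroot%\system32 is the real Service Control Manager, so only a copy sitting directly in %systemroot% is reported. The port check requires both 2701 and 2702 and is tagged low confidence to mirror the reporter's own uncertainty.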

Help with virus

Postby dougall » Tue Apr 20, 2004 2:24 pm

Trying to help a friend who has a PC with no anti-virus software. About 10 days ago he began to have problems where his internet connection was being dropped a few minutes after logging on, typically between 5 and 15 mins.

I have managed to run Spybot with latest defs, but after installing Norton Antivirus I could not keep the connection up long enough for the latest updates to download. The stuff I removed with Spybot didn't help the problem, and Norton could only scan with out-of-date virus definitions and found nothing.

Is this problem likely to be a virus? If so, how can I get the latest Norton Antivirus definition files from my laptop to their PC (i.e. what to copy and where?), if that is an option.

Any ideas, or am I barking up the wrong tree? Is it perhaps just a noisy phone line on their 56k modem connection?

Appreciate any input
Cheers...Dougall
I was that soldier

Postby Denniss » Tue Apr 20, 2004 3:22 pm

Just look at the links in the first post in this thread!

They direct you to a manual definitions update at Symantec. Use the 7MB download, burn it onto CD and execute it on the other PC.

www.free-av.com - another good free Virus-Scanner/Killer
