Security Basics mailing list archives
Re: New Trojan?
From: "Okiwaso" <okiwaso () hotmail com>
Date: Tue, 29 Jun 2004 16:32:42 -0300
You have probably been infected with a trojan via spyware. Even if your kids did not use IE to browse, its security zones are still in use when they check email with Outlook Express or Outlook, so you could have been infected that way if links were clicked.

First check the following registry keys for the list of startup programs for anything unfamiliar, as trojans usually use this key to automatically start on bootup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If you find any unfamiliar entries here, then see if you can see them running in Task Manager. If so, try and kill them by pressing the "End Process" button in Task Manager. If you can't shut them down, they are either critical Windows services (which would be unlikely to be started from the Run key, as they would be services), or these running programs are likely your trojan infection.

To make sure, use Firefox and go to http://security.symantec.com and follow the links so you can scan your machine for known malware, as your versions of AdAware, SpywareBlaster, etc. are likely blocked from detecting what you're infected with. Also they may say you have all the current updates when you try to update them. If this scan tells you that you have infections, it will give you the name of a virus, trojan, etc. to look up at Symantec for its list of files or processes used in the attack. Compare these files to the unknown ones you find in the registry and in Task Manager. You could also look at the files' properties and look for the company info (e.g. Microsoft, etc.), but don't always trust this, as the hacker could label it any way he wants.

Now, if you cannot stop them, then to disinfect yourself, remove their entries from the registry Run key, reboot into Safe Mode by pressing and holding F8 on bootup, and delete the files, as more than likely they will not run in Safe Mode. Then update your virus definitions and scan again for remaining files, etc.
_______

Now to prevent further infection through this hole in IE and its security zones, which are integrated into Windows, do the following registry edit to make My Computer (Local Zone) show up in IE's security zones. In the My Computer zone disable Active scripting. Just disabling it in the Internet Zone prevents a lot of legitimate web pages from working, so disable it in the Local zone, as this is where exploits do their damage anyway. Just change the Flags value to 1 in the \Zones\0 key.

Another fix, and a really good idea, is to make your "My Computer" zone, a.k.a. the "Local Zone", appear in your Internet Properties (done with the registry entry below) and adjust the security properties to mirror the "Restricted Zone" (done manually).

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Flags"=dword:00000001

------------

Also note that when you disable "Active scripting" and "Run ActiveX controls and plug-ins", some software GUIs like Norton AV will not work properly. It is because they are written in Java, VB, etc. and need these options to show you their user interface. So in your profile set them to PROMPT instead of Disable; this way you can say yes when asked if you want them to run, so you can change configurations, start a scan, etc. in Norton AV.

Hope this helps

Okiwaso

----- Original Message -----
From: "Jeff" <Jeff@Not_A_Real_Address.com>
To: <security-basics () securityfocus com>
Sent: Monday, June 28, 2004 4:14 PM
Subject: New Trojan?
PLEASE READ ... I feel violated and need much help, if not for the PC, for my nerves.

The PC is a WinXP box, fully patched, routinely checked with Spybot 1.3 and AdAware 6. I run SpywareBlaster as well. I also use Thunderbird 0.6 and Firefox 0.8. All other family members run Thunderbird on this box. IE6 has not been removed but is fully patched. Norton Antivirus Corporate Edition 9.0, AV file 6/25/2004 r19 is running. (I purposely purchased the licenses at work for our home users also so that they WOULD stay up to date -- a practice I learned from Sprint a long, long time ago.) I use a Netgear FVS318 to interface to my Verizon DSL account.

The events as they happened.

1. My son read his email via the web. It included e-cards. He read them. Doesn't remember where they took him, nor does he remember if he used IE6 or Firefox.

2. Long screaming session about things TO do and things NOT to do while on the internet. 278th time. Disabled his account.

3. Mis-typing a URL will now take me automatically to www.netidentity.com with the mistaken URL clearly identified inside. Identical results on IE6 and Firefox. Java and JavaScript are disabled on Firefox. I leave IE6 alone because I use it when I absolutely must go to some bogus ActiveX site, oh, and Windows Update. But I don't use it otherwise. I always use Firefox. URLs that caused this include: mapblast, mapquest, abc, def ... through xyz. Please note: I had typed "mapblast" but had hit Enter rather than Ctrl-Enter, by mistake. The URLs entered are literally those listed, just the word. They are then transformed to http://mapblast/

4. SAV CE, Spybot, AdAware, SpywareBlaster were all checked for updates and the entire system was scanned. Nothing found.

** My immediate thought was that Network Solutions was up to their
** old tricks with its Site Finder business. A quick check of
** another PC in the house eliminated that.

5. I checked my syslogs and NULL routed the IP address being used to access www.netidentity.com. The same page comes up sans the graphics and the Flash. The web page is still there though, just looking sad. Another check of the syslogs brings up 64.15.175.5 as generating the pages, an open proxy.

6. Also ran HijackThis and went through ALL of the items on it. Nada. Couldn't find the IP addresses or domain names in the registry. I also ran them in reverse notation. Nada.

7. Checked my network settings to make certain that some new DNS server wasn't stuck in. Nope, still set to use the Netgear box. Put 4 different DNS servers in -- still get that stupid site.

8. That was all at lunchtime. Haven't had a chance to run netstat or Ethereal to gain any additional clues.

ZOIKS!!! The PC is off. But NOT knowing what is going on is driving me insane. So while I <ahem> work this afternoon, I thought I would see if any of this sounds, smells or <insert fav sense here> like anything that anyone has seen before!

Jeff
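Added example, not code from either poster: a read-only PowerShell audit of the two places Okiwaso's reply says to inspect. It lists every entry under the HKCU and HKLM Run keys with the company name from the file's version info and its Authenticode signature status (so the "don't trust the company field" caveat can be checked against a real signature), then reports whether the "My Computer" zone (Zones\0) is hidden from Internet Options and how Active scripting and ActiveX are set there. The value names 1400 (Active scripting), 1200 (Run ActiveX controls and plug-ins), their 0/1/3 = Enable/Prompt/Disable encoding, and the 0x20 "do not show zone" bit in Flags are Microsoft-documented zone settings; the script assumes Windows PowerShell and changes nothing, it only reads.

```powershell
# Added audit script (not from the original thread). Read-only: it reports
# Run-key startup entries and the Zone 0 ("My Computer") settings so they
# can be compared against what a scanner names. Assumes Windows PowerShell.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Resolve-CommandPath {
    # Pull the executable path out of a Run value, which may be quoted,
    # unquoted, or followed by arguments.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    $tokens = $Command -split '\s+'
    if ($tokens[0] -match '\.exe$') { return $tokens[0] }
    # Unquoted path containing spaces: grow token by token until a file exists.
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $tokens[0]
}

"== Startup entries in Run keys =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata
        $path = [Environment]::ExpandEnvironmentVariables((Resolve-CommandPath $p.Value))
        $company = '<file not found>'
        $signature = 'n/a'
        if (Test-Path -LiteralPath $path) {
            # CompanyName is free text set by whoever built the file; the
            # Authenticode status is the part that is actually verifiable.
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            $signature = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        [PSCustomObject]@{
            Key       = $key
            Name      = $p.Name
            Path      = $path
            Company   = $company
            Signature = $signature
        }
    }
}

"== Zone 0 (My Computer / Local Zone) settings =="
$zone0 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
if (Test-Path $zone0) {
    $z = Get-ItemProperty -Path $zone0
    $stateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    # Flags bit 0x20 = "do not show zone on Internet Properties"; the thread's
    # fix of setting Flags to 1 clears that bit so the zone becomes visible.
    $hidden = (($z.Flags -band 0x20) -ne 0)
    [PSCustomObject]@{ Setting = 'Zone shown in Internet Options'; State = (-not $hidden); Raw = ('0x{0:X}' -f $z.Flags) }
    foreach ($pair in @(@('1400', 'Active scripting'), @('1200', 'Run ActiveX controls and plug-ins'))) {
        $raw = $z.($pair[0])
        $state = if ($null -eq $raw) { '<not set>' }
                 elseif ($stateNames.ContainsKey([int]$raw)) { $stateNames[[int]$raw] }
                 else { "unknown ($raw)" }
        [PSCustomObject]@{ Setting = $pair[1]; State = $state; Raw = $raw }
    }
} else {
    "Zone 0 key not present under HKCU: $zone0"
}
```

Run it from a normal user session first (HKCU is per-profile, so a setting changed in one account's profile, as Okiwaso suggests, does not show up for another). An entry whose file is missing, whose signature status is NotSigned, or whose company field does not match the signer is what to carry over to the scanner comparison step, not by itself proof of infection.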
--------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------------------
Current thread:
- New Trojan? Jeff (Jun 29)
- RE: New Trojan? Kenton Smith (Jun 30)
- RE: New Trojan? Kit Brown (Jun 30)
- Re: New Trojan? ph03n1x (Jun 30)
- Re: New Trojan? Brian Lund (Jun 30)
- Re: New Trojan? Brian Lund (Jun 30)
- Re: New Trojan? Okiwaso (Jun 30)
- Re: New Trojan? Brad Germany (Jun 30)
- <Possible follow-ups>
- RE: New Trojan? Beon Smal (Jun 30)
- RE: New Trojan? Chris Santerre (Jun 30)
- RE: New Trojan? Rivera Alonso, David (Jun 30)
- RE: New Trojan? Kenton Smith (Jun 30)