
possible to find out if a virus has sent an info from the system? - Windows Setup, Administration & Security


  1. #1

    possible to find out if a virus has sent an info from the system?

    Excuse me for cross-posting, I wasn't sure which group would be the most
    right, since the question might involve a few OS's.

    I have two Ethernet connected machines - a dual boot (2000 Server/ XP Pro)
    ICS hosting machine connected to the Internet via ADSL USB modem and a 95C
    machine (in fact it's multiboot too, but, the whole thing happened
    while it was under W95, so, the other OS's can be ignored here) with Norton
    AntiVirus2001 installed (the first one has AVG under both OS's). The 95
    machine has no network shares and it's accessible from the other one
    only via smtp or http (however, it has only a local IP address, so, I don't
    think it could be accessed from the Internet, unless someone gains control
    over the ICS hosting machine).

    I am using only the 95 machine for downloading email. I'm running a personal
    mail server (Mercury) on it, so, all incoming mail is NAV checked at least
    twice (when downloaded from the Internet by Mercury and when 'downloaded'
    from Mercury by a mail client); furthermore, Mercury is configured to start
    NAV whenever a message arrives addressed to some of my less private
    addresses, particularly exposed to spamming, to scan the folders on disk
    where it's stored before being delivered to a client (and, of course, in
    case of a particular suspect, the files can be checked manually, too). BTW,
    on XP I have the built-in firewall enabled on ICS, but, I am not sure
    whether it is configured well and whether it's protecting me. I don't think
    I have a firewall under 2000. (I know, I know... but, I am quite new to
    networking and firewalling.)

    During the last system scan on the 95 machine NAV discovered
    W32.Bugbear.Bmm in the Eudora\attach folder and put it in quarantine.
    Actually, since the previous system scan (maybe just since that particular
    message was downloaded), NAV mail protection has been frequently crashing,
    or its proxy just stopping working, and the system has also been frequently
    and unreasonably short of memory. In fact, the Eudora 'download' also
    crashed on the first attempt and the crash was caused by NAV (although
    at the moment I attributed it to the huge amount of messages it had to
    load - it was mail for accounts I hadn't been checking for a while).

    I've seen on
    [url]http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.bmm.html[/url]
    that W32.Bugbear.Bmm 'contains routines that specifically affect
    financial institutions. This functionality will cause the worm to send
    sensitive data to one of ten hard-coded public Internet e-mail addresses.
    The information sent includes cached passwords and key-logging data.' It
    attempts to terminate processes of various antivirus and firewall programs
    (see above!) It copies itself to accessible shares (my 95 machine has no LAN
    shares on it, but, practically the whole 2000/XP machine, not only the
    shared folders, is accessible, since the 95 user is administrator on it -
    the drive letters are just hidden for him, but not inaccessible).

    I don't have any suspect *.exe's in any Startup folder on any system. In
    my 95's C:\Windows\System I have 5 5,632-byte DLL's, but, all seem to be
    legitimate Windows DLL's and none is randomly named (as the article
    describes the PWS.Hooker.Trojan, dropped by the worm for keylogging). I
    don't see any suspect *.exe in my network shared documents, but, Symantec
    says it infects files matching filenames like regedit.exe, mplayer.exe,
    notepad.exe etc. However, I don't seem to have any file from Symantec's
    list in my Shareddocs (All users\Documents), but, I also have a shared
    program repository on that (2000/XP) machine and, although the exe's there
    are mainly just installation archives and never installed programs
    themselves, there are hundreds of them and I can hardly be sure none of the
    filenames matches any from the list. AVG has detected nothing. It doesn't
    seem that I have port 1080 open on any system.

    If an attachment is .js or .scr (and W32.Bugbear.Bmm *is*) it may execute
    without a user's action, am I right? Although I am sure I have never opened
    the infected message in Eudora and I really don't believe it has even ever
    been displayed in the preview window...

    So I might seem paranoid, but... NAV protection crashes and memory problems
    strangely coincide with the worm's arrival. And the nature of the threat is
    very... delicate. I am certainly not a 'financial institution' :)) but I do,
    from time to time, do online financial transactions. Well, I assume that now
    it has been put out of combat (is it?), but, I need to be sure it hasn't
    sent any information before being put in quarantine. Meanwhile I'll use
    Linux for online payments. Although... *if* the 2000/XP machine is infected
    too, maybe the worm, somehow, can intercept the traffic passing through its
    ICS? I need to know A) whether I have any way to find out if any
    information has already been sent from the W95 system? B) How can I be
    absolutely sure that the XP/2000 machine is free of that worm?

    An additional question, please: after the incident (only after :( ), I've
    added to my Mercury server rules like this - to delete any incoming message
    whose body contains lines matching "*Content-Type:
    application/octet-stream*" AND "*filename="*.scr"" (and by analogy for .js
    and .pif, I probably should add .vbs). But... *this* worm is characterised by
    incorrect MIME headers, so it can say 'Content-Type: image/jpeg' (matching
    the type of the file whose name it has 'stolen'), and then contain - a .scr
    file! So, I suppose my rules wouldn't block it and I'm afraid that only
    "*filename="*.js"" might be too restrictive. Opinions? A better way to
    create rules?

    I apologise for the long post and will greatly appreciate any response.
    Thanks in advance.

    Onilotreb Valsimot Guest

  2. #2

    Re: possible to find out if a virus has sent an info from the system?

    Slightly off-topic - but

    a) all workstations, whether Internet connected or not - need AV software. I
    would look at [url]www.grisoft.com[/url] and check out the free AVG antivirus - I've
    come to like it very much. Set it to update every day.
    b) do online scans at [url]http://housecall.antivirus.com[/url]
    c) block all the extensions you see here:
    [url]http://www.swinc.com/resource/exch_faq_appxj.htm[/url]
    d) get a firewall/router, and ditch ICS. I'd look at the NetGear
    FVS318...cheap and cheerful, and a hell of a lot more secure - and better
    performing than ICS.



    Lanwench [MVP - Exchange] Guest
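The filtering question in the first post (a Mercury rule that only fires when a message has both a "Content-Type: application/octet-stream" line and a filename="*.scr" line) and point (c) in the reply above (block a list of attachment extensions) can be compared directly in code. What follows is an added example written for this page; it is not code from either poster, from Mercury, or from any product, and it uses only Python's standard email library. Every message it examines is constructed inline, the attachment payload is an inert placeholder, and BLOCKED_EXTENSIONS and EXPECTED_TYPES are illustrative lists chosen for the example rather than an authoritative set.

```python
import email
import email.utils
import os
from email import policy
from email.message import EmailMessage

# Extensions the thread names as executable attachments (.scr, .js, .pif, .vbs);
# the remaining entries are an assumed extension of that list for this example.
BLOCKED_EXTENSIONS = {".scr", ".js", ".pif", ".vbs", ".exe", ".com", ".bat", ".cmd"}

# Declared Content-Types that plausibly belong to a given extension (assumed list).
# A mismatch only raises a "suspicious" flag, because legitimate mail clients
# also label images and documents as application/octet-stream.
EXPECTED_TYPES = {
    ".jpg": {"image/jpeg"}, ".jpeg": {"image/jpeg"}, ".gif": {"image/gif"},
    ".png": {"image/png"}, ".txt": {"text/plain"}, ".pdf": {"application/pdf"},
}


def _attachment_names(part) -> list:
    """Every filename a MIME part carries: Content-Disposition filename= and
    Content-Type name=. Both are collected because the two need not agree."""
    names = []
    for value in (part.get_filename(), part.get_param("name")):
        if isinstance(value, tuple):  # RFC 2231 encoded (charset, language, value)
            value = email.utils.collapse_rfc2231_value(value)
        if value and value not in names:
            names.append(value)
    return names


def attachment_findings(raw_message: bytes) -> list:
    """Classify each attachment by the extension of its real filename(s),
    ignoring whatever Content-Type the sender declared."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        names = _attachment_names(part)
        if not names:  # inline body text, no filename anywhere
            continue
        declared = part.get_content_type()
        exts = {os.path.splitext(n)[1].lower() for n in names}
        blocked = bool(exts & BLOCKED_EXTENSIONS)
        mismatch = any(e in EXPECTED_TYPES and declared not in EXPECTED_TYPES[e]
                       for e in exts)
        findings.append({
            "names": names,
            "declared_type": declared,
            "block": blocked,
            "suspicious": blocked or mismatch,
        })
    return findings


def should_drop(raw_message: bytes) -> bool:
    """Drop decision based on filename extension alone."""
    return any(f["block"] for f in attachment_findings(raw_message))


def naive_rule_matches(raw_message: bytes) -> bool:
    """The rule from the thread: a line matching *Content-Type: application/octet-stream*
    AND a line matching *filename="*.scr"*. A part whose Content-Type lies escapes it."""
    lines = raw_message.decode("ascii", "replace").splitlines()
    has_octet = any("Content-Type: application/octet-stream" in ln for ln in lines)
    has_scr = any('filename="' in ln and ln.rstrip().endswith('.scr"') for ln in lines)
    return has_octet and has_scr


def build_message(attach_name: str, declared_type: str, type_name=None) -> bytes:
    """Constructed sample message; the payload is placeholder text, not an executable.
    type_name, if given, becomes a separate name= parameter on the Content-Type."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    maintype, subtype = declared_type.split("/", 1)
    params = {"name": type_name} if type_name else None
    msg.add_attachment(b"placeholder bytes, not an executable", maintype=maintype,
                       subtype=subtype, filename=attach_name, params=params)
    return bytes(msg)


if __name__ == "__main__":
    samples = [
        ("declared octet-stream, .scr", build_message("setup.scr", "application/octet-stream")),
        ("declared image/jpeg, .scr", build_message("photo.scr", "image/jpeg")),
        ("name= says .jpg, filename= says .scr", build_message("photo.scr", "image/jpeg", "photo.jpg")),
        ("harmless text", build_message("notes.txt", "text/plain")),
    ]
    for label, raw in samples:
        print(f"{label}: naive rule={naive_rule_matches(raw)}, drop={should_drop(raw)}")
```

The second and third samples are the case the poster describes: the declared Content-Type says image/jpeg, so the octet-stream condition never matches and the naive rule lets the message through, while a decision made on the filename extension (from either header) still blocks it. The mismatch flag is kept separate from the drop decision on purpose; a .jpg declared as application/octet-stream is common enough from legitimate clients that it is worth logging, not deleting.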

  3. #3

    Re: possible to find out if a virus has sent an info from the system?

    > "Onilotreb Valsimot" <valsimot2002libero?it> wrote in
    > message news:%23BwvhBaRDHA.2196TK2MSFTNGP11.phx.gbl...
    >
    > Very useful link!!! Thank you. Now, if there were also
    > a list of the file types with the extensions listed on the
    > page that can be executed even without a user's action,
    > just by a message being displayed in the preview window...
    > I think .js and .scr can, I think .exe can not, I might
    > be wrong, I don't know about the others. I certainly
    > will never click on an .exe attachment arrived from
    > [email]xt23q7hotmail.com[/email]


    Onilotreb, (Bertolino?)

    On the Windows 95 machine the trouble is that you can't
    update to the latest version of Internet Explorer 6, which
    fixes the problem you describe above.

    However, I think the latest version of Internet Explorer
    5.5 might also have this problem patched.

    Finding it might be difficult!

    --
    AZC

    Andrew Z Carpenter [Newsgroup Groupie] Guest
