Author Topic: The computer is fixed! .(URGENT SECURITY WARNING!)  (Read 2219 times)

Offline bloom25

  • Silver Member
  • ****
  • Posts: 1675
The computer is fixed! .(URGENT SECURITY WARNING!)
« on: December 13, 2000, 02:53:00 AM »
My computer problems have been solved.  To make a long story short it was a new trojan horse; a very inteligent one.

Here's how it happened:

Two weeks ago on a Saturday night I was updating sounds on my computer for AH.  Sometime later during the week someone else used this computer while I was gone for the week.  (Every week I travel 60 miles north to college.)  Evidently he opened some e-mail that was from someone he knew with the body saying "Check this out!"  The attachment was called midget.scr.  Guess where it got saved, yep, my AH sound file.
At the time he didn't notice the file had done anything, so he just assumed it was a dud and continued working.

Skip ahead to this Friday.  I came home for winter break, and just like every weekend I wanted to play a little AH before I went to work the next morning.  Unforunately something was wrong.  (Check out "Bug ... Maybe" in the bug forum for details.  Also a couple of posts in the tech support forum.)  I was able to determine that AH files were being saved in my windows\system folder.  In addition I was getting random errors when working with any program that needed an internet connection.

I spent MANY hours working on this trying among other things: 4 Scandisks (1 through, taking 3 hours) (no errors found), 2 Norton Antivirus scans (no viruses found), a repair of IE5, deletion and reinstall of Java Virtual Machine (2 hour download).  The problem was improved, but still present.  Curiously I couldn't seem to log onto www.symantec.com,  but thought nothing about it.  I was able to get to www.mcafee.com,  but found nothing useful there.

I began look in my Windows\system folder next.  There were the files from AH called things like tmp*.bmp ( * being the name of a squad CO.).  In addition there were strange files ending in .ooc and other UNREGISTERED extensions I'd never heard of before.

Around this time I fired up Dr. Watson and  during one of the errors (totally random errors, but always related to networking) there was a message that <unknown> had modified windows system files.  Again I tried to log onto symantec's web site, but I couldn't.  I got the standard message that it was unavailable.  (That made 2 nights in a row, and I was then a little suspicious.)  Earlier tonight I posted in the off-topic forum a question asking whether others could access www.symantec.com.   Immediately after posting the message, another error occured.  A few minutes later I again tried to get to www.symantec.com,  and was successful.  In about 15 minutes I found a message about W95.Hybris.gen.  (EVERYONE should read http://www.symantec.com/avcenter/venc/data/w95.hybris.gen.html  for information.)  In this write up I found the name midget.scr listed, and I knew I had found the answer.  $3.95 earned me another year of definition files and after a 3.5 meg download and 45 minutes of scanning 31000 files for viruses, the problem was solved!  (My last virus def file update was in August, one month before the virus was created.   )  Norton repaired one file and quarantened 6 others.  These 6 files were the strange files I reported earlier ending with .ooc, .hba, etc.  I later deleted them.

Take a guess what the one repaired file was?  

Did you guess Wsock32.dll, if so you are right.  That was why any internet application was having random errors.  AH on the other hand was going crazy because the midgets.scr file was downloaded into my AH sounds folder.  (I had found it in there on Friday and deleted it.  I didn't think anything of it at the time.)

The scary part about this virus (more correctly trojan horse, and not in the Symantec write-up) is that it blocks access to the Symantec web site.  Because of an error earlier in the day through, I was able to connect to it.  The virus is able to send off copies of itself to anyone you send e-mail to, so the file appears to come from someone you trust.

I'm just glad it's all over now.  Be very careful everyone, this one is easy to catch.  It is also only detectable with the very latest NAV update.  The McAfee virus program doesn't seem to scan for it yet.

If you get AH problems like the ones in my bug thread, be on the lookout!

 

------------------
bloom25
THUNDERBIRDS

Pepino

  • Guest
The computer is fixed! .(URGENT SECURITY WARNING!)
« Reply #1 on: December 13, 2000, 04:51:00 AM »
Thks a bunch for the info.

Pepe.

Offline Lephturn

  • Silver Member
  • ****
  • Posts: 1200
      • http://lephturn.webhop.net
The computer is fixed! .(URGENT SECURITY WARNING!)
« Reply #2 on: December 13, 2000, 07:57:00 AM »
Interesting.

Because you had mentioned you scanned for viruses several times, I had thought you were having hardware problems.  D'oh.

In retrospect, all the Winsock errors should have been the tip off.  Modifying Winsock or replacing it is how a trojan is going to get control of your network functions.

------------------
Lephturn - Chief Trainer
A member of The Flying Pigs  http://www.flyingpigs.com
 
"A pig is a jolly companion, Boar, sow, barrow, or gilt --
A pig is a pal, who'll boost your morale, Though mountains may topple and tilt.
When they've blackballed, bamboozled, and burned you, When they've turned on you, Tory and Whig,
Though you may be thrown over by Tabby and Rover, You'll never go wrong with a pig, a pig,
You'll never go wrong with a pig!" -- Thomas Pynchon, "Gravity's Rainbow"

Offline Eagler

  • Plutonium Member
  • *******
  • Posts: 19342
The computer is fixed! .(URGENT SECURITY WARNING!)
« Reply #3 on: December 13, 2000, 08:00:00 AM »
Glad to hear you have resolved your difficulty. Thanks for the heads up info..

Eagler
"Masters of the Air" Scenario - JG27


Intel Core i7-13700KF | GIGABYTE Z790 AORUS Elite AX | 64GB G.Skill DDR5 | 16GB GIGABYTE RTX 4070 Ti Super | 850 watt ps | pimax Crystal Light | Warthog stick | TM1600 throttle | VKB Mk.V Rudder

LJK Raubvogel

  • Guest
The computer is fixed! .(URGENT SECURITY WARNING!)
« Reply #4 on: December 13, 2000, 11:58:00 AM »
Thanks for the tip Bloom.

------------------
LJK_Raubvogel
LuftJägerKorps

 

[This message has been edited by LJK Raubvogel (edited 12-13-2000).]

Offline Fariz

  • Silver Member
  • ****
  • Posts: 1087
      • http://9giap.warriormage.com
The computer is fixed! .(URGENT SECURITY WARNING!)
« Reply #5 on: December 13, 2000, 01:18:00 PM »
Have you killed that other guy?

I had a firewall on my pc, was VERY puzzled when someone hacked into my computer and killed 3 shared directory with bunch of work. Good thing I am backuping every 6-7 days at least, so not much dammage. When I tried to found out what was the problem I found that some of firewall functions were dissabled with other guy who had access to my computer. He did it simply because he was "annoyed" with a waring messages from it while he serfed the web.

BTW I sold that guys organs to the local clinic.  

Fariz

Antix

  • Guest
The computer is fixed! .(URGENT SECURITY WARNING!)
« Reply #6 on: December 14, 2000, 02:18:00 AM »
Most of this can be resolved by doing the following;

Click the Start Button,
Goto Control Panel,
Open up Add/Remove Programs,
Click the Windows Setup tab at the top,
double click Accesories,
scroll down and remove "Windows Scripting Host".

This will remove the ability of Windows to automatically execute Scripts.

THE ABOVE IS IMPORTANT INFORMATION, however, after writing it, I realized that .SCR files are ScreenSaver files, that are executable, ones that are capable of this sort of thing usually ships with a .DLL or .BIN file. While my post doesn't necessarily relate to your situation, it is something that everyone should do to their computers. Sorry for not reading completely.

Antix

Offline bloom25

  • Silver Member
  • ****
  • Posts: 1675
The computer is fixed! .(URGENT SECURITY WARNING!)
« Reply #7 on: December 14, 2000, 04:01:00 AM »
I personally would never have opened that file.  Unfortunately I'm not the only one that uses this particular computer.  This particular virus is pretty cunning though; it can make itself look like a file from someone you trust.  Not only that, but it doesn't actually do any damage in its current form.  It must update itself in order to do so.  The particular one I had on this computer also had the ability to block access to symantec.com.  (IE would crash if you tried.)  Fortunately it left enough clues I was eventually able to figure it out.

After nearly 5 days of fighting with this computer, finally playing online for an hour tonight was great.  



------------------
bloom25
THUNDERBIRDS

Offline RAM

  • Parolee
  • Zinc Member
  • *
  • Posts: 38
The computer is fixed! .(URGENT SECURITY WARNING!)
« Reply #8 on: February 02, 2001, 03:49:00 AM »
umpf...I think I have this one, downloading Norton Update as I write.

I noticed problems to connect to some URLs...strange as it may seem, I am unable to connect to www.microprose.com  ,tried Mcaffee and symantec (as bloom did)...and I cant get connected

I <Punt> this one because, while I received the mail that could be the virus...I DIDNT OPEN IT!!!!!!!!!!!!

So beware and do a check just for the sake of doing it. Somehow I think my PC is infected and I haven't opened a single "suspected" file.

TheWobble

  • Guest
The computer is fixed! .(URGENT SECURITY WARNING!)
« Reply #9 on: February 02, 2001, 03:58:00 AM »
watch out for an e-mail labled
"the real story of show white and the seven dwarfs"
thats is a VERY commin virus thats been floating around.

MrSiD

  • Guest
The computer is fixed! .(URGENT SECURITY WARNING!)
« Reply #10 on: February 02, 2001, 04:36:00 AM »
If you open e-mails coming from total strangers (well at least ones containing attachments) you're asking for trouble.

I can see no reason why I should do so..

Of course if you have to do business @home its different, but in that case you should purchase the best available protection anyway.

Offline fd ski

  • Silver Member
  • ****
  • Posts: 1537
      • http://www.northotwing.com/wing/
The computer is fixed! .(URGENT SECURITY WARNING!)
« Reply #11 on: February 02, 2001, 06:36:00 AM »
 
Quote
Originally posted by RAM:
umpf...I think I have this one, downloading Norton Update as I write.

I noticed problems to connect to some URLs...strange as it may seem, I am unable to connect to www.microprose.com  ,tried Mcaffee and symantec (as bloom did)...and I cant get connected

I <Punt> this one because, while I received the mail that could be the virus...I DIDNT OPEN IT!!!!!!!!!!!!

So beware and do a check just for the sake of doing it. Somehow I think my PC is infected and I haven't opened a single "suspected" file.


RAM if you use Outlook and have a preview pane open - virus can be triggered that way.



------------------
Bartlomiej Rajewski
aka. Wing Commander fd-ski
Northolt Wing
1st Polish Fighter Wing
303 (Polish) Squadron "Kosciuszko" RAF
308 (Polish) Squadron "City of Cracow" RAF
315 (Polish) Squadron "City of Deblin" RAF

Turning 109s and 190s into scrap metal since 1998

Northolt Wing Headquarters

Offline RAM

  • Parolee
  • Zinc Member
  • *
  • Posts: 38
The computer is fixed! .(URGENT SECURITY WARNING!)
« Reply #12 on: February 02, 2001, 06:59:00 AM »
 
Quote
Originally posted by fd ski:

RAM if you use Outlook and have a preview pane open - virus can be triggered that way.



That can be it...yes I have it :/

BTW after running norton, I still can't get in Microprose, hasbro, or bombs-away.net webs...

someone else having the same problem?

Offline xela

  • Zinc Member
  • *
  • Posts: 36
      • http://www.teamblau.it/iwai/
The computer is fixed! .(URGENT SECURITY WARNING!)
« Reply #13 on: February 02, 2001, 07:26:00 AM »
Check also the latest (security) updates from microsoft at windowsupdate.microsoft.com

Offline Westy

  • Gold Member
  • *****
  • Posts: 2871
The computer is fixed! .(URGENT SECURITY WARNING!)
« Reply #14 on: February 02, 2001, 08:36:00 AM »
 MacAfeee has great info on this:
 http://vil.nai.com/vil/dispVirus.asp?virus_k=98873


 Thanks for the warning on this virus!!

-Westy