First of all, don't panic. Just update the virus definitions on one of your other machines and use that to scan it remotely via network share. Then go to http://windowsupdate.microsoft.com and install every update they have. If you're still having problems after that, write us back, but I doubt it.
>From: Nick FitzGerald <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED], [EMAIL PROTECTED]
>Subject: Re: Somebody saw this trojan ?
>Date: Tue, 08 Oct 2002 12:25:05 +1200
>
> > I have received an e-mail today that is not supposed to be sent to me (they
> > were calling somebody else that I don't know ..). When I read the mail with
> > Outlook Express I noticed that the popup window of downloading the
> > attachment is invoked rapidly (slow computer) without asking for "Open" or
> > "Save as" ...
>
>So, we know you are running an old, long-since patched version of
>Internet Explorer...
>
> > Well, I have some basic concepts about viruses and security. ...
>
>Yet you use an ancient and decrepit version of the buggiest, most
>security-flawed product of recent (if not all) computing history?
>
>Worse, you use it to open an Email message you already considered as
>being suspect?
>
>   There was white powder leaking from the envelope, so I chose to
>   open it with my trusty Leatherman rather than the standard
>   letter opener on my desk...
>
> > ... I am using NAV
> > 2001 with the virus definitions of 16/09/2002 ...
>
>Excuse me -- 16 September DEF files?
>
>That is ancient. Have you any idea how many hundred new viruses,
>Trojans, and so on Symantec has added detection of between then and
>now? The AV industry averages over 500 a month and you are talking
>about three week old DEFs...
>
> > ... and it generally scans the
> > incoming emails. ...
>
>"generally" -- so that makes it safe?
>
> > ... but after reading that email I noticed that NAV is not
> > running !!!
>
>The first rule of virus/antivirus warfare is that the bad guy gets to
>go first. You were just got.
>
> > With Ctrl-Alt-Del I didn't see any "strange" running program.
>
>Well, there are features in the OS that allow processes to very
>easily hide from the standard task list. The first virus or Trojan
>to do this was so long ago I can't even recall, nor do I care any
>more, what its name was.
>
> > On a command prompt I wrote: netstat -an and I found:
> > TCP 0.0.0.0:36794 0.0.0.0:0 LISTENING
> > I think it could be a trojan horse listening on the port 36794 ..
>
>Yep.
>
>Or it could be a RAT.
>
>Or a DDoS agent.
>
>Or just a virus running some funky server for whatever purpose -- a
>potential comms channel "back home" or an update channel.
>
>Or any other network-aware program having a use for receiving some
>kind of information across the net.
>
> > I ran NAV manually to scan my system...but it (NAV) soon shut down.
>
>Again, it is becoming a more common ploy among malware writers to
>take serious advantage of the "the bad guy gets to go first" rule.
>Of late this has increasingly been seen with malware that screws with
>AV, PFW and similar software.
>
> > I ran a free "Process Viewer" and then I noticed a "strange" running program
> > with the name "Hfyj.exe", so I killed it.
> > With "Regedit" I deleted the key that was invoking this program in:
> > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
> >
> > I deleted the exe file and when I rebooted I noticed that it is always there
> > and that NAV is not running. I killed the program again ..deleted the
> > registry key... ran NAV to scan the exe file but it said that it is not
> > infected !!!
>
>OK -- well you already know that three weeks out of date is way too
>out of date. Also, you know NAV did not detect it when it arrived,
>so why do you expect it to detect it now?
>
>Try updating NAV...
>
>Oh, but you can't because NAV keeps getting killed.
>
>Try also deleting the copy of the EXE (different name though -- what
>a concept!) in the Startup folder.
>
> > Help.. The Resident Evil is always here and running ...
> >
> > Note: the mail was sent from a fake address ....and I didn't find the "To:"
> > statement in the header ....How could it come to me without the "To:"
> > statement.
> >
> > What about sending the exe file to Symantec ???
>
>You most likely have an entirely detectable sample of Bugbear and
>Symantec will have seen about a gazillion of them by now and probably
>not really want any more.
>
>Update NAV so it has current DEFs, set it to update daily, upgrade
>your copy of IE to 5.5SP2 plus all post-SP2 security hotfixes or to
>IE6.0SP1, and then visit Windows Update regularly (say once a month).
>
>
>--
>Nick FitzGerald
>Computer Virus Consulting Ltd.
>Ph/FAX: +64 3 3529854

Chris Berry
[EMAIL PROTECTED]
Systems Administrator
JM Associates
"I have found the way, and the way is Perl."
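The triage the original poster did by hand (netstat -an, a third-party process viewer, Regedit on the RunOnce key, and the Startup-folder copy Nick points to) collapsed into one pass. This is an added example, not code from either participant in the thread; it assumes a current Windows (Windows 8 / Server 2012 or later, which is where Get-NetTCPConnection appeared) and an elevated prompt so every listener's owning process path is readable. The port 36794 and the file name Hfyj.exe are taken from the thread; the variable names and the choice of registry keys beyond RunOnce are mine.

```powershell
# Added triage script, not part of the original thread.
# Cross-references listening TCP ports with their owning process and code
# signature, then dumps the classic autostart locations. Assumes Windows 8 /
# Server 2012+ (Get-NetTCPConnection) and an elevated PowerShell session.

$SuspectPort = 36794      # the port the poster saw in netstat -an
$SuspectName = 'Hfyj.exe' # the process name the poster killed

Write-Host "== Listening TCP ports and the process behind each =="
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        # Signature status is only meaningful when we can resolve the image path
        $sig = if ($proc -and $proc.Path) {
                   (Get-AuthenticodeSignature -FilePath $proc.Path).Status
               } else { 'n/a' }
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '?' }
            Path         = if ($proc -and $proc.Path) { $proc.Path } else { '?' }
            Signature    = $sig
            Flag         = if ($_.LocalPort -eq $SuspectPort) { '<-- port from the thread' } else { '' }
        }
    } | Format-Table -AutoSize

Write-Host "`n== Autostart registry values (Run and RunOnce, HKLM and HKCU) =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # PSPath, PSParentPath etc. are provider metadata, not registry values
        if ($p.Name -like 'PS*') { continue }
        "{0}\{1} = {2}" -f $key, $p.Name, $p.Value
    }
}

Write-Host "`n== Startup folders (where the renamed second copy would sit) =="
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Write-Host "`n== Copies of $SuspectName under the Windows and user-profile trees =="
Get-ChildItem -Path $env:SystemRoot, $env:USERPROFILE -Recurse -Filter $SuspectName `
    -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Run it as Administrator from a console on the suspect box. Because the reply's "bad guy gets to go first" rule applies to this script as much as to NAV, treat its output as a lead rather than proof: a listener that shows up here but not in a port scan from another machine, or vice versa, is itself a finding, and an unsigned image behind an unexplained port is the first thing to pull for analysis.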