Nick

Great email, if you are trying to put the guy off.. I agree with what you are saying and I am sure most of the list's readers also do. However, most readers use this forum as a means to obtain constructive advice, and surely by posting damning critiques of a person's practices we are not helping at all. I am sure that the original poster will have learned from his previous mistake, and I hope will continue to use this forum to keep abreast of future developments. I don't want to dump on you either, all your points are very valid, but feel we should all be trying to help each other, and I do agree this would also involve helping each other to help themselves which other responses to the original request have done.
Cheers
JM

----- Original Message -----
From: "Nick FitzGerald" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, October 08, 2002 1:25 AM
Subject: Re: Somebody saw this trojan ?

> > I have received an e-mail today that is not supposed to be sent to me (they
> > were calling somebody else that I don't know ..). When I read the mail with
> > Outlook Express I noticed that the popup window of downloading the
> > attachment is invoked rapidly (Slow computer) without asking for "Open" or
> > "Save as" ...
>
> So, we know you are running an old, long-since patched version of
> Internet Explorer...
>
> > Well, I have some basic concepts about viruses and security. ...
>
> Yet you use an ancient and decrepit version of the buggiest, most
> security-flawed product of recent (if not all) computing history?
>
> Worse, you use it to open an Email message you already considered as
> being suspect?
>
> There was white powder leaking from the envelope, so I chose to
> open it with my trusty Leatherman rather than the standard
> letter opener on my desk...
>
> > ... I am using NAV
> > 2001 with the virus definitions of 16/09/2002 ...
>
> Excuse me -- 16 September DEF files?
>
> That is ancient. Have you any idea how many hundred new viruses,
> Trojans, and so on Symantec has added detection of between then and
> now? The AV industry averages over 500 a month and you are talking
> about three week old DEFs...
>
> > ... and it generally scans the
> > incoming emails. ...
>
> "generally" -- so that makes it safe?
>
> > ... but after reading that email I noticed that NAV is not
> > running !!!
>
> The first rule of virus/antivirus warfare is that the bad guy gets to
> go first. You were just got.
>
> > With Ctrl-Alt-Del I didn't see any "Strange" running program.
>
> Well, there are features in the OS that allow processes to very
> easily hide from the standard task list. The first virus or Trojan
> to do this was so long ago I can't even recall, nor do I care any
> more, what its name was.
>
> > On a prompt command I wrote : netstat -an and I found :
> > TCP 0.0.0.0:36794 0.0.0.0:0 LISTENING
> > I think it could be a trojan horse listening on the port 36794 ..
>
> Yep.
>
> Or it could be a RAT.
>
> Or a DDoS agent.
>
> Or just a virus running some funky server for whatever purpose -- a
> potential comms channel "back home" or an update channel.
>
> Or any other network-aware program having a use for receiving some
> kind of information across the net.
>
> > I ran NAV manually to scan my system...but it (NAV) soon shut down.
>
> Again, it is becoming a more common ploy among malware writers to
> take serious advantage of the "the bad guy gets to go first" rule.
> Of late this has increasingly been seen with malware that screws with
> AV, PFW and similar software.
>
> > I ran a free "Process Viewer" and then I noticed a "strange" running program
> > with the name "Hfyj.exe", so I killed it.
> > With the "Regedit" I deleted the key that was invoking this program in :
> > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
> >
> > I deleted the exe file and when I rebooted I noticed that it is always there
> > and that Nav is not running. I killed the program again ..deleted the
> > registry key... ran Nav to scan the exe file but it said that it is not
> > infected !!!
>
> OK -- well you already know that three weeks out of date is way too
> out of date. Also, you know NAV did not detect it when it arrived,
> so why do you expect it to detect it now?
>
> Try updating NAV...
>
> Oh, but you can't because NAV keeps getting killed.
>
> Try also deleting the copy of the EXE (different name though -- what
> a concept!) in the Startup folder.
>
> > Help.. The Resident Evil is always here and running ...
> >
> > Note : the mail was sent from a fake address ....and I didn't find the "To:
> > " statement in the header ....How could it come to me without the "To :"
> > statement.
> >
> > what about sending the exe file to Symantec ???
>
> You most likely have an entirely detectable sample of Bugbear and
> Symantec will have seen about a gazillion of them by now and probably
> not really want any more.
>
> Update NAV so it has current DEFs, set it to update daily, upgrade
> your copy of IE to 5.5SP2 plus all post-SP2 security hotfixes or to
> IE6.0SP1, and then visit Windows Update regularly (say once a month).
>
>
> --
> Nick FitzGerald
> Computer Virus Consulting Ltd.
> Ph/FAX: +64 3 3529854