Agreed.

----- Original Message -----
From: "JM" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, October 08, 2002 4:25 PM
Subject: Re: Somebody saw this trojan ? (nicely)

> Nick
>
> Great email, if you are trying to put the guy off..
> I agree with what you are saying and I am sure most of the list's readers
> also do.
> However, most readers use this forum as a means to obtain constructive
> advice, and surely by posting damning critiques of a person's practices we
> are not helping at all.
> I am sure that the original poster will have learned from his previous
> mistake, and I hope will continue to use this forum to keep abreast of
> future developments.
> I don't want to dump on you either, all your points are very valid, but feel
> we should all be trying to help each other, and I do agree this would also
> involve helping each other to help themselves, which other responses to the
> original request have done.
>
> Cheers
>
> JM
>
>
> ----- Original Message -----
> From: "Nick FitzGerald" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Tuesday, October 08, 2002 1:25 AM
> Subject: Re: Somebody saw this trojan ?
>
>
> > > I have received an e-mail today that is not supposed to be sent to me (they
> > > were calling somebody else that I don't know ..). When I read the mail with
> > > Outlook Express I noticed that the popup window of downloading the
> > > attachment is invoked rapidly (Slow computer) without asking for "Open" or
> > > "Save as" ...
> >
> > So, we know you are running an old, long-since patched version of
> > Internet Explorer...
> >
> > > Well, I have some basic concepts about viruses and security. ...
> >
> > Yet you use an ancient and decrepit version of the buggiest, most
> > security-flawed product of recent (if not all) computing history?
> >
> > Worse, you use it to open an Email message you already considered as
> > being suspect?
> >
> > There was white powder leaking from the envelope, so I chose to
> > open it with my trusty Leatherman rather than the standard
> > letter opener on my desk...
> >
> > > ... I am using NAV
> > > 2001 with the virus definitions of 16/09/2002 ...
> >
> > Excuse me -- 16 September DEF files?
> >
> > That is ancient. Have you any idea how many hundred new viruses,
> > Trojans, and so on Symantec has added detection of between then and
> > now? The AV industry averages over 500 a month and you are talking
> > about three-week-old DEFs...
> >
> > > ... and it generally scans the
> > > incoming emails. ...
> >
> > "generally" -- so that makes it safe?
> >
> > > ... but after reading that email I noticed that NAV is not
> > > running !!!
> >
> > The first rule of virus/antivirus warfare is that the bad guy gets to
> > go first. You were just got.
> >
> > > With Ctrl-Alt-Del I didn't see any "strange" running program.
> >
> > Well, there are features in the OS that allow processes to very
> > easily hide from the standard task list. The first virus or Trojan
> > to do this was so long ago I can't even recall, nor do I care any
> > more, what its name was.
> >
> > > On a command prompt I wrote: netstat -an and I found:
> > > TCP 0.0.0.0:36794 0.0.0.0:0 LISTENING
> > > I think it could be a trojan horse listening on the port 36794 ..
> >
> > Yep.
> >
> > Or it could be a RAT.
> >
> > Or a DDoS agent.
> >
> > Or just a virus running some funky server for whatever purpose -- a
> > potential comms channel "back home" or an update channel.
> >
> > Or any other network-aware program having a use for receiving some
> > kind of information across the net.
> >
> > > I ran NAV manually to scan my system...but it (NAV) soon shut down.
> >
> > Again, it is becoming a more common ploy among malware writers to
> > take serious advantage of the "the bad guy gets to go first" rule.
> > Of late this has increasingly been seen with malware that screws with
> > AV, PFW and similar software.
> >
> > > I ran a free "Process Viewer" and then I noticed a "strange" running program
> > > with the name "Hfyj.exe", so I killed it.
> > > With "Regedit" I deleted the key that was invoking this program in:
> > > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
> > >
> > > I deleted the exe file and when I rebooted I noticed that it is always there
> > > and that NAV is not running. I killed the program again ..deleted the
> > > registry key... ran NAV to scan the exe file but it said that it is not
> > > infected !!!
> >
> > OK -- well you already know that three weeks out of date is way too
> > out of date. Also, you know NAV did not detect it when it arrived,
> > so why do you expect it to detect it now?
> >
> > Try updating NAV...
> >
> > Oh, but you can't because NAV keeps getting killed.
> >
> > Try also deleting the copy of the EXE (different name though -- what
> > a concept!) in the Startup folder.
> >
> > > Help.. The Resident Evil is always here and running ...
> > >
> > > Note: the mail was sent from a fake address ....and I didn't find the "To:"
> > > statement in the header ....How could it come to me without the "To :"
> > > statement.
> > >
> > > what about sending the exe file to Symantec ???
> >
> > You most likely have an entirely detectable sample of Bugbear and
> > Symantec will have seen about a gazillion of them by now and probably
> > not really want any more.
> >
> > Update NAV so it has current DEFs, set it to update daily, upgrade
> > your copy of IE to 5.5SP2 plus all post-SP2 security hotfixes or to
> > IE6.0SP1, and then visit Windows Update regularly (say once a month).
> >
> >
> > --
> > Nick FitzGerald
> > Computer Virus Consulting Ltd.
> > Ph/FAX: +64 3 3529854
> >
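The triage the original poster did by hand (netstat for the listening port, a process viewer for the odd executable, Regedit for the RunOnce value) missed the second copy in the Startup folder that Nick points to. The script below is an added example, written for this page and not part of the thread; it is not code from any of the posters. It assumes a modern Windows host with PowerShell 5.1 or later and the NetTCPIP module (Get-NetTCPConnection is not available on the 2002-era systems discussed above), and it is run elevated. It enumerates the Run and RunOnce keys under both HKLM and HKCU, both Startup folders, and every listening TCP socket together with the owning process, then flags listeners whose image also appears in an autostart location.

```powershell
# Added example (not from the original thread). Assumes Windows 8 / Server 2012
# or later, PowerShell 5.1+, run from an elevated session.

# 1. Registry autostart values. The poster only cleaned RunOnce under HKLM;
#    the same binary can be registered under Run, under HKCU, or dropped in
#    a Startup folder, so every location is checked.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$autoruns = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/etc.; they are not values.
        if ($p.Name -like 'PS*') { continue }
        [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
    }
})

# 2. Startup folders, per-user and all-users.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$autoruns += @(foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
        }
})

# 3. Listening TCP sockets with the owning process. netstat -an shows the
#    port but not which image owns it; Win32_Process gives the path and
#    command line.
$listeners = @(Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        PID          = $_.OwningProcess
        Image        = $proc.ExecutablePath
        CommandLine  = $proc.CommandLine
    }
})

# 4. Cross-reference: a listener whose image name also appears in an autostart
#    location deserves a close look (short random-looking names like the
#    "Hfyj.exe" in the thread especially). Legitimate services land here too,
#    so this is triage input, not a verdict.
$suspects = @($listeners | Where-Object {
    $img = $_.Image
    if (-not $img) { return $false }
    $leaf = [IO.Path]::GetFileName($img)
    [bool]($autoruns | Where-Object { $_.Command -like "*$leaf*" })
})

'=== Autostart entries ==='
$autoruns | Format-Table -AutoSize
'=== Listening TCP ports ==='
$listeners | Format-Table -AutoSize
'=== Listeners that are also autostarted ==='
$suspects | Format-Table -AutoSize
```

Run it before deleting anything, save the output, then clean every location it reports for the same image in one pass and reboot; if the entry comes back, something not covered here (a service, a scheduled task, a WMI subscription, or a second process that rewrites the key) is re-creating it, and the host should be treated as compromised rather than cleaned by hand.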
