[Dshield] Re: Dshield digest, Vol 1 #220 - 11 msgs

Michael Flaherty MFLAHERTY1 at kc.rr.com
Sat Aug 25 14:12:42 GMT 2001


Are you running Pearl Software Pearl Echo 4.0 Global Internet Management?
It has a piece named rnapp.exe.  See here:

http://www.networkcomputing.com/1213/1213f25.html



-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of Susan
Sent: Friday, August 24, 2001 10:18 PM
To: dshield at dshield.org
Subject: [Dshield] Re: Dshield digest, Vol 1 #220 - 11 msgs


Well, I figured this list would be helpful. Much appreciated advice.

That's exactly how I'm tackling it. >> "Windows 98, for example,
comes with the possibility to backup your registry without a
problem.  For that go to Start\Programs\Accessories\System
Tools\System Information and open the Tools menu item and
select Registry Checker."

Zonealarm? Love it, have had it on 2 years+.

Unfortunately they are still getting in. I have TDS-3 as a port
checker. I am a quiet computer if you knock on my doors.

However, I have 3 computers here to verify system properties
against. None show explorer.exe as c:\windows \explorer.exe /n,
/e, c:\ so I figure it's a hack. Could have been written to by an
infected email even. Mobsync? I told you I have deleted it twice
already.

I am pulling unidentified stuff out of the registry now. I do a few lines, I
reboot, I back up. It's going well, but I am really just testing here; I
know I will still have to reformat again this weekend. I need this
machine clean by Monday. I need to know what they're up to first,
however, to protect fully against it.

I only have a few progs in here; it's not as though anything can hide
unnoticed. And again, it's only 6 days old now. I loaded it real
clean with fighter equipment before accessing the net. That's what is
worrying me: they still seem to be getting in, not as much as
before (quite a story: certain letters coming in with certain subject
lines from our websites were copying themselves and shipping
out). I found the demon this eve in that computer's registry when
matched against this one. But it will stay for now; that machine will
get reformatted again too. It's the hidden scripts that worry me the
most.

Any suggestions on the running process? Its name is RNAPP.EXE.
Is this a hidden Windows application I don't know about? That is the
exact name. TDS identifies it when reloaded with an internet
connection running. Still cannot find it either by "Find file" or
manual search.

Either I reinfected myself on the last format or it came in anew via
email. All probs did start about 4 days ago when I opened an email
with pics in it. I did not open the pics. Just a suspicion, but it did
start then. Someone sent me mail LOADED with gifs and jpgs, just
trying to get the email to download (56K) may have been an
invitation.

Likewise, I do not assume ignorance on anyone's part. These hacks
can be very wily. They may simply be coming in quietly past the
firewall somehow. ZoneAlarm shut off while I was online 2 nights
ago, by the way, only for a moment (it prompted for restart), and
that is not the first time I have seen it shut down by itself without
warning...

I downloaded Mosaic today. Any word on that as compared to IE 5+
as far as hack tampering is concerned? Figure I'll test it a few
hours before a format here, what the heck...

On the double window, by the way, yes, I get prompted twice a lot
by ZoneAlarm even for IE5. Haven't located that prob yet.
ZoneAlarm many times shows it as running twice on the icon bar.
RE: 2 passwords too. Windows Explorer was acting as an internet
server according to ZoneAlarm 3 nights ago. Can anyone explain?
ZoneAlarm did not prompt for permission either. These hacks (if)
know the software is my guess.

Kind of why I have resorted to checking the registry. I should keep
a list of the things I'm pulling for review, huh? I will! Any word on
possible effect to BIOS (if that's the right term) from Trojans? What I
mean is the system settings that remain after a format. Not a
certified computer pro here.

How did I discover the initial tampering? Aside from the mail
shipping itself out, not randomly, but very selectively, I opened up
Inbox.dbx one day, then folders.nch and... goodness. Even FTP
was keeping its log in there. If you guessed correctly, Outlook
Express was the first to go. YES, fully updated SP2. heh. They
seem to use streaming data and audio to accomplish whatever,
and ODBC/MSADC/MQIS drivers, dlls, and associated ports. If you
aren't using those items you can (carefully) rid your system of
them. Except the ports of course. Oh yes, how do we close certain
ports? Anyone done that with ZoneAlarm?

I have gotten rid of lots of glitches here in just a few hours. Hey,
here's an interesting one: I was online looking for the browser, I
clicked a link at the Mosaic site and got a 404 error. I checked
TDS for established connections. Sure enough, I had someone
(unresolved IP) online. When I killed the socket and tried the link
again, guess what? Yep, site was dandy. That fella (connection) had
followed me from site to site for 2 hours; I kept killing the socket,
he kept showing back up. I logged him with TDS, so not likely it
was something at Mosaic. Mosaic is clean and quiet. They close
connections very politely.

Sorry on so long. I have been at this 3-4 weeks now as things
escalated. It was getting to the point where I could barely use this
computer. I get about 75-100+ letters a day from my websites;
many times they are mixed with very obvious virus emails.

According to the definitions I did read, SirCam did come in here
many times. I never opened them, however. Really, not once. I sent
copies to Norton 3-4 weeks ago on 3 1/2" floppies, so they did get
copied. But we had the mail copy problem for at least 6 weeks
before it got out of hand enough to be really something you were
sure about. Anyway, whoever was receiving that mail, well, I have
them listed on the registry of that machine; I found the letter IDs
that matched this evening. Further details later.

"Bear in mind that SirCam is also going around, and there's no way
to patch the hole it's based on apart from keeping the user well
away from the computer... :)" CAN THIS BE ELABORATED
PLEASE? I have looked at SirCam, I have the worm remover here
but haven't had a chance to test that machine where it may still
reside. What do you mean 'patch the hole it's based on'?

Thank you for Internet Storm by the way.

Susan. (With what will hopefully be a very solid clean machine in a
few days... getting it to stay that way is the trick. This is my
mailbox, with which I want to disable as many possibilities as
possible for future attempts, which I assume will never end.)



_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield