[Dshield] Re: Susan - A cracked machine?

R.H. Cotterell seec at mail.retina.ar
Sat Aug 25 19:31:05 GMT 2001

I'm leaving the message intact inasmuch as I find it a bit confusing, 
notwithstanding, here are some steps you can take immediately as a remedial 
action to an obvious compromised machine (or is it three in total?).  
Understand, of course, that this is merely a third person's opinion and not the 
gospel.  :-)

Step #1 - Go to the Trend Micro site and use House Call to clean your infected 
machine on-line.  It is an excellent service and free.

Step #2 - Get a good Anti-Virus programme.

Step #3 - Get a  good e-mail client and try to get your correspondents to use 
text only mail.  :-)

Step #4 - If HTML mail is to be transacted, get (and here I presume POP3/SMTP 
mail server) a good mail maintenance programme such as *mailmaint* which can be 
had from Magenta Systems in the UK (freeware) to check headers and mail on the 
server, at which point you can decide whether to delete or download whatever 
you decide.

Step #5 - I do NOT have IE installed at all though I run Windows 98.  :-)  The 
secret is to run the unzipped *IErad6.zip* file.  Good and freeware.  This cuts 
out a lot of the scripting that makes Windows vulnerable.

Step #6 - This is a personal opinion, so take it as that: Netscape Navigator 
v4.08 is a great browser that is lean in comparison to the one-size-fit-all-I-
want-to-satisfy-the-crowd variety.  I don't know exactly why, but the Tucows 
download sites have this listed as a tucows identified programme (did they 
modify something for the better?) to which you can add some very interesting 
plug-ins.  Stable and reliable, especially since IE is not present.
The programme identifier is *tucows_n32e408.exe* if you are interested.

That's about it, for the moment.


Message: 9
From: "Susan" <pobox2 at pinn.net>
To: dshield at dshield.org
Date: Fri, 24 Aug 2001 23:17:54 -0400
Subject: [Dshield] Re: Dshield digest, Vol 1 #220 - 11 msgs
Reply-To: dshield at dshield.org

Well. I figured this list would be helpful. much appreciated advice.

That's exactly how I'm tackling it.

>> "Windows 98, for example, comes with the possibility to backup your 
>> registry without a problem.  For that go to Start\Programs\Accessories\System 
>> Tools\System Information and open the Tools menu item and 
>> select Registry Checker."

Zonealarm? Love it, have had it on 2 years+.

Unfortunately they are still getting in. I have TDS-3 as a port 
checker. I am a quiet computer if you knock on my doors.

However. I have 3 computers here to verify system properties 
against. None show explorer.exe as c:\windows\explorer.exe /n, 
/e, c:\ so figure, it's a hack. Could have been written to by an 
infected email even. Mobsync? I told you I have deleted it twice 

I am pulling unidentified stuff out of the registry now; I do a few lines, I 
reboot, I backup. It's going well but I am really just testing here; I 
know I will still have to reformat again this weekend. I need this 
machine clean by Monday. I need to know what they're up to first 
however to protect fully against it.

I only have a few progs in here; it's not as though anything can hide 
unnoticed. And again, it's only 6 days old now. I loaded it real 
clean with fighter equipment before accessing the net. That's what is 
worrying me: they still seem to be getting in, not as much as 
before (quite a story: certain letters coming in with certain subject 
lines from our websites were copying themselves and shipping 
out). I found the demon this eve in that computer's registry when 
matched against this one. But it will stay for now; that machine will 
get reformatted again too. It's the hidden scripts that worry me the 

Any suggestions on the running process? Its name is RNAPP.EXE. 
Is this a hidden Windows application I don't know about? That is the 
exact name. TDS identifies it when reloaded with an internet 
connection running. Still cannot find it either by "Find file" or 
manual search.

Either I reinfected myself on the last format or it came in anew via 
email. All probs did start about 4 days ago when I opened an email 
with pics in it. I did not open the pics. Just a suspicion, but it did 
start then. Someone sent me mail LOADED with gifs and jpgs; just 
trying to get the email to download (56K) may have been an 

Likewise I do not assume ignorance on anyone's part. These hacks 
can be very wily. They may simply be coming in quietly past the 
firewall somehow. ZoneAlarm shut off while I was online 2 nights 
ago by the way, only for a moment (it prompted for restart), and 
that is not the first time I have seen it shut down by itself without 

I downloaded Mosaic today any word on that as compared to IE 5+ 
as far as hack tampering is concerned? Figure I'll test it a few 
hours before a format here what the heck...

On the double window, by the way: yes, I get prompted twice a lot 
by ZoneAlarm, even for IE5. Haven't located that prob yet. 
ZoneAlarm many times shows it as running twice on the icon bar. 
RE: 2 passwords too. Windows Explorer was acting as an internet 
server according to ZoneAlarm 3 nights ago. Can anyone explain? 
ZoneAlarm did not prompt for permission either. These hacks (if) 
know the software is my guess.

Kind of why I have resorted to checking the registry. I should keep 
a list of the things I'm pulling for review, huh? I will! Any word on 
possible effect to BIOS (if that's the right term) from Trojans? What I 
mean is the system settings that remain after a format. Not a 
certified computer pro here.

How did I discover the initial tampering? Aside from the mail 
shipping itself out, not randomly, but very selectively, I opened up 
Inbox.dbx one day, then folders.nch and... goodness. Even FTP 
was keeping its log in there. If you guessed correctly, Outlook 
Express was the first to go. YES, fully updated SP2.  heh. They 
seem to use streaming data and audio to accomplish whatever, 
and ODBC/MSADC/MQIS drivers, dlls, and associated ports. If you 
aren't using those items you can (carefully) rid your system of 
them. Except the ports of course. Oh yes, how do we close certain 
ports? Anyone done that with ZoneAlarm?

I have gotten rid of lots of glitches here in just a few hours. Hey, 
here's an interesting one: I was online looking for the browser, I 
clicked a link at the Mosaic site and got a 404 error. I checked 
TDS for established connections. Sure enough I had someone 
(unresolved IP) online. When I killed the socket and tried the link 
again, guess what? Yep, the site was dandy. That fella (connection) had 
followed me from site to site for 2 hours; I kept killing the socket, 
he kept showing back up. I logged him with TDS, so not likely it 
was something at Mosaic. Mosaic is clean and quiet. They close 
connections very politely.

Sorry on so long. I have been at this 3-4 weeks now as things 
escalated. It was getting to the point where I could barely use this 
computer. I get about 75-100+ letters a day from my websites; 
many times they are mixed with very obvious virus emails.

According to the definitions I did read, SirCam did come in here 
many times. I never opened them however, really not once. I sent 
copies to Norton 3-4 weeks ago on 3/12" floppies, so they did get 
copied. But we had the mail copy problem for at least 6 weeks 
before it got out of hand enough to be really something you were 
sure about. Anyway, whoever was receiving that mail, well, I have 
them listed on the registry of that machine; I found the letter IDs 
that matched this evening. Further details later.

"Bear in mind that SirCam is also going around, and there's no way 
to patch the hole it's based on apart from keeping the user well 
away from the computer... :)" CAN THIS BE ELABORATED 
PLEASE? I have looked at SirCam; I have the worm remover here 
but haven't had a chance to test that machine where it may still 
reside. What do you mean 'patch the hole it's based on'?

Thank you for Internet Storm by the way.

Susan. (with what will hopefully be a very solid clean machine in a 
few days... getting it to stay that way is the trick. This is my 
mailbox with which I want to disable as many possibilities as 
possible for future attempts, which I assume will never end.)