[Dshield] Re: Susan - A cracked machine?
seec at mail.retina.ar
Sat Aug 25 19:31:05 GMT 2001
I'm leaving the message intact inasmuch as I find it a bit confusing;
notwithstanding, here are some steps you can take immediately as a remedial
action to an obviously compromised machine (or is it three in total?).
Understand, of course, that this is merely a third person's opinion and not the
Step #1 = Go to the Trend Micro site and use House Call to clean your infected
machine on-line. It is an excellent service and free.
Step #2 - Get a good Anti-Virus programme.
Step #3 - Get a good e-mail client and try to get your correspondents to use
text only mail. :-)
Step #4 - If HTML mail is to be transacted, get (and here I presume POP3/SMTP
mail server) a good mail maintenance programme such as *mailmaint* which can be
had from Magenta Systems in the UK (freeware) to check headers and mail on the
server, at which point you can decide whether to delete or download whatever
Step #5 - I do NOT have IE installed at all though I run Windows 98. :-) The
secret is to run the unzipped *IErad6.zip* file. Good and freeware. This cuts
out a lot of the scripting that makes Windows vulnerable.
Step #6 - This is a personal opinion, so take it as that: Netscape Navigator
v4.08 is a great browser that is lean in comparison to the
one-size-fits-all-I-want-to-satisfy-the-crowd variety. I don't know exactly why, but the Tucows
download sites have this listed as a tucows identified programme (did they
modify something for the better?) to which you can add some very interesting
plug-ins. Stable and reliable, especially since IE is not present.
The programme identifier is *tucows_n32e408.exe* if you are interested.
That's about it, for the moment.
From: "Susan" <pobox2 at pinn.net>
To: dshield at dshield.org
Date: Fri, 24 Aug 2001 23:17:54 -0400
Subject: [Dshield] Re: Dshield digest, Vol 1 #220 - 11 msgs
Reply-To: dshield at dshield.org
Well. I figured this list would be helpful. Much appreciated advice.
That's exactly how I'm tackling it.
>> "Windows 98, for example, comes with the possibility to backup your
>> registry without a problem. For that go to
>> Start\Programs\Accessories\System Tools\System Information and open
>> the Tools menu item and select Registry Checker."
Zonealarm? Love it, have had it on 2 years+.
Unfortunately they are still getting in. I have TDS-3 as a port
checker. I am a quiet computer if you knock on my doors.
However, I have 3 computers here to verify system properties
against. None show explorer.exe as c:\windows\explorer.exe /n,
/e, c:\ so I figure it's a hack. Could have been written to by an
infected email even. Mobsync? I told you I have deleted it twice
I am pulling unidentified stuff out of the registry now; I do a few lines, I
reboot, I backup. It's going well but I am really just testing here. I
know I will still have to reformat again this weekend; I need this
machine clean by Monday. I need to know what they're up to first,
however, to protect fully against it.
I only have a few progs in here; it's not as though anything can hide
un-noticed. And again, it's only 6 days old now. I loaded it real
clean with fighter equipment before accessing the net. That's what is
worrying me: they still seem to be getting in, not as much as
before (quite a story: certain letters coming in with certain subject
lines from our websites were copying themselves and shipping
out). I found the demon this eve in that computer's registry when
matched against this one. But it will stay for now; that machine will
get reformatted again too. It's the hidden scripts that worry me the
Any suggestions on the running process? Its name is RNAPP.EXE.
Is this a hidden Windows application I don't know about? That is the
exact name. TDS identifies it when reloaded with an internet
connection running. Still cannot find it either by "Find file" or
Either I reinfected myself on the last format or it came in anew via
email. All probs did start about 4 days ago when I opened an email
with pics in it. I did not open the pics. Just a suspicion, but it did
start then. Someone sent me mail LOADED with gifs and jpgs; just
trying to get the email to download (56K) may have been an
Likewise, I do not assume ignorance on anyone's part. These hacks
can be very wily. They may simply be coming in quietly past the
firewall somehow. ZoneAlarm shut off while I was online 2 nights
ago by the way, only for a moment (it prompted for restart), and
that is not the first time I have seen it shut down by itself without
I downloaded Mosaic today; any word on that as compared to IE 5+
as far as hack tampering is concerned? Figure I'll test it a few
hours before a format here, what the heck...
On the double window, by the way: yes, I get prompted twice a lot
by ZoneAlarm even for IE5. Haven't located that prob yet.
ZoneAlarm many times shows it as running twice on the icon bar.
RE: 2 passwords too. Windows Explorer was acting as an internet
server according to ZoneAlarm 3 nights ago. Can anyone explain?
ZoneAlarm did not prompt for permission either. These hacks (if)
know the software, is my guess.
Kind of why I have resorted to checking the registry. I should keep
a list of the things I'm pulling for review, huh? I will! Any word on
possible effect to BIOS (if that's the right term) from Trojans? What I
mean is the system settings that remain after a format. Not a
certified computer pro here.
How did I discover the initial tampering? Aside from the mail
shipping itself out, not randomly but very selectively, I opened up
Inbox.dbx one day, then folders.nch and... goodness. Even FTP
was keeping its log in there. If you guessed correctly, Outlook
Express was the first to go. YES, fully updated SP2. Heh. They
seem to use streaming data and audio to accomplish whatever,
and ODBC/MSADC/MQIS drivers, dlls, and associated ports. If you
aren't using those items you can (carefully) rid your system of
them, except the ports of course. Oh yes, how do we close certain
ports? Anyone done that with ZoneAlarm?
I have gotten rid of lots of glitches here in just a few hours. Hey,
here's an interesting one: I was online looking for the browser, I
clicked a link at the Mosaic site and got a 404 error. I checked
TDS for established connections. Sure enough, I had someone
(unresolved IP) online. When I killed the socket and tried the link
again, guess what? Yep, site was dandy. That fella (connection) had
followed me from site to site for 2 hours; I kept killing the socket,
he kept showing back up. I logged him with TDS, so not likely it
was something at Mosaic. Mosaic is clean and quiet. They close
connections very politely.
Sorry on so long. I have been at this 3-4 weeks now as things
escalated. It was getting to the point where I could barely use this
computer. I get about 75-100+ letters a day from my websites;
many times they are mixed with very obvious virus emails.
According to the definitions I did read, SirCam did come in here
many times; I never opened them, however. Really, not once. I sent
copies to Norton 3-4 weeks ago on 3/12" floppies, so they did get
copied. But we had the mail copy problem for at least 6 weeks
before it got out of hand enough to be really something you were
sure about. Anyway, whoever was receiving that mail, well, I have
them listed on the registry of that machine; I found the letter IDs
that matched this evening. Further details later.
"Bear in mind that SirCam is also going around, and there's no way
to patch the hole it's based on apart from keeping the user well
away from the computer... :)" CAN THIS BE ELABORATED
PLEASE? I have looked at SirCam, I have the worm remover here
but haven't had a chance to test that machine where it may still
reside. What do you mean 'patch the hole it's based on'?
Thank you for Internet Storm by the way.
Susan. (With what will hopefully be a very solid clean machine in a
few days... getting it to stay that way is the trick. This is my
mailbox, with which I want to disable as many possibilities as
possible for future attempts, which I assume will never end.)
Richard H. Cotterell <mailto:seec at mail.retina.ar>
A quotation for your reading pleasure:
Men often oppose a thing merely because they have had no agency
in planning it, or because it may have been planned by those whom