[Dshield] A few strange exe's

Kenneth Coney superc at visuallink.com
Mon Jan 12 04:42:12 GMT 2004

This is one of my hobbies.  I have learned you can't just rely on Norton AV
alone when dealing with a strange PC.  An updated Norton is an excellent
way of preventing an infection, but once the infection has set in, Norton
checks sometimes don't react to some strings.  Likewise some target the
Norton itself.

With a clean machine and a dial up connection make up some disks
containing the 12 more common downloadable Symantec solutions: FixKlez,
FixBugbear, etc.  Use the online virus Symantec check to determine which
repair disk to load and run.  Remember (a txt file on the disk as a
reminder helps) which ones should be run as an exe and which ones as a cmd
depending on what kind of system you are dealing with.  Turn off System
Restore before scanning if dealing with an XP first.

Get AVG (free) installed on the victim machine.  There is no downside to
this as the updates are free and AVG finds some indicators Norton misses
(the reverse is also true).  Run the AVG and clean up what it finds.
Consider running BoClean or TDS to get some nasties the others ignore.
This only brings you halfway home.

Some viruses can destroy vital system files or corrupt them so they should
be destroyed.  A new system install disk (win 95, 98, XP or whatever) is an
important part of your toolkit (you should also have the convert version of
the same disks which might be needed, depending on the history of the
victim system).  Use the proper install disk to replace corrupt or missing
system files.  Load and run the appropriate service pack disks (you did
bring/do have them too I hope?).

At this time there doesn't seem to be a way of getting the 4 megabyte patch
for the Blaster Nachia RPC vulnerabilities without going on line (unless
you have a Zip drive).  Why MS won't make that patch smaller or available
in small 1 meg chunks so it can be installed on older PCs with a 3.5
without going on line, I don't know.  The act of going online to get the
patch exposes you to the Nachia Blaster worms.  (Had one I worked on get
infected that way (i.e., while attempting to get the patch) with Nachia
just yesterday.)  Crazy I know.  The good news is the patch can be saved to
a zip drive, so if the machine you are cleaning has a zip, patching without
going on line is possible.  The latest free ZoneAlarm is too big to fit on
a 3.5 disk, so you have to go online for that too (again a Zip drive on the
target machine can eliminate some risk).  Installing NIS as a first
firewall also won't help, as it too has to go online to get the RPC patch
instructions and all of the updates (about 20 megs).

I say go for it, install a current AVG then scan, then take a chance and
get the MS patch first before worrying about the firewall.  If you get hit,
the AVG offers some protection.  The download usually stops and the system
tries to reboot so remember to scan and clean again before (and after)
rebooting.  Once the system is Blaster patched you can deal with the other
15 megs of critical MS updates and firewall setup installation problems.  A
patched firewall is little protection if the system remains vulnerable to
whatever slides by.

Are all your MS critical patches up to date?  Fine, rescan with Symantec
online and kill whatever crept in while you were getting the MS critical
patch online.  Reinstall any corrupted system files.  Put your firewall on.
Update it.  Write the rules you want.  Quick test at GRC.com.  Delete AVG,
reboot and reinstall AVG and run it.  Redo the TDS/boclean too.  It has
been 3 days since you began, is the system clean of nasties yet?  Turn
system restore back on if you haven't yet.

How about the mail files?  Did you check them yet?  Virus attachments in
stored mail folders (especially in Netscape) sometimes escape casual virus
scans as mail folders are sometimes ignored or password protected (etc.)
and can deny access to the AV, so do a specific check of stored mail files.

Both Norton and AVG can sit in memory at the same time without a conflict.
TDS 3, AdAware and Reg Protect (from the TDS people) can also squeeze in
there without too many problems.

Subject: [Dshield] A few strange exe's
From: "Paul Marsh" <pmarsh at nmefdn.org>
Date: Fri, 9 Jan 2004 23:07:05 -0500
To: <list at dshield.org>

Just an FYI.

   I've been working on an XP home edition for the last few hours having
all kind of problems with it.

   1.  The system was a default build from Dell, no SP's loaded..ugh
   2.  No firewall running...ugh
   3.  No Anti-virus...ugh, ugh

   Had a bitch of a time getting Norton loaded on it just to run a virus
scan; once I did, it had about 15 instances of 5 different viruses.  Had a
bitch of a time loading Spy-bot also.  The long and the short of it is I
found three strange exe's running.

   Found some info on the above, original files are OK but some research
points to trojan drop compromise.

   wini32.exe can't find anything on this one, but as soon as I got it
unloaded and removed from the system things started to improve.  Anyone
know anything about it?  NAV did not detect any of them as being infected
and spy-bot didn't find anything either.

Thanx, Paul
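
Added example, not part of either post: one way to do the "specific check of stored mail files" suggested above, by listing attachments in a mail folder whose final extension is executable. It assumes the folder file is in mbox format (as Netscape mail folders are); the extension set, the sample messages and the function names are constructed for illustration.

```python
import mailbox
import os
import tempfile

# Assumed set of extensions Windows treats as runnable (not taken from the post).
RISKY = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}

# Constructed two-message mbox sample; addresses and file names are made up.
SAMPLE_MBOX = """\
From a@example.test Mon Jan 12 04:42:12 2004
Subject: your details
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="details.doc.pif"

CONSTRUCTED
--B1--

From b@example.test Mon Jan 12 05:00:00 2004
Subject: meeting notes
Content-Disposition: attachment; filename="notes.txt"

CONSTRUCTED
"""

def risky_attachments(mbox_path):
    """Return (subject, filename) for attachments whose final extension is risky."""
    findings = []
    box = mailbox.mbox(mbox_path, create=False)
    for message in box:
        for part in message.walk():
            name = part.get_filename()
            # Only the last extension counts: "details.doc.pif" is a .pif.
            if name and os.path.splitext(name.lower())[1] in RISKY:
                findings.append((message.get("Subject", ""), name))
    box.close()
    return findings

def demo():
    """Write the constructed sample to a temporary folder file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Inbox")
        with open(path, "w", newline="\n") as handle:
            handle.write(SAMPLE_MBOX)
        return risky_attachments(path)
```

Point `risky_attachments` at a copy of each folder file taken from the machine being cleaned, then delete or quarantine the reported messages from within the mail client.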

