I sent this around to a couple of my user sites today. I was glad to see that some of the users did actually read the notice as I got several replies back saying it made them laugh.
Please note that there are several hoax Valentine's Day cards going around the internet that link to malicious software. If you received a Valentine's Day e-card, please do not open it, and tell your loved one not to be a cheapskate and buy a real card.
It's going to be a long day for sysadmins who use AutoIt on their production LAN, as Symantec has detected the product as MSN.flooder in their DAT files - the last time this happened was Jan 2006. Fortunately I only have it on a couple of PCs, but it is going to be a real pain for someone who uses it on every desktop or in login scripts. This follows about a week after they crippled thousands of Chinese PCs by detecting Windows files as viruses. I sure wouldn't want to be a Chinese sysadmin running AutoIt! Home users can log a report at the Symantec false positive report site, but Enterprise Gold or Platinum users need to contact support or submit a false positive report after updating the DATs. To report using the antivirus application, right-click the file in quarantine and choose "Submit to Symantec Security Response". Unfortunately on my work PC I don't have rights to do this!
Update: Downloading the latest updates (the May 31st defs), releasing the files from quarantine and then scanning did not quarantine the files again.
Update 2: It looks like the same definition patterns also got a false positive in Search & Destroy, according to SANS.
Update 3: HTML corrected to ensure the updates appear properly.
I installed Adobe's Flash Player 6 on my PC tonight and was surprised to see Comodo Antivirus kick in with a "Not-a-virus:RiskTool.Win32.PsKill.q" for the nsprocess.dll file included as part of the install - presumably to kill any previous installs currently running. I've seen things like this with Symantec Antivirus and PsKill from Sysinternals before, but not with Flash Player!
I submitted the file to virustotal.com and got the following results.
| Antivirus | Version | Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.5.10.0 | 05.09.2007 | Win-Trojan/ProcKill.4096.B |
| AntiVir | 7.4.0.15 | 05.09.2007 | no virus found |
| Authentium | 4.93.8 | 05.08.2007 | no virus found |
| Avast | 4.7.997.0 | 05.09.2007 | no virus found |
| AVG | 7.5.0.467 | 05.09.2007 | no virus found |
| BitDefender | 7.2 | 05.10.2007 | no virus found |
| CAT-QuickHeal | 9.00 | 05.09.2007 | no virus found |
| ClamAV | devel-20070416 | 05.09.2007 | no virus found |
| DrWeb | 4.33 | 05.09.2007 | no virus found |
| eSafe | 7.0.15.0 | 05.08.2007 | no virus found |
| eTrust-Vet | 30.7.3622 | 05.09.2007 | no virus found |
| Ewido | 4.0 | 05.09.2007 | no virus found |
| FileAdvisor | 1 | 05.10.2007 | No threat detected |
| Fortinet | 2.85.0.0 | 05.09.2007 | no virus found |
| F-Prot | 4.3.2.48 | 05.09.2007 | W32/Trojan.RZG |
| F-Secure | 6.70.13030.0 | 05.10.2007 | no virus found |
| Ikarus | T3.1.1.7 | 05.09.2007 | no virus found |
| Kaspersky | 4.0.2.24 | 05.10.2007 | no virus found |
| McAfee | 5027 | 05.09.2007 | potentially unwanted program Generic PUP |
| Microsoft | 1.2503 | 05.09.2007 | no virus found |
| NOD32v2 | 2255 | 05.09.2007 | no virus found |
| Norman | 5.80.02 | 05.09.2007 | no virus found |
| Panda | 9.0.0.4 | 05.09.2007 | no virus found |
| Prevx1 | V2 | 05.10.2007 | no virus found |
| Sophos | 4.17.0 | 05.08.2007 | no virus found |
| Sunbelt | 2.2.907.0 | 05.05.2007 | no virus found |
| Symantec | 10 | 05.10.2007 | no virus found |
| TheHacker | 6.1.6.112 | 05.10.2007 | Trojan/KillProc.p |
| VBA32 | 3.12.0 | 05.09.2007 | no virus found |
| VirusBuster | 4.3.7:9 | 05.09.2007 | no virus found |
| Webwasher-Gateway | 6.0.1 | 05.09.2007 | no virus found |
That is 5 antivirus products that presumably block or interfere with Flash being installed.
There has been a worm infecting Windows servers running the popular Plesk package (which provides shared Windows hosting) due to a vulnerability in MailEnable. My host has provided details of the available fix, but first they disabled POP3 access to prevent the worm spreading. An interesting method of propagation and a pretty drastic measure to stop it - hopefully everyone signs up for the forum notifications or their helpdesk is going to be very busy.
There is now an unofficial patch out for the WMF flaw, but it is currently unavailable. More details at F-Secure's blog. SANS has a mirrored link to the patch as the original author's website is unavailable, probably because everyone is hitting his site. However, Google's cache of the page that talks about the flaw is available and worth looking at. I'm posting the details into my extended entry in case the Google page gets wiped.
About IDA Pro, decompilation, programming, binary program analysis, information security. By Ilfak Guilfanov.
Windows WMF Metafile Vulnerability HotFix
This week a new vulnerability was found in Windows:
http://www.microsoft.com/technet/security/advisory/912840.mspx
Browsing the web was not safe anymore, regardless of the browser. Microsoft will certainly come up with a thoroughly tested fix for it in the future, but meanwhile I developed a temporary fix - I badly needed it.
The fix does not remove any functionality from the system, all pictures will continue to be visible. You can download it here:
http://www.hexblog.com/security/files/wmffix_hexblog12.exe
It should work for Windows 2000, XP SP2 and XP 64-bit. It might also work for XP SP1 or XP without any service packs applied.
Technical details: this is a DLL which gets injected into all processes loading user32.dll.
It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore.
I can imagine situations when this sequence is useful. My patch completely disables this escape sequence, so please be careful. However, with the fix installed, I can browse files, print them and do other things.
If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as "Windows WMF Metafile Vulnerability HotFix". I'd like to know what programs are crippled by the fix, please tell me.
I recommend that you uninstall this fix and use the official patch from Microsoft as soon as it is available.
The usual software disclaimer applies...
File: wmffix_hexblog12.exe (the source code is included)
UPD: more error checking
UPD2: Version 1.1 with Win2000 support
UPD3: Version 1.2: if the hotfix has already been applied to the system, inform the user at the second installation attempt.
There is no need to reinstall anything! Old hotfixes are perfectly ok.
Posted by Ilfak Guilfanov on December 31, 2005 06:53 AM
Although I am not aware of any customers running Snort, this may be of use to other people reading this: Snort 2.4 with the Back Orifice processor enabled is vulnerable to attack, as per the details at SANS.
I've just had a scam email pretending to be from Bank of the West (who I've never even heard of) saying that there has been fraudulent activity on my bank account. A DNS lookup on the domain that they've registered (on Tuesday) has an address in New Orleans - probably as they know that it is going to be impossible to trace that for the foreseeable future.
As usual the website is actually hosted in the far east - Vietnam in this case.
8 days after Vista was released to beta, the first virus appears. So an obviously secure platform then :-) At least this virus is not likely to spread very far, as there are unlikely to be many Vista machines in deployment.
Interesting to see that it looks like the police are getting involved with contacting ISPs to ask them to do something about PCs that are infected with viruses and acting as zombies, according to net4nowt.
Wish they would do something about the French ISP hosting phishing accounts. I received an email on Friday asking me to verify my eBay information, and checking the website, it is hosted on Amen's servers. There was no email contact information on the website, their "online chat guide" is permanently engaged, and the only way to contact the support department is to register with them or be an existing customer (I wonder if an EX customer like me is included in that latter category). An email to abuse@amen.fr has so far only come back with an (autoreply) statement saying they will take immediate action to stop spammers and to forward them the headers - which I did on the initial posting.
When a new outbreak of viruses comes through, I really wish that either I didn't have a catch-all address or that relaying mail servers had antivirus technologies in them. I had 27 emails from myself notifying me that my account was closed and that I would need to contact myself to ensure my account would still be active. The ones that I've been getting are variants of the Mytob strain. If it wasn't illegal it would be tempting to use the backdoor that these viruses create to open a session to the sending computer, create a file on the desktop that says "OY - YOU HAVE A VIRUS - GET SOME ANTI-VIRUS SOFTWARE - NOW!!!!!", open it and then shut down the backdoor.
The PILs are still getting loads of the latest Sober viruses - I've tracked it down to a business in Columbus using Road Runner, but that could be anyone. The weird thing is that they've not had an email from this person in their normal email, so I can't track down who this would be.
Yesterday a new Sober variant was discovered and last night the PIL had 4 copies of it in their inbox. Fortunately I had made sure the virus definitions were up to date as part of my reporting to Symantec about the update problem. (Fat lot of good the reporting did - their response was to just manually update, as they didn't have many PCs that have been affected by this problem.)
I can't believe that people are STILL opening attachments with "their passwords" in them when they've not requested any passwords to be sent to them.
2 of our clients have managed to get corrupt Symantec antivirus definitions, which means the services stop. As the services are stopped I am unable to update them with the console, and I've disabled LiveUpdate. Unfortunately the symantec.com websites are unavailable (and so was MSN Search) (even though they are using the Akamai network to protect against DDoS). In the end I used the FTP service at ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/ to download the definitions onto the local PC.
Having said all that, I spent about an hour trying various things to fix the client but in the end gave up. I've now uninstalled the software and moved across to our new corporate McAfee software instead. I'm not saying this is any better (I doubt it) but we'll see....
As I write this, MSN Search and Symantec are now available again.
There's a trojan out for Symbian phones called the Skulls trojan. Along with a photo of an infected phone comes the rather obvious quote "the most obvious symptom of the trojan in that the typical programs don't work and that their icons get replaced with a skull".
I've had a friend's laptop for the past two nights to fix "lots of dodgy popups appearing when I connect to the internet". I've removed about 800 pieces of adware on the machine and about 150 viruses (most of them already on there, but the rest kept coming back). The machine now seems to be clean according to Ad-Aware, Spybot and NAV and my own inspection of the registry, which I had to clean manually as Spybot et al. miss a lot of them. I've found that the AV software will normally delete the files (although in this case NAV said it couldn't, but I could delete them from DOS) but leave the registry entries behind. Or, the antispyware software deletes the registry entries but leaves behind the files!
Anyway - my problem is that it's almost there now. Using IE (no flames please) it seems to be ignoring background colours. For example, in the MT menus at the top you have the MT logo, then Menu | Help | Logout | View Site. Normally this is in the same blue/grey colour as the MT logo on the left of the screen. Not so here - the background for the menu is white, but the MT logo appears normally.
I've checked the CSS setting in IE and that's not set.
Web pages look very odd with no background. The colours are all wrong too. Looking at absoblogginlutely, there is no background image, the positioning is correct, but the text is just straight black unless it's a link, which is blue. Normally there is black, orange and grey text.
I'm not sure if this is a result of overzealous cleaning of the registry or what, but it's very weird.
Had a customer who had their server infected with worm.sdbot.rj, rbot.fn, agobot.zo, randex.q and another one I can't remember. The combination of all these viruses caused slow performance on the server, dropped network connections, corruption of the IIS metabase and a keylogger trojan installed on the machine.
After a long day talking them through disinfecting the machine I managed to get the server into a fairly clean state and also get a copy of the keylogger log. It makes quite interesting reading what it had logged and when (starting from 21st Sept). Unbelievably it hadn't logged any passwords to the log file, so they were very fortunate in that they hadn't used the server to connect to other machines - most things listed in the log file were pings, ipconfig and traceroutes to diagnose problems caused by the virus being on the machine.
They now have AV software on the machine and, more importantly, a strong password, and they are up to date with all the Windows patches.
I've spent about 4-5 hours remote supporting someone trying to "untrojan" a server which was pretty badly infected. Personally I wouldn't have bothered and would just have reinstalled, but as usual in a business situation they need the box running NOW and can't wait for a proper fix. So I've spent some time clearing up most of the remote agents and gaping holes on the server. I don't think it will be long until they are infected again - the current stats I read last week were 20 minutes for an unprotected machine! Anyway, Mike had a link to a spyware detection page which in turn had a link to Sysinternals' Autoruns, which has a nice GUI interface to programs running on startup. One neat trick is the right-click option to search for the program on Google.
A nice tool called Silent Runners (lists every program that starts up with Windows!) is pretty useful for quickly checking for any potential nasties running on an infected (spyware/virus) PC. There are also some good tips and links in the disinfection page.
Finally got round to finishing off the parents-in-law's computer repair after their virus/adware/spam attack. The only thing that was wrong was that Norton Antivirus complained about not being able to run ActiveX controls when you went to view its console. A search on Google didn't really help much, apart from saying that it was advisable to check that the autoupdate was running within services.msc.
I ran services.msc and got the same message which is *really* strange. I then discovered (when I accidentally clicked on my userid instead of theirs on the computer) that my logon account worked fine. I now knew that the problem was user related and not computer specific which was a good start - but where to start?
Searching online I came across an MSDN article on URL security zone templates, so I had a read of that and spotted that the template zones are stored in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones.
An export from my user account and an import into their account and services.msc runs ok and more importantly so does NAV2002.
I exported the reg settings and brought them back, and sure enough a lot of the settings were non-zero (locked down), but I've no idea what they relate to, and at 10.35pm I don't really care.
The moral of the story is that when you set up a machine for someone, create your own clean username and password with admin privileges and don't tell them what the password is, as a clean user profile will solve lots of problems.
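Added example, not the author's script: a small parser for regedit export files that compares the Zones settings from a clean profile with those from the affected one and names the ActiveX-related values that are locked down, which is the part of the export the post says was never worked out. The two .reg texts are constructed samples, not real exports; the value numbers and their meanings (1001, 1004, 1200, 1201, and the 0/1/3 states) come from Microsoft's documentation of the URL security zone registry entries, and the key path is the one given in the post.

```python
"""Compare two exported URL security zone settings (.reg files) and report the
ActiveX values that are locked down in the affected profile but not the clean one.

Added example for this post, not the author's own script. CLEAN_REG and
AFFECTED_REG are constructed samples in regedit export format, not real exports.
Value meanings per Microsoft's URL security zone documentation: 1001/1004 =
download signed/unsigned ActiveX controls, 1200 = run ActiveX controls and
plug-ins, 1201 = initialize/script controls not marked safe; 0 = Enable,
1 = Prompt, 3 = Disable.
"""
import re

ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONE_NAMES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}
ACTIVEX_VALUES = {"1001": "Download signed ActiveX controls",
                  "1004": "Download unsigned ActiveX controls",
                  "1200": "Run ActiveX controls and plug-ins",
                  "1201": "Initialize and script ActiveX controls not marked as safe"}
STATES = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample: the clean (admin) profile, zones 0 and 3 only.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"DisplayName"="My Computer"
"1001"=dword:00000000
"1004"=dword:00000001
"1200"=dword:00000000
"1201"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
'''
# Constructed sample: the affected profile, with the My Computer zone locked down
# so locally hosted ActiveX consoles (NAV, services.msc) cannot run.
AFFECTED_REG = CLEAN_REG.replace('"1001"=dword:00000000', '"1001"=dword:00000003', 1) \
                        .replace('"1004"=dword:00000001', '"1004"=dword:00000003', 1) \
                        .replace('"1200"=dword:00000000', '"1200"=dword:00000003', 1) \
                        .replace('"1201"=dword:00000001', '"1201"=dword:00000003', 1)

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Parse a regedit export into {key_path: {value_name: value}}.
    Handles dword and string values; other value types are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None or not line:
            continue
        m = DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = STRING_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
    return keys


def zone_of(key_path):
    """Return the zone number if key_path is a direct child of the Zones key."""
    prefix = ZONES_KEY.lower() + "\\"
    if key_path.lower().startswith(prefix):
        rest = key_path[len(prefix):]
        if "\\" not in rest:
            return rest
    return None


def locked_down_diffs(clean_text, affected_text):
    """List (zone, value name, description, clean state, affected state) for
    ActiveX settings that are non-zero in the affected export and differ from clean."""
    clean, affected = parse_reg(clean_text), parse_reg(affected_text)
    diffs = []
    for key_path, values in affected.items():
        zone = zone_of(key_path)
        if zone is None:
            continue
        for name, desc in ACTIVEX_VALUES.items():
            new, old = values.get(name), clean.get(key_path, {}).get(name)
            if isinstance(new, int) and new != 0 and new != old:
                diffs.append((ZONE_NAMES.get(zone, zone), name, desc,
                              STATES.get(old, str(old)), STATES.get(new, str(new))))
    return diffs


if __name__ == "__main__":
    for zone, name, desc, old, new in locked_down_diffs(CLEAN_REG, AFFECTED_REG):
        print(f"{zone:15} {name} {desc}: {old} -> {new}")
```

Run it against real exports by replacing the two constructed strings with the contents of `reg export` files from the clean and the affected accounts; the report says which zone and which setting is blocking the console before anything is imported over the top.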
On upgrading one of the clients to v9 this morning it complained that it had Bloodhound.Packed in a file. I eventually worked out how to submit this to Symantec and got a message on submission that it could take up to 2 weeks before I got a reply - VERY scary! As it turned out, within 10 seconds I had an email saying that the file was detected as Backdoor.Ranky and that I should download new updates. I did this and sure enough it detected the file as Backdoor.Ranky. What bugs me is that Backdoor.Ranky has been around since the beginning of July, so the file (that was running on startup) should have been detected since July. That, and the new defs that are being downloaded every day should detect it with the correct name.
grrrrrr
Well, for the Americans amongst you, I've been told that the computer has a big condom on it but it's not giving any of us pleasure *or* protection.... now the smut's over..... (and that was K's mum's joke!)
After running antivirus and deleting 1 (yes, 1) file we then cleaned the registry autorun locations (which Symantec stupidly omits to tell you). We then used SpywareBlaster to clean the default web start and search pages. Google webbar was installed to remove popups and then CWShredder was installed, which detected CWS.JKSearch, and we removed it. A reboot later and then Ad-Aware was installed on the machine, which found another 108 spyware infections on the machine (it was 78 before we rebooted after running CWShredder :-( ).
Unfortunately we now have a (new) toolbar at the *bottom* of the screen entitled "search bar" which hopefully will be removed with Ad-Aware, as it's now ten to midnight and I *REALLY* need some sleep after yesterday's
Posted by Andy at 11:50 PM
Parents-in-law got infected with Trojan.Ecure, which so far is being really nasty to disinfect. Had to give up at midnight last night and I'll try again on Sunday. In the meantime (for my reference) look at link1, link2, link3, link4.
I ran through the clean of the registry in safe mode but couldn't AV clean as we couldn't find the AV software on the machine.
Remote Assistance was complaining that it couldn't allow me to request assistance - REALLY need to fix *that* so I can then remote control the PC and fix it.
One of our users, for the second time in two weeks, reported that they had a virus on their PC and Norton had picked it up. The scary thing is that it had got on and infected the PC despite Norton being installed and running on the machine. I think the problem was/is due to the fact that the Symantec Firewall/VPN software is pants and can be configured by the user - therefore if they are not careful it can be left in a wide-open state... and that's what I think happened, although after the last infection I made sure it was in restricted mode (but it wasn't this morning). If I'd known about the Port Reporter from MS I could have worked out (easily) what ports the virus was supposedly running on. I guess I could have used netstat, but not first thing before coffee.
Norton's went nuts overnight deciding that I had several Bloodhound.Exploit.6 occurrences in my incoming mail and has quarantined them. Annoyingly it's in the log file (which is a .txt file) so I can't see who sent it to me, as it's blocked access to the logs (which incidentally is why you should always exclude the Exchange server directory from antivirus scanning!).
Update: I got into the logs and discovered that the offending line of code uses an object tag and tries to get data from http://privatemailboxrentals.com. This came in an email thanking me for purchasing web hosting with the domain sexigerl.com. Took me a while to work out what that was, then I read it all phonetically.
Update 2: This one has been written up on Code Fish.
Thanks to Neils post on Terrakt I've spent some time reading the articles at Code Fish Spam Watch where they run through their analysis of phishing scams they've received. Some interesting, although fairly technical, reading - and pretty scary too when you consider how vulnerable and easy these pages are to install on peoples machines.
Apparently, according to Symantec, the virus we discovered on the network yesterday is W32.Randex.gen, which is a name given to a family of viruses which has been around since December 2003, so why on earth did Symantec not pick it up? VERY scary. Update: The AV update that we downloaded at about 10pm last night detected this file and deleted it, but I'm still unsure as to why it's been available since December. I was going to try doing a heuristic scan on it to see if the AV would pick it up but can't, as the new defs have got to the file. I think if I get asked to renew Symantec AV next year I may well be testing different software, as this is the third virus to get past the detection routines in as many weeks - and we are paying a lot of money for this so-called protection.
Just a heads up that there's likely to be a new virus as msclock.exe in the windows\system32 directory that gets added to hklm\software\microsoft\windows\run and runservice. It seems to replicate using common shared folders with weak passwords. msclock.exe looks like Internet Explorer if you look at the icons and has a description of Internet Explorer. Not much else is known at the moment. NAV with AV defs of today does not pick it up, neither does Panda AV software.
With msclock.exe running you will not be able to launch regedit or taskmgr; rename these files and then run them..... more details to follow.... argh, I hate consulting sometimes.
The latest in the round of viruses is Polybot. At the time of writing (2pm on the 19th), Symantec have two patches - the Virus Definitions updated March 19th (which don't actually exist if you try to download them) and the Virus Definitions dated March 24th. They can work out how to name a virus and how it spreads (via RPC vulnerabilities that should have been patched) but no fix yet..... Thankfully we've not had any come through via email yet.
Typical - the first recent virus that does damage to the user's local files, as opposed to just launching a DoS attack or acting as a zombie (which the firewall would have prevented), and this is the one that the user gets infected with, AND with no backup of their data!
The cost to us was a day's downtime whilst I had the user's PC shipped to the office to work on, 5 hours of my time to hack the box to change the administrator password (as this was set by a previous company and I wasn't bringing the machine online to change the password over the network!), run the AV software check (which took about 3 hours to run), run Ad-Aware to remove the spyware (Gator) on the machine and check for Windows updates (remarkably up to date!). I also had to run a complete network sweep which REALLY slowed everyone's machine for about an hour - and all because updates were less than a day old and someone was daft enough to open a weirdly named attachment. In their defence the file did look like a .txt file due to large amounts of spaces and changing the icon to look like a .txt file instead of a .exe file.
Back in the office today after an extended 4-day visit to a customer (which was only scheduled for one day!) I decided to check that the NAV definitions were up to date (which they were) and to double-check they would detect the Netsky.B virus. After waiting about 3 or 4 minutes for the list of viruses that Norton detects (wouldn't it be nice to have a search function?) to load, I was able to confirm it did detect them. I then checked my mailbox and found a letter from Symantec, dated the 18th, which arrived this morning (20th) telling me about the virus. I thought the whole point of these Virus Bulletins was to give you a head start on possible infections, not notification two/three days after you read about it everywhere else and even the 4-year-old from next door is asking your opinion on it (not really - he's more like 44 years old).
I'd come across the Stinger utility from Network Associates Inc. but didn't know what it was. Apparently it's a utility that will assist you in removing the latest viruses from your computer - all in one .exe file. Although no substitute for AV software, it would make a good tool to have on a USB disk/floppy/CD to take to people's machines when they ring up as they've been infected.
Interesting post from Netcraft on how Microsoft and SCO could be planning to sort out the denial of service likely to happen on Sunday when the latest virus starts to attack. Apparently last time round Microsoft used Akamai to split the load - but they use Linux, so it wasn't a good PR move to host Microsoft.com on a Linux box - and how is SCO going to cope if they won't use Linux either (after all, they'd then have to sue themselves).
and you get a rapidly spreading virus - or so the news would have us believe. We've had one instance so far with the subject "Hi", with an attachment of "kjywtjhgnbw.exe". The body of the email contains Test =) lfcdlfaorget
--Test, yep. Now if you got an email like this would you click on the .exe file?
That virus alert I posted the other day has now been classified as w32.bugbros@mm which sounds more like a bug in a movie.
Looks like there's a new Microsoft virus doing the rounds. Similar to the previous alerts, this looks like a regular Microsoft alert apart from the fact that it includes the "patch" itself and it comes from a weird Microsoft email address.
We've now started to get alerts that Mimail infected emails are coming in. Fortunately we're detecting and deleting the attachments but I'm hoping it doesn't eat too much of our bandwidth up. In the meantime the status of the threats can be seen at Symantec Security Response. When will these infected people learn?
Looks like there might be a new virus doing the rounds, as I've received several bounces where I'm in the "reply to" field of the email. The body of the email contains different subjects; so far I've had "your password", Sophos virus removal tools, IE6 patch etc... The good news is that I think I know who got infected with this one.
when you open your first email after starting Outlook, you see the error message Error: "VPMSECE.DLL could not be installed or loaded. It may be missing or there may not be enough resources." The error message may or may not reference a location, as in: "C:\Program Files\NavNT\vpmsece.dll could not be installed or loaded. It may be missing or there may not be enough resources."
The documented solution is to uninstall the Symantec security client, delete extend.dat (search your computer for this file) and start Outlook. If this doesn't work, reinstall Outlook (in my case Office). There is no way I was going to uninstall Office and then reinstall it, so I went hunting.
10 minutes later I had a solution.
A quick search of the registry for vpmsece.dll comes up with LDVP under HKLM\Software\Microsoft\Exchange\Client\Extensions. Disabling LDVP under Tools/Options/Other/Advanced Options/Add-In Manager and restarting Outlook, and everything was OK. Re-enabling the extension and the problem re-occurs.
Deleting the registry entry HKLM\Software\Microsoft\Exchange\Client\Extensions\LDVP and restarting Outlook means I don't get the error message, and the LDVP add-on is not listed in the registry.
I then installed Symantec Client Security again and all seems to be OK. The cryptic LDVP has been replaced with SavCorp810 in the extension manager, which makes it a lot easier to work out what the extension is.
A result from Symantec: "Submission # 3271252. The Trojan Horse detection was removed this morning and the correction is available in the 10/7/03 Intelligent Updater files. Submission # 3273288. We've corrected this detection. The fix will be available in the 10/8/03 virus definitions."
Now all I have to do is work out why Outlook insists on not being able to find a dll even after I've deleted the extend.dat file.
My firebird.dll was submitted to Norton's SARC this afternoon, so hopefully it will get removed as a false positive. Apparently you can only submit one file a day, so the pspv.zip file gets sent to them tomorrow. Update: The (automated) response came back saying that the file is infected: "result: This file is infected with Trojan Horse. Developer notes: X:\Program Files\MozillaFirebird\FireDLL.dll is non-repairable threat. NAV with the latest beta definition detects this. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest beta definitions."
Nowhere have they said that oh sorry, this might be a false positive - grrrrr
Update 2: Looking on Google it looks like some other people have had the same problem with firedll.dll. It turns out that this is a tool that was available for download on grc.com which tests whether your personal firewall is subject to leaks, allowing utils access to the internet that you've specifically not authorised. Norton (and others) have now decided this is not acceptable to have on your PC. Related to this, you can see if your AV software acts in the same way by checking to see whether you can download these two files from the FireHole site.
Two useful pages on troubleshooting communication between a Symantec client and the Symantec Corporate Edition client. These were given as part of a solution to a problem I have but unfortunately have *nothing* to do with the actual problem; still, they are handy for other situations: A guide to the Grc.dat file in Symantec AntiVirus Corporate Edition 8.0, and How to troubleshoot Symantec AntiVirus Corporate Edition 8 communication problems.
The problem with Norton has been fixed. I tracked the bandwidth down to our main update server downloading antivirus updates every 10 minutes - the same updates every 10 minutes. Once I disabled "continuous live updates", which should only attempt to get live updates if the definitions are more than 10 days old (they were up to date), I found it was *still* trying to download the updates. A long call to the Symantec helpline and he asked me to check everything that I had already done, which was comforting to know that I was on the right track. We re-enabled continuous updates, clicked apply and then disabled it again.... and the updates still kept being downloaded every 10 minutes. It was decided that maybe a reboot would force the system to reread the configuration and start downloading once a day (although I had already done one reboot). I scheduled a reboot for 10pm and went home - at 7pm the updates stopped. Reboot at 10pm and a scheduled download at 4am - as per configuration. Very strange.
Somewhere in our configuration I think we've set something up wrong as yesterday our central Norton AntiVirus server downloaded 324MB of updates via the http protocol...so today is being spent troubleshooting it :-(
Now this is the sort of message I'd expect to see - I'm very impressed with this AV for Exchange - content filtering could be good fun if you set the word "the" as objectionable content :-)
Location of the infected item: //Mailing Lists/uniVerse
Sender of the infected item: MS Corporation Internet Security Center
Subject of the message: Newest Net Security Pack
The attachment "PACK817.exe" was Quarantined for the following reasons:
The file was unrepairable. Virus Info:
Virus W32.Swen.A@mm was found.
This was done due to the following Symantec AVF settings:
Policy: Standard
SubPolicy: Error SubPolicy
Rule: Unrepairable Virus Rule
I think there might be a variant of the Swen virus doing the rounds, as since 8.19 this morning we are getting similar-looking emails coming into the office but NAV is not able to scan them, and instead of "Attachment something.exe was Deleted for the following reasons: Virus W32.Swen.A@mm was found" we are now getting "No action was taken on the attachment. Attachment something.exe was Logged Only for the following reasons: Scan Engine Failure (0x80004005)". The Symantec query results look like it's a problem with some compressed files, but I'm shortly about to upgrade our email scanning software so we'll see if we still get it then.
We had several detections of the Worm.Automat.AHB. Interestingly this has now been renamed W32.Swen.A@mm. I checked the server that gets updates every night and it was using definitions dated 18th September (which catches this worm) and despite it updating every night, it hadn't downloaded the definitions dated 19th September which according to Symantec's Virus watch page detects 5 more new virus's
Unixgirl details New lows in pop-ups where a message appears telling you that you have a virus if you go to http://www.ownbox.com/treasure . I've deliberately not linked the url. I can just see this being used by spyware authors and phonedialers
I've found that there is an alternative to AVG free Anti-Virus Software called BitDefender. I've not tried this yet though. It will be interesting to see if it clashes with bigfix like AVG does (although that clash is fixed by hitting the "fix button")
or why Demon put a ping filter on their routers....
Further to my rant about Demon this afternoon, I got an email from Clara's announcement mailing list where they are now filtering due to the new Nachi virus, or as Symantec calls it W32.Blaster.E. My virus alert page shows there is another virus that was detected today. I do hope you are patched AND your definitions are up to date!
Looks like they've caught the idiot who created the MSBlast worm... now they just need to get the scum who wrote SoBig. BBC NEWS | Technology | Youth suspected of net attack
You would have thought that people would have turned off the email notification by now.
I'm very tempted to set up an automatic response to postmaster@ as below.
> Recipient of the infected attachment: Ronit Mani\Inbox
> Subject of the message: Re: Wicked screensaver
> One or more attachments were deleted
> Attachment application.pif was Deleted for the following reasons:
> Virus W32.Sobig.F@mm was found.
>
I did not send this virus. Can I suggest you turn off these notifications, as all they are doing is clogging up all the email servers which are struggling enough already!
Thank you.
Dilbert has a very appropriate reason why viruses spread.
I fired up Kristen's laptop which has AVG on it and discovered that it hadn't actually updated the virus definitions for a month, as for some weird reason I had it set to update at 6.30 am! Seeing as the laptop is not actually on at that time, it hadn't updated. A quick search in Google and I realised that it is possible to run the AVG auto update by running "c:\program files\grisoft\avg6\avginet.exe" /norm
Bundle this with sleep.exe saved into the Windows directory, pop it into the Startup folder and, as the laptop is permanently connected to the internet, it updates every time the machine is booted up (a bit of a pain if this is more than once a day, but that pain is better than the pain of a virus infection).
The batch file contains the following two lines:
sleep 60
"c:\program files\grisoft\avg6\avginet" /norm
A shortcut is created to this batch file, with the shortcut set to run minimised and close on exit.
This could be modified to detect a network connection first (for dialup users), but not at 7.30 in the morning. If this is needed - remind me!
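As an added example (not the batch file from the post above), this is how the "detect a network connection first" variant could look: it waits for a real ping reply before running the updater and logs what happened. The avginet path is the one given above; the probe host, retry count and log file are assumptions of my own.

```batch
@echo off
rem Added example, not the batch file from the post above: waits for a
rem working network connection before running the AVG 6 updater, so a
rem dial-up laptop does not fire the update before the link is up.
rem Assumed: avginet.exe at the path the post gives; the probe host,
rem retry count and log file below are placeholders of my own choosing.
setlocal
set AVGINET="c:\program files\grisoft\avg6\avginet.exe"
set PROBE=www.grisoft.com
set TRIES=10
set LOG=%TEMP%\avgupdate.log

:wait
rem Only a reply containing TTL= is a real answer; "Destination host
rem unreachable" from the local gateway also leaves errorlevel at 0.
ping -n 1 %PROBE% | find "TTL=" >nul
if not errorlevel 1 goto online
set /a TRIES-=1
if %TRIES% LEQ 0 (
    echo %DATE% %TIME% no network after retries, update skipped>>"%LOG%"
    goto end
)
rem sleep.exe from the resource kit, as in the original two-line batch file
sleep 30
goto wait

:online
echo %DATE% %TIME% network up, running AVG update>>"%LOG%"
%AVGINET% /norm
echo %DATE% %TIME% avginet exit code %ERRORLEVEL%>>"%LOG%"

:end
endlocal
```

Point the minimised shortcut in the Startup folder at this file instead of the two-line one; the log shows whether a boot skipped the update for lack of a connection.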
I noticed on ServerGeek that he has a feed from Symantec with the latest news on viruses that have been discovered and removal tools available. This is useful to monitor the latest virus news and can be semi-customised and embedded into your own pages. For the moment I've got the feed installed at /virus with nothing else there. However I'd like to customise MovableType's category archives so that I have the alerts on the left and my Virus posts on the right of the page. That way I have all my anti-virus information in one place...
I'm finding more and more things that I want to do with MT - just need the time to do it - but that is what Bank Holiday Weekends are for :-)
After the 170-odd emails that we received yesterday I would have thought we'd have had quite a few come into the office today... instead we've had about 6. That's really weird how the virus has basically stopped overnight... (not that I'm complaining btw!)
McAfee have an interesting page that tells you how much hacking/virus activity has come from the network you are on. The results from my IP at home tell me that 4 IP addresses have been detected - that probably means 4 people in the town I live in who use Pipex are/were infected.
What a morning... so far I've had 116 notifications that we've received the Sobig virus into our mail servers. These are running NAV and delete the attachment, and were previously configured to send an email (for a historical record of the quantity of viruses) and a Windows Net Send message to my desktop to notify me of the problem. However, with the amount of notifications, and also notifications when the manual scan failed to open certain attachments in emails, I was unable to work as I had to keep clicking OK. Therefore I had to turn the notifications off - must remember to turn them back on again.
There would be major resistance in the company to blocking attachments at the mail server, so unfortunately that option is a no-go.
At the same time I've had to arrange scans on three remote PCs that managed to get the Blaster or Welchia worms on their machines, as they got infected between us updating at 4am with no patch updates and the 11.30 manual update we initiated!
One of the laptops (from a remote site) has no firewall, runs W2K and no service packs or fixes. I've spent the last couple of hours installing SP4, rebooting and installing all the various hotfixes, IE6 and the multiple reboots needed to do them all. WHAT A MORNING!
Thanks toSOBig was very fast spreading and by 12pm we had at least 8 copies in our mailboxes and our antivirus software was updated at 4am in the morning and nothing was found when the emails came through. Thankfully (that I am aware of) the users didn't open the emails - I guess I'll find out when I am in the office tomorrow.
I've also had Symantec's console have its password changed in the past, and Kevin's page details the changes. All you do is change HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ConsolePassword to 1084A085DC6BD2D755D4D6A7726 and then use the password symantec
(I've repeated it here so I have a local archive in case Kev's page ever disappears.)
Microsoft have a pretty good page about the Blaster worm with links to all the various utilities and the various anti-virus software packages that deal with this. They don't mention AVG software though, which, considering it is free and therefore widely used, I'm surprised wasn't covered.
From the email that I received from eEye:
A worm began spreading on the Internet early Monday morning that exploits a recent vulnerability in Microsoft Operating Systems. The worm, dubbed Blaster, takes advantage of a known vulnerability in Microsoft RPC DCOM that affects all current versions of Windows NT, Windows 2000, Windows XP, and Windows Server 2003.
The worm begins by targeting Microsoft systems that have not been properly patched for the known RPC DCOM vulnerability. Once the worm detects an unpatched system, it will attempt to download and run a file called msblast.exe. If successful in infecting a system, the worm will propagate itself, modify Windows registry settings, and initiate a SYN flood denial-of-service attack on windowsupdate.com.
The worm payload does not contain any additional malicious content; however, because of the nature of the worm and the speed at which it attempts to impact systems, it can potentially create a denial-of-service attack against windowsupdate.com.
For further information and a technical description of the Blaster worm please visit:
eEye. They also have a free tool you can download (reg required) to see which machines are vulnerable... but then again you should have done that a long time ago, especially with running Windows Update! Their full suite of programs will also tell you if you are unlucky enough to have it running around your network.
Two popular antivirus packages, Symantec AntiVirus Corporate Edition 8.0 and NSI's Double-Take, can cause all versions of Windows XP, Windows 2000, and Windows NT to crash. In one case, a system crashes with a stop code of 0x0000007F and the message "UNEXPECTED_KERNEL_MODE_TRAP." In the second case, the system might simply restart with no warning message. According to the Microsoft article "You Receive a 'Stop 0x0000007F' Error Message or Your Computer Unexpectedly Restarts", both packages exhibit this behavior when the kernel mode scanning drivers are unable to allocate buffer space by calling the file system to map a portion of a disk file in memory. When a system has insufficient kernel-mode memory, NTFS can't allocate the requested buffer and sometimes can't allocate enough memory to indicate the buffer request failed. In this situation, the system crashes with the "0x07F Stop" message. This event will most likely happen on systems with up to 128MB of memory or on systems that perform a large amount of I/O. More details and the source of this text can be found on the Windows & .NET Magazine site (but it's broken so use the Microsoft URL instead).
Whilst typing up the previous post I used tinyurl to get a url shortened and it had a google ad in the margin for free software. I clicked on the link which took me to OpiStat Survey Program registration page where if you register to be on a consumer panel you get the award winning Norman Virus Control software - and before you ask Pieter, no I've no idea on its performance - in fact I don't think I've ever heard of it :-)
I would do a search on google for them but google is incredibly slow this morning.
Looking at OpiStat's privacy policy, it looks like you'll be downloading spyware onto your machine and opening yourself up to targeted ads and spam.
Thanks to a tip off from the Mezzenger email newsletter, it is possible to get a free copy of Panda AntiVirus software if you are an IT professional, and nowadays who isn't?
Update: Further to Pieter's question in the comments, I've not actually used Panda, as all my machines are covered - most of them are running Norton AntiVirus, either the corporate version or 2002 depending on whether the machine is mine or work's (one laptop is running AVG from Grisoft). Panda was the company that got into hot water a while back when it refused to disclose details on a new virus that it had received, giving it a slight edge on detection, but losing a lot in PR. (I'm sure I blogged this but a quick search could not find it.) The Panda software review on CNET's site does not have a very glowing report of it either... but it's free :-) I'll probably get an installation on one of the PCs just to try it out for experience's sake.
Went to download a free copy of Gladiator today as per an old post of mine, and found that it was discontinued - the reason being that the author had a new job working for a paid-for a/v software company and they would not allow him to continue with his own creation.
Guess I'll have to get AVG instead.
Unfortunately it's been discovered that Norton AntiVirus Corporate Edition (the one we use!) can't detect malware on floppy disks on XP. Fortunately the only XP machine that we have is the laptop that I am using, and it doesn't have a floppy drive (well, 99.9% of the time - it's an external USB one), so we should be reasonably safe. Having said that, this seems to be a pretty major oversight as in the past viruses spread predominantly through floppy disk swapping.
Just had a bounce report from an email that supposedly has come from me. As usual it's a virus playing tricks from someone else who knows me and it has set my email address as the from field, so I'm getting all the bounce reports. This only means I'm going to have loads of hassles from people asking me why I've sent them a virus OR asking me to help them to remove the virus as they've infected themselves.
Oh - and if you use Freeserve for your ISP and know a Big Scary Penny on Demon then I'm afraid it's you who is infected.
You would have thought that an alleged ecommerce company would have updated (or even used) anti-virus software on their computers so that they are protected. Not so in the case of ebuyer, as I've received a virus from them today, so not only do they send you dented products and play silly email ping-pong when you try to return the goods, they now also send you viruses as a free gift!
Ages ago Neil recommended a download of Messenger plus which added loads of neat features to MSN Messenger. The latest version has apparently been bundled with some spyware in the form of a LOP client. More details available on the online version of spywareinfo.net. I would therefore strongly recommend against downloading the newest versions of this software, although the old ones are probably still safe.
Got my first spam from signing up on a guestbook - hey Kelly, afraid yours is the guilty party :-( They were offering me the Klez removal tool - which was probably the virus itself! After all, if you have Klez on your computer then you don't have an AV tool, so how are you going to know that the unsolicited attachment is not Klez itself! On other anti-virus software news, I am going to remove McAfee from this computer as it really is pants. When this machine got infected (twice) with Magistr it was unable to repair the files and they had to be deleted - and they were a few Windows files! I updated the software by hand (as there is no automatic update facility) and it found yet another virus on the computer - Downloader-AW trojan. However, when you look on their website to get more information on this virus - it is not listed! The nearest that I could find is that it was created using a virus toolkit. If that is the case, then how come the software didn't pick it up - the toolkit has probably been around for yonks! Norton's AV is going on real soon!
Update: Instructions on removing the Downloader-W trojan are on McAfee's site (note name difference!)