
Virus Warning!

Biggles The Man Without a Face
This is especially for all those who love to file share. First, go read [url="http://securityresponse.symantec.com/avcenter/venc/data/w32.dlder.trojan.html"]this page[/url].

Now, it mentions two file sharing utils there. I would like to add another to that list: KaZaa. That "Clicktilluwin" thing is distributed with the latest version of KaZaa, as I found out the other day. This basically means that KaZaa is distributing a trojan virus. I [b]highly[/b] recommend not downloading KaZaa from this point on! Morpheus is likely to be similarly affected, as it is essentially the same program.
Fortunately the virus isn't too harmful, but I don't like the idea of my user ID and IP address being sent out into the internet. I suggest all KaZaa users scan their system immediately.
I'll never be downloading that program again...

------------------
[b][url="http://www.minbari.co.uk/log12.2263/"]Required reading[/url][/b]
Never eat anything bigger than your own head.
The Balance provides. The Balance protects.

"Nonono...Is not [i]Great[/i] Machine. Is...[i]Not[/i]-so-Great Machine. It make good snow cone though." - Zathras

Comments

  • Entil'Zha I see famous people
    [quote]Originally posted by Biggles:
    [b]This is especially for all those who love to file share. First, go read [url="http://securityresponse.symantec.com/avcenter/venc/data/w32.dlder.trojan.html"]this page[/url].

    Now, it mentions two file sharing utils there. I would like to add another to that list: KaZaa. That "Clicktilluwin" thing is distributed with the latest version of KaZaa, as I found out the other day. This basically means that KaZaa is distributing a trojan virus. I [b]highly[/b] recommend not downloading KaZaa from this point on! Morpheus is likely to be similarly affected, as it is essentially the same program.
    Fortunately the virus isn't too harmful, but I don't like the idea of my user ID and IP address being sent out into the internet. I suggest all KaZaa users scan their system immediately.
    I'll never be downloading that program again...

    [/B][/quote]


    It's not really a virus, it's spyware. A good 75% of shareware these days has some form of spyware in it. Instead of not downloading the program, get AdAware, a nice program that removes spyware: [url="http://www.lavasoftusa.com/"]http://www.lavasoftusa.com/[/url]

    I've used it on KaZaa and it removed the spyware.

    Once you run AdAware, I guarantee that you will find that you have at least a dozen spy programs on your machine that you didn't even know were there.
  • PJH The Lovely Thing
    Will it remove Windows too?

    [img]http://216.15.145.59/mainforums/biggrin.gif[/img] [img]http://216.15.145.59/mainforums/biggrin.gif[/img] [img]http://216.15.145.59/mainforums/biggrin.gif[/img]

    - PJH
  • samuelk The Unstoppable Mr. 'K'
    [quote]Originally posted by Entil'Zha:
    [b]
    It's not really a virus, it's spyware. A good 75% of shareware these days has some form of spyware in it. Instead of not downloading the program, get AdAware, a nice program that removes spyware: [url="http://www.lavasoftusa.com/"]http://www.lavasoftusa.com/[/url]

    I've used it on KaZaa and it removed the spyware.

    Once you run AdAware, I guarantee that you will find that you have at least a dozen spy programs on your machine that you didn't even know were there.

    [/b][/quote]


    Oh, it's definitely a virus. Read the article. The install program asks you if you want to install the "virus", and even if you choose "No", it installs anyway. And relays IP information to another location.
  • shadow boxer The Finger Painter & Master Ranter
    will it turn a Windose box into a real computer like a Macintosh ?

    [img]http://216.15.145.59/mainforums/biggrin.gif[/img]
  • Biggles The Man Without a Face
    [quote]Originally posted by samuelk:
    [b]
    Oh, it's definitely a virus. Read the article. The install program asks you if you want to install the "virus", and even if you choose "No", it installs anyway. And relays IP information to another location.[/b][/quote]

    And that counts as a virus in my book. I don't care if it's spyware, it's a virus as well. Besides, spyware doesn't usually disguise itself as the Windows Explorer executable, instead it tries to masquerade as a legitimate program (eg Bonzi Buddy).
    I've already run AdAware, I ran it after installation. It didn't pick this little thing up.

    SB: You know very well that Windows is too low in the chain of goodness to move up it. [img]http://216.15.145.59/mainforums/smile.gif[/img]

  • Entil'Zha I see famous people
    [quote]Originally posted by Biggles:
    [b] And that counts as a virus in my book. I don't care if it's spyware, it's a virus as well. Besides, spyware doesn't usually disguise itself as the Windows Explorer executable, instead it tries to masquerade as a legitimate program (eg Bonzi Buddy).
    I've already run AdAware, I ran it after installation. It didn't pick this little thing up.

    SB: You know very well that Windows is too low in the chain of goodness to move up it. [img]http://216.15.145.59/mainforums/smile.gif[/img]

    [/b][/quote]


    Have you gotten AdAware's newest definitions? 'Cause it picked it up on mine.
  • Sanfam I like clocks.
    Download Refupdate to make it easy.
    Also, make sure refupdate points to the right folder.
  • Biggles The Man Without a Face
    Yes I did. I wonder why it missed it. Maybe because my windows directory is on the E: drive? Either way, it's still a virus, it's still being distributed by KaZaa, which has millions of downloads, and most people are not aware of this.

  • Entil'Zha I see famous people
    [quote]Originally posted by Biggles:
    [b]Yes I did. I wonder why it missed it. Maybe because my windows directory is on the E: drive? Either way, it's still a virus, it's still being distributed by KaZaa, which has millions of downloads, and most people are not aware of this.

    [/b][/quote]


    To be fair, most people are not aware of half the things that get installed on their machines.
  • Does anyone know the specifics on the "security flaw" that student from Utah State found in AIM?
  • Ohhhhhhhhh...do tell!
  • Biggles The Man Without a Face
    [url="http://www.w00w00.org/advisories/aim.html"]This page[/url] does.

    Entil'Zha: That doesn't change the fact that a virus is being distributed by a popular program. People should not need to worry about things like that.

  • Entil'Zha I see famous people
    [quote]Originally posted by Biggles:
    [b][url="http://www.w00w00.org/advisories/aim.html"]This page[/url] does.

    Entil'Zha: That doesn't change the fact that a virus is being distributed by a popular program. People should not need to worry about things like that.

    [/b][/quote]

    'Course they shouldn't have to, but it's a fact of life these days.
  • Biggles The Man Without a Face
    I still think that hiding it by calling it "Explorer.exe" and trying to make it look like a part of the OS so that people don't remove it is going far far too far.

  • Entil'Zha I see famous people
    [quote]Originally posted by Biggles:
    [b]I still think that hiding it by calling it "Explorer.exe" and trying to make it look like a part of the OS so that people don't remove it is going far far too far.

    [/b][/quote]


    I'd tend to agree with that.
  • JackN Lightwave Alien
    It's ironically funny that the 'Nimda A' virus tends to attach itself to Explorer.exe and Admin.dll files in Windows 2000 Pro...

    [img]http://216.15.145.59/mainforums/frown.gif[/img]
  • Sanfam I like clocks.
    In other news, Biggles was infected with Nimda. Quite a twist, no?
  • Vertigo1 Official Fuzzy Dice of FirstOnes.com
    Serves him right for not keeping his anti-virus definitions up to date. [img]http://216.15.145.59/mainforums/smile.gif[/img]

    Seriously, it's not hard to keep yourself from being affected by Nimda. Nuke the index service and set your anti-virus program to auto-protect. [img]http://216.15.145.59/mainforums/smile.gif[/img]

    <- have yet to get infected with any type of virus (unless you consider windows a virus. [img]http://216.15.145.59/mainforums/biggrin.gif[/img]).

    ------------------
    [url="http://www.mdstudios.f2s.com/index.html"]Material Defender Studios[/url]
    [i]Fan Artwork[/i]
    [i]3dsmax tutorials ONLINE! More to come soon![/i]

    [b]PROUD TO BE AN AMERICAN![/b]
  • Biggles The Man Without a Face
    Vertigo1: Do not imply things that are not true, please. I keep my virus definitions extremely up to date. I also have the latest virus checker from Symantec, and thanks to Jack I have another, free one running as well now. I have no idea how Nimda managed to get on my system, but the only file it managed to infect was a file called "desktop.eml" in some preferences directory deep into the chain of folders under "Documents and Settings". All I can say is that it came down some time after I got WinXP, since that drive was formatted before installing WinXP.
    As for the index service: Quite how do I nuke it? Preferably without taking down windows.

  • PJH The Lovely Thing
    I think he meant to turn it off, Biggles.

    - PJH
  • Entil'Zha I see famous people
    [quote]Originally posted by Biggles:
    [b]Vertigo1: Do not imply things that are not true, please. I keep my virus definitions extremely up to date. I also have the latest virus checker from Symantec, and thanks to Jack I have another, free one running as well now. I have no idea how Nimda managed to get on my system, but the only file it managed to infect was a file called "desktop.eml" in some preferences directory deep into the chain of folders under "Documents and Settings". All I can say is that it came down some time after I got WinXP, since that drive was formatted before installing WinXP.
    As for the index service: Quite how do I nuke it? Preferably without taking down windows.

    [/b][/quote]


    I thought that too when I had Nimda, but the only way I found to get rid of it was to format the hard drive.

    And I got it because I was running a Win2000 webserver, nice huh? Now I just sit back with my Apache webserver and watch the Nimda hits in the log; it's amazing how many people are infected.
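    For anyone who wants to do the same "watch the hits" exercise on their own Apache log, here is a small Python script I am adding to the thread (it is not code from any poster or from the Nimda write-ups). It parses combined-format access log lines and tallies, per source address, the request paths an infected IIS host sends out while scanning: the root.exe backdoor, the encoded directory traversal to cmd.exe, and the fetch of Admin.dll from the Scripts directory that JackN mentions later in this thread. The log lines below are constructed for the demo and use documentation address ranges; the pattern list is the minimum set and should be extended from a vendor write-up.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-log lines for the demo (not real traffic; the
# source addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Sep/2001:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.77 - - [20/Sep/2001:10:02:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.77 - - [20/Sep/2001:10:02:02 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.77 - - [20/Sep/2001:10:02:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.77 - - [20/Sep/2001:10:02:04 +0000] "GET /scripts/Admin.dll HTTP/1.0" 404 210 "-" "-"
198.51.100.5 - - [20/Sep/2001:10:03:30 +0000] "GET /about.html HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.9 - - [20/Sep/2001:10:04:00 +0000] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
"""

# Apache combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request signatures of an infected IIS host looking for new victims: the
# root.exe backdoor, the encoded-traversal reach for cmd.exe, and the fetch of
# Admin.dll from the Scripts directory after the tftp upload. Extend as needed.
NIMDA_PATTERNS = (
    re.compile(r"/root\.exe", re.IGNORECASE),
    re.compile(r"cmd\.exe", re.IGNORECASE),
    re.compile(r"/scripts/Admin\.dll", re.IGNORECASE),
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_nimda_probe(path):
    """True if the request path matches one of the scanning signatures."""
    return any(p.search(path) for p in NIMDA_PATTERNS)


def scan_log(text):
    """Count Nimda-style probes per source IP and keep the paths seen from each."""
    by_ip = Counter()
    paths_by_ip = defaultdict(list)
    total = probes = unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        total += 1
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if is_nimda_probe(rec["path"]):
            probes += 1
            by_ip[rec["ip"]] += 1
            paths_by_ip[rec["ip"]].append(rec["path"])
    return {"total": total, "unparsed": unparsed, "probes": probes,
            "by_ip": dict(by_ip), "paths_by_ip": dict(paths_by_ip)}


def report(result):
    """Human-readable summary, busiest source first."""
    lines = [f"{result['probes']} Nimda-style probes in {result['total']} requests"]
    for ip, n in sorted(result["by_ip"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {ip}: {n} probe(s), e.g. {result['paths_by_ip'][ip][0]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(scan_log(SAMPLE_LOG)))
```

    On Apache these requests just come back 404, so nothing is being exploited; the useful output is the list of source addresses, since each one is itself an infected machine whose owner could be notified (or which you can drop at the firewall).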
  • JackN Lightwave Alien
    Nimda is a pissy little f***er of a virus...

    Before I go on, Biggles, just delete that "desktop.eml" file. .EML is an email file that was placed there by some web location you visited. I'll explain more in a minute.

    It has at least 3 ways into your system:

    1. The most common way for someone to get it is to visit a web page that is run on an infected server. The infected pages have additional code either as a javascript or as a separate HTML tagged subsection that opens a new window.

    Once this new window gets opened, it tries to open an email file of various file names, that all end with the .EML extension.

    This is why it is mainly considered an email virus, although it has alternate entry options. (You have to give the author credit for his ingenuity).

    Once this email is opened in your email client, the virus makes entry unless you have installed the security patches for Windows OS, IE, and your Email Client to intercept it.

    2. The second way is obvious from the first one. If you get an infected email, and you aren't protected... well... you get the idea.

    3. This one is elusive. This virus also makes use of ISAPI and MAPI protocols. This only affects unprotected IIS and PWS web servers on Windows. That's why Apache users sit back and laugh at the rest of us.

    When you install Windows 2000 Pro, by default IIS is NOT installed, and so the only way you might get infected is with options 1 or 2 above. If you however have installed IIS after installing W2k Pro, then you are vulnerable, unless you have installed the patches and service packs.

    Windows 2000 server and advanced server are a different story. By default, when server is installed, so is IIS 5.0. So, before you even connect your machine to the internet or a LAN for that matter, install the patches and service packs, otherwise you are open season.

    Hope this helps some of you. It's a real bitch to get rid of too...

    Especially if it has copied your Admin.dll or Explorer.exe to the root. It will set the read only attribute on them, so you have to boot up in command line only SAFE mode, and unset the read only attribute on either of these two files, then delete them from the root.

    While you are there, you can make a fresh copy of the Admin.dll from the windows\dllcache directory into the root folder. I'm not sure if you need to do this but, it's a safe move. Just be wary of any file that is roughly 57k larger than it should be...

    Also, you'll likely have infected TFTP####.htm files in your InetPUB\Scripts folder. Just kill 'em, after you unset the read only attribute on them.

    After all this, reboot normally and you should be clean, for the time being, until you make preparations to protect your machine.
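    To turn the clean-up checks in the post above into something repeatable, here is a Python triage script I am adding (my own code, not JackN's procedure verbatim and not from any vendor tool). Given the three directories the post names, the drive root, windows\dllcache and InetPub\Scripts, it reports whether root copies of Admin.dll and Explorer.exe exist, whether they carry the read-only attribute, whether they hash-match the dllcache copy, whether they have grown by roughly the 57k the post mentions, and which TFTP*.htm files sit in the Scripts folder. It only reports; deleting is left to the person at the keyboard. The directory paths are parameters, the 4k tolerance around the 57k figure is my assumption, and the demo tree it builds in a temporary directory is constructed, not a real infected system.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# The post says an infected copy is "roughly 57k larger than it should be";
# the tolerance band around that figure is an assumption for this demo.
EXPECTED_GROWTH = 57 * 1024
TOLERANCE = 4 * 1024
WATCHED = ("Admin.dll", "Explorer.exe")


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_read_only(path):
    """The Windows read-only attribute shows up as a cleared owner write bit."""
    return not (Path(path).stat().st_mode & stat.S_IWUSR)


def triage(root, dllcache, scripts):
    """Report, without deleting anything, the artefacts the clean-up targets."""
    root, dllcache, scripts = Path(root), Path(dllcache), Path(scripts)
    findings = {}
    for name in WATCHED:
        suspect = root / name
        if not suspect.is_file():
            continue  # nothing copied to the root under this name
        info = {"read_only": is_read_only(suspect), "size": suspect.stat().st_size,
                "reference_match": None, "size_delta": None, "suspicious_growth": False}
        ref = dllcache / name
        if ref.is_file():  # compare against the known-good dllcache copy
            info["reference_match"] = sha256_of(ref) == sha256_of(suspect)
            info["size_delta"] = info["size"] - ref.stat().st_size
            info["suspicious_growth"] = abs(info["size_delta"] - EXPECTED_GROWTH) <= TOLERANCE
        findings[name] = info
    tftp_files = sorted(p.name for p in scripts.glob("TFTP*.htm")) if scripts.is_dir() else []
    return {"root_copies": findings, "tftp_files": tftp_files}


def build_demo():
    """Constructed directory tree standing in for an infected drive (demo only)."""
    tmp = Path(tempfile.mkdtemp(prefix="nimda-triage-"))
    root, dllcache, scripts = tmp / "root", tmp / "windows" / "dllcache", tmp / "InetPub" / "Scripts"
    for d in (root, dllcache, scripts):
        d.mkdir(parents=True)
    clean_dll = b"MZ" + b"\x00" * 4096   # stand-in for a clean Admin.dll
    clean_exe = b"MZ" + b"\x00" * 8192   # stand-in for a clean Explorer.exe
    (dllcache / "Admin.dll").write_bytes(clean_dll)
    (dllcache / "Explorer.exe").write_bytes(clean_exe)
    (root / "Admin.dll").write_bytes(clean_dll + b"X" * EXPECTED_GROWTH)  # bloated root copy
    os.chmod(root / "Admin.dll", stat.S_IREAD)                            # read-only, as the post describes
    (root / "Explorer.exe").write_bytes(clean_exe)                        # identical to dllcache: benign
    for n in ("TFTP1234.htm", "TFTP5678.htm"):
        (scripts / n).write_text("<html></html>")
    return tmp


def run_demo():
    """Build the constructed tree, triage it, and clean up (restoring write bits first)."""
    tmp = build_demo()
    try:
        return triage(tmp / "root", tmp / "windows" / "dllcache", tmp / "InetPub" / "Scripts")
    finally:
        for p in tmp.rglob("*"):
            if p.is_file():
                os.chmod(p, stat.S_IREAD | stat.S_IWRITE)
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    for name, info in result["root_copies"].items():
        print(name, info)
    print("TFTP files in Scripts:", result["tftp_files"])
```

    On a real box you would call triage() with the actual paths (for example the E: drive Biggles mentions), look at anything flagged read-only or with a size delta near 57k, and only then boot to safe mode to clear the attribute and delete.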
  • Biggles The Man Without a Face
    PJH: I know he did. So did I.

    Jack: The first thing I did after the scan was delete that file, even though Norton wanted to just quarantine it. I'm no fool, I know to delete infected files outright.
    Now for the possible inlets:
    1: Well all we can hope for here is auto-protect I guess. Hopefully it will catch anything, but nothing's perfect. That's what weekly system scans are for.
    2: I don't open email attachments unless I am expecting them and know exactly what they are. I also have email scanning set up so that incoming emails are scanned before they get to my inbox and outgoing emails are scanned on the way out.
    3: I don't run any webservers off this machine and I don't intend to. If I do set one up it'll be set up on my Linux box and it will be an Apache server. It has always been so.

  • Vertigo1 Official Fuzzy Dice of FirstOnes.com
    Biggles, I know you keep your defs up to date. Re-read my post. I was [b]teasing[/b] you. Note the bit where I got serious AFTER that comment. [img]http://216.15.145.59/mainforums/smile.gif[/img]

    Now for how to nuke Indexing Services:

    Go to your Admin Tools and double-click on Services. Double-click on Indexing Services. Set it to disabled. Reboot Windows.

    It's as simple as that. [img]http://216.15.145.59/mainforums/smile.gif[/img]

  • Biggles The Man Without a Face
    Thanks. Turns out it's already stopped.
