AVG and "Run.exe"

redbrickhat

Every 30 minutes, AVG Free detects a trojan infection of "run.exe."
I have the following questions:

1) I was using XP Firewall, now I have added ZoneAlarm. Will this be
sufficient to stop the attacks? If so, why didn't XP Firewall work?

2) Is there any way for the attacker to "lose" my IP address, if the
address is dynamically obtained from my ISP?

3) The attacked computer is connected by a wireless link to a Netgear
router; there is a second computer attached directly to the router via
cable. Can the attacker also "see" the second computer?

4) Can someone point me to a web page or textbook where I can find more
information about this topic?



Thank you for your feedback.
Duane Arnold

redbrickhat said:
Every 30 minutes, AVG Free detects a trojan infection of "run.exe."
I have the following questions:

1) I was using XP Firewall, now I have added ZoneAlarm. Will this be
sufficient to stop the attacks? If so, why didn't XP Firewall work?

No, although ZA and XP FW have some form of Application Control, they
are not enough to stop such an attack, because a human is sitting at the
keyboard and mouse and has contributed to the compromise in some way with
the happy fingers that click on unknown links in emails and go to
dubious Web sites.

PFW(s) are not 100% protection so don't treat them as such.
2) Is there any way for the attacker to "lose" my IP address, if the
address is dynamically obtained from my ISP?

Yeah, if you tell the ISP you want the IP changed, or if you don't pay the
bill. The IP may also change if you're offline long enough.

On a dial-up connection the IP from the ISP will change every time you dial.
3) The attacked computer is connected by a wireless link to a Netgear
router; there is a second computer attached directly to the router via
cable. Can the attacker also "see" the second computer?

A hacker can join your wireless network and be all over the top of the
wired and wireless computers if they are not protected, secured or hardened
against attack.
4) Can someone point me to a web page or textbook where I can find more
information about this topic?

You can configure your computers to use static IP(s) on the router. Then
you can set/configure the personal FW(s) on the computers to only accept
traffic from the static IP(s) you have assigned.

That will prevent anyone from joining your wireless network and using a
DHCP-assigned or static IP on the router to access the computers on your
network, wired or wireless.

http://netsecurity.about.com/cs/wireless/a/aa112203_2.htm

You should try to secure the XP NT-based O/S as much as possible, or
harden it against attack.

http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm

You should try to practice safe hex.

http://www.claymania.com/safe-hex.html

You should look around from time to time with the proper tools and not
let something like a PFW or other solutions tell you everything is okey
dokey.

Long

http://www.windowsecurity.com/artic...d_Rootkit_Tools_in_a_Windows_Environment.html

Short

http://tinyurl.com/klw1

If the router has a syslog, then use something like Wallwatcher (free)
or Kiwi Syslog Daemon to watch traffic to/from WAN IP(s) from LAN IP(s)
on the router.

Duane :)
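The log-watching step Duane describes (router syslog feeding Wallwatcher or Kiwi Syslog Daemon, looking at LAN-to-WAN traffic) can be automated. The script below is an added example, not code from the thread or from any of the linked tools. It parses a small set of constructed, generic syslog-style lines (the exact field layout is an assumption; a real Netgear router's format will differ and the regex needs adjusting), then performs two checks that follow from the thread: it lists LAN source addresses that are not on the owner's assigned static-IP list (a sign that someone has joined the wireless network), and it flags any LAN-to-WAN flow that recurs at a steady interval, which is what an infected host checking in with its controller looks like and matches the 30-minute cadence in the original question. The `KNOWN_LAN_HOSTS` set and the `year` argument (syslog lines carry no year) are assumptions.

```python
"""Added example (not from the original thread): spot periodic LAN-to-WAN
"beacon" flows and unexpected LAN hosts in router syslog output.

Log format below is constructed and generic, not any specific router's;
adjust LINE_RE to match what your router actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real data). Assumed format:
# "<Mon DD HH:MM:SS> router kernel: OUT src=.. dst=.. proto=.. dport=.."
SAMPLE_LOG = """\
Mar 14 10:00:02 router kernel: OUT src=192.168.1.10 dst=203.0.113.5 proto=TCP dport=80
Mar 14 10:00:05 router kernel: OUT src=192.168.1.11 dst=198.51.100.20 proto=TCP dport=443
Mar 14 10:30:02 router kernel: OUT src=192.168.1.10 dst=203.0.113.5 proto=TCP dport=80
Mar 14 10:41:17 router kernel: OUT src=192.168.1.11 dst=198.51.100.44 proto=TCP dport=80
Mar 14 11:00:03 router kernel: OUT src=192.168.1.10 dst=203.0.113.5 proto=TCP dport=80
Mar 14 11:30:02 router kernel: OUT src=192.168.1.10 dst=203.0.113.5 proto=TCP dport=80
Mar 14 11:31:40 router kernel: OUT src=192.168.1.37 dst=198.51.100.9 proto=UDP dport=53
Mar 14 12:00:01 router kernel: OUT src=192.168.1.10 dst=203.0.113.5 proto=TCP dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ OUT "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

LAN = ip_network("192.168.1.0/24")
# Assumed: the static LAN addresses the owner assigned, per the advice above.
KNOWN_LAN_HOSTS = {"192.168.1.10", "192.168.1.11"}


def parse_log(text, year=2024):
    """Return a list of (timestamp, src, dst, proto, dport) for outbound lines.

    Syslog lines carry no year, so one is supplied (assumption: 2024).
    Lines that do not match the expected format are skipped, not fatal.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], m["proto"], int(m["dport"])))
    return events


def unknown_lan_sources(events):
    """LAN addresses talking to the WAN that are not on the owner's static list.

    Any such host means a machine you did not assign an address to is on
    your network, e.g. someone who joined over wireless.
    """
    seen = set()
    for _, src, _, _, _ in events:
        if ip_address(src) in LAN and src not in KNOWN_LAN_HOSTS:
            seen.add(src)
    return sorted(seen)


def periodic_beacons(events, min_hits=4, tolerance_s=60):
    """Return (src, dst, interval_seconds) for flows recurring at a steady gap.

    Groups events per (src, dst) pair, computes the gaps between successive
    hits, and reports the flow if every gap is within tolerance_s of the
    median gap. Ordinary browsing is bursty and irregular, so it does not
    trigger; a malware check-in timer does.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, _, _ in events:
        by_flow[(src, dst)].append(ts)

    beacons = []
    for (src, dst), stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - median) <= tolerance_s for g in gaps):
            beacons.append((src, dst, int(round(median))))
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("unknown LAN hosts:", unknown_lan_sources(evs))
    for src, dst, interval in periodic_beacons(evs):
        print(f"beacon: {src} -> {dst} every {interval // 60} min")
```

On the constructed sample the script reports 192.168.1.37 as a host not on the static-IP list and flags 192.168.1.10 talking to 203.0.113.5 every 30 minutes. In practice, feed it the file Wallwatcher or the syslog daemon writes, and treat a flagged beacon as the place to start when hunting for the process behind the recurring detection.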
Duane Arnold

2) Is there any way for the attacker to "lose" my IP address, if the
address is dynamically obtained from my ISP?

One other thing: the computers are sitting behind the protection of a NAT
router, so having the IP changed means nothing. It would mean something
if a computer was connected directly to the modem and for some reason
someone locked in on the IP the computer was using.

But that's a no with the machines behind the router, because it's blocking
all unsolicited inbound traffic to the machines, and the only traffic that's
going to make it to a machine is traffic that software running on the machine
has solicited from a remote/WAN IP.

http://www.firewall-software.com/firewall_faqs/what_does_firewall_do.html

Duane :)
redbrickhat

Right now, I am relying on the antivirus program for detecting the
"run.exe".
If the attacks continue, is there anything specific I should do?

For example, would it be worth finding out the source of the attacks?




Thanks.
Duane Arnold

redbrickhat said:
Right now, I am relying on the antivirus program for detecting the
"run.exe".
If the attacks continue, is there anything specific I should do?

For example, would it be worth finding out the source of the attacks?

If it keeps coming back, like it comes back immediately, then there is
some hidden process piggybacking off another one, possibly a legitimate
process, that you'll have to track down with the tools in the Hidden
Backdoor link.

If it shows sporadically, then someone that's using the computer is
doing something to bring it back, and the person has contributed to it in
some way, so you'll have to find out who is doing what and correct it.
It's not just going to show up by itself.

Duane :)