I'm being uploaded from!

Home Mail

I don't know how my computer was infected. I've been running AVG free
version and it picked nothing up. Then yesterday I noticed my connection
displaying activity when I was downloading anything. When I checked the
connection I had uploaded 50 MB of data!!!

I proceeded to download Norton AntiVirus trial edition and it found a number
of nasty critters. These included IRC/Backdoor.something, dropper.delf and a
few "bloodhounds". I hope I've disinfected myself now but am unsure.
Infected files found were winsys.exe and mirc(1).exe.

Can someone give me some more information about these viruses? What sort of
information do you think was uploaded from my comp? I need to know this so
that I can change passwords etc, if necessary. Also, I noticed (using
netstat -a) that there were numerous connections to my comp so there must
have been 60-70 odd people exploiting the virus/trojan. What sorts of
programs do these people use to connect to my comp?

As I said I haven't got a clue how I was infected and am pissed off that AVG
didn't pick anything up. I guess what you pay for is what you get.
 
Bart Bailey

> As I said I haven't got a clue how I was infected and am pissed off that AVG
> didn't pick anything up. I guess what you pay for is what you get.

Maybe you weren't infected at all, just compromised (owned) by some
remote administration tool (RAT) that someone was clever enough to get
you to install for them.
 
Art

> I don't know how my computer was infected.

If you didn't run some email attachment, then it's usually a matter
of:

1. Not using a firewall and strong passwords.
2. Not using secure browser settings.

> I've been running AVG free
> version and it picked nothing up.

You can't rely on just an antivirus scanner (as you're learning the
hard way).

> Then yesterday I noticed my connection
> displaying activity when I was downloading anything. When I checked the
> connection I had uploaded 50 MB of data!!!
>
> I proceeded to download Norton AntiVirus trial edition and it found a number
> of nasty critters. These included IRC/Backdoor.something, dropper.delf and a
> few "bloodhounds". I hope I've disinfected myself now but am unsure.
> Infected files found were winsys.exe and mirc(1).exe.

Bloodhounds are NAV's heuristic alert, which means NAV can't pinpoint
a particular malware.

> Can someone give me some more information about these viruses?

Not viruses. Backdoors and RATs, apparently. You need a specific
malware name (or names). Then you can look them up in Symantec's virus
encyclopedia (if they have the malware description available). Or just
Google the malware name and hope that leads quickly to descriptions.

Another approach is to use Project VGrep to find alias names used by
other av vendors:

http://www.virusbtn.com/resources/vgrep/index.xml

Other vendors might have descriptions.

> What sort of
> information do you think was uploaded from my comp?

Probably anything and everything of interest to a hacker. All
passwords and personal info.

> I need to know this so
> that I can change passwords etc, if necessary. Also, I noticed (using
> netstat -a) that there were numerous connections to my comp so there must
> have been 60-70 odd people exploiting the virus/trojan. What sorts of
> programs do these people use to connect to my comp?

In some cases, they use scripts running on MIRC. Why should you care
what they use?

> As I said I haven't got a clue how I was infected and am pissed off that AVG
> didn't pick anything up. I guess what you pay for is what you get.

AVG isn't the best, but neither is NAV. But that's beside the point.
You've got to learn how to protect yourself. No av is going to save
you from yourself. See my web site. It has a link to the claymania
"safe hex" page. Note that some of us use no realtime av monitor at
all, and we have no problems with malware or spyware. So don't blame
your av.


Art
http://www.epix.net/~artnpeg
 
Home Mail

> If you didn't run some email attachment, then it's usually a matter
> of:
>
> 1. Not using a firewall and strong passwords.
> 2. Not using secure browser settings.

What sort of browser settings should I be using?

> You can't rely on just an antivirus scanner (as you're learning the
> hard way).

Unfortunately ...

> Not viruses. Backdoors and RATs, apparently. You need a specific
> malware name (or names). Then you can look them up in Symantec's virus
> encyclopedia (if they have the malware description available). Or just
> Google the malware name and hope that leads quickly to descriptions.

I've used MIRC recently but I still can't understand how some third party
software was installed on my comp. I've only recently reinstalled XP on a
new drive.

> Probably anything and everything of interest to a hacker. All
> passwords and personal info.

So I guess it would pay to change my passwords now.

> In some cases, they use scripts running on MIRC. Why should you care
> what they use?

Hmm, perhaps this is how it happened. I wasn't running mirc when I was being
uploaded from. I would like to know as knowing is learning. If I know how
people operate then I can be prepared to stop them.

> AVG isn't the best, but neither is NAV. But that's beside the point.
> You've got to learn how to protect yourself. No av is going to save
> you from yourself. See my web site. It has a link to the claymania
> "safe hex" page. Note that some of us use no realtime av monitor at
> all, and we have no problems with malware or spyware. So don't blame
> your av.
>
> Art
> http://www.epix.net/~artnpeg

Thanks for your help Art. I will have a look at this.
 
madmax

Home said:
> What sort of browser settings should I be using?
>
> Unfortunately ...
>
> I've used MIRC recently but I still can't understand how some third party
> software was installed on my comp. I've only recently reinstalled XP on a
> new drive.
>
> So I guess it would pay to change my passwords now.
>
> Hmm, perhaps this is how it happened. I wasn't running mirc when I was being
> uploaded from. I would like to know as knowing is learning. If I know how
> people operate then I can be prepared to stop them.
>
> Thanks for your help Art. I will have a look at this.

In addition to good advice from Art you should consider a better browser
and e-mail client. I use Firefox and Thunderbird. I have links and info on
my site.
-max

--
To help you stay safe see: http://www.geocities.com/maxpro4u/madmax.html
This message is virus free as far as I can tell.
Change nomail.afraid.org to neo.rr.com so you can reply
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)
 
Art

> What sort of browser settings should I be using?

Here are the CERT recommendations:

http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps

CERT also recommends the use of alternate browsers other than IE. My
preference is Mozilla as you can see at my web site.

> Unfortunately ...
>
> I've used MIRC recently but I still can't understand how some third party
> software was installed on my comp. I've only recently reinstalled XP on a
> new drive.

Do yourself a favor and Google up

MIRC SECURITY
IRC SECURITY

> So I guess it would pay to change my passwords now.
>
> Hmm, perhaps this is how it happened. I wasn't running mirc when I was being
> uploaded from.

The malware I had in mind doesn't require that you have MIRC
installed. It uses MIRC whether you use it or not :) It installs
whatever it needs, hidden from you. But that's just one method. There
are others.

> I would like to know as knowing is learning. If I know how
> people operate then I can be prepared to stop them.

Knowing the many ways hackers operate won't necessarily help you with
prevention. I know little about hacking but enough about prevention to
not have any problems with any forms of malware or spyware.

> Thanks for your help Art. I will have a look at this.

You're welcome.


Art
http://www.epix.net/~artnpeg
 
Vladesch

Home Mail said:
> I don't know how my computer was infected. I've been running AVG free
> version and it picked nothing up. Then yesterday I noticed my connection
> displaying activity when I was downloading anything. When I checked the
> connection I had uploaded 50 MB of data!!!

A firewall like ZoneAlarm or Sygate will pick up these outbound connections,
plus they are free. www.zonealarm.com

> I proceeded to download Norton AntiVirus trial edition and it found a number
> of nasty critters. These included IRC/Backdoor.something, dropper.delf and a
> few "bloodhounds". I hope I've disinfected myself now but am unsure.
> Infected files found were winsys.exe and mirc(1).exe.
>
> Can someone give me some more information about these viruses? What sort of
> information do you think was uploaded from my comp? I need to know this so
> that I can change passwords etc, if necessary.

Bloodhound could be a lot of things. Most likely uploaded data was attacks
on ports 135, 137 or 445.

> Also, I noticed (using
> netstat -a) that there were numerous connections to my comp so there must
> have been 60-70 odd people exploiting the virus/trojan. What sorts of
> programs do these people use to connect to my comp?

More likely your computer attempting attacks on other PCs.

> As I said I haven't got a clue how I was infected and am pissed off that AVG
> didn't pick anything up. I guess what you pay for is what you get.

If you're concerned your AV program isn't picking things up, a good place to
check manually is in your startup programs (run msconfig).
Sometimes they are hard to spot though, since they use names that look like
Windows components. Often the "modified date" will give it away.
McAfee has an online virus scan which may pick up more.
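The triage the thread circles around (the original poster's `netstat -a` showing dozens of connections, and Vladesch's reading that the traffic was the machine probing ports 135, 137 and 445 on other hosts rather than people pulling files off it) can be made systematic. The script below is an added example, not code from anyone in the thread: it parses a constructed sample of Windows `netstat -an` output, counts outbound TCP connections per remote port and per state, and flags the two patterns discussed here, a burst of half-open (SYN_SENT) connections to the Windows RPC/SMB ports and an established session to an IRC port. The sample output, the 6667 IRC port and the scan threshold are my assumptions; the thread names IRC but no port number.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -an` output; not captured from the
# poster's machine. 192.0.2.10 is "our" host, the rest are documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:6667      ESTABLISHED
  TCP    192.0.2.10:1046        203.0.113.5:135        SYN_SENT
  TCP    192.0.2.10:1047        203.0.113.6:135        SYN_SENT
  TCP    192.0.2.10:1048        203.0.113.7:445        SYN_SENT
  TCP    192.0.2.10:1049        203.0.113.8:445        SYN_SENT
  TCP    192.0.2.10:1050        203.0.113.9:445        SYN_SENT
  TCP    192.0.2.10:1051        198.51.100.8:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# TCP ports the thread names as the likely targets of the outbound traffic
# (Windows RPC and SMB). 137 is UDP NetBIOS name service and is not tracked here.
SCAN_PORTS = {"135", "445"}
# Conventional IRC port; an assumption for this example, the thread gives none.
IRC_PORTS = {"6667"}
# Half-open connections to SCAN_PORTS before we call it scanning (assumed value).
SCAN_THRESHOLD = 3

# One netstat row: proto, local, foreign and an optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local, foreign, state) tuples; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append((proto, local, foreign, state or ""))
    return rows


def split_port(addr):
    """'198.51.100.7:6667' -> ('198.51.100.7', '6667'); also copes with '*:*'."""
    host, _, port = addr.rpartition(":")
    return host, port


def summarize(text):
    """Count non-listening TCP connections by remote port, state and (port, state)."""
    by_port, by_state, by_port_state = Counter(), Counter(), Counter()
    remote_hosts = set()
    for proto, _local, foreign, state in parse_netstat(text):
        if proto != "TCP" or state == "LISTENING":
            continue  # listeners are not the traffic the poster saw
        host, port = split_port(foreign)
        by_port[port] += 1
        by_state[state] += 1
        by_port_state[(port, state)] += 1
        remote_hosts.add(host)
    return {
        "by_port": dict(by_port),
        "by_state": dict(by_state),
        "by_port_state": dict(by_port_state),
        "remote_hosts": len(remote_hosts),
    }


def assess(summary):
    """Turn the counts into the two findings discussed in the thread."""
    findings = []
    half_open = sum(n for (port, state), n in summary["by_port_state"].items()
                    if port in SCAN_PORTS and state == "SYN_SENT")
    if half_open >= SCAN_THRESHOLD:
        findings.append(
            f"{half_open} half-open connections to ports {sorted(SCAN_PORTS)}: "
            "this host is probing other machines, not being uploaded from")
    irc = sum(n for (port, state), n in summary["by_port_state"].items()
              if port in IRC_PORTS and state == "ESTABLISHED")
    if irc:
        findings.append(
            f"{irc} established session(s) to an IRC port: consistent with an "
            "IRC-controlled backdoor; find the owning process and isolate the host")
    return findings


if __name__ == "__main__":
    s = summarize(SAMPLE_NETSTAT)
    print("connections per remote port:", s["by_port"])
    print("distinct remote hosts:", s["remote_hosts"])
    for finding in assess(s):
        print("FINDING:", finding)
```

On a real machine, paste the output of `netstat -an` into `summarize()` in place of the sample; `netstat -ano` additionally prints the owning process ID, which is what you need to match a suspicious session to a startup entry like the ones Vladesch suggests checking in msconfig.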