Mass Mailer Virus?

Kevin Altizer

I read an article some time back that said to open a DOS prompt window and
type in netstat to check for TCP/IP connections. I was infected with the
swan32 virus and I found several SMTP connections happening in the
background while my computer was running. I think I'm infected again
because earlier today I typed netstat in and found three different SMTP
connections going on. I rebooted and they were gone. I just checked again
and one was going on besides this news connection; it had the foreign address listed
as 'criminal.net'. I'm pretty sure I'm infected again. I have a laptop
networked to a desktop via a broadband Ethernet router. I have an updated
version of McAfee on the laptop. It checked OK. I tried to download a copy
of McAfee to the infected desktop and got error messages. How can I get rid
of this virus?
 
Kevin Altizer

Kevin Altizer said:
I read an article some time back that said to open a DOS prompt window and
type in netstat to check for TCP/IP connections. I was infected with the
swan32 virus and I found several SMTP connections happening in the
background while my computer was running. I think I'm infected again
because earlier today I typed netstat in and found three different SMTP
connections going on. I rebooted and they were gone. I just checked again
and one was going on besides this news connection; it had the foreign address listed
as 'criminal.net'. I'm pretty sure I'm infected again. I have a laptop
networked to a desktop via a broadband Ethernet router. I have an updated
version of McAfee on the laptop. It checked OK. I tried to download a copy
of McAfee to the infected desktop and got error messages. How can I get rid
of this virus?


After sending this thread I did the netstat check again with nothing running
on my desktop and this is what I got:


Microsoft(R) Windows 98
(C)Copyright Microsoft Corp 1981-1999.

C:\WINDOWS>netstat

Active Connections

Proto Local Address Foreign Address State
TCP Default:1139 news2-ge0.southeast.rr.com:nntp TIME_WAIT
TCP Default:1142 news2-ge0.southeast.rr.com:nntp TIME_WAIT
TCP Default:1145 altizer.org.criticalpath.net:pop3 TIME_WAIT
TCP Default:1146 criminal.ws:pop3 TIME_WAIT
TCP Default:1148 pop-server.carolina.rr.com:pop3 TIME_WAIT
TCP Default:1149 altizer.org.criticalpath.net:pop3 TIME_WAIT
TCP Default:1152 pop-server.carolina.rr.com:pop3 TIME_WAIT

C:\WINDOWS>

HELP!
 
David H. Lipman

W32/Swen@MM - http://vil.nai.com/vil/content/v_100662.htm

W32.Swen.A@mm - http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

Download the McAfee worm removal tool, Stinger: http://vil.nai.com/vil/stinger/

1) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot your PC into Safe Mode
3) Using McAfee Stinger, perform a Full Scan of your platform and clean/delete any
infectors found
4) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 200 ~ 400MB), then
reboot your PC.
5) If you are using WinME or WinXP, create a new Restore point
6) Please report back your results

Dave



| I read an article some time back that said to open a DOS prompt window and
| type in netstat to check for TCP/IP connections. I was infected with the
| swan32 virus and I found several SMTP connections happening in the
| background while my computer was running. I think I'm infected again
| because earlier today I typed netstat in and found three different SMTP
| connections going on. I rebooted and they were gone. I just checked again
| and one was going on besides this news connection; it had the foreign address listed
| as 'criminal.net'. I'm pretty sure I'm infected again. I have a laptop
| networked to a desktop via a broadband Ethernet router. I have an updated
| version of McAfee on the laptop. It checked OK. I tried to download a copy
| of McAfee to the infected desktop and got error messages. How can I get rid
| of this virus?
|
|
 
David W. Hodgins

> After sending this thread I did the netstat check again with nothing running
> on my desktop and this is what I got:

Once you clear up the problem, you may want to look into getting your IP
removed from the blocklists. So far, the only one I've found that has
your IP (66.56.102.176) listed is
http://www.jammconsulting.com/policies/dnsbl.html, which has you listed
as a spam sender. According to their policies, they have notified the
abuse desk at Road Runner. It would be nice if your ISP would have let
you know that your computer was sending spam. (e-mail address removed) are well known
for ignoring all complaints.

You have a trojan installed, that's allowing spammers to send email from
your computer, or a mass mailing worm, or both.

First run an AV scan. See http://www.claymania.com/panic.html for info
and links to various scanners.

Report back here, if you still have any problems.

Regards, Dave Hodgins
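The blocklist check Dave Hodgins describes is a DNS lookup: a DNSBL publishes one name per listed address, built from the IP with its octets reversed under the list's zone, and answers with an A record in 127.0.0.x when the address is listed (NXDOMAIN otherwise). The following is an added example, not code from this thread or from any blocklist operator; the zone name `dnsbl.example` is a placeholder, and the resolver is swappable so the block runs offline against a constructed answer table.

```python
"""DNSBL lookup for an IPv4 address: build the reversed-octet query name
and interpret the answer.  Added example, not code from the thread or from
any blocklist operator; the zone name is a placeholder."""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# The IP Dave Hodgins reports as listed, and a placeholder zone
# (assumption: each real DNSBL publishes its own zone name).
LISTED_IP = "66.56.102.176"
ZONE = "dnsbl.example"


def dnsbl_name(ip: str, zone: str) -> str:
    """'66.56.102.176' + 'dnsbl.example' -> '176.102.56.66.dnsbl.example'.
    The address is validated first so a hostname or garbage is rejected
    instead of being silently reversed."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def dnsbl_lookup(ip: str, zone: str,
                 resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return the A record the list answers with (127.0.0.x by convention),
    or None when the name does not resolve, i.e. the IP is not listed."""
    try:
        return resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return None


def fake_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Offline stand-in for socket.gethostbyname: answers from a dict and
    raises gaierror (what NXDOMAIN surfaces as) for anything else."""
    def resolve(name: str) -> str:
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


if __name__ == "__main__":
    # Constructed answer table: only the listed IP has a record.
    resolver = fake_resolver({dnsbl_name(LISTED_IP, ZONE): "127.0.0.2"})
    for ip in (LISTED_IP, "192.0.2.1"):
        print(ip, dnsbl_lookup(ip, ZONE, resolver) or "not listed")
```

To query a real list, drop the `resolve` argument so `socket.gethostbyname` is used, and treat the returned 127.0.0.x value according to that list's published code table; the meaning of the low octet differs between operators.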
 
Kevin Altizer

I tried the stinger.exe and still have this after I rebooted (after I
checked my email, 4 POP accounts):
/*
Microsoft(R) Windows 98
(C)Copyright Microsoft Corp 1981-1999.

C:\WINDOWS>netstat

Active Connections

Proto Local Address Foreign Address State
TCP Default:1029 altizer.org.criticalpath.net:pop3 TIME_WAIT
TCP Default:1032 criminal.ws:pop3 TIME_WAIT

C:\WINDOWS>
*/

I ran it first without Safe Mode; all files were clean. Then I ran it in
Safe Mode; this is the text report file from Stinger:

McAfee AVERT Stinger Version 1.9.6 built on Jan 26 2004

Copyright (C) 2002-2003 Networks Associates Technology, Inc. All Rights
Reserved.

Virus data file v1000 created on Jan 26 2004.

Ready to scan for 36 viruses, trojans and variants.



Scan initiated on Mon Jan 26 18:00:39 2004

Number of clean files: 92582
<snip>

Now I'm going to try the av scan that David Hodgins suggested in his post.
I will report back asap.
 
Kevin Altizer

I went to claymania.com and d/l'd the free Avast cleaner and logged this:

1/26/04, 7:07:02 PM
Memory scanning started...
No virus body found in memory.
Memory scanning finished (3.2s).
----------
Files scanning started...
No virus body found.
Files scanning finished (25837 files, 0 infected, 209.9s).
Drives scanned: C: D:
----------

Yet after rebooting and running MS Outlook Express I get this after typing
netstat at the DOS prompt:



Microsoft(R) Windows 98
(C)Copyright Microsoft Corp 1981-1999.

C:\WINDOWS>netstat

Active Connections

Proto Local Address Foreign Address State
TCP Default:1029 altizer.org.criticalpath.net:pop3 TIME_WAIT
TCP Default:1032 criminal.ws:pop3 TIME_WAIT
TCP Default:1034 pop-server.carolina.rr.com:pop3 TIME_WAIT

C:\WINDOWS>


This is with everything closed. The pop-server.carolina.rr.com:pop3 is my
ISP, the altizer.org is my web host, which I have a POP account with, and the
criminal.ws:pop3 is ????, I don't know...

I'm at bay here, guys...

 
David H. Lipman

TIME_WAIT means you WERE connected but are no longer; the socket is waiting to time out.

Dave



| I went to claymania.com and d/l'd the free Avast cleaner and logged this:
|
| 1/26/04, 7:07:02 PM
| Memory scanning started...
| No virus body found in memory.
| Memory scanning finished (3.2s).
| ----------
| Files scanning started...
| No virus body found.
| Files scanning finished (25837 files, 0 infected, 209.9s).
| Drives scanned: C: D:
| ----------
|
| Yet after rebooting and running MS Outlook Express I get this after typing
| netstat at the DOS prompt:
|
|
|
| Microsoft(R) Windows 98
| (C)Copyright Microsoft Corp 1981-1999.
|
| C:\WINDOWS>netstat
|
| Active Connections
|
| Proto Local Address Foreign Address State
| TCP Default:1029 altizer.org.criticalpath.net:pop3 TIME_WAIT
| TCP Default:1032 criminal.ws:pop3 TIME_WAIT
| TCP Default:1034 pop-server.carolina.rr.com:pop3 TIME_WAIT
|
| C:\WINDOWS>
|
|
| This is with everything closed. The pop-server.carolina.rr.com:pop3 is my
| ISP, the altizer.org is my web host, which I have a POP account with, and the
| criminal.ws:pop3 is ????, I don't know...
|
| I'm at bay here, guys...
|
| | > On Mon, 26 Jan 2004 21:48:49 GMT, Kevin Altizer <[email protected]>
| wrote:
| >
| > > After sending this thread I did the netstat check again with nothing
| running
| > > on my desktop and this is what I got:
| >
| > Once you clear up the problem, you may want to look into getting your IP
| > removed from the blocklists. So far, the only one I've found that has
| > your IP (66.56.102.176) listed is
| > http://www.jammconsulting.com/policies/dnsbl.html, which has you listed
| > as a spam sender. According to their policies, they have notified the
| > abuse desk at Road Runner. It would be nice if your ISP would have let
| > you know that your computer was sending spam. (e-mail address removed) are well known
| > for ignoring all complaints.
| >
| > You have a trojan installed, that's allowing spammers to send email from
| > your computer, or a mass mailing worm, or both.
| >
| > First run an AV scan. See http://www.claymania.com/panic.html for info
| > and links to various scanners.
| >
| > Report back here, if you still have any problems.
| >
| > Regards, Dave Hodgins
| >
| > --
| > Change nomail.afraid.org to rogers.com to reply by email.
| > (nomail.afraid.org has been set up specfically for
| > use in usenet. Feel free to use it yourself.)
|
|
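Kevin's checks and Dave Lipman's reply above turn on two things a netstat listing can and cannot tell you: which remote hosts and services were contacted, and whether a row is a live session (ESTABLISHED) or a closed one whose socket is still draining (TIME_WAIT). Windows 98 netstat also has no process column, so nothing in the output says which program opened a connection. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it parses the netstat output Kevin posted (plus one constructed ESTABLISHED row to `mx.example.net`, an invented host), checks mail-port rows against the hosts Kevin identified as his own, and summarises states so the TIME_WAIT caveat is visible rather than implied.

```python
"""Classify Windows netstat output: flag mail-server connections to hosts
that are not on a known-good list, and separate live sessions from
TIME_WAIT leftovers.  Added example, not code from the original thread."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Output posted in the thread (Windows 98 netstat, no PID column), plus one
# constructed ESTABLISHED row to an invented host to show the state split.
SAMPLE = """\
Active Connections

Proto Local Address Foreign Address State
TCP Default:1029 altizer.org.criticalpath.net:pop3 TIME_WAIT
TCP Default:1032 criminal.ws:pop3 TIME_WAIT
TCP Default:1034 pop-server.carolina.rr.com:pop3 TIME_WAIT
TCP Default:1051 mx.example.net:smtp ESTABLISHED
"""

# Hosts the poster named as his own ISP / web host; anything else on a
# mail port is reviewed.  criminal.ws is deliberately absent.
KNOWN_HOSTS = {
    "pop-server.carolina.rr.com",    # ISP POP3
    "altizer.org.criticalpath.net",  # web host POP3
    "news2-ge0.southeast.rr.com",    # ISP NNTP
}
# netstat prints service names when it can resolve them, numbers otherwise.
MAIL_PORTS = {"smtp", "pop3", "25", "110"}


class Conn(NamedTuple):
    proto: str
    local_host: str
    local_port: str
    remote_host: str
    remote_port: str
    state: str   # empty for UDP rows, which carry no state


# Last colon splits host from port, so dotted hostnames parse cleanly.
ROW = re.compile(r"^(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S*)$")


def parse_netstat(text: str) -> List[Conn]:
    """Keep only TCP/UDP rows; banner and header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            conns.append(Conn(*m.groups()))
    return conns


def suspicious(conns: List[Conn], known=KNOWN_HOSTS) -> List[Conn]:
    """Mail-port rows to hosts the user did not account for."""
    return [c for c in conns
            if c.remote_port in MAIL_PORTS and c.remote_host not in known]


def live(conns: List[Conn]) -> List[Conn]:
    """Rows that are still open; TIME_WAIT rows have already closed."""
    return [c for c in conns if c.state == "ESTABLISHED"]


def state_summary(conns: List[Conn]) -> Dict[str, int]:
    return dict(Counter(c.state for c in conns))


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE)
    print("states:", state_summary(conns))
    for c in suspicious(conns):
        print(f"review: {c.remote_host}:{c.remote_port} ({c.state})")
```

A TIME_WAIT row to an unknown mail server is still worth a look, since it proves the connection happened; it just does not prove anything is running now. To catch the sender in the act, run the check while the mail client is closed and the machine has been idle, and repeat it until an ESTABLISHED or SYN_SENT row appears.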
 
Kevin Altizer

Thanks, David. I guess I'm virus-free, but I've been having some weird
happenings. Thanks, though...

Kevin
 
Gabriele Neukam

On that special day, David H. Lipman, ([email protected])
said...
> TIME_WAIT means you WERE connected but no longer and is waiting to time-out.

Sure, but in another post of Kevin you can read:
> and still have this after I rebooted: (after I
> checked my email, 4 pop accounts)

Which may as well mean that the unknown agent *was* active while he
checked the mails, and then stopped working when he left the mail
server.

He still cannot tell whether the computer is clean or not.

Kevin, is your configuration set up to connect immediately after booting
up? Do you always receive the same IP number, or is it provided
dynamically (in Germany, there is a big DSL service, T-DSL, which
disconnects after 24 hours, and will assign a new IP number when
reconnecting)?

Read these sites to get an idea what *might* have happened to your
machine:

http://www.lurhq.com/sobig-f.html
http://www.securityfocus.com/news/4217
http://www.kaspersky.com/news.html?id=982906

Did you try programs like Pest Patrol or Spybot Search and Destroy?
Anti-virus programs are fine for viruses; but trojan horses are
different beasts, and it might be better advice to use a program on them
that is specialized in trojan detection.

Just my 2 Eurocent.


Gabriele Neukam

(e-mail address removed)
 
David W. Hodgins

> I'm at bay here, guys...

A separate issue is updating your software. From your article's headers...
X-Newsreader: Microsoft Outlook Express 5.00.2615.200

That ancient version of Lookout will auto-execute viruses or worms in
email or news articles. Apply all of the updates, to all of your software.

Regarding which software is currently sending the spam from your computer,
have you tried the Stinger removal tool, http://vil.nai.com/vil/stinger/ ?

Also, look at http://users.iafrica.com/c/cq/cquirke/startup.htm
to try and figure out what's being started, that shouldn't be.

Regards, Dave Hodgins
 