Onilotreb Valsimot
Excuse me for cross-posting, I wasn't sure which group would be the most
appropriate, since the question might involve a few OSes.
I have two Ethernet connected machines - a dual boot (2000 Server/XP Pro)
ICS hosting machine connected to the Internet via ADSL USB modem and a 95C
machine (in fact it's multiboot too, but the whole thing happened
while it was under W95, so the other OSes can be ignored here) with Norton
AntiVirus 2001 installed (the first one has AVG under both OSes). The 95
machine has no network shares and it's accessible from the other one
only via smtp or http (however, it has only a local IP address, so I don't
think it could be accessed from the Internet, unless someone gains control
over the ICS hosting machine).
I am using only the 95 machine for downloading email. I'm running a personal
mail server (Mercury) on it, so all incoming mail is NAV checked at least
twice (when downloaded from the Internet by Mercury and when 'downloaded'
from Mercury by a mail client); furthermore, Mercury is configured to start
NAV whenever a message arrives addressed to some of my less private
addresses, particularly exposed to spamming, to scan the folders on disk
where it's stored before being delivered to a client (and, of course, in
case of a particular suspect, the files can be checked manually, too). BTW,
on XP I have the built-in firewall enabled on ICS, but I am not sure
whether it is configured well and whether it's protecting me. I don't think I
have a firewall under 2000. (I know, I know... but I am quite new to
networking and firewalling.)
During the last system scan on the 95 machine NAV discovered
W32.Bugbear.B@mm in the Eudora\attach folder and put it in quarantine.
Actually, since the previous system scan (maybe just since that particular
message was downloaded), NAV mail protection was frequently crashing,
or its proxy just stopped working, and the system has also been frequently
and unreasonably short of memory. In fact, the Eudora 'download' also
crashed on the first attempt and the crash was caused by NAV (although
at the time I attributed it to the huge amount of messages it had to
load - it was mail for accounts I hadn't been checking for a while).
I've seen on
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
l that W32.Bugbear.B@mm 'contains routines that specifically affect
financial institutions. This functionality will cause the worm to send
sensitive data to one of ten hard-coded public Internet e-mail addresses.
The information sent includes cached passwords and key-logging data.' It
attempts to terminate processes of various antivirus and firewall programs
(see above!). It copies itself to accessible shares (my 95 machine has no LAN
shares on it, but practically the whole 2000/XP machine, not only the
shared folders, is accessible, since the 95 user is administrator on it -
the drive letters are just hidden for him, but not inaccessible).
I don't have any suspect *.exe's in any Startup folder on any system. In
my 95's C:\Windows\System I have five 5,632-byte DLLs, but all seem to be
legitimate Windows DLLs and none is randomly named (as the article
describes the PWS.Hooker.Trojan, dropped by the worm for keylogging). I
don't see any suspect *.exe in my network shared documents, but Symantec
says it infects files matching filenames like regedit.exe, mplayer.exe,
notepad.exe etc. However, I don't seem to have any file from Symantec's
list in my Shareddocs (All users\Documents), but I also have a shared
program repository on that (2000/XP) machine and, although the exe's there
are mainly just installation archives and never installed programs
themselves, there are hundreds of them and I can hardly be sure none of the
filenames matches any from the list. AVG has detected nothing. It doesn't
seem that I have port 1080 open on any system.
If an attachment is .js or .scr (and W32.Bugbear.B@mm *is*) it may execute
without a user's action, am I right? Although I am sure I have never opened
the infected message in Eudora and I really don't believe it has even ever
been displayed in the preview window...
So I might seem paranoid, but... NAV protection crashes and memory problems
strangely coincide with the worm's arrival. And the nature of the threat is
very... delicate. I am certainly not a 'financial institution' :) but I do,
from time to time, do online financial transactions. Well, I assume that now
it has been put out of combat (is it?), but I need to be sure it hasn't sent
any information before being put in quarantine. Meanwhile I'll use Linux for
online payments. Although... *if* the 2000/XP machine is infected too, maybe
the worm, somehow, can intercept the traffic passing through its ICS? I need
to know A) whether I have any way to find out if any information has already
been sent from the W95 system? B) How can I be absolutely sure that the
XP/2000 machine is free of that worm?
An additional question, please: after the incident (only after :) ), I've
added to my Mercury server rules like this - to delete any incoming message
that in the mess. body contains lines matching "*Content-Type:
application/octet-stream*" AND "*filename="*.scr"" (and by analogy for .js
and .pif; I probably should add .vbs). But... *this* worm is characterised by
incorrect MIME headers, so it can say 'Content-Type: image/jpeg' (matching
the type of the file whose name it has 'stolen'), and then contain - a .scr
file! So, I suppose my rules wouldn't block it and I'm afraid that only
"*filename="*.js"" might be too restrictive. Opinions? A better way to
create rules?
I apologise for the long post and will greatly appreciate any response.
Thanks in advance.
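An added example (not part of the original post, and written in Python rather than as a Mercury rule) of the kind of filter the last question asks about: it judges each attachment by its filename extension and by the decoded bytes themselves, so a part that claims 'Content-Type: image/jpeg' but carries a .scr executable is still caught. The sample message, the extension list and the tiny magic-bytes table are constructed for this example.

```python
import email
import os
from email import policy

# Judged on the attachment's filename, never on what Content-Type claims.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".js", ".vbs", ".exe", ".com", ".bat"}
# Minimal constructed table of magic bytes a part declared as an image should start with.
IMAGE_MAGIC = {"image/jpeg": (b"\xff\xd8\xff",), "image/gif": (b"GIF87a", b"GIF89a")}
# Constructed sample: a part declared image/jpeg that actually carries a .scr
# whose first bytes are the PE 'MZ' header (base64 of MZ\x90\x00\x03\x00...).
SAMPLE_RAW = b"""Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: image/jpeg; name="photo.jpg.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="photo.jpg.scr"

TVqQAAMAAAAEAAAA
--bnd--
"""


def attachment_findings(raw: bytes) -> list:
    """Return one dict per named attachment with the reasons it looks dangerous."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(filename)[1].lower()
        reasons = []
        if ext in BLOCKED_EXTENSIONS:          # check 1: extension alone, any Content-Type
            reasons.append(f"blocked extension {ext}")
        if payload[:2] == b"MZ":               # check 2: Windows executable, whatever its name
            reasons.append("payload starts with PE 'MZ' signature")
        magics = IMAGE_MAGIC.get(declared)     # check 3: declared an image, bytes are not one
        if magics and not payload.startswith(magics):
            reasons.append(f"declared {declared} but content is not that type")
        findings.append({"filename": filename, "declared_type": declared, "reasons": reasons})
    return findings


def should_quarantine(raw: bytes) -> bool:
    """True when any attachment tripped at least one check."""
    return any(f["reasons"] for f in attachment_findings(raw))
```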