Virus killing AV software?

Baruch

I upgraded from Win 98 to XP Home today. The upgrade didn't like my
AV or firewall software (AntiVir and Sygate Personal), so I was
unprotected for a while. I also waited too long to install the
various Microsoft patches, thinking that since this was a fresh
install, it would be OK to wait a while. Silly me...

When I tried to install the software (AV and firewall), they wouldn't
work correctly. I went to their respective Websites, did a fresh
download, uninstalled everything, reinstalled, and still no good. The
programs start up and die. Once, it ran long enough to tell me that
it had found a "nachi.b.1 worm". Apparently another name for this is
"welchia".

Then I tried to access McAfee and Symantec, but could not get through
to them - "Cannot Find Server". In fact, almost *any* antivirus
software site was inaccessible.

Any software I had that might give me insight (msconfig, for example)
died right after it started.

Other programs, however, worked fine. I could get to most Websites,
run other programs, whatever. Just security-related stuff.

I tried to ping Symantec and McAfee from the command line, and this is
where it got interesting. Their IP address showed up as 127.0.0.1.
At least now I know why I couldn't access their sites.

I looked at the "hosts" file (on XP Home it's at:
C:\Windows\System32\drivers\etc). It had many entries, which I
produce here:

127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com

As you can see, many AV companies are redirected to localhost. The
other files in the folder were uncorrupted, and once I fixed hosts I
was able to get to the AV companies without problems.

My questions are:

1. Has anyone encountered a similar situation?
2. Aside from using AV to clean up, and a firewall to keep from
getting reinfected, is there anything else I need to do?
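The redirection Baruch found is easy to audit mechanically: anything in the hosts file other than "localhost" that points at a loopback or unspecified address is a hijack, and a hosts entry for an AV vendor name is suspect whatever it points to. The following is an added example, not code from this thread; SAMPLE_HOSTS is constructed to mimic the posted file, and WATCHED_SUFFIXES is an assumed watch list built from the names that appeared in it.

```python
"""Audit a Windows hosts file for hijacked security-vendor entries.

Added example for the hosts-file redirection described above, not code
from the original thread. SAMPLE_HOSTS is constructed test data and
WATCHED_SUFFIXES is an assumed list drawn from the posted names.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed watch list: second-level domains seen in the posted file. An entry
# for any of these in a home PC's hosts file is suspicious whatever its target.
WATCHED_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "nai.com",
    "networkassociates.com", "sophos.com", "f-secure.com", "kaspersky.com",
    "avp.com", "viruslist.com", "ca.com", "my-etrust.com", "trendmicro.com",
)
# The only names that legitimately map to a loopback address.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain"}

Entry = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """One (line_no, ip, name) per mapping: '#' comments stripped, lines with
    several hostnames expanded, malformed lines skipped."""
    entries: List[Entry] = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            entries.append((no, fields[0], name.lower().rstrip(".")))
    return entries


def is_blackhole(ip: str) -> bool:
    """True for 127.0.0.0/8, ::1, 0.0.0.0 and ::, the targets that make a
    site unreachable (which is why ping reported 127.0.0.1 above)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # garbage in the address column is not a hijack
        return False
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str) -> Dict[str, object]:
    """hijacked: non-localhost names sent to a blackhole address.
    watched: vendor names present at all (a redirect to an attacker IP is
    as bad as loopback). loopback_ok: count of legitimate localhost lines."""
    hijacked: List[Entry] = []
    watched: List[Entry] = []
    loopback_ok = 0
    for entry in parse_hosts(text):
        _, ip, name = entry
        if is_blackhole(ip):
            if name in LEGIT_LOOPBACK:
                loopback_ok += 1
            else:
                hijacked.append(entry)
        if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            watched.append(entry)
    return {"hijacked": hijacked, "watched": watched, "loopback_ok": loopback_ok}


def clean_hosts(text: str) -> str:
    """Comment out (rather than delete) hijacked lines so the evidence survives;
    the caller writes the result back to the hosts file."""
    bad = {no for no, _, _ in audit_hosts(text)["hijacked"]}
    lines = [("# [hijack removed] " + raw) if no in bad else raw
             for no, raw in enumerate(text.splitlines(), 1)]
    return "\n".join(lines) + "\n"


# Constructed sample modelled on the posted file, plus a few variants.
SAMPLE_HOSTS = """\
# constructed test data, not a real machine's file
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
0.0.0.0   download.mcafee.com
::1       localhost
127.0.0.1 viruslist.com   # the posted file listed this name twice
127.0.0.1 viruslist.com
192.0.2.10 update.symantec.com   # not loopback, but still a vendor name
10.0.0.5  intranet.example
"""

if __name__ == "__main__":
    import sys
    # Usage: python hosts_audit.py [path-to-hosts]; defaults to the sample.
    src = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
           if len(sys.argv) > 1 else SAMPLE_HOSTS)
    report = audit_hosts(src)
    for no, ip, name in report["hijacked"]:
        print(f"line {no}: {name} -> {ip}  BLACKHOLED")
    for no, ip, name in report["watched"]:
        print(f"line {no}: vendor name {name} present (-> {ip})")
    print(f"{report['loopback_ok']} legitimate loopback entries")
```

Two caveats when running this against a real XP box: Windows reads the hosts file location from the registry value DataBasePath under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, so check that value rather than assuming the default folder, and the file is often left hidden or read-only, so clear those attributes before writing the cleaned copy back. Cleaning the file is also pointless while the process that rewrote it is still running; if the entries reappear, the worm is still active.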
 
Pepperoni

http://vil.nai.com/vil/stinger/

Baruch said:
I upgraded from Win 98 to XP Home today. The upgrade didn't like my
AV or firewall software (AntiVir and Sygate Personal), so I was
unprotected for a while. I also waited too long to install the
various Microsoft patches, thinking that since this was a fresh
install, it would be OK to wait a while. Silly me... [snip]
 
Guillermito

Baruch said:
1. Has anyone encountered a similar situation?

The type of virus you encountered is called a "retrovirus" (*). They
try to fight back against anti-viruses or firewalls by shutting them down
or uninstalling them, and they forbid connections to security websites
that may correct the problem (information or updates). It's pretty
usual today.
2. Aside from using AV to clean up, and a firewall to keep from
getting reinfected, is there anything else I need to do?

- Avoid clicking on attachments :)
- Update your OS (especially to correct the RPC windows flaw).
- Use a decent e-mail software.

(*) This was probably an attempt to make an analogy with biological
retroviruses, but those have nothing to do with "fighting back".
Viruses like HIV are called this way because they don't follow the
biology central dogma, which defines the normal information flow to
be:

DNA (genome) => RNA (messenger) => Proteins (the real players)

The retroviruses have a genome consisting of RNA and go the other way
round:

RNA (viral genome) => DNA (host genome)

Well. This said, you may see the central dogma of computer virology as
"the antivirus kills the virus". So when it's the opposite, "the virus
kills the antivirus", then it's a retrovirus.
 
Baruch

On Tue, 6 Apr 2004 00:39:39 -0400, "Pepperoni"

|>http://vil.nai.com/vil/stinger/
|>
Thanks. I tried that, without finding anything...

|>> I upgraded from Win 98 to XP Home today. The upgrade didn't like my
|>> AV or firewall software (AntiVir and Sygate Personal), so I was
|>> unprotected for a while. I also waited too long to install the
 
Baruch

|>
|>>1. Has anyone encountered a similar situation?
|>
|>The type of virus you encountered is called a "retrovirus" (*). They
|>try to fight back against anti-viruses or firewalls by shutting them down
|>or uninstalling them, and they forbid connections to security websites
|>that may correct the problem (information or updates). It's pretty
|>usual today.
|>
It certainly gave me a run for my money...

|>>2. Aside from using AV to clean up, and a firewall to keep from
|>>getting reinfected, is there anything else I need to do?
|>
|>- Avoid clicking on attachments :)

Oh, is *that* what does it??? ;-)

|>- Update your OS (especially to correct the RPC windows flaw).
|>- Use a decent e-mail software.
|>
Thanks for the input. I just *LOVE* Microsoft products.
 
Geese_Hunter

baruch01 said:
I upgraded from Win 98 to XP Home today. The upgrade didn't like my
AV or firewall software (AntiVir and Sygate Personal), so I was
unprotected for a while. I also waited too long to install the
various Microsoft patches, thinking that since this was a fresh
install, it would be OK to wait a while. Silly me...

When I tried to install the software (AV and firewall), they wouldn't
work correctly. I went to their respective Websites, did a fresh
download, uninstalled everything, reinstalled, and still no good. The
programs start up and die. Once, it ran long enough to tell me that
it had found a "nachi.b.1 worm". Apparently another name for this is
"welchia".

Then I tried to access McAfee and Symantec, but could not get through
to them - "Cannot Find Server". In fact, almost *any* antivirus
software site was inaccessible.

Any software I had that might give me insight (msconfig, for example)
died right after it started.

Other programs, however, worked fine. I could get to most Websites,
run other programs, whatever. Just security-related stuff.
<snip>
If you are using anything above 98se, go to
http://www.grc.com/default.htm
& get Shoot The Messenger, the DCOMbobulator, & UnPlug n' Pray. These
will close known vulnerable ports. Also, don't use a p2p w/o a p2p virus
scanner that scans the file as it's coming down, like Avast does. Does it
use more resources than AVG? You bet. Why? Because it is actively
scanning (if configured properly), not waiting till it's on your machine
& then trying to scan when you run it.
 
kurt wismer

Baruch said:
I upgraded from Win 98 to XP Home today. The upgrade didn't like my
AV or firewall software (AntiVir and Sygate Personal), so I was
unprotected for a while. I also waited too long to install the
various Microsoft patches, thinking that since this was a fresh
install, it would be OK to wait a while. Silly me... [snip]
My questions are:

1. Has anyone encountered a similar situation?

many people have... in fact, many times many...
2. Aside from using AV to clean up, and a firewall to keep from
getting reinfected, is there anything else I need to do?

read (and apply) http://www.cablemodemhelp.com/xpsurvivalguide.pdf ...
in fact it might even be worth your while to print it out, reinstall xp
and apply these protective settings before reconnecting to the internet
(since that's how the guide is intended to be used)...
 
Baruch

Thanks, folks, for all your help. I appreciate it and I'll try to
implement the suggestions you gave me.
-B
 
FromTheRafters

Guillermito said:
Well. This said, you may see the central dogma of computer virology as
"the antivirus kills the virus". So when it's the opposite, "the virus
kills the antivirus", then it's a retrovirus.

Nice explanation. It is also noteworthy that when retroviruses
kill an AV, they may breathe new life into old and known to
AV malware. So they are "retro" in more ways than one.
 
