FortKnox's Journal: The Result of the Computer Fiasco

Well, the 'old' computer wouldn't start because the video card was burnt out. GeForce4 and the fan wasn't working. Installed new video card and voila.

The 'new' computer had 6 reported viruses:
I-Worm/Woff
Dropper.small
Backdoor.Fudoor
Downloader.Rameh
Worm/Ihit
Win32/Resur

Don't bother. Symmantic doesn't have any info on them.... neither does Grisoft (AVG people)...

The only clue was when I attempted to shut down, 2 people were connected to my computer (at least the shutdown said that). I couldn't load up anything to check for who it was, so I hit the power button, instead of shutting down, did the 'last ditch effort' to load up my machine with the 'last successful config' and everything worked peachy... so peachy in fact, I'm quite scared. I installed the latest virus definition update, rescanned everything... nothing found.

No idea what happened. A prank? I'm sitting behind a router, firewall, and antivirus... pretty sophisticated prank.

Any clue at all??

More info?

[yuri benjamin]

I'm sitting behind a router, firewall, and antivirus...

What firewall are you using? What do the firewall logs say about connections at the time Windows Shutdown reported 2 users?
My guess is you've been cracked. Firewall logs should contain clues.

Yuri

Might have been in ram, but...

[(H)elix1]

I've been owned [slashdot.org] before. I did a fair bit of digging into how they exploited my box, and the best I can figure was a fairly sophisticated dictionary attack. Not to say it could not be something else, but the box was launching dictionary attacks against other IP addresses from the box. Argh!

Time to rebuild and change all your passwords! FDISK purifies and redeems...

You might

[Safety Cap]

...want to check your users/groups and make sure there're no extra ones. Make sure to disable "guest" completely and change everyone's password.

You did run windows update [microsoft.com] recently, right?

As a matter of keeping people from connecting to your resources, make sure port 135 is blocked at the firewall/router. For fun, run some "shields up [grc.com]" goodness to find out what else is open.

Re:You might

[FortKnox]

I think the 'other users' may have been an automated web script I run from another (pass protected) account. Yeah, windows always up to dates, as with my firewall and antivirus.

Re:You might

[Safety Cap]

Now that you had a scare, it is probably a good time to burn all your important files to CDs... :)

Re:You might

[Abm0raz]

I hope that's not my script, because it doesn't connect inbound, only out. It shouldn't register a connection in windows (but should show in the firewall logs).

-Ab

Just an idea...

[Sloppy]

Well, if you have a lot of software that auto-updates itself, you might want to look into how they do this. Maybe they're helpfully installing trojans on your behalf, instead of getting the actual updates that you want.

It's not hard to make stuff like that work correctly, but.. um, how can I delicately say this? I have worked with Windows app developers and.. well.. while I'm sure there are very bright people working on this stuff, you never quite know what you're going to get. Sometimes missing some r

hmmm

[turg]

Based on a quick googling, it looks like at least a few of these are backdoor-type trojans so once you got one, it could become the conduit by which the others got there.

The machine was up-to-date with Windows security updates, I assume?

icky

[KshGoddess]

just a quick google says that your dropper.small could've come via mail, a crack file, a desktop theme... and it's 3k, and brings at least one of your other viruses with it.

I'd look at what was downloaded recently, from where, etc. Makes me glad the last desktop I downloaded was a jpeg that wasn't compressed, zipped, etc.

Re:icky

[trmj]

Makes me glad the last desktop I downloaded was a jpeg that wasn't compressed, zipped, etc.

I once thought that way as well, but when I downloaded the latest "super uber 31337" version of sub7 to see what new tricks it comes with, there was a nifty binding program that could bind the server to nearly any filetype and run it on opening, including images, office files, zips, even text documents.

It was also somewhat disturbing just how customizable the server program is for launching a sophisticated attac

Re:icky

[Abm0raz]

One my co-workers got a Downloader virus today (.JD variety). All the downloaders (there's over 50) do the same thing, connect to a website and download a trojan, usually sub-7.

-Ab

Random security advice

[Planesdragon]

Rename the administrator and guest accounts.

"root" and "user" -- or "God" or "admin" or "l33t" even.

It makes it just that little bit harder to break in.

Run Linux?

[ces]

I know it sounds like a snarky answer but I just don't have these sort of problems with my linux box. I run VMWare when I need windows only applications. I don't have the instances of windows running under VMWare as locked down as I would if they were the host OS. However I've yet to have a problem because they typically are only running when I need a windows app. Even if one of them was to get infected I'd just roll it back to the snapshots I have from just after installation.(the files are mounted from t

Re:Run Linux?

[FortKnox]

I -have- a linux machine. Works like a charm (although I think a harddrive is about to go in it...)

The windows box is there to be a windows box. Its where I put all my windows apps on (games, visual studio, etc...).

Re:Run Linux?

[ces]

I -have- a linux machine. Works like a charm (although I think a harddrive is about to go in it...)

The windows box is there to be a windows box. Its where I put all my windows apps on (games, visual studio, etc...).

I have a windows box here too, but it rarely gets turned on as I do most everything under linux and firing up VMWare is easier than firing up the windows box when I need photoshop or to browse some IE only site.

Basicly it's worth getting to the point that you don't care when your windows clie