Fcuking Virus

Old 07 January 2003, 05:31 PM  #1  Adrian F (Scooby Regular, Thread Starter)

Thanks for the help

It has put my mind at rest

[Edited by Adrian F - 7/1/2003 5:31:49 PM]
Old 07 March 2003, 08:58 PM  #2  Adrian F (Scooby Regular, Thread Starter)

Jack, thanks for the help. I was just reading the latest on this thread when the firewall warning popped up again, saying it had blocked the default SubSeven/backdoor trojan for 30 minutes and that the protocol was TCP (inbound). It gives the remote address as 81.40.115.111:4258. Does this confirm what you were saying? I assume yes because it says inbound?

[Edited by Adrian F - 7/3/2003 8:59:36 PM]
Old 28 June 2003, 02:08 PM  #3  Brun (Scooby Senior)

I've just been hit by a Backdoor.Coreflood virus.
On removal, Norton suggests deleting some value or other using Regedit. This sounds like sommat a computer muppet like me doesn't need to be doing. Can anyone show me the way forward?
Just as a side note, at least once every 3 weeks or so, I get attacked by a Backdoor.Trojan, and I assume this requires a bit of regedit too.
Old 28 June 2003, 02:11 PM  #4  Brun (Scooby Senior)

Double post

[Edited by Brun - 6/28/2003 2:11:48 PM]
Old 28 June 2003, 03:56 PM  #5  JackClark (Scooby Senior)

Keeping your current antivirus up to date or changing brand is your first step. This particular nasty has been around since 10/05/2001. Symantec's instructions for removing the reg key are about as simple as they get; I can't offer any more advice online. Perhaps a call to support is in order; they will hand-hold you through the process.

[brag]McAfee would have done the registry edit for you[/brag]
Old 28 June 2003, 11:13 PM  #6  Adrian F (Scooby Regular, Thread Starter)

Slightly different, but I have a SubSeven trojan and run Norton as well, which the firewall seems to block all the time (I hope), but the antivirus won't find and remove it? Yet Norton gets good reviews in the magazines (and I am a simpleton with PCs).

Best step forward?
Old 28 June 2003, 11:55 PM  #7  boomer (Scooby Senior)

Adrian F,

if you are getting something like (as per mine early yesterday morning)...

Date: 28-Jun-2003 Time: 01:22:41
Rule "Default Block Backdoor/SubSeven Trojan" blocked (MYPC,27374). Details:
Inbound TCP connection
Local address,service is (MYPC,27374)
Remote address,service is (80.202.92.237,14748)
Process name is "N/A"


...in your Norton Firewall logfile, then this is some **** trying to connect to a SubSeven trojan (should it be running on your PC, and should you not have a firewall).

The message is just Norton confirming that it has done its job and stopped said **** from getting into your Pooter.

mb
Old 29 June 2003, 12:10 AM  #8  stevem2k (Scooby Regular)

Here's the abuse@ details for the geezer trying to connect ....

Steve

inetnum: 80.202.16.0 - 80.202.122.255
netname: NEXTGENTEL-NO
descr: XDSL access and service provider in Norway
country: NO
admin-c: BN284-RIPE
tech-c: NGT5-RIPE
status: ASSIGNED PA
notify: hostmaster@nextgentel.com
mnt-by: NO-NEXTGENTEL-MNT
changed: aso@nextgentel.com 20020918
changed: aso@nextgentel.com 20021016
source: RIPE

route: 80.202.0.0/15
descr: NextGenTel Network
origin: AS15659
cross-mnt: NO-NEXTGENTEL-MNT
notify: hostmaster@nextgentel.com
mnt-by: NO-NEXTGENTEL-MNT
changed: aso@nextgentel.com 20011205
source: RIPE

role: NextGenTel Hostmaster
remarks: ---------------------
remarks: NextGenTel AS is an xDSL accessprovider in Norway.
remarks: NextGenTel hostmaster maintain the RIPE objects for
remarks: its own infrastructure and customers.
remarks: For trouble and abuse reports use
remarks: - abuse@nextgentel.com for DOS attack, Virus, Abuse,
remarks: Hacking, Copyright reports
remarks: - hostmaster@nextgentel.com for Network related fault
remarks: and reports
remarks: ---------------------
address: Sandslimarka 31
address: P.O Box 3 Sandsli
address: N-5861 Bergen
address: Norway
address: ---------------------
phone: +47 55527900
fax-no: +47 55527910
e-mail: abuse@nextgentel.com
e-mail: hostmaster@nextgentel.com
Old 29 June 2003, 12:23 AM  #9  boomer (Scooby Senior)

stevem2k,

Do you think that it is worth contacting the ISP of "hacker PCs"? These days my firewall picks up loads of incoming attempts: some just your common or garden virus ones (e.g. port 445, ms-sql-s etc.), and others more specific (e.g. SubSeven, FTP, HTTPS, Echo Requests).

I (perhaps wrongly) assume that SubSeven and the like are coming from a PC that itself has been hacked, thus the ISP probably can't do much. Do many ISPs take serious action???

mb
Old 29 June 2003, 12:36 AM  #10  stevem2k (Scooby Regular)

It's of variable results tbh. When I can be bothered I go through the logs and send off to abuse@ for all the UK/European ISPs that have attempted repeated connects. No point if they are in Asia, as nothing gets done in my experience.

I had > 300 attempted connects yesterday, mostly NetBIOS from virus'ed-up machines probably, but I have obviously been port scanned at some point, as there is an 'odd' port open (but only to one address) and I keep getting connection attempts on it.

SQL/Slammer is still out there and shows up in the Snort logs, as do all the nmap connects...

Can't recommend a hardware firewall enough if you have multiple machines/permanent connections. I use smoothwall.

Steve
Old 29 June 2003, 09:02 AM  #11  Jeff Wiltshire (Scooby Regular)

The best thing to do is to sign up to www.dshield.org and get them to do the 'fightback'.....
Old 29 June 2003, 06:22 PM  #12  Adrian F (Scooby Regular, Thread Starter)

Boomer, yes the Norton Firewall is blocking it (hopefully all the time), but I was confused why the antivirus didn't remove it.

Though I have had the latest LiveUpdate and now no firewall warnings! So maybe it has removed it, or the trojan is not being detected by the firewall any more, or is dormant? I don't know enough to work it out, and when you look in books in WH Smiths or PC World they just tell you what a trojan is! That I know.
Old 30 June 2003, 11:42 PM  #13  Adrian F (Scooby Regular, Thread Starter)

As of today I'm still getting firewall warnings of Backdoor/SubSeven trojan, but Norton with the latest updates can't find it on my PC. Anybody got any suggestions?
Old 01 July 2003, 12:05 AM  #14  boomer (Scooby Senior)

Adrian F,

(In simple terms) when your computer is on the Internet, it is "identified" by other computers by its IP address (e.g. 12.34.56.78). Normally it is your computer talking to the Internet, such as connecting to ScoobyNet (i.e. outbound connections).

If another computer wants to talk to yours, it finds it via the IP address, but then specifies a port to communicate with. These "ports" are known by numbers, and many are what are known as "well known ports" on which a program listens. When a connection comes in on a given port, the program springs into life and does something, such as receive e-mail.

When you have a trojan, it sits listening on a port (e.g. 27374 for SubSeven, as per my log entry above) and when the hacker connects, the trojan program activates (and sometimes asks for a password). This effectively gives the hacker access to your computer.

If you don't have a trojan on your computer, then there is nothing listening on the port, so the incoming hacker connection will fail.

If you have a firewall installed, it already knows about what ports are used by trojans, and blocks them automatically - whether or not you actually have a trojan on your computer!!!

So, the messages in your firewall log are attempts to connect, but which fail ('cos your firewall stopped them), and which would fail even without a firewall, because you (probably) don't have the trojan program on your computer anyway!!!

SO DON'T GET WORRIED - YOU SHOULD BE SAFE!!!

mb
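The firewall log entry quoted earlier in the thread and boomer's explanation of it, as an added example that is not from the thread: a small Python parser for that Norton Personal Firewall log layout, which flags an inbound block with no local process as a failed probe (a knock on a closed door) and counts repeat remote addresses, the ones stevem2k says he reports to the ISP's abuse@ contact. The log text below is constructed, and the field layout is assumed from the single quoted entry.

```python
import re
from collections import Counter

# Constructed sample in the Norton Personal Firewall log layout quoted in the thread (not a real log).
SAMPLE_LOG = """\
Date: 28-Jun-2003 Time: 01:22:41
Rule "Default Block Backdoor/SubSeven Trojan" blocked (MYPC,27374). Details:
Inbound TCP connection
Local address,service is (MYPC,27374)
Remote address,service is (80.202.92.237,14748)
Process name is "N/A"
Date: 28-Jun-2003 Time: 03:10:05
Rule "Default Block Backdoor/SubSeven Trojan" blocked (MYPC,27374). Details:
Inbound TCP connection
Local address,service is (MYPC,27374)
Remote address,service is (80.202.92.237,15002)
Process name is "N/A"
"""

# One blocked-connection entry spans six lines; named groups pull out the fields we care about.
ENTRY_RE = re.compile(
    r'Date: (?P<date>\S+) Time: (?P<time>\S+)\s*\n'
    r'Rule "(?P<rule>[^"]+)" blocked [^\n]*\n'
    r'(?P<direction>Inbound|Outbound) (?P<proto>\w+) connection\s*\n'
    r'Local address,service is \((?P<lhost>[^,]+),(?P<lport>\d+)\)\s*\n'
    r'Remote address,service is \((?P<rhost>[^,]+),(?P<rport>\d+)\)\s*\n'
    r'Process name is "(?P<process>[^"]*)"'
)

def parse_log(text):
    """Return one dict per blocked-connection entry, with ports as integers."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = m.groupdict()
        e["lport"], e["rport"] = int(e["lport"]), int(e["rport"])
        entries.append(e)
    return entries

def is_failed_probe(entry):
    """Inbound, blocked, and no local process named: nothing on this PC accepted it."""
    return entry["direction"] == "Inbound" and entry["process"] == "N/A"

def repeat_offenders(entries, threshold=2):
    """Remote IPs with at least `threshold` blocked probes: candidates for a whois lookup and abuse@ report."""
    counts = Counter(e["rhost"] for e in entries if is_failed_probe(e))
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    print(len(hits), "blocked probes; repeat offenders:", repeat_offenders(hits))
```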
Old 01 July 2003, 12:14 AM  #15  JackClark (Scooby Senior)

Think of a burglar trying a key in a street full of doors. His key didn't fit your door and you caught him trying.
Old 01 July 2003, 06:33 PM  #16  Nicks VR4 (Scooby Regular)

Adrian F
how to remove Subseven
Old 02 July 2003, 05:17 PM  #17  Adrian F (Scooby Regular, Thread Starter)

Thanks Nick
I had looked at that page, but I will have to find a few hours to try and get my head round this, as it is above my level of skill with a PC. Also, as said above, the Norton AntiVirus can't find this trojan but the firewall sees it, so maybe it is like somebody trying to scan the ports of my PC?

Or some other software tricking the Norton Firewall into thinking that it has a trojan running?
Old 02 July 2003, 05:37 PM  #18  JackClark (Scooby Senior)

You don't need to do anything; as I said earlier, you caught the bugger outside your door, not inside your house.
Old 02 July 2003, 06:06 PM  #19  Nicks VR4 (Scooby Regular)

Jack, we're talking about computer viruses, not burglars in the back garden lol
Old 03 July 2003, 10:34 AM  #20  JackClark (Scooby Senior)

Virtual Burglars, Virtual Back Gardens, Virtual Virology. That rings a bell Ding Dong
Old 03 July 2003, 05:44 PM  #21  shunty (Scooby Regular)

Jack,
Are you getting any reports of the Dbourne-Q virus doing the rounds again??

cheers

shunty
Old 03 July 2003, 06:32 PM  #22  JackClark (Scooby Senior)

I'm not logged in at the mo; it's not bad enough for anyone to call me, if that helps.
Old 03 July 2003, 09:11 PM  #23  JackClark (Scooby Senior)

Correct. You're fine.

The person trying to connect to your machine is most likely using the Telefonica network from Madrid, Spain. Unfortunately getting his house number is a bit more difficult.
Old 03 July 2003, 11:49 PM  #24  Adrian F (Scooby Regular, Thread Starter)

Thanks!!
Old 04 July 2003, 09:37 AM  #25  JackClark (Scooby Senior)

Shunty, nothing major here.
Old 04 July 2003, 12:04 PM  #26  shunty (Scooby Regular)

Cheers Jack. I believe this virus lies dormant?? Can't seem to find a definitive answer on how it spreads though.
I know the payload doesn't activate until the user either logs off or reboots??

cheers

shunty
Old 04 July 2003, 08:33 PM  #27  JackClark (Scooby Senior)

Here's as much as I know; I can ask for more detail in the lab on Monday if you like.
Old 07 July 2003, 08:34 AM  #28  shunty (Scooby Regular)

Thanks Jack, that's exactly what I was looking for....
I thought it must be a NetBIOS-type infection, as we keep cleaning every PC/server, all pattern files are up to date etc.... but it keeps coming back.
So it had to be PCs/servers getting an IP but not on the domain.

cheers

shunty