[vox-tech] [OT] Now I have a virus. Argh!!!!!

Peter Jay Salzman p at dirac.org
Sat Jul 17 16:19:55 PDT 2004


Ever have the feeling that you shouldn't have gotten out of bed?

One of my systems, lucifer, is a dual boot (Debian/win2k).  The only
thing I use win2k for is to play Serious Sam, Serious Sam Second
Encounter, and Syberia.

My wife checks her school email, which is web based.  Apparently, Opera
can't handle the Javascript, so when lucifer is in Linux, she uses
Galeon and when lucifer is in win2k, she uses IE.

We're behind a firewall, and NO ports are forwarded to lucifer.  There
is no mail service on that machine --- win2k is only booted for a few
hours a day while I play Serious Sam or Syberia.  The only packets (that
I know of) that can reach lucifer from the outside world are
http packets coming back from an ipmasqed request.  The only way to send
anything to lucifer from the internet is to first ssh into another
machine to get into the home LAN to begin with.  Anyway.

I booted win2k to play some Serious Sam, and when the machine booted, a
window named "hello..." popped up that said:

   I think there must be something wrong.  Wouldn't you say so?

            yes / no

Ominous.  I blinked to make sure I was seeing this right.  I looked in
all the Start directories to see if there was an application that was
supposed to run at boot.  Nothing.  Whatever was running was running
from the registry.  I called up the task manager to look for suspicious
processes.  Nothing looked out of the ordinary, but then again, I don't
really know much about win2k.

The FIRST thing I did was unplug the network cable, in case the machine
was compromised or was being used as a zombie for spamming or DDoS.  Not
knowing what else to do, I pressed "yes", agreeing with the question
that, yes, something was indeed wrong.  Very wrong.  Another pop-up
window was displayed that said:

   Then you are far more clever than I originally thought.

Well, at least whatever it was was being complimentary.  At this point,
I had no idea it could've been a virus or a worm.  As I said, nothing
can reach this machine.  It didn't occur to me.

I googled on one of my Linux boxes, and after a little searching, found
that this is a worm called W32.HLLP.Kindal@MM.  I was able to verify
some of the claimed changes the worm made to the registry, although I
couldn't find the file that was supposed to contain the viral code.  I
saw a mention of it in the registry, and saw the key that has it run on
boot, but the file itself seems to be missing or isn't showing up.
Weird.

The only way this thing could've gotten onto my system that I can think
of is by Internet Explorer.  This OS is used for gaming (non-online
gaming), and checking school webmail with IE and absolutely nothing
else.  I know that 4 "critical vulnerabilities" were announced for IE a
couple of days ago, and another 3?  6?  a few days before that.

Anyway, that's neither here nor there.  I've never had a worm before,
so I'm new to all this.  What's the standard procedure?  Reinstallation?
Can "virus checkers" also erase viruses?   What is a good "virus
checker" for this purpose?

Pete

-- 
In theory, theory and practice are the same.  In practice, they aren't.
GPG Instructions: http://www.dirac.org/linux/gpg
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
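The check Pete describes by hand above (a Run key that points at a file which cannot be found) can be scripted. What follows is an added example, not part of the post and not written by anyone on the list: on Windows it reads every value under the HKLM and HKCU Run/RunOnce keys with winreg, works out which program each command line will actually launch the way CreateProcess does (quoted name taken verbatim, unquoted name resolved as the shortest space-delimited prefix that exists, bare name searched in the system directories), and reports entries whose target does not exist. The sample entries, the fake disk contents, the "updater.exe" name and the C:\WINNT default are constructed assumptions so that it runs offline; the worm's real file name is not given in the post and is not guessed here.

```python
"""Find autorun (Run/RunOnce) registry entries whose program is missing.

Added example, not code from the original post.  The hive/key names are
the standard Windows Run keys; SAMPLE_DISK, SAMPLE_ENTRIES and the
C:/WINNT default are constructed for the offline demo.
"""
import ntpath
import os

RUN_KEYS = (
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
)


def image_path(cmdline, exists=os.path.exists):
    """Return the program an autorun command line launches.

    Mirrors CreateProcess: a quoted program name is taken verbatim; an
    unquoted one is the shortest space-delimited prefix that names an
    existing file.  If no prefix exists (the dangling case) the first
    token is returned so the caller still has a path to report.
    Note: for loaders such as "rundll32.exe payload.dll,Entry" this
    returns rundll32.exe; the DLL argument is the thing to look at.
    """
    cmd = ntpath.expandvars(cmdline.strip())  # expands %SystemRoot% etc. if set
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if exists(candidate):
            return candidate
    return tokens[0]


def dangling_entries(entries, exists=os.path.exists, search_dirs=None):
    """Return the (hive, key, name, path) tuples whose program is missing.

    entries: iterable of (hive, key, value_name, command_line).
    A bare file name (no directory part) is looked up in search_dirs,
    which defaults to system32 under %SystemRoot% and %SystemRoot%
    itself (C:/WINNT is assumed when the variable is unset, as it would
    be off-box; Windows 2000 installs there by default).
    """
    if search_dirs is None:
        root = os.environ.get("SystemRoot", r"C:\WINNT")
        search_dirs = [ntpath.join(root, "system32"), root]
    missing = []
    for hive, key, name, cmd in entries:
        path = image_path(cmd, exists)
        candidates = [path]
        if not ntpath.dirname(path):  # bare name: searched on the system path
            candidates = [ntpath.join(d, path) for d in search_dirs]
        if not any(exists(c) for c in candidates):
            missing.append((hive, key, name, path))
    return missing


def collect_run_entries():
    """Read every value under the Run/RunOnce keys (winreg, so Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for hive, key in RUN_KEYS:
        try:
            handle = winreg.OpenKey(hives[hive], key)
        except OSError:  # key absent on this machine
            continue
        with handle:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(handle, index)
                except OSError:  # no more values under this key
                    break
                found.append((hive, key, name, str(value)))
                index += 1
    return found


# Constructed sample data for running offline; none of these are real paths.
SAMPLE_DISK = {
    r"C:\WINNT\system32\mobsync.exe",
    r"C:\Program Files\Some Game\Launcher.exe",
}
SAMPLE_ENTRIES = [
    ("HKLM", RUN_KEYS[0][1], "Synchronization Manager", "mobsync.exe /logon"),
    ("HKLM", RUN_KEYS[0][1], "Game Launcher",
     r'"C:\Program Files\Some Game\Launcher.exe" -nosplash'),
    # Like the entry in the post: a Run value whose file is not on disk.
    ("HKCU", RUN_KEYS[2][1], "hello", r"C:\WINNT\system32\updater.exe /silent"),
]
SAMPLE_SEARCH_DIRS = [r"C:\WINNT\system32", r"C:\WINNT"]


def demo():
    """Run the check over the constructed sample; returns the flagged value names."""
    missing = dangling_entries(SAMPLE_ENTRIES, exists=SAMPLE_DISK.__contains__,
                               search_dirs=SAMPLE_SEARCH_DIRS)
    return [name for _, _, name, _ in missing]


if __name__ == "__main__":
    try:
        missing = dangling_entries(collect_run_entries())
    except ImportError:  # not on Windows: fall back to the constructed sample
        missing = dangling_entries(SAMPLE_ENTRIES, exists=SAMPLE_DISK.__contains__,
                                   search_dirs=SAMPLE_SEARCH_DIRS)
    for hive, key, name, path in missing:
        print(f"{hive}\\{key}\\{name}: target not found: {path}")
```

Two caveats when reading its output: os.path.exists does see files with the hidden attribute set, so an entry flagged here is one whose path genuinely does not resolve, not one Explorer merely hides; and an entry that passes the check can still be a loader (rundll32.exe, a script host) whose interesting part is the argument, not the program. The same keys can of course be read by hand in regedit, which is all a 2004 Windows 2000 box would have offered.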