[vox-tech] [OT] Now I have a virus. Argh!!!!!
David King
ketralnis at ketralnis.dyndns.org
Sat Jul 17 19:14:54 PDT 2004
Try House Call, http://housecall.trendmicro.com, it's a free web-based
antivirus that has never failed me.
On Jul 17, 2004, at 16.19, Peter Jay Salzman wrote:
> Ever have the feeling that you shouldn't have gotten out of bed?
>
> One of my systems, lucifer, is a dual boot (Debian/win2k). The only
> thing I use win2k for is to play Serious Sam, Serious Sam Second
> Encounter, and Syberia.
>
> My wife checks her school email, which is web based. Apparently, Opera
> can't handle the Javascript, so when lucifer is in Linux, she uses
> Galeon and when lucifer is in win2k, she uses IE.
>
> We're behind a firewall, and NO ports are forwarded to lucifer. There
> is no mail service on that machine --- win2k is only booted for a few
> hours a day while I play Serious Sam or Syberia. The only packets (that
> I know of) that can reach lucifer from the outside world are
> http packets coming back from an ipmasqed request. The only way to send
> anything to lucifer from the internet is to first ssh into another
> machine to get into the home LAN to begin with. Anyway.
>
> I booted win2k to play some Serious Sam, and when the machine booted, a
> window named "hello..." popped up that said:
>
> I think there must be something wrong. Wouldn't you say so?
>
> yes / no
>
> Ominous. I blinked to make sure I was seeing this right. I looked in
> all the Start directories to see if there was an application that was
> supposed to run at boot. Nothing. Whatever was running was running
> from the registry. I called up the task manager to look for suspicious
> processes. Nothing looked out of the ordinary, but then again, I don't
> really know much about win2k.
>
> The FIRST thing I did was unplug the network cable, in case the machine
> was compromised or was being used as a zombie for spamming or DDOS. Not
> knowing what else to do, I pressed "yes", agreeing with the question
> that, yes, something was indeed wrong. Very wrong. Another pop-up
> window was displayed that said:
>
> Then you are far more clever than I originally thought.
>
> Well, at least whatever it was was being complimentary. At this point,
> I had no idea it could've been a virus or a worm. As I said, nothing
> can reach this machine. It didn't occur to me.
>
> I googled on one of my Linux boxes, and after a little searching, found
> that this is a worm called W32.HLLP.Kindal@MM. I was able to verify
> some of the claimed changes the worm made to the registry, although I
> couldn't find the file that was supposed to contain the viral code. I
> saw a mention of it in the registry, and saw the key that has it run on
> boot, but the file itself seems to be missing or isn't showing up.
> Weird.
>
> The only way this thing could've gotten onto my system that I can think
> of is by Internet Explorer. This OS is used for gaming (non-online
> gaming), and checking school webmail with IE and absolutely nothing
> else. I know that 4 "critical vulnerabilities" were announced for IE a
> couple of days ago, and another 3? 6? a few days before that.
>
> Anyway, that's neither here nor there. I've never had a worm before,
> so I'm new to all this. What's the standard procedure? Reinstallation?
> Can "virus checkers" also erase viruses? What is a good "virus
> checker" for this purpose?
>
> Pete
>
> --
> In theory, theory and practise are the same. In practise, they aren't.
> GPG Instructions: http://www.dirac.org/linux/gpg
> GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
> _______________________________________________
> vox-tech mailing list
> vox-tech at lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
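Pete's triage (checking the Start folders, then finding the autostart entry in the registry and noticing that the file it points to is not on disk) is the kind of check that is worth scripting. The following is an added example, not code from the thread or from any list member: it takes a text export of a Run key (as produced by `reg export`, which can then be read from the Linux side of a dual-boot box), extracts the program each entry launches, and flags entries that live outside the usual system directories, rely on PATH lookup, or point at a file that no longer exists. The `.reg` sample, the value names and paths in it, and the fake file list are all constructed for the demonstration.

```python
"""Triage of Windows autostart (Run key) entries from a .reg text export.

Added example for the vox-tech thread; everything below is constructed.
Typical input is the output of:
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
"""
import ntpath  # handles C:\... paths correctly even when run on Linux
import os
import re
from dataclasses import dataclass, field

# Constructed sample export. "ExampleLoader" and "Updater" are made-up
# entries standing in for the thread's "key is there, file is missing" case
# and for a program started from a user profile directory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe\""
"ExampleLoader"="C:\\WINNT\\Temp\\example.exe /s"
"Updater"="C:\\Documents and Settings\\pete\\Local Settings\\Temp\\upd.exe"
'''

# Constructed stand-in for the disk: lower-cased paths that "exist".
FAKE_FS = {
    r"c:\program files\analog devices\soundmax\smtray.exe",
    r"c:\documents and settings\pete\local settings\temp\upd.exe",
}

# Directories from which autostart programs normally run (lower-case).
TRUSTED_DIRS = (r"c:\winnt", r"c:\windows", r"c:\program files")

FLAG_PATH_LOOKUP = "no directory (resolved via PATH)"
FLAG_UNTRUSTED = "outside trusted directories"
FLAG_MISSING = "referenced file missing"

# "Name"="value" lines; .reg escapes backslash and quote with a backslash.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


@dataclass
class AutorunEntry:
    key: str
    name: str
    command: str
    program: str
    flags: list = field(default_factory=list)


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(["\\])', r'\1', s)


def program_from_command(command):
    """Return the program path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):            # quoted path, possibly with spaces
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: take everything up to the first executable extension.
    m = re.match(r'(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)', command, re.I)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else command


def parse_reg_export(text):
    """Yield (key, name, command) for every string value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line:
            m = _VALUE_RE.match(line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))


def triage_autoruns(text, exists=os.path.exists, trusted_dirs=TRUSTED_DIRS):
    """Parse the export and attach a list of warning flags to each entry."""
    entries = []
    for key, name, command in parse_reg_export(text):
        program = program_from_command(command)
        entry = AutorunEntry(key, name, command, program)
        if not ntpath.dirname(program):
            entry.flags.append(FLAG_PATH_LOOKUP)   # bare name: PATH hijack risk
        else:
            low = program.lower()
            if not any(low.startswith(d + "\\") for d in trusted_dirs):
                entry.flags.append(FLAG_UNTRUSTED)
            if not exists(program):
                entry.flags.append(FLAG_MISSING)   # Pete's case: key without file
        entries.append(entry)
    return entries


def suspicious_entries(entries):
    """Only the entries that raised at least one flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    found = triage_autoruns(SAMPLE_REG, exists=lambda p: p.lower() in FAKE_FS)
    for e in suspicious_entries(found):
        print(f"{e.name!r}: {e.program} -> {', '.join(e.flags)}")
```

On a real box you would call `triage_autoruns(open("run.reg", encoding="utf-16").read())` with the default `os.path.exists` from the Windows side, or pass your own `exists` that rewrites `C:\` to the mount point of the NTFS partition when working from Linux. A missing file is not proof of a clean system (the thread itself notes the file may simply be hidden), so a flagged entry is a lead for the scanner, not a verdict.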