[vox-tech] [OT] Now I have a virus. Argh!!!!!

[Michael J Wenk]

On Sat, Jul 17, 2004 at 04:19:55PM -0700, Peter Jay Salzman wrote:
> Ever have the feeling that you shouldn't have gotten out of bed?
> 
> One of my systems, lucifer, is a dual boot (Debian/win2k).  The only
> thing I use win2k for is to play Serious Sam, Serious Sam Second
> Encounter, and Syberia.
> 
> My wife checks her school email, which is web based.  Apparently, Opera
> can't handle the Javascript, so when lucifer is in Linux, she uses
> Galeon and when lucifer is in win2k, she uses IE.
> 
> We're behind a firewall, and NO ports are forwarded to lucifer.  There
> is no mail service on that machine --- win2k is only booted for a few
> hours a day while I play Serious Sam or Syberia.  The only packets (that
> I know of) that can reach lucifer from the outside world are
> http packets coming back from an ipmasqed request.  The only way to send
> anything to lucifer from the internet is to first ssh into another
> machine to get into the home LAN to begin with.  Anyway.
> 
> I booted win2k to play some Serious Sam, and when the machine booted, a
> window named "hello..." popped up that said:
> 
>    I think there must be something wrong.  Wouldn't you say so?
> 
>             yes / no
> 
> Ominous.  I blinked to make sure I was seeing this right.  I looked in
> all the Start directories to see if there was an application that was
> supposed to run at boot.  Nothing.  Whatever was running was running
> from the registry.  I called up the task manager to look for suspicious
> processes.  Nothing looked out of the ordinary, but then again, I don't
> really know much about win2k.
> 
> The FIRST thing I did was unplug the network cable, in case the machine
> was compromised or was being used as a zombie for spamming or DDOS.  Not
> knowing what else to do, I pressed "yes", agreeing with the question
> that, yes, something was indeed wrong.  Very wrong.  Another pop-up
> window was displayed that said:
> 
>    Then you are far more clever than I originally thought.
> 
> Well, at least whatever it was was being complementary.  At this point,
> I had no idea it could've been a virus or a worm.  As I said, nothing
> can reach this machine.  It didn't occur to me.
> 
> I googled on one of my Linux boxes, and after a little searching, found
> that this is a worm called W32.HLLP.Kindal at MM.  I was able to verify
> some of the claimed changes the worm made to the registry, although I
> couldn't find the file that was supposed to contain the viral code.  I
> saw a mention of it in the registry, and saw the key that has it run on
> boot, but the file itself seems to be missing or isn't showing up.
> Wierd.
> 
> The only way this thing could've gotten onto my system that I can think
> of is by Internet Explorer.  This OS is used for gaming (non-online
> gaming), and checking school webmail with IE and absolutely nothing
> else.  I know that 4 "critical vulnerabilities" were announced for IE a
> couple of days ago, and another 3?  6?  a few days before that.
> 
> Anyway, that's neither here nor there.  I've never had a worm before,
> so I'm new to all this.  What's the standard procedure?  Reinstallation?
> Can "virus checkers" also erase viruses?   What is a good "virus
> checker" for this purpose?


Doesn't sound like a worm to me.  In any event, Id purge the system(its 
windows after all), follow the instructions to rebuild, patch it, and then
load McAffe(sp?) or something like it.  However, as the way IE works, you 
have to be bloody careful where you surf as MS is a tad slow in its patching.
There are several known exploits to IE that don't require much to be enabled.