PICList Thread
'[TECH] Help finding a virus'
2009\02\20@112005 by Josh Koffman

Hi all. I'm having a rather annoying problem. My ISP has decided that
we have a virus here at the house. The "IRCBOT" virus they say. I
tried telling them that is a type of virus, not a specific one, but I
gave up that argument pretty quick. In any case, it's a rather large
problem. It could be in any of 3 computers. I've run virus scans, Ad
Aware, and Spybot on all of them. They found various tracking cookies
and the like, but nothing conclusive.

Here's the problem. My ISP are pretty bad in the customer service
department, and they threaten to shut off the connection (and of
course charge for the shut off). I can't switch ISPs, so that isn't an
option. There is one computer I know is clean, so that is currently
connected directly to the modem, bypassing the router. I'm trying to
figure out which of the other computers is infected. So far the only
conclusive way I've thought of would be to connect it to the modem and
watch a website at the ISP that says "No unauthorized communication
has come from your IP address", connect the various computers and wait
for it to change. This isn't ideal as it could lead to the connection
being shut off and annoying others.

Is there any other way? The ISP is being supremely unhelpful, the best
they could do was to read me 3 lines of the log file over the phone.
Alternatively has anyone any recommendation for a live CD I could
download to scan the systems? If I am indeed infected this seems like
one of those hard-to-find trojans. For the record, while I may end up
having to reformat a system, I'm not reformatting all of my computers
simultaneously just to fix one.

By the way, this is why I've been a bit spotty on my PICList email recently.

Thanks!

Josh
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
       -Douglas Adams

2009\02\20@122141 by Brendan Gillatt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Josh Koffman wrote:

There are three approaches I would try:

The first is to use a packet sniffing application (such as
SmartSniff--http://www.nirsoft.net/utils/smsniff.html) to look for any
odd incoming/outgoing connections.

The second is similar to the first but more difficult to set up. Use
another computer as a gateway device to the first and use that to check
for any unknown incoming/outgoing connections. This has the benefit of
being able to catch virii that have infected your tcp/ip stack which
could otherwise hide from software packet sniffers.

The third is probably the easiest--use an online scanning tool (such as
Shields Up--https://www.grc.com/x/ne.dll?bh0bkyd2) to check for any open
ports on your computer. Alternatively, you could use something like Nmap
on one of the other computers on your network to do a similar job.

Those three lines from the log would be very useful in helping us.

- --
Brendan Gillatt | GPG Key: 0xBF6A0D94
brendan {a} brendangillatt (dot) co (dot) uk
http://www.brendangillatt.co.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFJnuZzrlc7Stqch40RAsN6AKCixOemSefxdDujEB8zqdP9JEb7QgCgq/UF
ZvidptFeI6//2UI79PCFLlQ=
=9ONX
-----END PGP SIGNATURE-----

2009\02\20@122931 by Harold Hallikainen

If you're running one of the supported routers and one of the supported
OSs, Wall Watcher might be useful. See http://www.wallwatcher.com/ . It
shows you everything going in and out.

Harold


--
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!

2009\02\20@142453 by Josh Koffman

On Fri, Feb 20, 2009 at 12:33 PM, Harold Hallikainen wrote:
> If you're running one of the supported routers and one of the supported
> OSs, Wall Watcher might be useful. See http://www.wallwatcher.com/ . It
> shows you everything going in and out.

Intriguing. I don't currently have a compatible router on that
connection, but with a bit of shuffling I can do that. That would also
help me figure out if it's still happening but isn't coming from one
of my machines somehow.

Brendan, great links too. I will try SmartSniff first to see if I can
see any connections happening even without connecting to the net.

The lines from the log they read me looked like an attempt to connect
to an IRC server, logging in with a random character username. The
port numbers seemed to change (if indeed they were port numbers, he
wasn't sure how to read the log) so I can't just block the port.

Anyway, at least I have a couple things to try now, let's see how it goes!

Thanks,

Josh


--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
       -Douglas Adams

2009\02\20@145811 by Yigit Turgut

>
> The second is similar to the first but more difficult to set up. Use
> another computer as a gateway device to the first and use that to check
> for any unknown incoming/outgoing connections. This has the benefit of
> being able to catch virii that have infected your tcp/ip stack which
> could otherwise hide from software packet sniffers.


Virus infecting the TCP stack? There is no infection methodology like that.

Your ISP said it is an IRCBOT because your network has been owned and you
probably don't know it. The people who hacked into your boxes are using your
connection as a botnet, resulting in a huge amount of outgoing traffic, which
actually is the only thing that took the attention of your ISP. And this is why
they can not provide you any further information.

Since your network is owned and being used as a botnet, it is probable that
you will not be able to detect viruses of any kind because it is a custom
botnet/trojan and none of the AV vendors have signatures for it yet.

Your first action must be to separate your network from the WAN. Local port
scanning might not give any accurate results because botnets generally use
reverse connection for command input. This is why some sniffing is essential
here. Find outgoing connections (like port 6000 that IRC uses) using
Wireshark and save the source address. This is a node where you may use it
later to spot your attacker.

Find the service that uses this outgoing connection. And terminate it/them.

If you want any professional help on catching your attacker, we know people
who can help you.

Cheers.
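The approach Brendan and Yigit describe above (sniff outbound connections, pick out the ones that look like IRC bot traffic, and note which LAN host and which remote endpoint are involved) can be turned into a small script. The following is an added example, not code from anyone in this thread: it runs over a constructed connection log in the shape a tshark or WallWatcher text export might give (timestamp, source IP, destination IP, destination port, first payload line) and reports hosts that show at least two independent IRC-bot indicators. The port list, the log format, the random-nickname heuristic and all sample lines are assumptions made for the example; DNS and NetBIOS chatter of the kind Josh saw is included in the sample so it can be seen to pass through unflagged.

```python
"""Flag LAN hosts whose outbound traffic looks like IRC bot command-and-control.

Added example for this thread. The input is a constructed log; nothing here
was captured from a real network.
"""
import re
from collections import defaultdict

# Ports IRC servers commonly listen on. Yigit mentions 6000; 6667-6669 and
# 7000 are the conventional ones. Assumed list, tune for your own site.
IRC_PORTS = {6000, 6667, 6668, 6669, 7000}

# IRC registration/chat commands a bot sends right after connecting.
IRC_CMD_RE = re.compile(r"^(NICK|USER|JOIN|PRIVMSG)\s+(\S+)")

# Constructed log lines: "time src dst dport payload" (one record per line).
# 192.168.1.10/.11 are ordinary hosts; 192.168.1.12 is the constructed bot.
SAMPLE_LOG = """\
20:11:03 192.168.1.10 192.168.1.1 53 DNS A query www.example.com
20:11:03 192.168.1.10 192.168.1.255 137 NBNS name query WORKGROUP
20:11:05 192.168.1.12 203.0.113.7 6667 NICK xq7vk2pz9
20:11:05 192.168.1.12 203.0.113.7 6667 USER a b c :d
20:11:06 192.168.1.12 203.0.113.7 6667 JOIN #c
20:11:09 192.168.1.11 198.51.100.4 80 GET / HTTP/1.1
20:11:15 192.168.1.12 203.0.113.9 6000 NICK k3wq8zrr1
"""


def parse_line(line):
    """Split one record into its fields; returns None for blank or malformed lines."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    ts, src, dst, dport, payload = parts
    try:
        dport = int(dport)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "payload": payload}


def looks_random(nick):
    """Heuristic for machine-generated nicknames: letters and digits mixed,
    almost no vowels. Assumed threshold, good enough for the sample."""
    letters = [c for c in nick if c.isalpha()]
    digits = [c for c in nick if c.isdigit()]
    if not letters or not digits:
        return False
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return vowels / len(letters) < 0.25


def analyze(log_text):
    """Return {src_ip: {"score", "reasons", "peers"}} for hosts with at least
    two IRC-bot indicators. "peers" holds the remote ip:port endpoints so they
    can be handed to the ISP or an AV vendor along with a sample."""
    findings = defaultdict(lambda: {"score": 0, "reasons": [], "peers": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = findings[rec["src"]]
        peer = f'{rec["dst"]}:{rec["dport"]}'
        # Indicator 1: destination port is one an IRC server would use.
        if rec["dport"] in IRC_PORTS:
            host["score"] += 1
            host["reasons"].append(f"{rec['ts']} connection to IRC port {peer}")
            host["peers"].add(peer)
        # Indicator 2: payload starts with an IRC protocol command.
        m = IRC_CMD_RE.match(rec["payload"])
        if m:
            host["score"] += 1
            host["reasons"].append(f"{rec['ts']} IRC command {m.group(1)} to {peer}")
            host["peers"].add(peer)
            # Indicator 3: the nick registered looks machine-generated,
            # matching the "random character username" in the ISP's log.
            if m.group(1) == "NICK" and looks_random(m.group(2)):
                host["score"] += 1
                host["reasons"].append(f"{rec['ts']} random-looking nick {m.group(2)!r}")
    return {ip: h for ip, h in findings.items() if h["score"] >= 2}


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"{ip}: score {info['score']}, peers {sorted(info['peers'])}")
        for reason in info["reasons"]:
            print("   ", reason)
```

Requiring two indicators keeps a single odd port from implicating a machine, while a real bot trips all three within seconds of connecting. The DNS and NetBIOS name lookups in the sample never match and so are never reported, which is the expected result for hosts that are merely chatty.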

2009\02\20@155200 by Alan B. Pearce

>Is there any other way? The ISP is being supremely unhelpful,
>the best they could do was to read me 3 lines of the log file
>over the phone.

Can they not email this to you? At least then you could work out what the
important bits are, and whether or not you actually have a virus.

2009\02\20@162000 by cdb

I can't say I'm a great expert on this, but something I've found over
time is, if using a MS OS, then some virii like to hide in the system
restore area if enabled, and can respawn themselves from there and
operate quite happily from this location.

The only way I've found to really delete them is to start up in safe
mode run any anti everything tools, delete the system restore
archive(s) (I always have sys restore disabled on my own systems) hunt
down any strange files that seem to hook into Windows Services and
delete and remove anything in registry and then reboot. I also
occasionally uninstall the firewall and virus checker utility and then
re-install a clean copy (disconnected from the WAN/LAN naturally).

Is it possible for someone to have rewritten the firmware in your
router and 'updated' it remotely? I know my router allows for external
upgrading to be enabled.

Colin
--
cdb, colin@btech-online.co.uk on 21/02/2009

Web presence: http://www.btech-online.co.uk  

Hosted by:  http://www.1and1.co.uk/?k_id=7988359

2009\02\20@172057 by Sean Breheny

I had an interesting experience recently when a coworker brought his
PC over to the engineering area for us to fix it. It turned out that
he not only had a LOAD of viruses and spyware, but his antivirus
program itself was a virus. In other words, he had no antivirus
installed and one time he (or one of his kids) must have clicked on
one of those fake "your PC is infected!" ads and it installed a fake
AV program. It ALSO installed a fake Windows Update program. The fake
AV program was an obvious fake to anyone with moderate technical
knowledge (i.e., it popped up windows which were JPG images always
showing the same files infected) but the fake Windows Update was
actually quite good and it took us a while to figure out that it was
fake.

Sean


On Fri, Feb 20, 2009 at 4:19 PM, cdb wrote:

2009\02\20@205504 by Michael Algernon


You realize, don't you, that the ISP may be dead wrong and the problem
is not originating with your computers? Don't go too crazy with
your testing before you verify that the ISP knows what they are
talking about. That will be a tough one. Good Luck.
MA

WFT Electronics
Denver, CO   720 222 1309
" dent the UNIVERSE "

All ideas, text, drawings and audio, that are originated by WFT
Electronics (and its principals), that are included with this
signature text are to be deemed to be released to the public domain as
of the date of this communication.

2009\02\21@012307 by me

I have seen this a couple of times on our networked PCs that I look after
at work (about 30 PCs and about 40 users). The easiest way I have found to
get rid of them was by hand, finding the program and the registry entries
and in safe mode removing both.

It can be time-consuming, but eventually they are always removable.

chris

2009\02\21@073528 by Brendan Gillatt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yigit Turgut wrote:
> Virus infecting the TCP stack? There is no infection methodology like that.
>

There is DLL injection. More than once I have come across a virus that
sprays a DLL into as many threads as it can manage. I'm suggesting it is
no great leap to re-write a component of the TCP/IP stack or unload hooks
from it.

- --
Brendan Gillatt | GPG Key: 0xBF6A0D94
brendan {a} brendangillatt (dot) co (dot) uk
http://www.brendangillatt.co.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFJn/Tgrlc7Stqch40RAl2dAJ48dDRUVSV+4aIzClXBC65/MxUw+QCcD5LY
Z4C8gl8jgrbolFfi1h26kdc=
=oR6v
-----END PGP SIGNATURE-----

2009\02\21@214954 by andrew kelley

On Sat, Feb 21, 2009 at 7:34 AM, Brendan Gillatt wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yigit Turgut wrote:
>> Virus infecting the TCP stack? There is no infection methodology like that.
>>
>
> There is DLL injection. More than once I have come across a virus that
> sprays a DLL into as many threads as it can manage. I'm suggesting it is
> no great leap to re-write a component of the TCP/IP stack or unload hooks
> from it.

On the older MSDN there is a winsock32.dll that is hooked for
debugging use. Undoubtedly it is easily modified.

>
> - --
> Brendan Gillatt | GPG Key: 0xBF6A0D94
> brendan {a} brendangillatt (dot) co (dot) uk
> http://www.brendangillatt.co.uk

2009\02\21@230915 by Josh Koffman

On Fri, Feb 20, 2009 at 2:57 PM, Yigit Turgut wrote:
> Your first action must be to separate your network from the WAN. Local port
> scanning might not give any accurate results because botnets generally use
> reverse connection for command input. This is why some sniffing is essential
> here. Find outgoing connections (like port 6000 that IRC uses) using
> Wireshark and save the source address. This is a node where you may use it
> later to spot your attacker.

I've been watching the computers that may be affected with Wireshark,
and while I see a bunch of DNS requests (and NetBIOS name requests) I
have no idea if that's normal since they aren't connected to a DNS
server when I'm running those tests.

Josh
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
       -Douglas Adams

2009\02\21@231248 by Josh Koffman

On Fri, Feb 20, 2009 at 4:19 PM, cdb wrote:
> I can't say I'm a great expert on this, but something I've found over
> time is, if using a MS OS, then some virii like to hide in the system
> restore area if enabled, and can respawn themselves from there and
> operate quite happily from this location.
>
> The only way I've found to really delete them is to start up in safe
> mode run any anti everything tools, delete the system restore
> archive(s) (I always have sys restore disabled on my own systems) hunt
> down any strange files that seem to hook into Windows Services and
> delete and remove anything in registry and then reboot. I also
> occasionally uninstall the firewall and virus checker utility and then
> re-install a clean copy (disconnected from the WAN/LAN naturally).

I downloaded a couple of bootable CD virus/malware checkers. They
found a couple of things on one machine that the others had missed. Still
no idea if it got it; I'll have to connect to the net to see if the
ISP complains again. This time I'll at least be watching the traffic.

> Is it possible for someone to have rewritten the firmware in your
> router and 'updated' it remotely? I know my router allows for external
> upgrading to be enabled.

Nah, the router is too dumb. It's an old 802.11b Linksys jobbie.
Either way I swapped it out.

Josh
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
       -Douglas Adams

2009\02\21@231441 by Josh Koffman

On Sat, Feb 21, 2009 at 1:22 AM, me wrote:
> I have seen this a couple of times on our networked PCs that I look after
> at work (about 30 PCs and about 40 users). The easiest way I have found to
> get rid of them was by hand, finding the program and the registry entries
> and in safe mode removing both.

Any tips on how you manage it? Just watching the running traffic?

Josh
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
       -Douglas Adams

2009\02\21@232032 by Josh Koffman

On Sat, Feb 21, 2009 at 11:12 PM, Josh Koffman wrote:
> I downloaded a couple of bootable CD virus/malware checkers. They
> found a couple of things on one machine that the others had missed. Still
> no idea if it got it; I'll have to connect to the net to see if the
> ISP complains again. This time I'll at least be watching the traffic.

I should add that this worked nicely on my Dell laptop. My HP tablet
refuses to run either of the bootable CDs, which are Linux based. No
idea why. The Avira one just doesn't like the graphics adapter, it seems,
and the Bitdefender one can't mount the CD filesystem partway through
boot so it fails. Ugh.

Josh
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
       -Douglas Adams

2009\02\21@232312 by Josh Koffman

By the way, has anyone here used WallWatcher? I'm trying to run it,
hooked to my Linksys WRT54G running DD-WRT. It seems to connect, and I
can see system messages that show it booting, but I never see any
traffic. I'm sure there's a setting I'm missing but I haven't found it
yet.

Josh

--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
       -Douglas Adams

2009\02\22@112521 by Harold Hallikainen

> By the way, has anyone here used WallWatcher? I'm trying to run it,
> hooked to my Linksys WRT54G running DD-WRT. It seems to connect, and I
> can see system messages that show it booting, but I never see any
> traffic. I'm sure there's a setting I'm missing but I haven't found it
> yet.
>
> Josh


Did you tell the router the IP address of the computer running Wall
Watcher? I think it's under logging.

Harold

--
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!

2009\02\22@141115 by Yigit Turgut

This might be an interesting case since your network is attacked by
absolutely malicious intruders. It is not a virus, that's for sure; if it was
a virus infecting your filesystem then your ISP wouldn't be able to notice
it.

In the meantime, you might get into some trouble in the near future because
god knows what those intruders used your network for; they used you as a
node for hacking into other systems. I think what you should do is to let
the legal authorities know about your case. I know this comes across a little serious, but
think about it for a while:

there is a system compromised
there is a huge amount of traffic from it
none of the AV and spyware software has signatures for it

What do you think? They are not using botnets for denial of service attacks
that frequently anymore.

For cleaning your systems: it is a custom trojan and might be using a
not well known technique. I can not tell you (I do not know it) how to, but
what is safe is to send a sample of the malicious code to an AV vendor. They
will be creating signatures for it and probably release that/those
signatures in a few days up to a week.

This is the 100% solution from my point of view.
