Warning - Potentially Expensive virus!!

On Mon, 11 Apr 2005 13:02:14 +0100, Doc <webmaster RemoveThis @tentpants.com> wrote:

 > ...
 > Before you connect to the internet again I'd install a good
 > virus protection software and firewall.

make that a hardware firewall. they usually come out of the box
configured to allow nothing in and everything out. It's worth taking time
to learn how to bolt down the connection so outgoing port25 traffic is
only allowed to your known mail servers, ftp only to your known ftp
servers etc. and block all outgoing ports you have no need for.


--
Rover Cars - RIP. Let the asset stripping begin.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Warning - Potentially Expensive virus!! 

I agree. The most common mistake is to allow port 80 to be accessed by your
email client. Sure you have a lot of broken images in your emails but it
stops a lot of problems allow only 25, and 110


"William Tasso" <SpamBlocked.RemoveThis@tbdata.com> wrote in message
news:op.so2hh7zcm9g4qz@jupiter.cavern.tbdata.com...
 > On Mon, 11 Apr 2005 13:02:14 +0100, Doc <webmaster.RemoveThis@tentpants.com> wrote:
 >
  > > ...
  > > Before you connect to the internet again I'd install a good
  > > virus protection software and firewall.
 >
 > make that a hardware firewall. they usually come out of the box
 > configured to allow nothing in and everything out. It's worth taking time
 > to learn how to bolt down the connection so outgoing port25 traffic is
 > only allowed to your known mail servers, ftp only to your known ftp
 > servers etc. and block all outgoing ports you have no need for.
 >
 >
 > --
 > Rover Cars - RIP. Let the asset stripping begin.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Warning - Potentially Expensive virus!! 

On Mon, 11 Apr 2005, Kerry wrote:

 > I've recently done a disk reformat and fresh WinXp install. All was going
 > well untill this morning.
 >
 > My pc is connect to the net via a dailup connection. This morning I booted
 > my pc, checked a few emails and left the machine to itself for an hour while
 > I had breakfast.
 >
 > When I came back the machine had rebooted itself - that's weird I thought.
 > But when I looked closer I noticed a pop-up blocker had been installed into
 > IE. The name on the blocker toolbar is Mirar
 >
 > Furthermore, when I went to reconnect to the internet I noticed the username
 > had been changed from kerryww1 to kerry29.14.80233.2. Worse still the dialup
 > number had also changed to 0011675277024. I found out this number is an
 > international number costing $US1.60 a minute!!
 >
 > Just as well I looked before I pressed the dial button again. Also, luckily
 > I didn't have the automatic re-dia box checked.
 >
 > That's just part of the problem, the connection status dialogue box shows
 > that I'm in a constant state of upload and download which has slowed the
 > connection to a snails pace.What am I uploading and downloading?
 >
 > When I open a new window of IE I often get re-routed to various porn sites.
 >
 > I've come across some viruses in my time but this beats them all!.
 >
 > Anyone have any ideas apart from the usual disk reformat and load windows
 > again for the upteenth time?

The next time you connect, follow these instructions first:
<a style='text-decoration: underline;' href="http://www.cablemodemhelp.com/xpsurvivalguide.pdf" target="_blank">http://www.cablemodemhelp.com/xpsurvivalguide.pdf</a>
or (redirects to the above):
<a style='text-decoration: underline;' href="http://isc.sans.org/presentations/xpsurvivalguide.pdf" target="_blank">http://isc.sans.org/presentations/xpsurvivalguide.pdf</a>

If you need a French version, "Windows XP : Survivre le premier jour":
<a style='text-decoration: underline;' href="http://www.lsdp.net/~lotfree/doc/win/xpsurvivalguide-fr.pdf" target="_blank">http://www.lsdp.net/~lotfree/doc/win/xpsurvivalguide-fr.pdf</a>

You might also find it safer to use IE *only* for Windows Updates
and install an alternate browser for everything else. Also avoid
Outlook/Outlook Express and switch to some other email software.

The software recommended by my ISP:

<a style='text-decoration: underline;' href="http://beacon.chebucto.info/news.shtml" target="_blank">http://beacon.chebucto.info/news.shtml</a>

[snip]
: Updated - Recommended software list
:
: With the recent interest in Internet security and the rise in various
: exploits meant to take over user machines, the Chebucto Office has
: compiled this list of recommended software for user computers running
: Microsoft Windows.
:
: Web browser: Mozilla Firefox free from [18] Mozilla.org
18. <a style='text-decoration: underline;' href="http://mozilla.org/" target="_blank">http://mozilla.org/</a>
:
: Email client: Mozilla Thunderbird free from [19] Mozilla.org
19. <a style='text-decoration: underline;' href="http://mozilla.org/" target="_blank">http://mozilla.org/</a>
:
: Anti-Spyware Software:
: * Ad-Aware SE free and paid versions from [20] Lavasoft.de
20. <a style='text-decoration: underline;' href="http://www.lavasoft.de/" target="_blank">http://www.lavasoft.de/</a>
: * Spybot: Search & Destroy free from [21] Safer-networking.org
21. <a style='text-decoration: underline;' href="http://www.safer-networking.org/" target="_blank">http://www.safer-networking.org/</a>
:
: Firewall: Zone Alarm free and paid versions from [22] Zonelabs.com
22. <a style='text-decoration: underline;' href="http://www.zonelabs.com/" target="_blank">http://www.zonelabs.com/</a>
:
: FTP Software: FileZilla free from [23] FileZilla.SourceForge.net
23. <a style='text-decoration: underline;' href="http://filezilla.sourceforge.net/" target="_blank">http://filezilla.sourceforge.net/</a>
:
: RSS Newsfeed Reader: RSSOwl free from [24] RSSOwl.SourceForge.net
24. <a style='text-decoration: underline;' href="http://rssowl.sourceforge.net/" target="_blank">http://rssowl.sourceforge.net/</a>
[snip]

--
Norman De Forest <a style='text-decoration: underline;' href="http://www.chebucto.ns.ca/~af380/Profile.html" target="_blank">http://www.chebucto.ns.ca/~af380/Profile.html</a>
af380.DeleteThis@chebucto.ns.ca [=||=] (A Speech Friendly Site)
"It's MyParty and I'll delete it if I want to."
-- Trafton Ziegler in alt.comp.virus, on Sunday, February 10, 2002.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Warning - Potentially Expensive virus!! 

On Mon, 11 Apr 2005 14:04:20 +0100, Norman L. DeForest
<af380.DeleteThis@chebucto.ns.ca> wrote:

 > ...
 > You might also find it safer to use IE *only* for Windows Updates
 > and install an alternate browser for everything else.

Good advice, although in practice there will be other sites that require
IE (ISP/HP/etc). The solution that works for me is to add
http*://*.microsoft.com (and others as necessary) to the collection of
trusted sites and disable scripting from IEs 'internet' zone.

 > Also avoid
 > Outlook/Outlook Express and switch to some other email software.

Later versions of O/E can be set to read all mail as text which solves the
automatic threat although I don't know of any technology that will
completely stop a user hell-bent on opening/running attachments.

I believe later versions of Outlook also have similar functionality.

 > The software recommended by my ISP:
 > ...
 > : Firewall: Zone Alarm free and paid versions from [22] Zonelabs.com
<font color=purple> > 22. <a style='text-decoration: underline;' href="http://www.zonelabs.com/</font" target="_blank">http://www.zonelabs.com/</font</a>>

I most strongly recommend that the advice be amended - a hardware firewall
provides more protection than any software.

Software solutions can only work once the intruder has found your machine.

--
Rover Cars - RIP. Let the asset stripping begin.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Warning - Potentially Expensive virus!! 

Kerry wrote:
 > Anyone have any ideas apart from the usual disk reformat and load
 > windows again for the upteenth time?

Here are the free tools I use to keep my machines clean:

<a style='text-decoration: underline;' href="http://www.lavasoftusa.com/software/adaware/" target="_blank">http://www.lavasoftusa.com/software/adaware/</a>
Detects and removes

<a style='text-decoration: underline;' href="http://www.safer-networking.org/en/index.html" target="_blank">http://www.safer-networking.org/en/index.html</a>
Detects and removes

<a style='text-decoration: underline;' href="http://www.javacoolsoftware.com/spywareblaster.html" target="_blank">http://www.javacoolsoftware.com/spywareblaster.html</a>
Prevents installation

<a style='text-decoration: underline;' href="http://www.kephyr.com/spywarescanner/index.html" target="_blank">http://www.kephyr.com/spywarescanner/index.html</a>
Bazooka doesn't automatically remove anything but it detects a lot of
things that other programs don't and it gives you directions for manual
removal
--
Red<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Warning - Potentially Expensive virus!! 

"William Tasso" <SpamBlocked DeleteThis @tbdata.com> wrote in message
news:op.so2mlijqm9g4qz@jupiter.cavern.tbdata.com...

<snip>

 > Software solutions can only work once the intruder has found your machine.

Good side of having software firewall is that when ever something (new)
connects to internet you find out about it. Protection is not good if it's
just inbound (and you have no idea what is trying OUT from your machine),
you have to have way to see outbound connections too, and software firewall
is nice for that.

Modern threats are though very nasty, so even many software firewalls do not
"see" outbound connections because they have been launched through other
processes. For that you need "sandboxing" software, or some firewall that
can detect launches through other processes. Outpost firewall
(www.agnitum.com/products/outpost/) does detect some, and then there's very
nice sandboxing software, Process Guard (www.diamondcs.com.au/processguard/)
that is very useful too.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Warning - Potentially Expensive virus!! 

On Mon, 11 Apr 2005 19:09:07 +0100, Wÿrm <nomailstodragon.TakeThisOut@north.invalid>
wrote:

 >
 > "William Tasso" <SpamBlocked.TakeThisOut@tbdata.com> wrote in message
 > news:op.so2mlijqm9g4qz@jupiter.cavern.tbdata.com...
 >
 > <snip>
 >
  >> Software solutions can only work once the intruder has found your
  >> machine.
 >
 > Good side of having software firewall is that when ever something (new)
 > connects to internet you find out about it.

A Hardware solution will do that too and will continue to do that long
after the software on the workstation has been crippled.

 > Protection is not good if it's just inbound

Correct.

 > (and you have no idea what is trying OUT from your machine),

well, in (UK) law they do say that ignorance is no defence.

 > you have to have way to see outbound connections too, and software
 > firewall is nice for that.

ok - ymmv, but I'd prefer to be examining the blocked attempts in a
dedicated firewall than picking over the remains of a compromised
workstation.

 > Modern threats are though very nasty, so even many software firewalls do
 > not "see" outbound connections because they have been launchedthrough
 > other processes.

yep and s/w firewalls can themselves become compromised.

 > For that you need "sandboxing" software, or some firewall that
 > can detect launches through other processes.

and then something that can detect when the footprint of an executable or
library has been altered.

versions of netstat have been moded to hide trojan connections.

 > Outpost firewall
 > (www.agnitum.com/products/outpost/) does detect some, and then there's
 > very nice sandboxing software, Process Guard
 > (www.diamondcs.com.au/processguard/) that is very useful too.

defence in depth is a good thing, but users do need to know the strengths
and weaknesses of each tool.

of course there's no defence agaist a user absolutely determined to click
the install button.

--
Rover Cars - RIP. Let the asset stripping begin.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Warning - Potentially Expensive virus!! 

"William Tasso" <SpamBlocked DeleteThis @tbdata.com> wrote in message
news:op.so23cnxam9g4qz@jupiter.cavern.tbdata.com...

<snip>

 > A Hardware solution will do that too and will continue to do that long
 > after the software on the workstation has been crippled.

true


<snip>

 > and then something that can detect when the footprint of an executable or
 > library has been altered.

Good software firewalls do have that feature. Have been doing that long
time.


 > versions of netstat have been moded to hide trojan connections.

Yes, but those are not only threats anymore. You can do process injections,
dll injections, reqursive requests etc. And sandboxing is good against those
because those bypass way too many software firewalls.


  > > Outpost firewall
  > > (www.agnitum.com/products/outpost/) does detect some, and then there's
  > > very nice sandboxing software, Process Guard
  > > (www.diamondcs.com.au/processguard/) that is very useful too.
 >
 > defence in depth is a good thing, but users do need to know the strengths
 > and weaknesses of each tool.

Yups, and it's more or less race between attacks and defences, if something
gets patched, there's next new thing behind the corner just waiting...

Still in all, I like software firewalls (with hardware ones) and use them
because systems I have are monitored most of the time, so I can see if there
would be any weirdness almost when it happens


 > of course there's no defence agaist a user absolutely determined to click
 > the install button.

heh True. In the end user can cause so much damage just by doing wrong
click. Good example is all those people who still persists to infect system
by opening email attachments. Nasty world, eh.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Warning - Potentially Expensive virus!! 

On Mon, 11 Apr 2005 15:01:56 +0100, William Tasso wrote:

[putulin]

 > I most strongly recommend that the advice be amended - a hardware firewall
 > provides more protection than any software.

What are you talking about?
Iptables is a "software" firewall and it works quite well.
<a style='text-decoration: underline;' href="http://www.netfilter.org" target="_blank">http://www.netfilter.org</a>

 >
 > Software solutions can only work once the intruder has found your machine.

No so, with Iptables you can easily make you machine look like a black
hole.

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Using this is almost the same as unplugging your network card

--
Tayo'y Mga Pinoy<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Warning - Potentially Expensive virus!! 

On 2005-04-11 07:41:39 -0400, "Kerry" <kerryww1 DeleteThis @bigpond.com> said:

 > Anyone have any ideas apart from the usual disk reformat and load windows
 > again for the upteenth time?


Ditch Windows completely?

Worked for me - I've not had a virus in 8 years.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Warning - Potentially Expensive virus!! 

"Ben Jamieson" wrote.

 >Ditch Windows completely?
 >
 > Worked for me - I've not had a virus in 8 years.
 >

You're right Ben, but I'm not in my office where I download all my email and
do most of my work with RH Linux. Only when necessary, I use Windose. Since
I've been away and relying on a Windows pc this will be the third time I've
had to reload it in 5 months.

The main reason I use (need) Windows is because some years back I started a
web site with FrontPage and never got around to changing.

It amuses me that we buy Windows and everyone tells me not to use IE and
Outlook Express. Same with Frontpage, I constantly read people advising
others not to use many parts of Frontpage, use FTP instead, avoid Frontpage
extensions etc etc. Even when I go to Microsoft's site and check their code,
it's not even done using FrontPage. It seems that not even Microsoft use
their own software! I once read they said that they also use *nix at times
"because it's so robust" Is that true?

What sort of a crazy world do we live in when we buy something then go and
replace it with something else that not only works better but is FREE?

Also thanks for all the help. You're right, I'm about to reformat the disk
and so on. I'm also thinking of buy a Mac to sit alongside my Linux box when
I get back to my office.

Kerry<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Warning - Potentially Expensive virus!! 

On Tue, 12 Apr 2005 00:10:22 +0100, Baho Utot <baho-utot RemoveThis @columbus.rr.com>
wrote:

 > On Mon, 11 Apr 2005 15:01:56 +0100, William Tasso wrote:
 >
 > [putulin]
 >
  >> I most strongly recommend that the advice be amended - a hardware
  >> firewall
  >> provides more protection than any software.
 >
 > What are you talking about?
 > Iptables is a "software" firewall and it works quite well.
<font color=purple> > <a style='text-decoration: underline;' href="http://www.netfilter.org</font" target="_blank">http://www.netfilter.org</font</a>>

works very well

  >> Software solutions can only work once the intruder has found your
  >> machine.
 >
 > No so, with Iptables you can easily make you machine look like a black
 > hole.
 > ...

More to the point you can make your machine a single appliance box and
keep all other machines behind it


--
Rover Cars - RIP. Let the asset stripping begin.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Warning - Potentially Expensive virus!! 

Kerry wrote:

 > I once read they said that [Microsoft] also use *nix at times "because
 > it's so robust" Is that true?

Microsoft once produced and sold their own version of Unix -- it was
called Xenix. They abandoned that circa Windows NT though.

When Microsoft bought Hotmail back in 1997, Hotmail was of course a
Unix shop, running FreeBSD/Apache web servers, Solaris file servers and
mail servers, but using NT boxes with Microsoft SQL to keep the members
directory.

This was rather an embarrasment for Microsoft, so a few years later they
decided to switch them all over to Windows 2000 and IIS 5.0. There is an
internal Microsoft document detailing the transition here:

  http://www.securityoffice.net/mssecrets/hotmail.html

It doesn't paint a pretty picture for Windows as a server platform. I
believe that some of the criticisms in this report though were actioned
upon in Windows 2003, so perhaps there is hope for Microsoft yet.

PS: Below I've put an interesting quote I found on the Internet some time
ago, but the original URL is now dead, so I'm reposting it for posterity.

| Date: Wed, 8 Nov 2000 20:09:55 -0500
| From: "Michael Lueck" <mlueck RemoveThis @lueckdatasystems.com>
| Reply-To: os2-isp RemoveThis @hethmon.com
| To: aurora-beta RemoveThis @voice.os2ss.com, os2-isp RemoveThis @hethmon.com
| Subject: M$ Must Read
|
| Dr. Frank Soltis, the IBM engineer who has been called "the AS/400's
| Elvis," recently shared a success story during a keynote speech at a
| user conference in Florida. This particular company was in the software
| distribution business and at one point had 23 AS/400s located around the
| world. The company was a very good customer, went from CISC to RISC,
| and was always one of the first to upgrade to new technology, he said.
| Then came the Year 2000 problem, and despite five years of dedicated
| service during a period of great revenue growth, the company decided
| that it was time to move off the AS/400. So in June of 1999, the company
| unplugged its AS/400s and powered up 1200 NT servers it needed to
| replace them.
|
| But things didn't quite go as planned. "They found they couldn't make it
| work," Soltis told the crowd. "Today, one year after unplugging their
| AS/400s, they're back on the AS/400." That company is Microsoft. "They
| viewed that as a point of embarrassment," Soltis said. "We thought it
| was kind of fun....Can you think of a company with greater incentive to
| move to NT, and they couldn't do it?"

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ <a style='text-decoration: underline;' href="http://tobyinkster.co.uk/contact" target="_blank">http://tobyinkster.co.uk/contact</a><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Warning - Potentially Expensive virus!!