How Can This Happen? Recurring Virus

Thread starter: Metalious

Metalious

I detected the virus apparently known as w32/pate.b among other names.

I was just into a pretty new install of XP so I figured wtf, I'll just
reformat and be absolutely sure to get rid of it.

I had just gotten to a new desktop, downloaded a new version of McAfee
Virus7.0 university edition, installed it and before I could even configure
it, I was infected again. And I suddenly had all these infected .RB0 files.

I had not executed anything. It must have been resident on another partition
or drive but I still don't understand how...

Unfortunately, XP defaults to System Restore being on. Could that be it? My
new install was infected by my old SR files? Because a file there was indeed
infected. It was AT3934404494404494.exe or something like that.

I still don't know how it came back after a reformat/reinstall though.

Anyway, I turned off Sys Rest and let McAfee clean for about an hour. Then I
did another reformat/reinstall.

It appeared to work. Until today.

300 plus new files were infected. They all had the file extension .RB0.

And McAfee only seems to detect an infection when I open a folder that
contains one.

This is really bizarre. Did someone take the old Parite.B and tweak it out?

Please help

Metalious
 
Metalious said:
I detected the virus apparently known as w32/pate.b among other names.

I was just into a pretty new install of XP so I figured wtf, I'll just
reformat
and be absolutely sure to get rid of it.

I had just gotten to a new desktop, downloaded a new version of McAfee
Virus7.0 university edition, installed it and brfore I could even configure
it,
I was infected again. And I suddenly had all these infected .RB0 files.

You were connected to the Internet, right??

With all the standard "out of the box" Windows XP security vulnerabilities,
quite possibly with file sharing enabled and perhaps with a blank password
on the administrator account.

Of course you got infected.

The only thing that surprises me is that it took so _long_...

To be safe on the Internet today, while installing a new Windows box, you
have to remember that _no_ "out of the box" installation of _any_ Windows
version is "safe enough" to put on the Internet without a _serious_ round
of security patching __AND__ further system hardening.

Of course, the Catch-22 is that MS will not allow anyone else to distribute
service packs or their security hotfixes, cumulative IE security patches,
security "roll-ups" for various key products/OSes, etc, etc. In other
words, Microsoft _requires_ that you maintain at least one fully patched
"legacy" system so as to be able to get the patches needed for any other
system you may wish to install. If you do not, or "worse" you cannot
because you have just one system (as is typical for many home users and
very small business users) Microsoft effectively requires that you run a
near-certain risk of becoming infected with one or more of the _many_ "bad
things" out and about on the net at any given moment...
 
In Message-ID:<[email protected]> posted on Thu, 16 Oct 2003
Of course, the Catch-22 is that MS will not allow anyone else to distribute
service packs or their security hotfixes, cumulative IE security patches,
security "roll-ups" for various key products/OSes, etc, etc. In other
words, Microsoft _requires_ that you maintain at least one fully patched
"legacy" system so as to be able to get the patches needed for any other
system you may wish to install. If you do not, or "worse" you cannot
because you have just one system (as is typical for many home users and
very small business users) Microsoft effectively requires that you run a
near-certain risk of becoming infected with one or more of the _many_ "bad
things" out and about on the net at any given moment...

Like having to walk barefooted to the shoe store.
 
Sounds like you've got multiple drives and partitions on your system, so
you've blasted one but the buggers skipped partition, or more likely it's on
the partition itself.
If it's on a network, I'd check the others and make sure that one of them
isn't a vector of some sort.

Someone really needs to set up some sort of CIA style ten most wanted list
of virus writers.

It's getting to the point where it's just beyond the joke. It's becoming bad
for business.

Regards,

Ka.
 
from the wonderful person Nick said:
You were connected to the Internet, right??

With all the standard "out of the box" Windows XP security vulnerabilities,
quite possibly with file sharing enabled and perhaps with a blank password
on the administrator account.

Of course you got infected.

The only thing that surprises me is that it took so _long_...

To be safe on the Internet today, while installing a new Windows box, you
have to remember that _no_ "out of the box" installation of _any_ Windows
version is "safe enough" to put on the Internet without a _serious_ round
of security patching __AND__ further system hardening.

You're =pretty= safe if you have your firewall up, your AV running, and
don't have any network shares .. however yes, you do need to go get all
the security patches right smartly. A quick visit to 'shieldsup!' (or
similar) might well reveal some problems.
 
I'm behind a NAT firewall. None of my other boxes are infected. The odds
of someone hacking my box in the less than 5 minutes I was online and
executing another pate virus I think is really slim. Not impossible, but
given the stated fact that I had the pate virus in my System Volume restore
file I think it's far more plausible that it was the same infection.
 
buggers skipped partition

?


Ka Khiong Kwok said:
Sounds like you've got multiple drives and partitions on your system, so
you've blasted one but the buggers skipped partition, or more likely it's on
the partition itself.
If it's on a network, I'd check the others and make sure that one of them
isn't a vector of some sort.

Someone really needs to set up some sort of CIA style ten most wanted list
of virus writers.

It's getting to the point where it's just beyond the joke. It's becoming bad
for business.

Regards,

Ka.


Then
 
Just for fun, I went and did a GRC Shields Up. Stealth.

So does anyone else want to make a stab at how this thing executed
itself from another partition or disk, perhaps in the Sys Vol folder?


Metalious said:
I'm behind a NAT firewall. None of my other boxes are infected. The odds
of someone hacking my box in the less than 5 minutes I was online and
executing another pate virus I think is really slim. Not impossible, but
given the stated fact that I had the pate virus in my System Volume restore
file I think it's far more plausible that it was the same infection.
 
Whoops, my bad. Anyway, the reference was back to the days of Monkeys and
Stone. Yes, I'm still dealing with those, if anyone's that bored.
Didn't know he was behind a firewall though. Given the additional info, I'm
in agreement, the restore's infected. Let's just say I've seen this happen
before and that I had to do a lot of ear bashing to stop it from happening
again.

Regards,

Ka.
 
[ snippedy do-dah ]
I'm in agreement, the restore's infected. Let's just say I've seen this
happen before and that I had to do a lot of ear bashing to stop it from
happening again.

I'm not a Windows user anymore, but I am curious.

If you do a full format, shouldn't the system
restore get deleted?

Where is the system restore located?
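On Windows XP, System Restore keeps its restore points in a hidden, SYSTEM-only folder on every monitored volume: `\System Volume Information\_restore{GUID}\RPnnn\`. Reformatting C: wipes that volume's copy, but any other partition that was monitored keeps its snapshots, including copies of executables the file infector had already touched, and an on-access scanner fires on them as soon as the folder is read. The Python below is an editor's example, not code from anyone in this thread; it walks a volume and reports the two indicators the thread actually names (a `.RB0` extension, and a location inside a `_restore{...}` folder). The sample tree it builds in a temp directory is constructed: the GUID, the `RP12` number and the file names `A0001234.exe` and `setup.RB0` are made up for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Per-volume restore-point directory that Windows XP System Restore creates
# under "System Volume Information"; RPnnn subfolders hold the snapshots.
RESTORE_DIR_RE = re.compile(r"_restore\{[0-9A-Fa-f-]+\}", re.IGNORECASE)

# Extension the original poster reported on the newly infected files.
SUSPECT_EXTENSIONS = {".rb0"}


def classify(path: Path, root: Path):
    """Return indicator tags for one file ([] when nothing matched)."""
    tags = []
    if any(RESTORE_DIR_RE.fullmatch(part) for part in path.relative_to(root).parts):
        tags.append("restore-point-copy")
    if path.suffix.lower() in SUSPECT_EXTENSIONS:
        tags.append("rb0-extension")
    return tags


def scan_volume(root):
    """Walk one volume root; return ({relative_posix_path: [tags]}, [unreadable dirs]).

    Unreadable directories are collected instead of aborting the walk: on a live
    XP box "System Volume Information" is ACLed to SYSTEM only, so a scan run as
    an ordinary user must report what it could not inspect.
    """
    root = Path(root)
    hits = {}
    unreadable = []
    for dirpath, _dirnames, filenames in os.walk(
        root, onerror=lambda err: unreadable.append(str(err.filename))
    ):
        for name in filenames:
            p = Path(dirpath) / name
            tags = classify(p, root)
            if tags:
                hits[p.relative_to(root).as_posix()] = tags
    return hits, unreadable


def build_sample_volume():
    """Constructed stand-in for a data partition (D:) that XP was monitoring."""
    vol = Path(tempfile.mkdtemp(prefix="vol_d_"))
    rp = (vol / "System Volume Information"
          / "_restore{9F1C2D3E-0000-4000-8000-000000000001}" / "RP12")
    rp.mkdir(parents=True)
    (rp / "A0001234.exe").write_bytes(b"MZ" + b"\x00" * 62)   # snapshot copy of an .exe
    docs = vol / "Documents"
    docs.mkdir()
    (docs / "report.doc").write_bytes(b"not an executable")
    (docs / "setup.RB0").write_bytes(b"MZ" + b"\x00" * 62)    # extension the thread reports
    (vol / "Program Files").mkdir()
    (vol / "Program Files" / "app.exe").write_bytes(b"MZ" + b"\x00" * 62)
    return vol


if __name__ == "__main__":
    found, skipped = scan_volume(build_sample_volume())
    for rel, tags in sorted(found.items()):
        print(f"{', '.join(tags):24} {rel}")
    for d in skipped:
        print(f"could not read: {d}")
```

Run it against a real mount point (for example `D:\` from an account that can read the folder, or a slaved disk mounted on another system) to see what the old restore points still hold before deciding the infection "came back". On the live box, turning System Restore off for all drives in System Properties deletes the `_restore` folders, which is the step the original poster eventually took; the scan is for confirming what is sitting on the other partitions first.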
 
You can basically do an image of the entire disk and store it somewhere. If
you're with the big boys, you'll store it at a data warehouse of some sort.
Not too sure about XP, but with 2000 there are tools available that you could
use to create remote installations. I've used some of them meself but the
more high end stuff is still new to me (working towards a wanky MCSA).

The thing though is that recovery from an image is all fine and good
provided you've got a Virgin copy (as me and this dude used to call a base
image). If not and you're recovering from just an image of a system, then
you better pray that the image is good in the first place.

That's only the beginning, it gets interesting if you're trying to restore
the image on a different hardware configuration.

By the by, which O/S are you using now, Mac O/S X or Linux?

All the best,

Ka.
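"Pray that the image is good" can be replaced by a check: record a digest of the base image at the moment it is taken, before the machine ever touches the network, and refuse to restore from it unless size and digest both still match. The Python below is an editor's example, not a tool anyone in the thread used; the image it hashes is a constructed byte pattern written to a temp directory, and the manifest format (a small JSON file) is an assumption for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads; disk images are far too large to slurp into memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(image_path, manifest_path, note=""):
    """Record size and digest of the base image when it is created."""
    p = Path(image_path)
    manifest = {"image": p.name, "size": p.stat().st_size,
                "sha256": sha256_file(p), "note": note}
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_image(image_path, manifest_path):
    """Return (ok, reason). Size is checked first because it is free; the digest
    is the real check and catches a same-size modification."""
    manifest = json.loads(Path(manifest_path).read_text())
    p = Path(image_path)
    if not p.exists():
        return False, "image missing"
    if p.stat().st_size != manifest["size"]:
        return False, "size mismatch"
    if sha256_file(p) != manifest["sha256"]:
        return False, "digest mismatch"
    return True, "ok"


def demo():
    """Constructed walk-through: clean image, then three ways it can go bad."""
    d = Path(tempfile.mkdtemp(prefix="img_"))
    img, man = d / "base.img", d / "base.json"
    img.write_bytes(bytes(range(256)) * 4096)          # 1 MiB stand-in for an image
    write_manifest(img, man, note="virgin base image")
    results = [verify_image(img, man)]
    with open(img, "r+b") as f:                        # same size, one byte changed
        f.seek(1000)
        f.write(b"\xff")
    results.append(verify_image(img, man))
    with open(img, "ab") as f:                         # data appended
        f.write(b"x")
    results.append(verify_image(img, man))
    os.remove(img)                                     # image gone
    results.append(verify_image(img, man))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("RESTORE" if ok else "REFUSE ", reason)
```

Keep the manifest somewhere the image store cannot reach (printed out, or on read-only media); whatever can rewrite the image can rewrite a manifest kept beside it. The digest only proves the image is the one you recorded, not that it was clean when recorded, which is why the base image has to be captured before the box is patched over the network and before any user data lands on it.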

Jason Wade said:
[ snippedy do-dah ]
I'm in agreement, the restore's infected. Let's just say I've seen this
happen before and that I had to do a lot of ear bashing to stop it from
happening again.

I'm not a Windows user anymore, but I am curious.

If you do a full format, shouldn't the system
restore get deleted?

Where is the system restore located?
 
You can basically do an image of the entire disk and store it somewhere. If
you're with the big boys, you'll store it at a data warehouse of some sort.
Not too sure about XP, but with 2000 there are tools available that you could
use to create remote installations. I've used some of them meself but the
more high end stuff is still new to me (working towards a wanky MCSA).

The thing though is that recovery from an image is all fine and good
provided you've got a Virgin copy (as me and this dude used to call a base
image). If not and you're recovering from just an image of a system, then
you better pray that the image is good in the first place.

That's only the beginning, it gets interesting if you're trying to restore
the image on a different hardware configuration.

By the by, which O/S are you using now, Mac O/S X or Linux?

I'm on Linux now.

So I guess that virus writers are now targeting the
system restore for infection.

Maybe the system restore needs to be on read-only
media (CD-ROM).

Safe computing is becoming more and more of a challenge.
 
I doubt they're targeting anything. My own thought is that they're playing
Dr Frankenstein. Create an entity, release it and see what it does. What's
being done is extremely childish and irresponsible.

The only real reason why I'm even keeping an eye on viruses these days is to
stop the brats from bugging myself and my (former) clients.

Personally, I'd rather see the practice outlawed and legal avenues created
to allow for victims to take out damages against the individuals
responsible.

That's my two cents anyway.

Have a great one,

Ka.
 