irc.backdoor.sdbot virus


Theresa (Terrie)

Hi,

I have had such a problem with this machine. I ran a virus detector
that indicated that my machine was infected with a variant of the above
virus. I have installed and reinstalled the operating system over and
over again. The resulting problem persists. I am unable to send
attachment pictures with my email. My upload bytes far exceed my
download bytes. It seems to be flooding or something. Not really good
with all this. I hope someone will be able to help.

Theresa
 
On that special day, Theresa (Terrie), ([email protected]) said...
I have installed and reinstalled the operating system over and
over again.

Did you format the hard disk in between? Over-installing will NOT
remove what is already there, active and running, on your computer,
whether it belongs to the operating system or not.

Why didn't you tell us which program informed you about the presence of
sdbot, and where it has been found? Yes, the *where* is just as
important. There are places where it can be running from, and others
where it might stay neutral. Only if we know this can we help you.


Gabriele Neukam

(e-mail address removed)
 
Gabriele said:
On that special day, Theresa (Terrie), ([email protected]) said...
Why didn't you tell us which program informed you about the presence of
sdbot, and where it has been found? Yes, the *where* is just as
important. There are places where it can be running from, and others
where it might stay neutral. Only if we know this can we help you.


Gabriele Neukam

(e-mail address removed)
Thanks Gabriele,

My op sys is xp and yes I even deleted the partitions before
reformatting and reinstalling. I'm not sure "where" the virus was
running from but Norton reported it as "Trojan Horse -
IRC/Backdoor.sdbot.25.al and IRC/backdoor.sdbot.43.bq". How could it
still be around or the effects of it after I have completely wiped the
hard drive? Is it possible to lurk somewhere else? other than the hard
drive?
 
On that special day, Theresa (Terrie), ([email protected]) said...
Norton reported it as "Trojan Horse -
IRC/Backdoor.sdbot.25.al and IRC/backdoor.sdbot.43.bq".

Again, you omitted *where* they have been found, although this
information is *important*.

You may install a system from scratch, and it is totally clean; then you
go and visit a web site that isn't kosher, and suddenly you find
dangerous content on your hard disk. "Malware", i.e. viruses, worms,
trojan horses, adware and spyware, can come from *many* places.

But the situation can still vary, according to *how* the system had been
installed.


First scenario:

An XP as it was in the beginning, no Service Pack or patches applied, no
online updates: the first thing that will happen is that you get a
message that the machine will shut down in 60 seconds, with a timer
window, and the computer reboots.

That happens because there are still worms wandering through the net,
which make use of weaknesses in the RPC/DCOM and lsass services, trying
to overwrite important RAM portions and install themselves. If they use
the wrong one of two infection methods, the shutdown will occur. If you
don't see a shutdown message, they were successful, and have infected
your computer.

The same and even more weaknesses (the jargon calls them
vulnerabilities) are abused by various infected/trojanized mails, web
sites, messages, and so on. Within days, your computer is a host of
masses of bad software, which is often using your machine as a platform
to attack more victims for more infections of more internet users.


Second scenario:

The XP was installed with the above in mind, so the first thing after
installation was NOT TO GO TO THE INTERNET, instead to install Service
Pack 2, from a reliable source (clean download by a safe machine,
computer magazine cover cdrom), and activation of the ICF (by now it has
a new name, I still don't know it), the Internet Connection Firewall.

With that one active, the machine goes online, and first does the
Microsoft Update, for anything that might have been published after SP2
(there are already new patches to be applied).

*Then* the rest of the internet can be accessed.

There are still (malicious, or manipulated by hackers) sites which try
to use the ActiveX of Internet Explorer, or JScript, or Javascript, to
place software on your computer, without asking your consent. But if you
have IE set to high restrictions, they fail. The only thing that
happens is that while reading an internet site, the "text" of a website
is written to the Temporary Internet Files (TIF, a kind of cache), but
when calling for execution, said execution is denied.

Result: Your anti virus scanner can see dangerous content in your TIF,
but it was never run, your machine is sane.



It depends on which of these two scenarios you actually have set up
whether the sdbot has gained control over your machine or not. This is
why I asked for the *location* of the found files.

If they are identified within the C:\sumthing\Temporary Internet
Files/sumthing, you are safe. Just clear the cache (should be possible
by accessing the properties of the Internet Explorer), and you are done.

But if they are found within C:\Windows, C:\Windows\System32\, or
C:\Windows\System32\sumthing, your machine is already controlled by
external actions, and *no longer yours*. If the latter is the case, the
only solution is to format again, install, and

create the scenario 2, as I described it, *literally*



The reason behind this is: As soon as a *trojan* has gained control, it
can do everything with your computer. Just to make sure that the control
won't be lost, it might download and install even more instances of
itself, under different names, and lots of "brethren".

Removing one trojan means only that there is one less on your machine;
it doesn't mean that all trojans are gone, only that specific one found
by Norton or (insert your favourite AV scanner).

Read my message in the alt.comp.virus board about the "eGreeting" card.
This is a good example for how such things can happen. Note that
Kaspersky initially could not identify the trojan executable, and called
it something like "OK". Only some days later, when other people also
sent samples, and the specialists had finished the analysis, Kaspersky
could describe this specific trojan.

This is the main problem of the system: "Malware" writers are sending
their attacks as fast as possible; and only after one of the attacked
ones, who is wary enough and has the experience to find the dangerous
file, copies it and sends it to the antivirus companies do these
companies get the knowledge about the existence of the malware; and only
then can they start working on it, which will take its time.

They might be as fast as lightning, yet the malware writer is *always*
in advance of them. There might be only a few hours between detection
(which means at least several hours, if not days, between *creation* and
*detection* have already passed by) and first update of the antivirus
program signature, but it may well be too late, as the spreading of the
malware is *fast*, so that many are hit even before the AV companies had
a chance to react.



The only way to avoid infections is: keep your XP patched up to the
teeth, and don't click on links in mails, don't allow boxes that may
appear while you are surfing sites to download *anything* that
you didn't ask for, because they want to *install* something.
Certificates don't mean anything, I could set up a certificate just as I
please, and still you don't know whether my program is harmless or
dangerous to your computer.



An even better way is: Don't use the Internet Explorer firsthand, as it
is the main target for trojanized web sites, while they mainly don't
bother to go through the same procedures for a different web browser,
just in case one of the rare Mozilla or Netscape or Opera users might
drop in.

So use the latter ones, they are free (although the free Opera might
display some ads by itself, but they are rather unobtrusive), to avoid
homepage hijacks *for sure* - that is, until now. You never know if
finally someone tries to exploit them too. So keep your eyes open for
information about security holes within them, too. Yet there are way
less loopholes within them, which gives you some kind of relative
safety.

And for mails, open them in text-only mode, so that dangerous HTML code
won't be run within Outlook Express. There have been OE variants that
would execute code when only previewing the mail (all versions of
IE5/OE5 except for OE5.5 with SP2), which was abused by several series
of mail worms. This should be over by now, but reading the mail only in
text is even safer.

Or try a different mail program. www.pmail.com offers Pegasus, which
will read every message as text, no matter which commands are hidden in
the HTML, but its usage is quite different from OE; you'll have to get
used to it. Eudora is another free mail program, if you choose the
"light" mode - http://www.eudora.com/download/



This is what I can tell you about how to deal with malware generally;
but as you still didn't tell what *really* happened to the files found,
especially *where* they were found on the computer, I can't tell *how*
they came in, and if they did harm. I can only give you a general link
about how to treat them

And how some variants work

To keep them off your computer, do as I told you. And don't open IRC in
such a way that everyone can download something on your computer without
your even knowing. Use a different IRC client that isn't vulnerable.

http://www.trillian.cc/downloads/

understands various messengers, including IRC, AIM, MSN, ICQ, Y!M. You
need to install the latest patch, though, to run it safely.

You might also try

http://gaim.sourceforge.net/about.php

the developers are aware of security issues, and if one turns up, react
immediately. It seems they still don't support file transfers, which
might be good against sdbot attacks.



I hope this will help you to keep your computer safer. And read Art's
page about "safe hex". It will help you a *lot*, because it is written
in an understandable language.

http://www.claymania.com/safe-hex.html

It is invaluable. Read it. Apply it.

HTH



Gabriele Neukam

(e-mail address removed)
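A small triage helper, added here as an example and not part of Gabriele's post, that applies the location rule above to constructed scanner report lines: a hit under Temporary Internet Files is cached content that was never run, while a hit under the Windows or System32 directory means the machine has to be treated as compromised and rebuilt. The "name|path" report layout and the file paths are assumptions; only the two detection names are from the thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample report (layout and paths invented for illustration);
# the detection names are the two Norton reported in the thread.
SAMPLE_REPORT = "\n".join([
    r"IRC/Backdoor.sdbot.25.al|C:\Documents and Settings\Terrie\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\card[1].exe",
    r"IRC/backdoor.sdbot.43.bq|C:\WINDOWS\System32\example_dropper.exe",
])

# Cache hits live under "...\Temporary Internet Files\..." anywhere on disk.
CACHE_RE = re.compile(r"\\temporary internet files\\", re.IGNORECASE)
# Anything under <drive>:\Windows (including System32 and its subfolders).
SYSTEM_RE = re.compile(r"^[a-z]:\\windows(\\|$)", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    path: str
    verdict: str


def classify_path(path: str) -> str:
    """Apply the thread's location rule to one reported file path."""
    if CACHE_RE.search(path):
        return "cache-only"          # written to TIF while browsing, never executed
    if SYSTEM_RE.match(path):
        return "system-compromise"   # running from Windows/System32: rebuild
    return "unknown"                 # need the full path before deciding


def parse_report(text: str) -> List[Finding]:
    """Parse the assumed 'name|path' lines; blank or malformed lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "|" not in line:
            continue
        name, path = (part.strip() for part in line.split("|", 1))
        findings.append(Finding(name, path, classify_path(path)))
    return findings


def recommended_action(findings: List[Finding]) -> str:
    """Worst finding wins: one system-location hit means the whole box is untrusted."""
    verdicts = {f.verdict for f in findings}
    if "system-compromise" in verdicts:
        return "format, reinstall, patch offline (SP2 + firewall) before going online"
    if "unknown" in verdicts:
        return "ask for the exact location of each file before deciding"
    if verdicts == {"cache-only"}:
        return "clear the Internet Explorer cache; the machine was not compromised"
    return "no findings"
```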
 
My op sys is xp and yes I even deleted the partitions before
reformatting and reinstalling. I'm not sure "where" the virus was
running from but Norton reported it as "Trojan Horse -
IRC/Backdoor.sdbot.25.al and IRC/backdoor.sdbot.43.bq". How could it

Most likely you are getting reinfected, after the reinstall.

Read the following on how to prepare a new installation of XP
BEFORE connecting it to the internet.

See http://isc.sans.org/presentations/xpsurvivalguide.pdf
Note that you need a pdf reader such as acrobat, to read the document.

Regards, Dave Hodgins
 
Thanks to all

You have been most helpful and I think I can go and get this thing now :)
 