Notepad.exe overwritten with malware

* * Chas

I was attacked by a hijacker program while surfing the web.

I'm running Win98SE IE 5.01 SP3 with all of the updates. I
run Kerio 2.15 behind a NAT router, AdSubtract 2.55 and
updated NAV 2002 (only on this system for E-mail scanning).

My Notepad.exe file was replaced with a 4KB file. A copy of
the same infected file was placed in the C:\Windows\System32
Folder and another copy of the same file renamed Setup1.exe
was placed in the C:\Temp Folder.

Kerio 2.15 stopped the attack and I was able to locate and
manually remove the infected files and replace Notepad.exe.

I checked my system with Updated versions of NAV, F-Prot,
Spybot S&D, Ad-Aware, The Cleaner and Pest Patrol but nothing
showed up as malware.

The bad files contain the lines:

Content-Length:200 HTTP/1.0
Host: GET -.exe217.116.233.119/help/guide.exeRSDS
d:\Projects\01.05.04\jokke\loader.exe\Release\loader.exe.pdb

Loader.exe is associated with various spyware and trojan
programs.

It looks like I caught the bugger before it could call home
and infect my system.

I sent the bogus Notepad.exe file to Symantec and I'm going
to send a copy to other vendors.

Has anyone else run into this?
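A triage routine for a suspect binary like the 4KB Notepad.exe described above, added here as an example and not part of the original post or of any tool named in it: it parses CodeView RSDS debug records (the "RSDS" marker followed by a GUID, an age and the NUL-terminated PDB path, which is where the loader.exe.pdb string in the post comes from) and pulls out HTTP- and IP-looking strings. The sample bytes are constructed; the PDB path is the one quoted above, and 192.0.2.10 is a TEST-NET placeholder, not the address from the post.

```python
import re
import struct
import uuid

# Constructed sample, NOT the file from the thread: a CodeView RSDS debug record
# (marker, 16-byte GUID, 4-byte age, NUL-terminated PDB path) followed by an HTTP
# request fragment. PDB path is the one quoted in the post; the IP is TEST-NET.
SAMPLE = (
    b"\x00" * 8
    + b"RSDS"
    + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
    + struct.pack("<I", 3)
    + b"d:\\Projects\\01.05.04\\jokke\\loader.exe\\Release\\loader.exe.pdb\x00"
    + b"\x00" * 4
    + b"GET /help/guide.exe HTTP/1.0\r\nHost: 192.0.2.10\r\nContent-Length:200\r\n"
)

def extract_rsds(data):
    """Return (guid, age, pdb_path) for every well-formed RSDS record in data."""
    records = []
    pos = data.find(b"RSDS")
    while pos >= 0 and pos + 24 <= len(data):
        guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
        age = struct.unpack_from("<I", data, pos + 20)[0]
        end = data.find(b"\x00", pos + 24)
        path = data[pos + 24:end if end >= 0 else len(data)]
        # A real record carries a printable path; skip chance "RSDS" byte runs.
        if path and all(0x20 <= b < 0x7F for b in path):
            records.append((str(guid), age, path.decode("ascii")))
        pos = data.find(b"RSDS", pos + 4)
    return records

def extract_network_strings(data, min_len=6):
    """Printable strings that look like HTTP verbs/headers or contain an IPv4."""
    ipv4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    http = re.compile(r"^(?:GET|POST|Host:|HTTP/1\.[01]|Content-Length)")
    hits = []
    for raw in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data):
        text = raw.decode("ascii")
        if ipv4.search(text) or http.match(text):
            hits.append(text)
    return hits
```

The PDB path and GUID give a pivot for clustering other samples built from the same project; the network strings are what to check against firewall logs.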
 
Beauregard T. Shagnasty

Quoth the raven * * Chas:
I was attacked by a hijacker program while surfing the web.

I'm running Win98SE IE 5.01 SP3 with all of the updates.

How come you haven't updated to IE 6.0 SP1? You are about five years
behind the times here, with all the security holes that old browser has.
http://home.rochester.rr.com/bshagnasty/tips.html#browsers

Better yet, switch to a /modern/ browser such as Mozilla, Firefox, or
Opera and almost all of your problems will go away. Assuming you
practice Safe Hex in the meantime.
 
FromTheRafters

* * Chas said:
I sent the bogus Notepad.exe file to Symantec and I'm going
to send a copy to other vendors.

Has anyone else run into this?

I guess that means nobody else has... ;o)

Did you get an answer from the vendors yet?

Also, I was wondering if it is even possible to get that old version
of IE/OE to be secure. I seem to remember some vulnerability for
that that was only addressed by upgrading to a newer version.
 
Arthur A. LeGasse

FromTheRafters said:
I guess that means nobody else has... ;o)

Did you get an answer from the vendors yet?

Also, I was wondering if it is even possible to get that old version
of IE/OE to be secure. I seem to remember some vulnerability for
that that was only addressed by upgrading to a newer version.

As far as I can tell MS has continued to upgrade IE 5.0.

I'm running 5.01SP2 on my Win98 systems and IE5.01SP3 on the Win2k boxes.

IE 5.01 seems to be more stable and has fewer problems and vulnerabilities
than IE 6! Same goes for Win98 vs. Win2k and XP vulnerabilities. Hackers
don't seem to write malware to go after Win98 as much as for the later,
"more secure" operating systems.

Chas.
 
FromTheRafters

Arthur A. LeGasse said:
As far as I can tell MS has continued to upgrade IE 5.0.

I'm running 5.01SP2 on my Win98 systems and IE5.01SP3 on the Win2k boxes.

IE 5.01 seems to be more stable and has fewer problems and vulnerabilities
than IE 6! Same goes for Win98 vs. Win2k and XP vulnerabilities. Hackers
don't seem to write malware to go after Win98 as much as for the later,
"more secure" operating systems.

Chas.

Thanks, Chas. BTW, I never was able to get InCtrl4 to work correctly,
but InCtrl5 came in real handy. Thanks again.
 
Jason Wade

[ snippedy do-dah ]
Hackers don't seem to write malware to go after Win98 as much as for the
later, "more secure" operating systems.

Win98 doesn't have RPC exposed on the internet. Win98 doesn't create a
hidden admin share of c:\, making the root directory "open for business."

Winxp - the first spread eagle operating system :)

That's why hackers love to fsck it so much.
 
* * Chas

FromTheRafters said:
t...

Thanks, Chas. BTW, I never was able to get InCtrl4 to work correctly,
but InCtrl5 came in real handy. Thanks again.

Good! InCtrl4 works great with Win95, 98, NT4 and maybe ME
(who cares). It won't work with W2k or later MS OSs.
 
* * Chas

[ snippedy do-dah ]
Hackers don't seem to write malware to go after Win98 as much as for the
later, "more secure" operating systems.

Win98 doesn't have RPC exposed on the internet. Win98 doesn't create a
hidden admin share of c:\, making the root directory "open for business."

Winxp - the first spread eagle operating system :)

That's why hackers love to fsck it so much.

Another problem that I have with W2k and XP is when a
program crashes ( or heaven forbid, the OS crashes), it
usually takes at least 5 minutes to get the system back.

Relaunching the munged program frequently results in it
crashing again. I can 3 finger salute or hit the reset
button and have Win98 restarted and up and running again in
2-3 minutes!
 
* * Chas

* * Chas said:
I was attacked by a hijacker program while surfing the web.

I'm running Win98SE IE 5.01 SP3 with all of the updates. I
run Kerio 2.15 behind a NAT router, AdSubtract 2.55 and
updated NAV 2002 (only on this system for E-mail scanning).

My Notepad.exe file was replaced with a 4KB file. A copy of
the same infected file was placed in the C:\Windows\System32
Folder and another copy of the same file renamed Setup1.exe
was placed in the C:\Temp Folder.

Kerio 2.15 stopped the attack and I was able to locate and
manually remove the infected files and replace Notepad.exe.

I checked my system with Updated versions of NAV, F-Prot,
Spybot S&D, Ad-Aware, The Cleaner and Pest Patrol but nothing
showed up as malware.

The bad files contain the lines:

Content-Length:200 HTTP/1.0
Host: GET -.exe217.116.233.119/help/guide.exeRSDS
d:\Projects\01.05.04\jokke\loader.exe\Release\loader.exe.pdb

Loader.exe is associated with various spyware and trojan
programs.

It looks like I caught the bugger before it could call home
and infect my system.

I sent the bogus Notepad.exe file to Symantec and I'm going
to send a copy to other vendors.

Has anyone else run into this?

I sent copies of the "Notepad.exe" file to Symantec and
F-Prot. They both responded back that they could not detect
any malware in the file - BS!

I isolated and renamed the file.

For the past several weeks, F-Prot has been detecting the
file as W32/Sillydl.dl. Hijacker? Adware? Parasite? Trojan?
Some kind of Malware....

Norton still doesn't detect any problem with the file - DOH!

I only use Norton on one system, my E-mail box.
 
null

* * Chas

It's a downloader Trojan (downloads other files). Here's a Project
VGREP hit:
http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=w32%2Fsillydl.dl&product=0

This is a great site, thanks.

I have enough protection on my system: NAV, F-Prot,
Ad-Aware, SpyBot, The Cleaner, Pest Patrol, AdSubtract and
IE Paranoid Settings plus I have a file change monitor that
I use when I'm on the web.

I caught the critter before it could get too far. It over
wrote Notepad.exe, put a copy in C:/Windows/System32 and put
another copy with a different name in another folder.

I do a lot of searches on metallurgical technology for my
work and frequently end up in Eastern European web sites. I
catch some kind of trash at least once a month.
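The "file change monitor" approach that caught the overwrite above, and the InCtrl-style before/after comparison mentioned earlier in the thread, as an added example (not Chas's monitor, InCtrl5 or any other tool from the thread): snapshot the size and SHA-256 of every file, then diff two snapshots. demo() builds a constructed directory tree mirroring the incident (notepad.exe replaced by a 4 KB stand-in, copies dropped into System32 and Temp); all paths and file contents are constructed, not the real files.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file under root to (size, sha256) so a later snapshot can be diffed."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(full, root)] = (os.path.getsize(full), digest)
    return snap

def diff_snapshots(before, after):
    """Classify differences the way an install/change monitor reports them."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed scenario mirroring the thread: notepad.exe swapped for a 4 KB
    stand-in and two copies dropped elsewhere. Returns the diff plus size deltas."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Windows", "System32"))
        os.makedirs(os.path.join(root, "Temp"))
        notepad = os.path.join(root, "Windows", "notepad.exe")
        with open(notepad, "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 60000)   # stand-in for the legitimate binary
        before = snapshot(root)
        payload = b"MZ" + b"\x00" * 4094         # inert 4 KB stand-in, not malware
        for path in (notepad,
                     os.path.join(root, "Windows", "System32", "notepad.exe"),
                     os.path.join(root, "Temp", "Setup1.exe")):
            with open(path, "wb") as fh:
                fh.write(payload)
        after = snapshot(root)
        result = diff_snapshots(before, after)
        # A system binary shrinking from ~60 KB to 4 KB is the tell Chas noticed.
        result["size_change"] = {p: (before[p][0], after[p][0]) for p in result["changed"]}
        return result
```

Baseline the snapshot from known-good media, not from a machine that may already be compromised, or the replaced binary becomes the baseline.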
 
null

http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=w32%2Fsillydl.dl&product=0

This is a great site, thanks.

I have enough protection on my system: NAV, F-Prot,
Ad-Aware, SpyBot, The Cleaner, Pest Patrol, AdSubtract and
IE Paranoid Settings plus I have a file change monitor that
I use when I'm on the web.

I caught the critter before it could get too far. It over
wrote Notepad.exe, put a copy in C:/Windows/System32 and put
another copy with a different name in another folder.

I do a lot of searches on metallurgical technology for my
work and frequently end up in Eastern European web sites. I
catch some kind of trash at least once a month.

Well, I do a lot of surfing and never get hit with anything. See my
web site for suggestions.


Art
http://www.epix.net/~artnpeg
 
null

Maybe you just don't go to enough porn sites! ;-)

Seriously, I go to all kinds of sites to see if there's anything that
affects Mozilla (with Java Script enabled). Haven't found anything at
all yet.

Maybe you mean subscribing, downloading and running shit? If you do
that, no software "protection" is going to save your butt :)


Art
http://www.epix.net/~artnpeg
 
* * Chas

Seriously, I go to all kinds of sites to see if there's anything that
affects Mozilla (with Java Script enabled). Haven't found anything at
all yet.

Maybe you mean subscribing, downloading and running shit? If you do
that, no software "protection" is going to save your butt :)
Art
http://www.epix.net/~artnpeg

Na, I'm running through a NAT/Firewall Router, I run through
a gateway, I use Kerio and I'm very paranoid about what I
sign up for or D/L.

A lot of great technical work was done at the universities
in Russia and former East Bloc countries during the 80's and
90's. It's searching those sites that I get hit. When you
sleep with dogs, you get fleas!

It's mostly adware attacks and browser hijackers that I've
been hit with: Lop, Xupiter and so on. Sh*t Happens!

I run regular backup to a SCSI tape drive and do frequent
Ghost images plus I back up my data to a fairly secure
machine.

I've tried Opera and Mozilla but found them buggy in the
past. I have Opera on my sheep dip PC but there are things
that I don't like about the interface. I'm going to give
Mozilla a try again and also FoxFire.

I've only ever had 2 viruses: in 1995 a week after the first
Word Macro Viruses were announced, I found that I had both
of the first variants.

NAV, Central Point and McAfee etc. didn't have a clue at the
time. I switched to Dr. Solomons and used it as my main AV
up until the bitter end. I've also always used 2-4 other on
demand scanners for backup. I can't afford the possibility
of sending an infected file to a client.

I frequently receive infected Floppies and E-mails from the
people that I correspond with around the world. They are
mostly Excel Macro viruses. I work with .PDFs whenever
possible to limit risks.

Thanks for the suggestions. I wasn't really asking for
advice, just reporting an event. Your web site is great
BTW!
 
null

Na, I'm running through a NAT/Firewall Router, I run through
a gateway, I use Kerio and I'm very paranoid about what I
sign up for or D/L.

A lot of great technical work was done at the universities
in Russia and former East Bloc countries during the 80's and
90's. It's searching those sites that I get hit. When you
sleep with dogs, you get fleas!

It's mostly adware attacks and browser hijackers that I've
been hit with: Lop, Xupiter and so on. Sh*t Happens!

That's because you use IE :) I never get hit with any of that junk.

I run regular backup to a SCSI tape drive and do frequent
Ghost images plus I back up my data to a fairly secure
machine.

I've tried Opera and Mozilla but found them buggy in the
past. I have Opera on my sheep dip PC but there are things
that I don't like about the interface. I'm going to give
Mozilla a try again and also FoxFire.

FireFox. Do give them a try. They've come a long way!

I've only ever had 2 viruses: in 1995 a week after the first
Word Macro Viruses were announced, I found that I had both
of the first variants.

NAV, Central Point and McAfee etc. didn't have a clue at the
time. I switched to Dr. Solomons and used it as my main AV
up until the bitter end. I've also always used 2-4 other on
demand scanners for backup. I can't afford the possibility
of sending an infected file to a client.

I frequently receive infected Floppies and E-mails from the
people that I correspond with around the world. They are
mostly Excel Macro viruses. I work with .PDFs whenever
possible to limit risks.

Thanks for the suggestions.

You got them whether you asked or not :)

I wasn't really asking for
advice, just reporting an event. Your web site is great
BTW!

Hope it's helpful. I basically put up an outline of basic info I wish
I had when I first started with Windbloze.


Art
http://www.epix.net/~artnpeg
 
* * Chas

That's because you use IE :) I never get hit with any of
that junk.

I just installed Mozilla 1.7 on my sheep dip system. I'm
real impressed with it! They've come a long way.
 
* * Chas

* * Chas said:

FYI Not a big deal, but NAV finally detects W32/Sillydl.dl.

F-Prot has been detecting it for the past several weeks and just for yuks,
I ran a 1999 version of Dr Solomons that I still have on one old system
and it detected it!!
 