Virus killing AV software?

Thread starter: Baruch

I upgraded from Win 98 to XP Home today. The upgrade didn't like my
AV or firewall software (AntiVir and Sygate Personal), so I was
unprotected for a while. I also waited too long to install the
various Microsoft patches, thinking that since this was a fresh
install, it would be OK to wait a while. Silly me...

When I tried to install the software (AV and firewall), they wouldn't
work correctly. I went to their respective Websites, did a fresh
download, uninstalled everything, reinstalled, and still no good. The
programs start up and die. Once, it ran long enough to tell me that
it had found a "nachi.b.1 worm". Apparently another name for this is
"welchia".

Then I tried to access McAfee and Symantec, but could not get through
to them - "Cannot Find Server". In fact, almost *any* antivirus
software site was inaccessible.

Any software I had that might give me insight (msconfig, for example)
died right after it started.

Other programs, however, worked fine. I could get to most Websites,
run other programs, whatever. Just security-related stuff.

I tried to ping Symantec and McAfee from the command line, and this is
where it got interesting. Their IP address showed up as 127.0.0.1.
At least now I know why I couldn't access their sites.

I looked at the "hosts" file (on XP Home it's at:
C:\Windows\System32\drivers\etc). It had many entries, which I
produce here:

127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com

As you can see, many AV companies are redirected to localhost. The
other files in the folder were uncorrupted, and once I fixed hosts I
was able to get to the AV companies without problems.

My questions are:

1. Has anyone encountered a similar situation?
2. Aside from using AV to clean up, and a firewall to keep from
getting reinfected, is there anything else I need to do?
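Added example (Python, not part of the original post): a small checker for the kind of hosts-file tampering described above. It flags any hostname other than localhost that is pinned to a loopback address, and comments the offending lines out rather than deleting them. It goes slightly beyond the post by also treating 0.0.0.0, another common sinkhole address, as suspect. The sample hosts text is constructed to mirror the quoted entries, and the function names are my own.

```python
import ipaddress
# Names a stock hosts file legitimately maps to loopback.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                         "ip6-localhost", "ip6-loopback", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def find_hijacked_entries(text):
    """Return (ip, hostname) pairs where a non-localhost name is pinned to a
    loopback or 0.0.0.0 sinkhole address: the mark a hosts-file hijack leaves."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; skip rather than crash on bad input
        if (addr.is_loopback or addr.is_unspecified) and name not in BENIGN_LOOPBACK_NAMES:
            hits.append((ip, name))
    return hits

def clean_hosts(text):
    """Comment out hijacked lines instead of deleting them so the evidence survives.
    A line mixing localhost with hijacked names is quarantined whole; re-add localhost by hand."""
    bad = set(find_hijacked_entries(text))
    out = []
    for raw in text.splitlines():
        if any(pair in bad for pair in parse_hosts(raw)):
            out.append("# QUARANTINED: " + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"

# Constructed sample modelled on the entries quoted in the post above.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
0.0.0.0 www.mcafee.com   # 0.0.0.0 is another common sinkhole address
127.0.0.1\tsophos.com www.sophos.com
192.168.1.10 printer.home.lan
"""
```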
 
http://vil.nai.com/vil/stinger/

Baruch said:
<snip>
 
Baruch said:
1. Has anyone encountered a similar situation?

The type of virus you encountered is called a "retrovirus" (*). They
try to fight back against antivirus or firewall software by shutting it down or
uninstalling it, and they forbid connections to security websites
that may correct the problem (information or updates). It's pretty
usual today.
2. Aside from using AV to clean up, and a firewall to keep from
getting reinfected, is there anything else I need to do?

- Avoid clicking on attachments :)
- Update your OS (especially to correct the RPC windows flaw).
- Use decent e-mail software.

(*) This was probably an attempt to do an analogy with biological
retroviruses, but these ones have nothing to do with "fighting back".
Viruses like HIV are called this way because they don't follow the
biology central dogma, which defines the normal information flow to
be:

DNA (genome) => RNA (messenger) => Proteins (the real players)

The retroviruses have a genome consisting of RNA and go the other way
round:

RNA (viral genome) => DNA (host genome)

Well. This said, you may see the central dogma of computer virology as
"the antivirus kills the virus". So when it's the opposite, "the virus
kills the antivirus", then it's a retrovirus.
 
On Tue, 6 Apr 2004 00:39:39 -0400, "Pepperoni"

|>http://vil.nai.com/vil/stinger/
|>
Thanks. I tried that, without finding anything...

|>> I upgraded from Win 98 to XP Home today. The upgrade didn't like my
|>> AV or firewall software (AntiVir and Sygate Personal), so I was
|>> unprotected for a while. I also waited too long to install the
 
|>
|>>1. Has anyone encountered a similar situation?
|>
|>The type of virus you encountered is called a "retrovirus" (*). They
|>try to fight back against antivirus or firewall software by shutting it down or
|>uninstalling them, and they forbid connections to security websites
|>that may correct the problem (information or updates). It's pretty
|>usual today.
|>
It certainly gave me a run for my money...

|>>2. Aside from using AV to clean up, and a firewall to keep from
|>>getting reinfected, is there anything else I need to do?
|>
|>- Avoid clicking on attachments :)

Oh, is *that* what does it??? ;-)

|>- Update your OS (especially to correct the RPC windows flaw).
|>- Use a decent e-mail software.
|>
Thanks for the input. I just *LOVE* Microsoft products.
 
baruch01 said:
<snip>
If you are using anything above 98se, go to
http://www.grc.com/default.htm
& get Shoot The Messenger, DCOMbobulator, & UnPlug n' Pray. These
will close known vulnerable ports. Also, don't use a p2p w/o a p2p virus
scanner that scans the file as it's coming down, like Avast does. Does it
use more resources than AVG? You bet, because it is actively
scanning (if configured properly), not waiting till it's on your machine
& then trying to scan when you run it.
 
Baruch said:
I upgraded from Win 98 to XP Home today. The upgrade didn't like my
AV or firewall software (AntiVir and Sygate Personal), so I was
unprotected for a while. I also waited too long to install the
various Microsoft patches, thinking that since this was a fresh
install, it would be OK to wait a while. Silly me... [snip]
My questions are:

1. Has anyone encountered a similar situation?

many people have... in fact, many times many...
2. Aside from using AV to clean up, and a firewall to keep from
getting reinfected, is there anything else I need to do?

read (and apply) http://www.cablemodemhelp.com/xpsurvivalguide.pdf ...
in fact it might even be worth your while to print it out, reinstall xp
and apply these protective settings before reconnecting to the internet
(since that's how the guide is intended to be used)...
 
Thanks, folks, for all your help. I appreciate it and I'll try to
implement the suggestions you gave me.
-B
 
Guillermito said:
Well. This said, you may see the central dogma of computer virology as
"the antivirus kills the virus". So when it's the opposite, "the virus
kills the antivirus", then it's a retrovirus.

Nice explanation. It is also noteworthy that when retroviruses
kill an AV, they may breathe new life into old malware that the
AV already knows about. So they are "retro" in more ways than one.
 