Tuesday, February 07, 2012
Welcome to the Viruswarning forums. All your original content has been ported to the new forums, as well as new content and additional opportunities to interact with the authors of Viruswarn.com. You can always access old content at www.leedrake.com/forum. You may find some formatting was lost in the conversion and the older versions of the posts to be more readable....
But at least it's all here.
Enjoy!
Viruswarn Forums
Lee Drake (Posts: 238)
01/30/2004 10:08 AM
What is it?
A new worm - which is network aware - is now spreading throughout organizations. This one spreads via network shares as well as other mechanisms. It's suspected that it's being injected into networks using either the ICQ software, KaZAA, Bugbear or by previously infected MYDOOM or MYDOOM.A machines. Once a machine is infected with MYDOOM any process can be run on it.
This worm is particularly dangerous from a security point of view because it spreads through a network and infects numerous machines quickly. It then sits there silently and logs keystrokes and passwords to a file - essentially keeping track quietly of everything you do. It specifically targets login accounts and passwords.
How do I know if I have it?
On a Windows NT/XP/2000 box you can hit Ctrl-Alt-Delete and run the Task Manager. Once the Task Manager is running, go to "running processes" and look for the file NTOSA32.EXE (you can sort processes by name by clicking on the top of the NAME column). If you have the process, the virus is live on your network. Assume that it may have infected every single PC in your net, including Windows-based servers (this may or may not be true, but it's the safest assumption). Alternatively, download and run the latest signatures for your system and scan your PC.
For Windows 9x/ME you need to examine the registry to determine if you have the virus (do Start/Run/MSCONFIG.EXE and see if the entry "Osa32" = "NTOSA32.exe" exists in the Startup group), or try running the cleanup tool and see if it detects it on one of your systems.
What do I do?
To prevent the worm from spreading, a properly configured firewall and personal firewall will assist in not becoming infected, along with updated anti-virus software. Do not accept executables via ICQ, file sharing systems such as KaZAA, Bugbear, etc. Also, placing passwords on the administrative accounts for each PC will prevent this and other similar viruses from spreading.
If you have the virus and there is more than one machine on your network, cleanup can be complex:
DO NOT turn on any machines that aren't already infected while connected to the network or you'll expose them to the virus.
You must first download the cleanup tool and the latest virus signatures from Norton, McAfee's Stinger or some other virus vendor.
If you cannot download the cleanup tool or reach the site of your favorite antivirus vendor, you may have the MYDOOM virus. Clean that first (see former emails).
Then copy the cleanup tool onto all the systems on your network.
Then DISCONNECT ALL SYSTEMS from each other or from the internet if you don't have a firewall (unplugging the cable in the back is effective at this).
Disable System Restore on Windows ME/2000/XP machines (see this link for ME: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?OpenDocument&src=sec_doc_nam
or this link for XP/2000:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam ).
Run the cleanup tool, reboot, and run the cleanup tool again until it declares your system clean.
Scan the computer thoroughly. Do not reconnect the system until ALL SYSTEMS have been scanned and declared clean.
BE SURE TO RE-ENABLE System Restore (see links above) when you are done. System Restore is a valuable tool that should NOT remain off.
Reconnect systems to the network only once all systems are clean. Do NOT reconnect systems that are not known to be clean.
Change the passwords on every single account in your system. You don't know which ones have been logged and/or compromised. This includes all administrative accounts.
Additional resources:
Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.anig.html
McAfee: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100990
Trend Micro: No info as yet
Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=38118
This concludes this viruswarning notice.
Lee Drake
Aztek Computer Solutions, Inc.
274 N. Goodman St. Ste B269
Rochester, NY 14607
the human side of computing
Email: ldrake@azcomputer.net
Web: www.azcomputer.net Office Phone: 585-242-2060
Fax number: 585-242-9441
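The two checks the notice describes for NT-family hosts (a running NTOSA32.EXE process in Task Manager, and an "Osa32" = "NTOSA32.exe" entry in the MSCONFIG Startup group) can be scripted so an administrator can run them across a network before deciding which machines to isolate. The script below is an added example for this page, not code from the original post or from any antivirus vendor. It assumes the Startup-group entry lives in the standard Run/RunServices registry keys; the post only says it appears in MSCONFIG, so those exact paths are an assumption. It needs a Windows host with PowerShell, so it does not apply to the Windows 9x/ME case, where the manual MSCONFIG check from the notice still stands.

```powershell
# Added example (not from the original post): look for the two indicators the
# notice gives for this worm on a Windows NT/2000/XP-family host.
# Run from an elevated PowerShell prompt; exits 1 if anything is found so a
# login script or scheduled task can flag the machine.

$indicatorProcess   = 'NTOSA32'      # process name from the Task Manager check
$indicatorValueName = 'Osa32'        # registry value name from the MSCONFIG check
$indicatorValueData = 'NTOSA32.exe'  # registry value data from the MSCONFIG check

# ASSUMPTION: the MSCONFIG "Startup group" maps to these autostart keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

# 1. Running process (the Task Manager step in the notice).
$procs = Get-Process -Name $indicatorProcess -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $path = try { $p.Path } catch { '<path not readable>' }
    $findings += "Process running: $($p.ProcessName) (PID $($p.Id)) $path"
}

# 2. Autostart entries (the MSCONFIG Startup-group step in the notice).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $value = $props.PSObject.Properties[$indicatorValueName]
    if ($value -and ($value.Value -like "*$indicatorValueData*")) {
        $findings += "Autostart entry: $key\$indicatorValueName = $($value.Value)"
    }
}

# 3. Report. Absence of both indicators is not proof of a clean host; the
#    notice still calls for a full scan with current signatures.
if ($findings.Count -eq 0) {
    Write-Output "No NTOSA32 indicators found on $env:COMPUTERNAME (still run a full scan)."
    exit 0
}

Write-Output "POSSIBLE INFECTION on $env:COMPUTERNAME - disconnect from the network and run the cleanup tool:"
$findings | ForEach-Object { Write-Output "  $_" }
exit 1
```

A non-zero exit code from each host gives a quick inventory of which machines to disconnect first; the post's instruction to treat every PC as suspect until scanned still applies, since the script only confirms the two named indicators and cannot rule the worm out.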