RE: Hacked

["Steve Scholz" <steve () sybari com>]

> From Sophos.

This parasitic memory resident virus is functionally identical to Win32.Parite.a. It differs from Parite.a only in the 
key that it creates in the system registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]

http://www.sophos.com/support/disinfection/pedis.html

1. Disinfecting PE executables in Windows NT/2000/XP/2003
On a lightly infected computer running Windows NT/2000/XP/2003, where no significant services have become infected, it 
may be possible to run SAV32CLI from a command prompt with the -DI switch.

First, check the recovery instructions in the virus analysis for any extra measures you should take before (and after) 
disinfecting. Also, check to see if you need an IDE file. If you do, download it and save it to a floppy disk.

Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a 
SAV32CLI folder on a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the 
disk (on a CD/R or CD/RW close the session).

Now close down all possible programs and services, then open a command prompt.

On Windows NT
Shut down all programs. 
Go to Start|Settings|Control Panel and double-click 'Services'. 
Stop as many services as possible using the Stop button. 
Close and shut down the Control Panel. 
Press the Ctrl, Alt and Del keys at the same time. 
Click on 'Task Manager', then select the Processes tab. 
Select a process and click on 'End Process'. It may or may not end. 
Repeat this for other processes (including the Windows desktop). 
After closing all possible programs go to File|New Task (Run) and type 'Cmd'. 
Close down the Task Manager screen. 
Insert the write-protected disk from which you are using SAV32CLI. 
On Windows 2000/XP/2003
Go to Start|Shut Down. 
Select 'Restart' from the dropdown list and click 'OK'. Windows will restart. 
Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options 
for Windows 2000, press F8". 
In the Windows 2000 Advanced Options Menu, select the third option "Safe Mode with Command Prompt". 
When requested, logon as local administrator. 
When Windows 2000/XP/2003 has started in Safe Mode, insert the write-protected disk from which you are using SAV32CLI. 
At the command prompt type

E:
where E: is the drive in which you placed the SAV32CLI disk.

Type: 

CD SAV32CLI
Now type: 
SAV32CLI -DI -P=C:\VIRUSLOG.TXT
to disinfect all fixed drives.

The command above runs SAV32CLI, which scans all of the directories and files on your PC, including subdirectories. 
Files which the virus has infected are cleaned and a report is made of them in the root of the C: drive. SAV32CLI will 
disinfect all files that can be disinfected.

All other files must be deleted. Some of these were dropped by the virus and need not be restored. Others should be 
recovered from backups.

SAV32CLI -REMOVE -P=C:\REMOVLOG.TXT
This command writes a report to the root of the C: drive. This report can be used to check which deleted files should 
be restored from backups.

In Windows NT when disinfection and deletion have finished, type 'Explorer' to restart the Windows Desktop. 

In Windows 2000/XP/2003 when disinfection and deletion have finished, restart the computer in Windows.

Install or reinstall Sophos Anti-Virus then run an 'All files' scan to check that the virus has gone.

System Restore and Windows XP
Note: This will delete any previously created restore points.

Infected files may be found in the System Restore area in Windows XP. 
Go to Start|Control Panel|Performance and Maintenance. 
Double-click 'System', then select the System Restore tab. 
Click to select the 'Turn off System Restore on all drives' box. 
Click 'Apply'. 
Click 'Yes'. 
Now click to clear the 'Turn off System Restore on all drives' box. 
Click 'OK'. 
Restart the computer. 
If the virus has not gone, contact Sophos technical support.

Infected files may not always be restored to their original state. A file that has been disinfected cannot be 
guaranteed to function correctly. In order to recover files to their original state, they should be subsequently 
restored from backups, new media or a clean computer.



2. Disinfecting PE executables in Windows 95/98/Me
To disinfect PE executables in Windows 95/98/Me and in DOS, use DOS SWEEP with the -DIPE switch.

Download DOS SWEEP, extract the files, and copy them into a C:\Sophtemp directory on your computer. Add any relevant 
IDEs to this folder.

First, check the recovery instructions in the virus analysis for any extra measures you should take before (and after) 
disinfecting.

Before running DOS SWEEP under Windows 95/98/Me, it is vital that you ensure that the virus is not resident in memory. 
For this, you must disinfect in a 16-bit environment under which you can be sure that the 32-bit virus is completely 
paralysed.

On Windows 95/98
Restart the computer in MS-DOS mode.
Note: Starting a Command Prompt (a DOS window) is not enough. 
Go to the Start menu and select 'Shut Down'. Choose the option 'Restart the computer in DOS mode'. This disables the 
virus and provides a safe environment for disinfection. 
On Windows Me
This version of Windows does not allow you to exit directly into MS-DOS mode. You need to create a startup disk and 
boot from that. 
Go to Start|Settings|Control Panel. Click 'Add/Remove Programs', select the Startup Disk tab and click the Create Disk 
button. 
When you have created the startup disk, write-protect it and boot from it. This disables the virus and provides a safe 
environment for disinfection. 

Go to the Sophtemp directory and run DOS SWEEP.

C:
CD \
CD SOPHTEMP
SWEEP C: -PB -DIPE -P=VIRLOGC.TXT
The command above runs SWEEP, which scans all of the directories and files on your computer, including subdirectories. 
Files which the virus has infected are cleaned and a report is made of them.

Repeat this process for other hard drives, (e.g. SWEEP D: -PB -DIPE -P=VIRLOGD.TXT.)

All other files must be deleted. Some of these were dropped by the virus and need not be restored. Others should be 
recovered from backups.

SWEEP C: -PB -REMOVEF -P=REMVLOGC.TXT
Repeat this for all drives (e.g. SWEEP D: -PB -REMOVEF -P=REMVLOGD.TXT). 

Use the log files to identify which of the deleted files should be restored from a clean backup or the original media.

After disinfection, you must restart the computer in Windows. Install/reinstall Sophos Anti-Virus if need be, then use 
it to scan the computer in Windows. This is necessary to ensure that directories that cannot be recognised under DOS 
(those whose names contain illegal characters such as "!" and "?") are scanned.

Run an 'All files' scan. 
Start Sophos Anti-Virus. 
Right-click your hard drive and select 'All files' from the menu that appears. 
Ensure that 'Subfolders' is selected. Then run a scan. 
After you have finished, right-click the drive again and select 'Executables'. 
System Restore on Windows Me
Note: This will delete any previously created restore points.

Go to Start|Settings|Control Panel. 
Double-click 'System' and select the Performance tab. 
Click 'File System' and then click the Troubleshooting tab. 
Click to select the 'Disable System Restore' box, click 'Apply', click to clear the 'Disable System Restore' box, then 
click 'Close'. 
Restart the computer. 
If the virus has not gone, contact Sophos technical support.

Infected files may not always be restored to their original state. A file that has been disinfected cannot be 
guaranteed to function correctly. In order to recover files to their original state, they should be subsequently 
restored from backups, new media or a clean computer.



3. Disinfecting or removing PE executables on other platforms
PE executable files are Windows 95/98/Me/NT/2000/XP programs. On other platforms in the majority of circumstances, you 
should delete the infected files and replace them from backups, new media or a clean computer.

3.1. Disinfecting PE executables in DOS
At the DOS prompt type:
SWEEP *: -DIPE 
Delete any files that could not be disinfected.
SWEEP *: -REMOVEF 
Run a scan to check that all infected files were disinfected or deleted. 
3.2. Disinfecting PE executable files in NetWare
Contact Sophos technical support.

3.3. Disinfecting PE executables in Unix
Use SWEEP with the -di option
sweep -di 
Delete any remaining infected files with the -remove option
sweep -remove 
Run a scan to check that all infected files were disinfected or deleted. 
3.4. Disinfecting PE executables in OS/2
At the command line type:
OSWEEP C: -DI 
Delete any files that could not be disinfected.
OSWEEP C: -REMOVEF 
Run a scan to check that all infected files were disinfected or deleted. 
3.5. Disinfecting PE executables in OpenVMS
Disinfect the infected files by running VSWEEP from DCL using the command line qualifier '/DI'. 
Delete any files which could not be disinfected by running VSWEEP from DCL using the command line qualifier '/REMOVEF'. 
Note: '/REMOVEF' does not prompt for confirmation before deletion and should be used with caution. 
For details on the use of these command line qualifiers and sample batch files using them, see the Sophos Anti-Virus 
for OpenVMS manual.

Note: If problems persist, contact Sophos technical support.



  
 
    © 1997-2005 Sophos Plc. All rights reserved.  Legal | Privacy


Steve Scholz
Corporate Sales Engineer-North America
Sybari Software, Inc.
631-630-8556 Direct
516-903-2464 Mobile

Email:  Steve_scholz () sybari com

MSN IM:Steve_Scholz () Msn com (email never checked) 




-----Original Message-----
From: Mauricio Fernandez [mailto:mfernandez () fdta-valles org] 
Sent: Thursday, April 14, 2005 10:46 AM
To: security-basics () securityfocus com
Subject: Hacked

This morning I found a wwwhack window opened on one of my w2k servers,
antivirus agent was deleted (TrendMicro) and when I reinstall it back, it
found about 4500 viruses named PE_PARITE.B

Now the virus is still regenerating itself creating files on winnt\temp
folder, I saw the task list and stopped all the suspicious process, but
the virus still goes on...

The virus/hacker created a folder named RADMIN, where he copied these
files:
r_server.exe
admdll.dll
hide.reg
raddrv.dll
pro.bat
start.bat

Does anyone knows how to remove this virus and avoid this hack
vulnerability?


Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez () fdta-valles org
www.fdta-valles.org
Cochabamba - Bolivia


---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security
professionals.  Norwich University is fulfilling this demand with its MS in
Information Security offered online.  Recognized by the NSA as an
academically excellent program, NU offers you the opportunity to earn your
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------