Security Basics mailing list archives
RE: Hacked
From: "Steve Scholz" <steve () sybari com>
Date: Thu, 14 Apr 2005 14:37:14 -0400
From Sophos.
This parasitic memory resident virus is functionally identical to Win32.Parite.a. It differs from Parite.a only in the key that it creates in the system registry: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF] http://www.sophos.com/support/disinfection/pedis.html 1. Disinfecting PE executables in Windows NT/2000/XP/2003 On a lightly infected computer running Windows NT/2000/XP/2003, where no significant services have become infected, it may be possible to run SAV32CLI from a command prompt with the -DI switch. First, check the recovery instructions in the virus analysis for any extra measures you should take before (and after) disinfecting. Also, check to see if you need an IDE file. If you do, download it and save it to a floppy disk. Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD/R or CD/RW close the session). Now close down all possible programs and services, then open a command prompt. On Windows NT Shut down all programs. Go to Start|Settings|Control Panel and double-click 'Services'. Stop as many services as possible using the Stop button. Close and shut down the Control Panel. Press the Ctrl, Alt and Del keys at the same time. Click on 'Task Manager', then select the Processes tab. Select a process and click on 'End Process'. It may or may not end. Repeat this for other processes (including the Windows desktop). After closing all possible programs go to File|New Task (Run) and type 'Cmd'. Close down the Task Manager screen. Insert the write-protected disk from which you are using SAV32CLI. On Windows 2000/XP/2003 Go to Start|Shut Down. Select 'Restart' from the dropdown list and click 'OK'. Windows will restart. 
Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu, select the third option "Safe Mode with Command Prompt". When requested, logon as local administrator. When Windows 2000/XP/2003 has started in Safe Mode, insert the write-protected disk from which you are using SAV32CLI. At the command prompt type E: where E: is the drive in which you placed the SAV32CLI disk. Type: CD SAV32CLI Now type: SAV32CLI -DI -P=C:\VIRUSLOG.TXT to disinfect all fixed drives. The command above runs SAV32CLI, which scans all of the directories and files on your PC, including subdirectories. Files which the virus has infected are cleaned and a report is made of them in the root of the C: drive. SAV32CLI will disinfect all files that can be disinfected. All other files must be deleted. Some of these were dropped by the virus and need not be restored. Others should be recovered from backups. SAV32CLI -REMOVE -P=C:\REMOVLOG.TXT This command writes a report to the root of the C: drive. This report can be used to check which deleted files should be restored from backups. In Windows NT when disinfection and deletion have finished, type 'Explorer' to restart the Windows Desktop. In Windows 2000/XP/2003 when disinfection and deletion have finished, restart the computer in Windows. Install or reinstall Sophos Anti-Virus then run an 'All files' scan to check that the virus has gone. System Restore and Windows XP Note: This will delete any previously created restore points. Infected files may be found in the System Restore area in Windows XP. Go to Start|Control Panel|Performance and Maintenance. Double-click 'System', then select the System Restore tab. Click to select the 'Turn off System Restore on all drives' box. Click 'Apply'. Click 'Yes'. Now click to clear the 'Turn off System Restore on all drives' box. Click 'OK'. Restart the computer. 
If the virus has not gone, contact Sophos technical support. Infected files may not always be restored to their original state. A file that has been disinfected cannot be guaranteed to function correctly. In order to recover files to their original state, they should be subsequently restored from backups, new media or a clean computer. 2. Disinfecting PE executables in Windows 95/98/Me To disinfect PE executables in Windows 95/98/Me and in DOS, use DOS SWEEP with the -DIPE switch. Download DOS SWEEP, extract the files, and copy them into a C:\Sophtemp directory on your computer. Add any relevant IDEs to this folder. First, check the recovery instructions in the virus analysis for any extra measures you should take before (and after) disinfecting. Before running DOS SWEEP under Windows 95/98/Me, it is vital that you ensure that the virus is not resident in memory. For this, you must disinfect in a 16-bit environment under which you can be sure that the 32-bit virus is completely paralysed. On Windows 95/98 Restart the computer in MS-DOS mode. Note: Starting a Command Prompt (a DOS window) is not enough. Go to the Start menu and select 'Shut Down'. Choose the option 'Restart the computer in DOS mode'. This disables the virus and provides a safe environment for disinfection. On Windows Me This version of Windows does not allow you to exit directly into MS-DOS mode. You need to create a startup disk and boot from that. Go to Start|Settings|Control Panel. Click 'Add/Remove Programs', select the Startup Disk tab and click the Create Disk button. When you have created the startup disk, write-protect it and boot from it. This disables the virus and provides a safe environment for disinfection. Go to the Sophtemp directory and run DOS SWEEP. C: CD \ CD SOPHTEMP SWEEP C: -PB -DIPE -P=VIRLOGC.TXT The command above runs SWEEP, which scans all of the directories and files on your computer, including subdirectories. 
Files which the virus has infected are cleaned and a report is made of them. Repeat this process for other hard drives, (e.g. SWEEP D: -PB -DIPE -P=VIRLOGD.TXT.) All other files must be deleted. Some of these were dropped by the virus and need not be restored. Others should be recovered from backups. SWEEP C: -PB -REMOVEF -P=REMVLOGC.TXT Repeat this for all drives (e.g. SWEEP D: -PB -REMOVEF -P=REMVLOGD.TXT). Use the log files to identify which of the deleted files should be restored from a clean backup or the original media. After disinfection, you must restart the computer in Windows. Install/reinstall Sophos Anti-Virus if need be, then use it to scan the computer in Windows. This is necessary to ensure that directories that cannot be recognised under DOS (those whose names contain illegal characters such as "!" and "?") are scanned. Run an 'All files' scan. Start Sophos Anti-Virus. Right-click your hard drive and select 'All files' from the menu that appears. Ensure that 'Subfolders' is selected. Then run a scan. After you have finished, right-click the drive again and select 'Executables'. System Restore on Windows Me Note: This will delete any previously created restore points. Go to Start|Settings|Control Panel. Double-click 'System' and select the Performance tab. Click 'File System' and then click the Troubleshooting tab. Click to select the 'Disable System Restore' box, click 'Apply', click to clear the 'Disable System Restore' box, then click 'Close'. Restart the computer. If the virus has not gone, contact Sophos technical support. Infected files may not always be restored to their original state. A file that has been disinfected cannot be guaranteed to function correctly. In order to recover files to their original state, they should be subsequently restored from backups, new media or a clean computer. 3. Disinfecting or removing PE executables on other platforms PE executable files are Windows 95/98/Me/NT/2000/XP programs. 
On other platforms in the majority of circumstances, you should delete the infected files and replace them from backups, new media or a clean computer. 3.1. Disinfecting PE executables in DOS At the DOS prompt type: SWEEP *: -DIPE Delete any files that could not be disinfected. SWEEP *: -REMOVEF Run a scan to check that all infected files were disinfected or deleted. 3.2. Disinfecting PE executable files in NetWare Contact Sophos technical support. 3.3. Disinfecting PE executables in Unix Use SWEEP with the -di option sweep -di Delete any remaining infected files with the -remove option sweep -remove Run a scan to check that all infected files were disinfected or deleted. 3.4. Disinfecting PE executables in OS/2 At the command line type: OSWEEP C: -DI Delete any files that could not be disinfected. OSWEEP C: -REMOVEF Run a scan to check that all infected files were disinfected or deleted. 3.5. Disinfecting PE executables in OpenVMS Disinfect the infected files by running VSWEEP from DCL using the command line qualifier '/DI'. Delete any files which could not be disinfected by running VSWEEP from DCL using the command line qualifier '/REMOVEF'. Note: '/REMOVEF' does not prompt for confirmation before deletion and should be used with caution. For details on the use of these command line qualifiers and sample batch files using them, see the Sophos Anti-Virus for OpenVMS manual. Note: If problems persist, contact Sophos technical support. © 1997-2005 Sophos Plc. All rights reserved. Legal | Privacy Steve Scholz Corporate Sales Engineer-North America Sybari Software, Inc. 
631-630-8556 Direct
516-903-2464 Mobile
Email: Steve_scholz () sybari com
MSN IM: Steve_Scholz () Msn com (email never checked)

-----Original Message-----
From: Mauricio Fernandez [mailto:mfernandez () fdta-valles org]
Sent: Thursday, April 14, 2005 10:46 AM
To: security-basics () securityfocus com
Subject: Hacked

This morning I found a wwwhack window opened on one of my w2k servers. The antivirus agent (TrendMicro) was deleted, and when I reinstalled it, it found about 4500 viruses named PE_PARITE.B.

Now the virus is still regenerating itself, creating files in the winnt\temp folder. I looked at the task list and stopped all the suspicious processes, but the virus still goes on...

The virus/hacker created a folder named RADMIN, where he copied these files:

r_server.exe
admdll.dll
hide.reg
raddrv.dll
pro.bat
start.bat

Does anyone know how to remove this virus and avoid this hack vulnerability?

Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez () fdta-valles org
www.fdta-valles.org
Cochabamba - Bolivia
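Added example, not Sophos, Sybari or list code: a small Python triage check for the two host artefacts this thread names, the HKEY_CURRENT_USER\...\Explorer\PINF marker Sophos attributes to Parite.b and the file set the poster found in the RADMIN folder. The matching step is a pure function so it can be run over data collected from any machine; the collection step assumes it is run on the affected Windows host.

```python
"""Triage check for the indicators named in this thread: the HKCU marker key Sophos
lists for Win32.Parite.b and the file set the poster found in RADMIN (constructed)."""
import os
from dataclasses import dataclass, field

# Registry marker Sophos attributes to Parite.b (subkey under HKEY_CURRENT_USER).
PARITE_MARKER_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\PINF"
# Files the original poster listed in the RADMIN folder.
RADMIN_DROP_FILES = {"r_server.exe", "admdll.dll", "hide.reg",
                     "raddrv.dll", "pro.bat", "start.bat"}

@dataclass
class Findings:
    parite_marker: bool = False
    radmin_dirs: list = field(default_factory=list)  # [(directory, [matched files])]

def assess(hkcu_subkeys, dir_listing):
    """Pure matching step so it can run on collected data anywhere. hkcu_subkeys:
    subkey paths present under HKCU; dir_listing: {directory: [file names]}."""
    result = Findings()
    result.parite_marker = any(k.strip("\\").lower() == PARITE_MARKER_KEY.lower()
                               for k in hkcu_subkeys)
    for directory, names in dir_listing.items():
        matched = sorted(n for n in names if n.lower() in RADMIN_DROP_FILES)
        if matched:
            result.radmin_dirs.append((directory, matched))
    return result

def collect_windows(roots):
    """Collection step for the affected host (Windows only, uses winreg). Only the
    current user's hive is opened: the marker is per-user, so run it as each account."""
    import winreg
    keys = []
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, PARITE_MARKER_KEY))
        keys.append(PARITE_MARKER_KEY)
    except OSError:
        pass  # key absent: no Parite.b marker for this user
    listing = {}
    for root in roots:
        for directory, _, files in os.walk(root):
            listing[directory] = files
    return keys, listing

if __name__ == "__main__":
    found = assess(*collect_windows([os.environ.get("SystemDrive", "C:") + "\\"]))
    print("Parite.b marker key present:", found.parite_marker)
    for directory, matched in found.radmin_dirs:
        print("Radmin drop files in", directory + ":", ", ".join(matched))
```

A hit on either indicator is a reason to treat the host as compromised and follow the rebuild-from-clean-media advice in the Sophos text, not a substitute for the scan itself, since Parite infects PE files throughout the disk.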