Re: Windows 98 box is 'owned'

[Paul Kurczaba <paul () myipis com>]

We had a client who had a similiar issue. We ran McAfee's stand-alone tool "Stinger", and found that the files "Adobe 
Photoshop crack.exe", "Smashing the Stack.txt.exe", and similair were copies of a virus/worm running on the system. 
Stinger was able to remove the virus. Your Mom's computer was probably running slow because it was sending out a 
million copies of the virus.

The following is a link to McAfee's Stinger tool: http://vil.nai.com/vil/stinger/. Note that Stinger is not a full 
anti-virus scanner. It just identifies and removes the real nasty and high volume worms/viruses. For complete, 
"on-access" protection, I recommend McAfee/Network Associates' VirusScan Enterprise. The copies of McAfee VirusScan 
that you would buy at CompUSA or Best Buy, require you to pay a $20 yearly subscription fee. The Enterprise version of 
VirusScan, available at www.nai.com, comes with an optional perpetutal subscription, which lasts forever :)

For forensic tools, I would look at Sysinternals' (http://www.sysinternals.com/ntw2k/utilities.shtml) "RegMon", and 
FileMon.

I would also install ZoneLabs ZoneAlarm firewall (www.zonelabs.com).

-Paul

----- Original Message -----
From: Darren Kirby <bulliver () badcomputer no-ip com>
To: security-basics () securityfocus com
Sent: Wed, 29 Sep 2004 23:03:49 -0400
Subject: Windows 98 box is 'owned'


> Hello all,
>
> I am writing this on behalf of my Mom. She was complaining that her computer 
> was sluggish, and that her HD space was getting used up faster than it 
> should. So I went over and fired up my trusty Linux live cd and had a look.
>
> Anyway, I found a directory right in C: named 'Downloads', and inside were 
> about 50 or so files, which were all warez, porn, windows exploits and 
> cracker 'howto's. Quite obviously this computer is owned, and is being used 
> as a warez server. I deleted the files, booted win, but they reappeared after 
> about 10 minutes. The strange thing is that these files are ALL 29k, and all 
> have filenames like:
>
> Adobe Photoshop crack.exe
> Smashing the Stack.txt.exe
> Eminem - full album.mp3.exe
> Office 2003 full.exe
> ...
> On further inspection I found an identical directory at C:/windows/Downloaded 
> Program Files/. God only knows how many trojans and other nasties are 
> sprinkled around...
>
> So I yanked the power cord out of her adsl modem, and told her not to plug it 
> back in unless she was checking her mail. Bad advice for sure, but try 
> telling your mom that her computer is rooted by punk kids and it is too 
> cracked to have safe internet access at all. Seems that a complete OS 
> reinstall is in order, but it seems to me that if they can own her box once 
> they can own it again just as easy, which leads me to this list...I would 
> like to try some investigating, and try to figure out where the backdoor is, 
> what exactly they are doing...and of course how to prevent it.
>
> Some background on myself...I am a Linux sysadmin, and have a great deal of 
> experience with UNIX operating systems...however, I have never run a windows 
> box, and have only used one in the 'point-and-drool' sort of way. So I really 
> know nothing of how the underlying OS works (or doesn't...). 
>
> So I guess I am just asking for some opinions of the situation, and perhaps 
> some links to docs about this type of attack, and how to prevent it. Also, 
> any software along the lines of chkrootkit or other forensic tools, but for 
> windows would be a big help.
>
> TIA
> -d 
> -- 
> Part of the problem since 1976
> http://badcomputer.no-ip.com
> Get my public key from 
> http://keyserver.linux.it/pks/lookup?op=index&search=bulliver
> "...the number of UNIX installations has grown to 10, with more expected..."
> - Dennis Ritchie and Ken Thompson, June 1972