tfewster (United Kingdom of Great Britain and Northern Ireland)

Netbus paranoia

I was chatting to someone called "Gravedigger" on ICQ - He sent me 2 files, which I virus scanned (Landesk V5.03, pattern file updated Nov'99). The first file was the Netbus trojan, the second was an executable video from his webcam, which Landesk reported clean, so I ran it - It was a video of him waving to his victims as he hacked their PCs (if they'd run the executable with Netbus). Very cool, very funny but VERY annoying.

I reported him to the authorities, copied the files to floppy for evidence (& deleted them) & updated my scanner pattern file.

Now for the weirdest bit: To test the new pattern file, I scanned the floppy & it showed up clean, as did the copy of the files in the Recycle bin.

The scanner still works (I tested it on another infected floppy). My PC is showing no signs of unusual disk or modem activity, so I'm not under attack at present. I can't see anything in the Registry startup bits that might be Netbus (tho' I'm not very familiar with the registry).

Now for the questions:
Would Landesk Realtime protection clean the files as they were being copied?
Is the latest version of the pattern file defective?
Could the video file contain another virus/trojan that hid the Netbus one?
Is there anywhere I can send the files to, to have them checked?

Thanks in advance


Mrbreeze

Tfewster, lots of questions, but they mostly just ask for opinion, so here is mine.

"Would Landesk Realtime protection clean the files as they were being copied?"

You can't "clean" netbus, it is a program and it has code to make it work so cleaning isn't really possible.

"Is the latest version of the pattern file defective?"

That doesn't seem likely

"Could the video file contain another virus/trojan that hid the Netbus one?"

"Is there anywhere I can send the files to, to have them checked?"

Since Landesk is what you scanned them with that would be your first contact. Any security company would want a look at them if there is code there that they have no defense against.

Now a couple of questions for you. You say you scanned them the first time and your software said that one was Netbus, the other was clean. Then you copied them to floppy, ran the scan again and both were clean.
1) Why would you run a program that you received from a stranger, scanned for viruses, found it positive, but run it anyway?
2) You say you copied it for evidence, and gave it to the authorities... who are the authorities?
3) What are you really doing?

The reason for continuous updates on virus definitions is because crackers are constantly writing and rewriting code. As one set is defeated they write another to exploit and bypass the fix.


ASKER CERTIFIED SOLUTION
dew_associates

tfewster (ASKER)

Thank you for your comments, but I'm still worried about why my scanner (now using a January 2000 pattern file) doesn't detect the Netbus trojan since I updated it. I will contact Norton (who update the pattern files) about that.

Mrbreeze - Point taken about Netbus being a trojan, not a virus.
1) Gravedigger told me the files were funny video clips. I didn't run the trojan, I ran the video executable. My scanner reported it clean, but I'm now concerned it may have a later virus in it than my (November '99, now updated to January) pattern file could detect.
2) I reported Gravedigger to ICQ tech support, to at least get him booted off the service. The UK Computer Crime squad will take action against hackers if they have evidence, which is why I copied the files & chat logs to floppy.
3) I may be dumb but I'm not doing anything sinister!

Dennis-
Are you saying the video file (412Kb) doesn't contain a player and therefore cannot be harmful, even if it is a .exe?

I've never had to disinfect a Windows 98 PC before, so I would appreciate some guidance, e.g. how do I get 2.2Mb of pattern file onto a diskette so I can boot from a clean floppy & scan?
http://www.walruscomputers.com/
This site has an online virus scanner that can scan any drive you tell it to.

As I stated before, Netbus is a program; even though so many use it for wrong reasons, it was designed for remote administrative functions. If your definition isn't recognizing it I would strongly recommend another scanner.

Dennis can answer for himself but I think it is safe to say that he was not saying the video could not be harmful but more specifically it could not do what you were asking which I would have to agree with.

Putting 2.2mb onto a floppy is of course not possible. Only if you could compress the data into 1.44 could you put it onto a floppy. There are ways to format it to hold 1.68 or so but I don't think that really is the problem.
Scanning the disk you put the original files onto or scanning your entire machine can be done without the boot from disk.

Mrbreeze
Oh BTW since Dennis posted his response as a question you need to evaluate the answer and either accept it or reject it. As long as it is still posted the question is locked and others can't see it to offer any input they might have.
tfewster,

<<Are you saying the video file(412Kb)doesn't contain a player and therefore cannot be harmful, even if it is a .exe?

If the file is, indeed, an executable, then it can be most anything. However most true video files rely on a codec of some sort in order for them to be played. An example would be XYX.AVI.

If what he sent you was a gif display or something else into which a trojan was embedded, and if that display arrives in its own container (executable), it could wreak havoc on a system.

If you are using Norton, and its database is current, it should have found the trojan and isolated it.

Mrbreeze, I posted a response in the form of a proposed answer to a specific group of questions. I did not ask any questions.
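A header check of the kind dew_associates describes above, as an added example that is not part of this thread: it classifies a file by its leading bytes (MZ/PE, RIFF/AVI, GIF) instead of trusting the name, so a "video" that is really a Windows program stands out before anyone runs it. The sample byte strings are constructed stand-ins, not the files from the thread.

```python
import struct
from os.path import splitext

# Constructed sample headers standing in for the files in the thread; they are
# not real files and carry no code, only the leading bytes a header check reads.
PE_SAMPLE = (b"MZ" + b"\x00" * 58          # DOS header up to offset 0x3C
             + struct.pack("<I", 0x80)     # e_lfanew: offset of the PE header
             + b"\x00" * 64                # padding out to offset 0x80
             + b"PE\x00\x00" + b"\x00" * 32)
AVI_SAMPLE = b"RIFF" + struct.pack("<I", 100) + b"AVI " + b"LIST" + b"\x00" * 20
GIF_SAMPLE = b"GIF89a" + b"\x00" * 20


def identify(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name entirely."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe-executable"      # Windows program: can do anything when run
        return "dos-executable"         # MZ header without a PE header
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi-video"              # container that needs a player/codec
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif-image"
    return "unknown"


# Which content types each extension legitimately carries.
EXPECTED = {".avi": {"avi-video"}, ".gif": {"gif-image"},
            ".exe": {"pe-executable", "dos-executable"}}


def claim_matches(filename: str, data: bytes) -> bool:
    """True when the file's extension agrees with what its bytes actually are."""
    ext = splitext(filename)[1].lower()
    return identify(data) in EXPECTED.get(ext, set())


if __name__ == "__main__":
    for name, blob in [("webcam_clip.avi", PE_SAMPLE), ("webcam_clip.avi", AVI_SAMPLE),
                       ("funny.gif", GIF_SAMPLE)]:
        print(name, identify(blob), "OK" if claim_matches(name, blob) else "MISMATCH")
```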

Wrong word "posted his response as a question"
Should read "posted his response as an answer"
Sorry
Mrbreeze