
README.EXE virus active download site

Analog_Kid asked:
I use a dial-up internet connection with a 56k modem and a dynamic server-assigned IP address. Recently I have been getting the following alert: The firewall has blocked Internet access to your computer (HTTP) from 208.187.191.94 (TCP Port 1906) [TCP Flags: S]. A Whois lookup didn't help much, so I decided to point my browser to that IP and see what I could learn. Immediately a download was initialized. The file was a worm virus called README.EXE. I'm still getting the alerts days later. How do I report this activity, and to whom???

Commented:
There is not much you can do about it. The virus/worm is called Nimda; it's out there and actively scans computers on the internet for port 80 (HTTP). That means it's looking for web servers. And if you go to the IP it came from, it will download the virus to your computer. For more info go to www.sans.org or www.eeye.com for a tool.
Even on dial-up home PCs you will see regular random attacks. Generally these are either automated probes looking for vulnerable systems, or worms such as Nimda. It is best to ignore them.

If it's a worm then, as you found out, it may have other ways of getting into your system, i.e. the browser.

If it's an automated probe then generally more specific attacks will come 24-48 hours later, by which time you should have a different dynamically assigned IP address.

Keep your firewall software turned on (Looks like ZoneAlarm) and don't allow your system to act as a server to the internet.
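As an added example (not from the thread), this Python snippet parses alerts of the form quoted in the question and checks whether the blocked traffic has the pattern the answer describes: SYN-only probes to HTTP from several unrelated sources. The alert format is assumed from the single line in the question, and every sample line beyond that one is constructed.

```python
import re
from collections import Counter

# Pattern for the ZoneAlarm-style alert quoted in the question; the exact format
# is assumed from that single line (the real product may vary it).
ALERT_RE = re.compile(
    r"blocked Internet access to your computer \((?P<service>\w+)\) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) \((?P<proto>TCP|UDP) Port (?P<sport>\d+)\)"
    r"(?: \[TCP Flags: (?P<flags>[A-Z]+)\])?"
)

# Constructed sample: the first line is the one from the question, the rest are made up
# (RFC 5737 documentation addresses) to look like the random probes the answer describes.
SAMPLE_ALERTS = [
    "The firewall has blocked Internet access to your computer (HTTP) from 208.187.191.94 (TCP Port 1906) [TCP Flags: S].",
    "The firewall has blocked Internet access to your computer (HTTP) from 208.187.191.94 (TCP Port 1912) [TCP Flags: S].",
    "The firewall has blocked Internet access to your computer (HTTP) from 203.0.113.45 (TCP Port 3344) [TCP Flags: S].",
    "The firewall has blocked Internet access to your computer (HTTP) from 192.0.2.77 (TCP Port 4021) [TCP Flags: S].",
    "The firewall has blocked Internet access to your computer (NetBIOS) from 198.51.100.9 (UDP Port 137).",
    "Some unrelated log line that should be ignored",
]

def parse_alert(line):
    """Return a dict (service, src, proto, sport, flags) or None for non-matching lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()          # flags is None when the alert carries no TCP flags
    rec["sport"] = int(rec["sport"])
    return rec

def summarize(lines):
    """Count blocked connections per source address and per targeted service."""
    per_source, per_service = Counter(), Counter()
    for rec in filter(None, map(parse_alert, lines)):
        per_source[rec["src"]] += 1
        per_service[rec["service"]] += 1
    return per_source, per_service

def looks_like_worm_scan(lines, min_sources=3):
    """True when SYN-only TCP probes to HTTP arrive from at least min_sources distinct
    addresses: the signature of automated scanning rather than one targeted attacker."""
    http_syn_sources = set()
    for rec in filter(None, map(parse_alert, lines)):
        if rec["service"] == "HTTP" and rec["proto"] == "TCP" and rec["flags"] == "S":
            http_syn_sources.add(rec["src"])
    return len(http_syn_sources) >= min_sources
```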

Author

Commented:
Thank you for your input, folks.
So that's it - do nothing? Is there no accountability? Surely there must be something the average Joe can do to curtail this kind of activity. Don't the ISPs have an abuse hotline or something? Wouldn't they want to terminate the account if a user is hacking or infecting other systems?
What I really want to learn is how to discover the required information to report the (presumably illegal) activity, rather than just ignore it.

Commented:
Best simple tool (that I have tried so far) to find out who is at the other end is NeoTrace Express. Freeware from:

http://www.neoworx.com/products/ntx/

As to reporting them, good luck. If it really is a local user on the ISP then you may be able to convince them to take action. Far more likely:

a) It is a machine that has been hacked and is being used to hide the true origin. You need help from a government agency to follow up the sort of trail that this entails.

b) It is a worm and the attack is automatic and self-propagating. An ISP will generally have picked this up and will be working to clean up machines where this is a problem.

We only bother to follow up on really heavy attacks, often from an educational location, really to let the admins know that we have blocked them and that their machines have probably been compromised.

Also bear in mind that many of these attacks are coming in from Eastern Europe, India, South Korea etc. Is it worth the effort?

You took the red pill. Welcome to the real world.

Author

Commented:
>>You took the red pill.
What in the world does that mean???

Commented:
It's a reference to a line in a popular movie. Also, tracing the address is not much help, as this is not the address of the person that is attacking you. It could be the address of a computer that is mistakenly infected with a worm, it could be the address of a machine that a hacker on another computer is talking through or remotely managing, or it could simply be a spoofed address. All of these are very common, but believe me, the readme.exe is only one thing, and that is the Nimda virus/worm. Which means the people that are attacking you don't know it. So there is not much you can do, as they are not attacking you with malicious intent. You could possibly get your ISP to block it, but that won't help, as you will rarely get attacked from the same IP address twice. Sorry, I don't mean to bring bad news, but there is nothing you can do. That's why you have a firewall: to block this kind of traffic.

Author

Commented:
Thanks again, iwalsh. Forgive my ignorance. Could you tell me what is a spoofed address?

Commented:
Basically, the only way you know what the IP address is of a machine that is talking with you is by the data they sent you. It is listed in the data who the source IP address was. One method of attacking is to say your IP address is something it's not. This is getting easier by the day and will become insanely easy (and popular) with the widespread adoption of Windows XP by home users. One reason they do that is to attack you without you knowing it. Another technique would be to attack a server you might want to talk to with a DoS attack so that it is too busy to answer, then put in a man-in-the-middle attack and answer for all traffic that comes to that server. That is a much more complicated attack, but it gives you an idea. There is a program called Nmap that can spoof IP addresses; it can run vulnerability scans that flood your box insanely fast with thousands of connections from completely different spoofed IP addresses for each connection. It can bring even the best firewalls, which can only handle so many connections, to their knees in under 10 minutes. There's not much you can do to stop that. What really needs to be done is to have providers put anti-spoofing ACLs on their routers. That way the only IP addresses that can be used would be ones that are from a certain network, making it much easier to track down after it happens.
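The anti-spoofing ACL described in the last comment, as an added illustration rather than anything from the thread: a provider-edge ingress filter that forwards a customer-side packet only if its source lies in that customer's assigned prefixes (the BCP 38 approach), plus the after-the-fact attribution that such a filter makes possible. The prefixes and packets are constructed from RFC 5737 documentation address ranges.

```python
import ipaddress

# Constructed example: the address blocks an ISP has assigned to the customers behind
# one edge interface (documentation ranges, not real allocations).
CUSTOMER_PREFIXES = ["192.0.2.0/24", "198.51.100.0/25"]

def build_ingress_filter(customer_prefixes):
    """Return permit(src_ip) -> bool implementing an anti-spoofing ingress ACL: a packet
    entering from the customer side is forwarded only if its claimed source address lies
    inside one of the prefixes assigned to that side."""
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]
    def permit(src_ip):
        try:
            ip = ipaddress.ip_address(src_ip)
        except ValueError:
            return False              # malformed source field: never forward it
        return any(ip in net for net in nets)
    return permit

def filter_packets(permit, packets):
    """Split packet records into (forwarded, dropped) according to the ACL."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if permit(pkt["src"]) else dropped).append(pkt)
    return forwarded, dropped

def attribute_source(src_ip, customer_prefixes):
    """Map a forwarded packet's source back to the customer prefix it must have come
    from; with the filter in place this is what lets an abuse desk track it down later."""
    ip = ipaddress.ip_address(src_ip)
    for p in customer_prefixes:
        net = ipaddress.ip_network(p)
        if ip in net:
            return str(net)
    return None

# Constructed traffic arriving on the customer-facing interface: a legitimate packet,
# one claiming a source from some other network, and one claiming the target's own address.
SAMPLE_PACKETS = [
    {"src": "192.0.2.17", "dst": "203.0.113.5", "dport": 80},
    {"src": "203.0.113.200", "dst": "203.0.113.5", "dport": 80},
    {"src": "203.0.113.5", "dst": "203.0.113.5", "dport": 80},
]
```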

Author

Commented:
Thanks again, iwalsh, for your comments. I remember reading about this at GRC.COM (The Shields-Up guy). I'm content to ignore the constant firewall warnings and go about my business. I'm certainly not prepared to learn all about this just to satisfy my curiosity.
Please find my new question titled 'Points for iwalsh88'.
