How are these trojans getting in???
Hi,
Since the 13th of March I have been geting trojans detected by Norton AV 2004's auto protect. The trojans seem to arrive at random intervals and vary. The first one was W32.Welchia.B.Worm. Then 6 trojan droppers over the next two days. Backdoor.SDBot.Gen. W32.Randex.AR. Then Bloodhound detected two unknown threats. Then a couple of IRC Trojans and BAT.Trojans.
Sounds to me like someone is determined to get in my system or some program on my machine is downloading trojans. I've looked thoroughly at running processes and cant see anything unusual. Startup areas seem fine too. I have Sygate Personal Firewall enabled and presently the Sygate.com portscan on my machine shows i have stealthed all ports except UPnP(intentional for MSN messenger Aud/Video). Another open port is the telnet port that my router modem stupidly leaves open even when WAN side telnet server is disabled. I have changed the port number of the telnet server in the router settings for security.
Im running XP Pro SP1a.
How on earth could they be getting in?
Since the 13th of March I have been geting trojans detected by Norton AV 2004's auto protect. The trojans seem to arrive at random intervals and vary. The first one was W32.Welchia.B.Worm. Then 6 trojan droppers over the next two days. Backdoor.SDBot.Gen. W32.Randex.AR. Then Bloodhound detected two unknown threats. Then a couple of IRC Trojans and BAT.Trojans.
Sounds to me like someone is determined to get in my system or some program on my machine is downloading trojans. I've looked thoroughly at running processes and cant see anything unusual. Startup areas seem fine too. I have Sygate Personal Firewall enabled and presently the Sygate.com portscan on my machine shows i have stealthed all ports except UPnP(intentional for MSN messenger Aud/Video). Another open port is the telnet port that my router modem stupidly leaves open even when WAN side telnet server is disabled. I have changed the port number of the telnet server in the router settings for security.
Im running XP Pro SP1a.
How on earth could they be getting in?
Have you checked Sygate's logs? Does NAV give any other info? Could it be email?
ASKER
I have cleared the security log recently but Syagate reports port scans at least every few days from various people. I usually dismiss them as casual hackers because of their frequency and nothing bad has been happening up till the 13th. I have Outlook Express always running and checking emails every 3 mins. Outlook is always running too, but not used as an email program. Norton scans any incoming / outgoing emails and i barely ever get spam.
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.onctek.com/trojanports.html
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open
http://www.onctek.com/trojanports.html
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open
Sygate is not the only scanner to tell you what to do. Different scanners maybe do a different work.
Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp
http://scan.sygatetech.com/
One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan
http://www.hackerwhacker.com/
Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.
https://grc.com/x/ne.dll?bh0bkyd2
Port scan.. Get an instant security analysis now. You dont even need to know your own IP address!
http://www.dslreports.com/scan
How to recover an already compromised system, visit the CERT Coordination Center:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp
http://scan.sygatetech.com/
One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan
http://www.hackerwhacker.com/
Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.
https://grc.com/x/ne.dll?bh0bkyd2
Port scan.. Get an instant security analysis now. You dont even need to know your own IP address!
http://www.dslreports.com/scan
How to recover an already compromised system, visit the CERT Coordination Center:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
>I have been geting trojans detected by Norton AV 2004's
>How on earth could they be getting in
Are they getting in, or are you only getting alerts from NAV that they try to get in ?
If so, you can't stop them from trying
>How on earth could they be getting in
Are they getting in, or are you only getting alerts from NAV that they try to get in ?
If so, you can't stop them from trying
ASKER
No. They are getting in. I have had some sort of IRC virus placed in my windows\system32\dhcp folder and trojans in my system32 folder.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Rich,
Ive got sygate personal firewall, which does all the stuff you mentioned. One thing that shocked me was that remote registry service was started, so i have disabled it. I have just turned off Sys Restore and will try a full scan in safe mode later. I am on a lan so Server cant be stopped.
Joseph,
Im assuming i already have that patch as i regularly use windows update, but i will see if i can download it anyway.
Btw some of the files i found in windows\sytem32\dhcp...
--- cool.vsx ---
%many 44
%infecttime Tuesday 18/11/2003 21:20:06
%nnick []guio17
%fnick 8
%1p1 213.33.11.*
%1p2 213.33.11.182
--- pamella.jpg ---
ifNotWork.myftp.org
lord.upf.es
Fingers crossed.
Ive got sygate personal firewall, which does all the stuff you mentioned. One thing that shocked me was that remote registry service was started, so i have disabled it. I have just turned off Sys Restore and will try a full scan in safe mode later. I am on a lan so Server cant be stopped.
Joseph,
Im assuming i already have that patch as i regularly use windows update, but i will see if i can download it anyway.
Btw some of the files i found in windows\sytem32\dhcp...
--- cool.vsx ---
%many 44
%infecttime Tuesday 18/11/2003 21:20:06
%nnick []guio17
%fnick 8
%1p1 213.33.11.*
%1p2 213.33.11.182
--- pamella.jpg ---
ifNotWork.myftp.org
lord.upf.es
Fingers crossed.
Cool.vsx is created by the Worm_Kines.D (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KINES.D&VSect=T)
Not sure about pamella.jpg, but I doubt its good.
Not sure about pamella.jpg, but I doubt its good.