Solved

How are these trojans getting in???

Posted on 2004-03-20
11
361 Views
Last Modified: 2013-12-04
Hi,

Since the 13th of March I have been geting trojans detected by Norton AV 2004's auto protect. The trojans seem to arrive at random intervals and vary. The first one was W32.Welchia.B.Worm. Then 6 trojan droppers over the next two days. Backdoor.SDBot.Gen. W32.Randex.AR. Then Bloodhound detected two unknown threats. Then a couple of IRC Trojans and BAT.Trojans.

Sounds to me like someone is determined to get in my system or some program on my machine is downloading trojans. I've looked thoroughly at running processes and cant see anything unusual. Startup areas seem fine too. I have Sygate Personal Firewall enabled and presently the Sygate.com portscan on my machine shows i have stealthed all ports except UPnP(intentional for MSN messenger Aud/Video). Another open port is the telnet port that my router modem stupidly leaves open even when WAN side telnet server is disabled. I have changed the port number of the telnet server in the router settings for security.

Im running XP Pro SP1a.

How on earth could they be getting in?
0
Comment
Question by:ironbut
  • 3
  • 3
  • 2
  • +2
11 Comments
 
LVL 11

Expert Comment

by:YohanShminge
ID: 10641936
Have you checked Sygate's logs? Does NAV give any other info? Could it be email?
0
 

Author Comment

by:ironbut
ID: 10641971
I have cleared the security log recently but Syagate reports port scans at least every few days from various people. I usually dismiss them as casual hackers because of their frequency and nothing bad has been happening up till the 13th. I have Outlook Express always running and checking emails every 3 mins. Outlook is always running too, but not used as an email program. Norton scans any incoming / outgoing emails and i barely ever get spam.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10641973
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.onctek.com/trojanports.html

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 12

Expert Comment

by:trywaredk
ID: 10641983
Sygate is not the only scanner to tell you what to do. Different scanners maybe do a different work.

Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp
http://scan.sygatetech.com/

One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan
http://www.hackerwhacker.com/ 

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.
https://grc.com/x/ne.dll?bh0bkyd2

Port scan.. Get an instant security analysis now. You dont even need to know your own IP address!
http://www.dslreports.com/scan

How to recover an already compromised system, visit the CERT Coordination Center:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10641996
>I have been geting trojans detected by Norton AV 2004's
>How on earth could they be getting in

Are they getting in, or are you only getting alerts from NAV that they try to get in ?

If so, you can't stop them from trying
0
 

Author Comment

by:ironbut
ID: 10642002
No. They are getting in. I have had some sort of IRC virus placed in my windows\system32\dhcp folder and trojans in my system32 folder.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 125 total points
ID: 10642640
XP- the classic fix for reinfections is the System Restore feature:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Turn it off, then clean your PC with a nice through scan with the latest dats... unplug the network cable for now... then make sure your scanning within Zip and other compressed files, and scaning ALL file types on ALL drives.
After your pretty sure you've cleaned the pc, reboot, scan again. Then if all is clear, enable the windows XP firewall, it does a very nice job of blocking incoming connections. If you want more configurable firewall, get ZoneAlarm it is free and does a fine job at Firewalling- it has the added benefit of process locking/blocking... meaning, if you got infected somehow, and a new process called viri.exe tried to run, ZA would ask you if you would like to allow Viri.exe to access the internet- you would say "NO, and remember this response the next time"- then you can spend your time finding out how to clean that program off, without having to worry about it doing any damage. The process locking/blocking has an advantage over AV, in that it doesn't need a definition other than the name, and checksum of the program... ZoneLab's guys are smart... if you got a virus called system.exe and had permitted the ligit program to access the internet before... this new system.exe wouldn't be allowed because it's file size is different.

Also, use ad-aware or equivilent spy-ware finding program to clean your machine also- in addtion to AV...
Turn off these services:
Remote Registry
Remote Desktop ...
Messenger
Server (only disable this one if you do not connect to other windows machines, or share files or folders)
Then change your passwords as you never know... Rdesktop is a very easy way into XP machines...
GL!
-rich
0
 
LVL 6

Assisted Solution

by:Joseph_Moore
Joseph_Moore earned 125 total points
ID: 10643035
Something else to keep in mind is that if you are getting reinfected by Welchia (a Blaster worm variant), then you need the MS03-039 patch. Go here for info:
http://www.microsoft.com/security/incident/blast.asp

This patch will fix the DCOM/RPC vulnerability that exists. With this being unpatched, it is possible to connect to your system, trigger the exploit, and execute something. that is how Welchia keeps getting in.

You need to patch your system to stop this.
0
 

Author Comment

by:ironbut
ID: 10643566
Rich,
Ive got sygate personal firewall, which does all the stuff you mentioned. One thing that shocked me was that remote registry service was started, so i have disabled it. I have just turned off Sys Restore and will try a full scan in safe mode later. I am on a lan so Server cant be stopped.

Joseph,
Im assuming i already have that patch as i regularly use windows update, but i will see if i can download it anyway.

Btw some of the files i found in windows\sytem32\dhcp...

--- cool.vsx ---

%many 44
%infecttime Tuesday 18/11/2003 21:20:06
%nnick []guio17
%fnick 8
%1p1 213.33.11.*
%1p2 213.33.11.182

--- pamella.jpg ---

ifNotWork.myftp.org
lord.upf.es


Fingers crossed.
0
 
LVL 11

Expert Comment

by:YohanShminge
ID: 10643790
Cool.vsx is created by the Worm_Kines.D (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KINES.D&VSect=T)
Not sure about pamella.jpg, but I doubt its good.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question