Fog Creek Software
Discussion Board




Virus / Trojan Weirdness

Hi

At work I'm running Windows 98 behind a hardware firewall (part of an Avaya phone system). The firewall permits only FTP, SMTP, TIME, DNS, HTTP, POP3, NNTP, and only if initiated from inside the firewall. In particular, IRC and SNMP are blocked.

My machine is on a mixed LAN (Win98/2000/XP) which is set up so each PC can only see a shared folder on the server, and there are no shares on any of the other PCs. In theory an infection on any PC is limited to that PC and the shared folder on the server (which runs a/v software).

My PC has www.grisoft.com AVG antivirus software which updates itself every two weeks, and the last update was on Wed 2nd June. I use Outlook Express for email, and have enabled showing of extensions for all file types. I know not to run attachments, and to delete executable attachments ("*.scr", "*.pif", "*.txt  .pif" etc etc).

Yesterday AVG resident shield detected a virus while I was browsing the internet. I disconnected from the LAN and the internet, rebooted, ran the AVG scanner which removed the viruses (there were 5). Two were found in the recycle bin (these were .scr files attached to spams I had deleted earlier), one was something called pup.exe and two were .cgi files.

The .cgi files were interesting. They use WSH to set the browser home page to "default-homepage-network dot com" and "smartbotpro dot net" (don't go there). And *after* cleaning off the viruses, I noticed several new files I never installed:

  c:\installer\id53.exe
  install2.exe
  infamous_downloader.exe
  0021-bdl94126.EXE
  CS4P028.exe
  silent.exe
  o.bat

All these (apart from id53.exe) were on the desktop. I deleted all these and checked the \windows\all users\start menu\programs\startup folder was empty (it was). Also I checked the registry startup location (HKLM\software\microsoft\windows\currentversion\run keys) and id53.exe had put itself there also. So I checked all the run keys (run, runonce, runonceex etc) and removed it from there. After this I rebooted, re-scanned with AVG, searched the registry to ensure id53 had gone and everything is OK.

But I am puzzled how this virus / trojan combination installed itself. The only things I did that were different yesterday were:

- Viewed a spam in Outlook express (it looked genuine and had no attachments)
- Accidentally went to "oogle dot com" instead of google.com.
- Ran a new email list program (e-campaign from lmhsoft.com) to send two emails, both to  myself.

How can these actions install viruses or trojans? And what can I do to stop this happening in the future?

Bill Rayer
Sunday, June 06, 2004
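The post above checks the Run, RunOnce and RunOnceEx keys by hand. As an added example, not code from the original thread, the Python script below parses a registry export of those keys (the text regedit produces with File -> Export) and flags any autostart entry that launches from a directory a real installer would not normally use, such as c:\installer, the desktop or a temp folder. The sample export is constructed: the id53.exe entry mirrors the one described in the post, and the other values (AVG_CC, Silent, Example) are made up for illustration.

```python
"""Scan a Windows registry export (.reg text) of the autostart "Run" keys and
flag entries that launch from locations an installer would not normally use.

Added example, not from the original thread. The sample export is constructed.
"""
import re

# Registry keys the thread's author checked by hand (Run, RunOnce, RunOnceEx, ...).
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Directories from which a legitimate autostart entry rarely launches (lower-case).
SUSPICIOUS_DIRS = ("\\desktop\\", "\\temp\\", "\\installer\\", "\\recycled\\")

# Constructed sample of what regedit's Export produces. The id53 entry mirrors
# the thread; the other values are invented.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_CC"="C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP"
"id53"="c:\\installer\\id53.exe"
"Silent"="C:\\WINDOWS\\Desktop\\silent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Program Files\\Example\\example.exe"
"""

# One "name"="data" line; both sides may contain backslash-escaped characters.
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # a new [KEY] section
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                name = m.group(1)
                # .reg files double every backslash and escape quotes; undo that.
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name] = data
    return keys


def autostart_entries(text):
    """List (key, value_name, command) for every value under the autostart keys."""
    parsed = parse_reg_export(text)
    entries = []
    for key in AUTOSTART_KEYS:
        for name, command in parsed.get(key, {}).items():
            entries.append((key, name, command))
    return entries


def flag_suspicious(entries):
    """Return the value names whose command lives in one of SUSPICIOUS_DIRS."""
    flagged = []
    for _key, name, command in entries:
        # Case-insensitive compare: Win9x paths are case-preserving only.
        if any(d in command.lower() for d in SUSPICIOUS_DIRS):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    found = autostart_entries(SAMPLE_REG_EXPORT)
    for key, name, command in found:
        print(f"{key}\n    {name} = {command}")
    print("Suspicious:", flag_suspicious(found))
```

Run it against a real export by reading the file into a string and passing it to autostart_entries(); anything it flags is a candidate to investigate, not proof of infection, since some legitimate software does start from odd locations.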

In IE, use Tools->Internet Options->Security tab, select the Custom Level button and disable anything that looks like scripting (Java, Javascript, ActiveX, etc).

Then in Outlook, Tools->Options->Security tab, select the Restricted Sites zone, and select "Do not allow attachments to be opened or saved that could potentially be a virus" (sic)

If you ever really need to save an executable file you'll have to temporarily change the settings, but remember to set them back.

Tom H
Sunday, June 06, 2004

If you've got AVG then enable the email filter for Outlook.

I update AVG nightly.

Simon Lucy
Sunday, June 06, 2004

I don't think MS updates Win98 for security problems anymore, do they? Either way, there was an exploit in the latest IE version a couple months ago that could install code on your system even with scripting and activeX turned off. So if you haven't updated since then, that was probably the culprit.

Otherwise, also realize clicking on links within HTML emails that have virus attachments usually point straight to the attachment (and thus execute it). That's how people get duped, it's not that they click on the paperclip and scroll down to "message.scr" and decide to click it, they see http://www.freestuff.com or whatever underlined so think that's where the link goes. So make sure you have Outlook set to read messages as plain text.

Guy LeDouche
Sunday, June 06, 2004

What you often get are hyperlinks that in fact are pointing to an executable, since the text of the hyperlink is not the same as the underlying link.

And the social engineers are getting good. One of the latest is an email from abuse@us.gov or something similar informing you that you have been placed on a US government list for surfing kiddy porn sites, and giving one of these false hyperlinks to click on. If I didn't hold the US government in total contempt, I might have been tempted to click on it.

Stephen Jones
Sunday, June 06, 2004
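The two posts above describe the same trick: the visible text of a link says one thing while its href points somewhere else, often straight at an executable. As an added example, not code from anyone in this thread, the Python script below parses an HTML message with the standard library's html.parser, collects every link with its visible text, and reports links whose href ends in an executable extension or whose visible text names a different host than the href. The sample message is constructed, and its host names (files.example.invalid, www.example.org and so on) are placeholders.

```python
"""Flag links in an HTML email whose visible text says one thing while the
href points somewhere else, or whose href points at an executable.

Added example, not from the original thread. The sample message is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions the thread's posts name as attachment types to delete, plus a few more.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None     # href of the <a> we are inside, or None
        self._text = []       # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """True when the visible text of a link is itself written as an address."""
    return text.lower().startswith(("http://", "https://", "www."))


def host_of(text):
    """Host name of a URL or bare 'www.' address, lower-cased; '' if none."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def check_links(html):
    """Return [(href, text, [reasons])] for every link that deserves a look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        if urlparse(href).path.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("href points at an executable")
        if looks_like_url(text) and host_of(text) != host_of(href):
            reasons.append("visible text names a different host than href")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: one deceptive link, one ordinary "click here", one honest link.
SAMPLE_EMAIL = """<html><body>
<p>You have been reported. Review the notice here:</p>
<a href="http://files.example.invalid/notice.scr">http://www.example.org/abuse/notice</a>
<p>Unsubscribe: <a href="http://lists.example.invalid/unsub">click here</a></p>
<p>Plain: <a href="http://www.example.invalid/page">http://www.example.invalid/page</a></p>
</body></html>"""


if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   ", r)
```

A mail client that renders messages as plain text, as suggested above, sidesteps the problem entirely; this check is for a gateway or a filter that still has to handle HTML.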


Read the file o.bat.  It ftp's down the other files.  I had a user at our company get hit with the same crap.

Mike
Sunday, June 06, 2004

> What you often get are hyperlinks that in fact are pointing to an executable, since the text of the hyperlink is not the same as the underlying link

Not if you automatically strip all html from incoming emails you don't :-)

Smug git
Monday, June 07, 2004

I just got hit with the o.bat
it installs install2.exe
cs4p028.exe
silent.exe
o (no ext)
famous_downloader
into the winnt\system32 folder of my NT4 machine

Got this from a pop up from an EZboard message board

Any ideas to get rid of it? Spy Bot and Norton can't seem to get rid of it.

Matt

Matt Harris
Thursday, July 01, 2004

I also received several emails from abuse@us.gov and have never visited any inappropriate websites. It would be interesting to know if this has anything to do with surfing democratic sites? I'm a believer in the right winged conspiracy theory, and only have been surfing and receiving emails from these websites!
Randy Dixon, RN

Randy Dixon, RN
Thursday, August 12, 2004

What is abuse@us.gov? I just received this email and have no idea what it is.

H.Sitton
Monday, August 16, 2004

I noticed the o.bat file and something else on my office computer's desktop yesterday, deleted it, ran the anti-virus, and forgot all about it. Today, it re-appeared and spawned several (between 8-10) desktop icons, mostly web-browsing 'utilities' and one had a picture of a woman in a bathing suit. I became alarmed and started uninstalling any unknown programs. This, apparently, was the wrong answer. In my research so far, what happened next is not typical. While uninstalling one of the programs, a few pornographic pop-ups came up which I closed, and then I was told I did not 'have access' to Control Panel, and every program in the add/remove programs was gone. I re-booted, hoping it was temporary, and the screen for Windows 98 (my work OS) registry popped up. After going through that and getting to windows, an error message for explorer.exe popped up, leaving the desktop empty. After several re-boot attempts, in Safe mode, I received the same message. To make a long story a little less long, I went through hours of hassle as a result. I don't know the answer, but if you have o.bat, I highly suggest googling some remedies alternate to uninstallation.

lauren k
Thursday, September 02, 2004
