I've been bit...I think.

Patrick Sun

Senior HTF Member
Joined
Jun 30, 1999
Messages
39,669
My Windows 2000 is complaining that some of the system files have been written over, and asks me for my original W2K install disc. Is this a sign that I've been bit by a virus? Some of my programs don't run anymore (requiring a re-install of them too).
 

Kevin P

Screenwriter
Joined
Jan 18, 1999
Messages
1,439
What did you do last before this stuff started happening? Do you have an up to date virus scanner? If you don't... you should!

Also, what files are claimed to be missing?

KJP
 

Patrick Sun

Senior HTF Member
Joined
Jun 30, 1999
Messages
39,669
According to my office mate, I've indeed been bitten by a virus, and the way he got things squared away is to install Norton Anti-Virus, so I will do so when I get home today.

There is no indication as to which files have been copied over, so I'm in the dark on that.

I think I know what small executable caused me this heartache, but I will get it cleaned up ASAP.
 

Kevin P

Screenwriter
Joined
Jan 18, 1999
Messages
1,439
Which executable was it? Did you receive it as an email attachment? I'd like to know... if I know what virus you got I can give you more info on how to clean it up!

KJP
 

Patrick Sun

Senior HTF Member
Joined
Jun 30, 1999
Messages
39,669
It was probably something I downloaded off Morpheus, not any nasty email virus (I telnet to a shell account to get my email).
 

AndyVX

Supporting Actor
Joined
Aug 2, 2000
Messages
804
Patrick,

Do you have a virus program installed on your computer? If not, might I suggest that you get one and *always* keep it running in its auto-protect mode.

There is no sense in not having one nowadays.

Hope you get things all fixed up without too much trouble.
 

Patrick Sun

Senior HTF Member
Joined
Jun 30, 1999
Messages
39,669
Well, lesson learned!
I was hit with the W32.WEIRD virus.
It appears to try and create backdoors for unscrupulous hackers into your PC which is connected to the internet (with cable modems, that's pretty much a given these days). Luckily the virus doesn't quite execute correctly under Win2K to do its worst in terms of damage. I guess I lucked out in that department, it could have been a lot worse.
I installed Norton Anti-Virus 2001, and after scanning through almost 180,000 files (taking well over an hour or two), it found almost 1200 infected files, and only 6 had to be quarantined and deleted.
I had to re-apply the Win2000 Service Pack 2, and re-install a few programs (I'm not out of the woods in that department as it'll take a while to check out all the programs I normally use on a regular basis).
I also deleted the files (which were there!) in that Norton write-up on that link above.
But after 3 hours, things seem to have been returned to a semi-normal state of affairs. And, yes, I now have NAV2K running in the Auto-Protect Enabled mode. :)
 

AndyVX

Supporting Actor
Joined
Aug 2, 2000
Messages
804
I'm glad to hear you are on the way to recovery Patrick :) Having a computer that is not functioning properly because of a virus is VERY annoying.
 

Jon_R

Stunt Coordinator
Joined
Jan 31, 2001
Messages
174
I just found this section!

Anyway, if you are running the NTFS file system most viruses can't do nearly as much damage as they can in Windows 9x. The reason for this is NT/2k/XP will not allow direct hardware interfacing via assembler code within Windows, it has to go through the proper channels, and if NTFS is your file system it's very likely that the virus wouldn't have the proper rights anyway.

Check out the PuTTY ssh client, it is basically a secure telnet session. Telnet sends unencrypted text over the line so anyone could theoretically monitor packets. Not to mention if you are using the win2k telnet.exe you are going to love the better interface of PuTTY. It handles modes and applications, such as bitchx, much better.

Lastly, make sure that Norton is always getting updates as scheduled. I have Norton AntiVirus 2001 on an XP machine, it says it's not supported but it is, and now it complains that it wants me to purchase a subscription to the updates, presumably so they get continued revenue from all antivirus software.

Good luck,

Jon
 

Kevin P

Screenwriter
Joined
Jan 18, 1999
Messages
1,439
Pl@ - lucky you have Win2k, a lot of viruses do less damage in that OS than in 98/ME. I wouldn't run without an up-to-date antivirus and firewall. I've never seen the Weird (aka Kuang) virus myself, but I have had my IP scanned by hackers looking for Weird-infected machines to exploit (if you see port 17300 scanned on your firewall, that's what they're looking for).

Make sure to run that Live Update! Lucky for you the virus you got is an older one that is recognized by NAV 2001 without any updates. You could still have a newer virus that won't be recognized until you do the liveupdate, so make sure to run another virus scan after updating.

Jon_R - don't bother renewing that subscription. Instead, pick up the 2002 version, then you get the latest version (XP compatible) and another free year of updates. You can get a CD-only version of NAV (no manual) for $30 at Best Buy and probably other stores as well. Or get Norton Internet Security 2002, which gives you the latest anti-virus plus a firewall, which is a must if you have a broadband internet connection.

KJP
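
The port 17300 scans mentioned in the post above can be picked out of a packet-filter log. The following is an added example, not part of the original thread or written by any of its posters; it assumes iptables-style LOG lines, and the sample log, addresses (documentation ranges) and sweep threshold are constructed for illustration.

```python
import re
from collections import defaultdict

KUANG_PORT = 17300    # port the thread says scanners probe for Weird/Kuang
SWEEP_THRESHOLD = 3   # assumption: 3+ distinct ports from one source = broad sweep
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample in iptables LOG style; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:07 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=4021 DPT=17300 WINDOW=8192 SYN
Jan 12 03:14:09 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=4022 DPT=17300 WINDOW=8192 SYN
Jan 12 04:40:31 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=1188 DPT=21 WINDOW=8192 SYN
Jan 12 04:40:31 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=1189 DPT=23 WINDOW=8192 SYN
Jan 12 04:40:32 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.20 LEN=48 PROTO=TCP SPT=1190 DPT=17300 WINDOW=8192 SYN
Jan 12 05:02:00 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.50 DST=198.51.100.20 LEN=78 PROTO=UDP SPT=137 DPT=137
Jan 12 05:10:00 gw kernel: ACCEPT IN= OUT=eth0 SRC=198.51.100.20 DST=203.0.113.80 LEN=60 PROTO=TCP SPT=33012 DPT=80 WINDOW=5840 SYN
"""

def parse(line):
    """Split one log line into KEY=value fields plus the bare TCP flag tokens."""
    fields = dict(FIELD.findall(line))
    fields["FLAGS"] = set(line.split()) & {"SYN", "ACK", "RST", "FIN"}
    return fields

def kuang_probes(log_text):
    """Map source IP -> hit count and kind for inbound SYNs to KUANG_PORT."""
    ports_by_src, hits = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        f = parse(line)
        # Keep inbound TCP connection attempts only: IN= set, SYN and nothing else.
        if not f.get("IN") or f.get("PROTO") != "TCP" or f["FLAGS"] != {"SYN"}:
            continue
        src, dpt = f.get("SRC"), f.get("DPT", "")
        if not src or not dpt.isdigit():
            continue
        ports_by_src[src].add(int(dpt))
        hits[src] += int(dpt) == KUANG_PORT
    return {
        src: {"hits": n,
              "kind": "sweep" if len(ports_by_src[src]) >= SWEEP_THRESHOLD else "targeted"}
        for src, n in hits.items() if n
    }

if __name__ == "__main__":
    for src, info in kuang_probes(SAMPLE_LOG).items():
        print(src, info)
```

A "targeted" source asked only about port 17300, which matches the scanning described in the post; a "sweep" source touched that port while walking many others.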
 

Jon_R

Stunt Coordinator
Joined
Jan 31, 2001
Messages
174
Ahh.. what internet surfers think about the internet.

Kevin P, you make some very common points but there needs to be a level of clarification here. The reason NT-based OSes are a little less prone to malicious file-destroying viruses is because of file system rights and privileges. If one was to run NT with the same file system as win98, that being fat32, then a virus could do nearly the same amount of damage.

The Weird virus is a keylogger, and it opens port 17300 which will send all the things you have typed out to that port. It's used for stealing passwords, credit cards and honestly, just to see what people look at. Hacking isn't all about making millions with stolen credit cards, often it's just about a little fun at someone else's expense.

About that firewall comment. Trust me, if you run any Windows OS or any Linux install (fresh install, no mods) no amount of firewall is going to protect you 100%. The Norton firewall is just the old AtGuard firewall. AtGuard was an ad blocking firewall before firewalls were trendy. It was never very good. Some amount of protection is better than none I suppose, but if someone really wants what you have, and that is all you got, you're in trouble. Network security is a lucrative business.

BTW, my friend works for a major firewall security company spanning 5 continents and they have multiple redundant firewalls because no firewall is 100% secure. Keep in mind though, obscurity = security, that being said Joe User on his cable modem is far less likely to be "hacked" than say a university or major dotcom.

Just thought I'd clear that up,

Jon
 

AndyVX

Supporting Actor
Joined
Aug 2, 2000
Messages
804
Jon_R,
Just wanted to ask you something. What benefits would I get from buying the 'pro' version of Zone Alarm rather than just using the regular free version?
Is the 'pro' version needed for home use?
P.s. Anyone else that knows the answer, feel free to chime in. :)
 

Kevin P

Screenwriter
Joined
Jan 18, 1999
Messages
1,439
The Norton firewall is just the old AtGuard firewall. AtGuard was an ad blocking firewall before firewalls were trendy. It was never very good.
Norton may be based on AtGuard but I think they've improved it a lot, and it adds peace of mind and an added layer of protection from hackers. Like car alarms, they don't stop all break-ins but they will often make the hacker look elsewhere for an easier target. These personal firewalls are designed for home users, so they aren't going to provide Fort Knox security, but they're MUCH better than no firewall at all.

For the record, I run a Linux box on my cable modem 24/7 using the packet filter built into the kernel as a firewall. Despite many logged attempts by the script kiddies, no one has gotten in yet. It is certainly safe enough for my needs.

KJP
 

Hugh M

Second Unit
Joined
Dec 31, 2001
Messages
324
Hey, I'm not trusting the guy who has been registered for a year exactly, and just found this section... (just kidding)(maybe it has only been here a little while) :)
I was on a movie trailer site, and NAV 2002 popped up and told me about a virus JS.SEEKER.F and told me it couldn't do anything to it. I can't find any traces of the virus now, but I do know that it is a very old virus (1999) and that I am running XP. MS released a patch relating to this virus a long time ago, so I'm pretty sure I'm OK. So what do you think? I'll scan the system as well, but it is going to take a while.
By the way, if you get the upgrade for NAV 2002 directly from symantec.com I don't believe it is $30. I think less. And I didn't even purchase my qualifying version of NAV 2001. It came with my mobo software. I tried honestly to get 2001 working in XP, but it doesn't really work properly. Even after updating and tweaking.
See my other thread for a nagging question about 2002.
 

Steve_Ch

Supporting Actor
Joined
Oct 14, 2001
Messages
978
I recommend that if you are on a "fix" wire WAN, such as Cable or DSL or T1, you have as a minimum the following:

1. Virus Scanner (Norton, McAfee, OnTrack...)

2. Trojan Horse Scanner (Cleaner)

3. Firewall (ZoneAlarm, Norton, ....)

I also recommend getting a POP3 email client that's a little bit more robust (such as Poco).

I also recommend getting your stuff (such as above mentioned) from different vendors, so they don't share the same code base and it is unlikely that they will have the same bugs.

Personally, all my systems go through a Sonicwall hardware firewall to the net and each system runs ZoneAlarm Pro, Norton, Cleaner as well as RegStart, and I do a full scan for both Virus and Trojan Horse every week. I do not set up my Outlook or Outlook Express, so there is no address book or POP3/SMTP information.

Most of the time when I am just surfing around, I use a laptop that runs a bare W98Lite (which means no IE, no MS HTML engine, in other words, stripped of just about every single piece of MS code that's commonly infected) with Opera as my browser and no email client.
 

Kevin P

Screenwriter
Joined
Jan 18, 1999
Messages
1,439
I was on a movie trailer site, and NAV 2002 popped up and told me about a virus JS.SEEKER.F and told me it couldn't do anything to it. I can't find any traces of the virus now, but I do know that it is a very old virus (1999) and that I am running XP.
Symantec lists this as a Trojan Horse, it's not a virus or worm. In other words, it doesn't spread, it has to be sent to you. I've heard of some anti-virus programs (not Norton) falsely reporting this virus on some websites, so maybe that's what happened here.

If you scan your system, you might find the Seeker in your internet cache, but it shouldn't have affected your system. It doesn't do any damage anyway; it only changes your default home page. In fact, perhaps any Javascript that changes your default home page will be detected as Seeker.
 
