
Re: Backdoor.IRC.Flood.E & Backdoor.Dvldr

From: Curt Snow <csnow(at)westerlyhospital.org>
Date: Fri Jun 20 2003 - 10:06:48 EDT


Here's an update on what transpired, etc.

The machine was a Windows 2000 Professional PC.

There was no file sharing software on this machine, such as KaZaa, etc., and she doesn't use any chat groups or chat programs at all.

Her internet connection is via dial-up.

The user was logging in as Administrator, with no password (very dangerous thing to do!)

After becoming bogged down by the Backdoor stuff, she also got infected with a variant of the lovgate virus. This particular virus brought the machine to its knees. Very little would function correctly once it became infected with this one.

I cleaned the lovgate virus and did a backup of all of her critical data, then partitioned and formatted the drive.

The OS and apps were then reinstalled and the machine was set up with 2 user accounts: the Administrator account, which now has a strong password (something other than 123456 or "password"), and a user account for her, which is passworded and is a member of the Power Users group (on the local machine... the machine is not on a network).


She has been instructed as to how to log in using her password and seemed to be OK with the fact that she has to actually log in to the machine.

A software firewall has also been installed.

These steps should prevent all of this mayhem from happening again.

Passwords, especially for Administrator accounts, are critical to the security of these machines!
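As an added example (not from this thread or its authors), here is a PowerShell audit that reports the three conditions Curt's rebuild addressed: an enabled account that requires no password, local admin membership for the everyday account, and a host firewall that is off. It assumes a modern Windows host (Windows 10 / Server 2016 or later, with the LocalAccounts and NetSecurity modules); the Windows 2000 machine in the thread predates PowerShell, and where the thread uses Power Users, a standard user account is the modern equivalent.

```powershell
# Added example: audit a local Windows host for the weaknesses described in the thread.
# Assumes Windows 10 / Server 2016+ with the LocalAccounts and NetSecurity modules (not Windows 2000).
# Run from an elevated PowerShell prompt; it only reads state and reports findings.

$findings = @()

# 1. Enabled local accounts that do not require a password (the blank-Administrator case).
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    $findings += "Enabled account '$($_.Name)' does not require a password"
}

# 2. Built-in Administrator (well-known RID 500) still enabled for day-to-day use.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtinAdmin -and $builtinAdmin.Enabled) {
    $findings += "Built-in Administrator '$($builtinAdmin.Name)' is enabled; use a separate admin account and disable it"
}

# 3. Who holds local admin rights. Anything run by these accounts runs with full control of the machine.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
        $findings += "Local user '$($m.Name)' is a member of Administrators; confirm it is not the everyday account"
    }
}

# 4. Host firewall state per profile (the thread's "software firewall" step).
# Enabled is a tri-state value (True/False/NotConfigured); anything other than True is reported.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings += "Firewall profile '$($_.Name)' is not enabled (state: $($_.Enabled))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: passwords required, built-in Administrator disabled, firewall on.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```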

>>> NC Agent <NC_Agent@kueppers-familie.de> 06/20 12:01 PM >>>
Hello,
Could you please give us some more information on the type of setup you are running:
What type of OS are you running?
Is the infected machine connected to a network? What level of internet connection does it operate? Do you have any security features enabled (apart from the virus scanner)? Do users chat over IRC, or use filesharing programs (Kazaa, WinMX etc) at all?
Having this information would help us get a better idea of how the virii may be reinfecting.

Kindest of regards,

Hamish Stanaway

-= KoRe WoRkS =- Internet Security / Absolute Web Hosting Network Owner/Operator
Auckland
New Zealand

http://www.koreworks.com/ 
http://www.webhosting.net.nz/ 
http://www.buywebhosting.co.nz/ 



Received on Fri Jun 20 10:27:35 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:39 EDT
