The file was an exe file, 307kb. I have not executed
the file, but that character says the file is a system file---his
exact words were "system file...u delete it thru add/delete prog...u
try to remove it...i am already in control". I did not believe him, and
I thought that since i have not executed the file,(i have deleted the
file now) my system will not be harmed.
But moments later a midi file started playing on its own, and my
start menu started opening and closing on its own. I immediately
pressed the reset button, and although my system is working fine
right now, his last words have scared me. He said my hard-disk will
get formatted 48 hours from the time i took the file from him.
Sir, please tell me what to do. I have a lot of work stored on my
hard-disk, and if something happens to it, it would be disastrous for
me. I don't know what to do. Is it technically possible? I mean, i
haven't executed that file, and yet my system went haywire at that
time. will i loose my data? he said, like i mentioned before, "system
file". Please do respond as soon as u get this message, as i am in a
quandry. Please do help me. I have used mcaffee virusscan, but it
shows no infection.
yours sincerely,
elided
PS. According to his threat, i have 48 hours left. I have changed my
system date, and time. will it help if i keep changing it, to confuse
the virus, if one does exist in my system?
Bruce's reply to this email:
- On 25 Oct, elided wrote:
- Bruce,
Can you please help. It seems like BO or something like that.
- We can hope so.
- Can you respond directly and cc to me?
- Will do.
- [munch]
- Dear Dr. Mehta,
I have corresponded with u before. I need your help urgently this time. A
certain obnoxious character transferred a file into my computer thru ICQ,
saying it was the latest version of winamp, but it was a virus. The file was
an exe file, 307kb. I have not executed the file, but that character says
the file is a system file---his exact words were "system file...u delete it
thru add/delete prog...u try to remove it...i am already in control".
- That's entirely possible, unfortunately. Depending upon the other
provisions taken by your attacker, he may be ``in control'' even
while you are not connected to the net, may be able to cause your
computer to dial into the net at any time, probably already has your
dial-up password, and could pretend to be you, as he attacks VSNL,
as well - making it look like it is YOU doing the attacking.
Deleting the file may be as simple as (from DOS) typing...
attrib -s winamp.exe
del winamp.exe
but it is a bit unlikely that those operations will fully clean your
system.
- I did not believe him, and I thought that since i
have not executed the file,(i have deleted the file now) my system will
not be harmed.
- Not necessarily true. If the file was executed without your
intervention, by exploitation of a security hole already present
in Windows, it may have installed something which you have not yet
deleted, nor even found.
All of this is completely logical. Anxiety will work against you,
so please attempt to become calmer. An intrusion like this is
usually a shock to anyone. The attacker cannot adapt his attack
during times that you are not connected to the net. He COULD,
however, have copies of both your message to Dr. Mehta, and to
this reply.
- But moments later a midi file started playing on
its own, and my start menu started opening and closing on its own.
- These sound like typical Back Orifice tricks performed by an
attacker while you are connected to the net. In a way, it is
fortunate that the attacker so exposed himself. It would be just
as easy for him to snoop on you, without letting you know about it.
If you have a microphone plugged into your soundcard, he could
listen to your room, while you are connected to the net, if you
have a camera installed, he could also watch, all without your
knowledge. If this is indeed Back Orifice, everthing on your
Hard Drive has already been exposed to him. He could have copied
or modified anything.
- I immediately pressed the reset button, and although
my system is working fine right now, his last words have scared me. He said
my hard-disk will get formatted 48 hours from the time i took the file
from him.
- That is possible. Especially with it already the 26th of the month,
CIH virus, and variations on it, already prevalent. If you have a
soft-upgradeable BIOS, it could also destroy the mother-board of your
machine (or all usability of the machine, if it is a laptop). Other
software, besides that virus could have also added this capacity - e.g. a
Back Orifice ``Buttplug'' plugin.
I do not mean to scare you unduly here. It is necessary that you
understand the possible risks, so that you can identify what has
happened, whatever happens, and be ready to consider alternatives
and extra precautions to prevent this from happening again.
- Sir, please tell me what to do. I have a lot of work
stored on my hard-disk, and if something happens to it, it would be disastrous
for me. I don't know what to do. Is it technically possible?
- Yes.
- I mean, i haven't executed that file,
- What you actually mean is that you have not DELIBERATELY executed
that file. Unless your version has all of the latest security
patches, AND those patches are fully effective, and the attacker
has not found a previously unknown bug to exploit, you cannot be
sure that you did not inadvertently execute that file. Remember
the file you question might not be the file that is causing the
emergency. It could be a decoy.
Back Orifice, for example, could be installed on your system, without
your cooperation, through a signed Active-X control, through
exploitation of a buffer-overflow bug in a Microsoft E-Mail program,
or an older (before v4.06) version of Netscape, through an HTML
attachment to a message received with Eudora, with any but the latest
version of Eudora, and IE set as an ``opener'' for HTML messages.
These are just a few of the ways that you could ``cooperate'' with
an attacker, without your deliberate act, to give him a foot-hold on
your system. The ``signed Active-X control'' attack has been
demonstrated on a security site in Israel, and is one for which the
only considered solution is to not allow Active-X to run. With
Windows-Java, some security may also be compromised, as it is only
certain that the original specifications have not been followed.
Perhaps the Sun Microsystems court case against Microsoft will expose
more information.
If Back Orifice is installed on your system, you need to remove it,
remove anything which would cause it to be re-installed, and remove
its invocation from the Registry. It will NOT show in the Control-
Alt-Delete task-list. If it does, it is probably a false entry, and
killing that program would not close the real thing.
In addition, If it _is_ Back Orifice, it could send an ICQ or IRC
or E-Mail or Usenet message every time you log onto the net, to
notify the attacker of your new connection address. These can happen
without your cooperation, and without normal IRC or ICQ or E-Mail or
Usenet software installed on the system. If this is the case, any
time you spend on-line at the moment potentially increases your
danger.
- and yet my system went haywire at that time. will
i loose my data? he said, like i mentioned before,
- If your system went ``haywire'' - without your cooperation,
SOMETHING is there that does not belong. You MAY loose or
already have lost your data, or you MAY be able to rescue it. The
threat could be false, or some oddity of _your_ system, might prevent
it being successfully carried out, even if you do nothing. I would
not rely upon that last item, though, if I were you.
- "system file".
- The term ``System File'' as applied to Windows95/98/NT and even
earlier versions of Windows, has a rather indistinct meaning. It
could mean that the ``system'' attribute has been set, which was
also available in DOS. If that is the case, that attribute must
be turned off before a truly successful deletion can be done.
(as above)
It could mean that it has been added to your StartUp group, in
the Start Button menus, and/or Registry. It could also mean that
some kind of modification has been attached to a normal file, or that
a normally executed file has been replaced with a trojan substitute.
It could mean that the file actually causing problems is a .vxd or
.dll It could mean MANY things.
This is one of the problems with cryptic configuration files like the
Windows95/98/NT Registry, and to a slightly lesser extent, .ini file
on previous versions of Windows. It is quite likely that you do not
know what SHOULD be starting up automatically, hence even if you look
the right place, you will be unable to determine something which has
been added by any somewhat skilled attacker. The default name for
Back Orifice, for example is ".exe" (noname executable), but that
name can be altered at install time to any other name. The file
does not even have to be in your windows directory.
- Please do respond as soon as u get this message, as
i am in a quandry Please do help me. I have used mcaffee virusscan, but it
shows no infection.
- VirusScan _must_ have the latest signature files, and even then, is
like any anti-virus software, always playing ``catch-up''. The
problem is not with the virus protection software manufacturers.
They produce a valuable bandage for a severely under-designed and
insecure operating system.
http://guide.vsnl.net.in/tcpip/columns/alt_os/
http://guide.vsnl.net.in/tcpip/columns/security_internet/
DO NOT take the time on-line NOW to look at these web pages. This is
for your later consideration.
- yours sincerely,
elided
PS. Accordding to his threat, i have 48 hours left. I have changed my system
date, and time. will it help if i keep changing it, to confuse the virus, if
one does exist in my system?
- Changing the system date is probably a good precaution, not sure to
be effective. If indeed, a trojan such as Back Orifice, or virus
has been installed on your system, it can maintain a time-lapse
without your permission, and not directly using the exact system
date. It is possible, but slightly less likely, that setting-back
the date will trigger the very damages you are attempting to prevent.
I would STRONGLY suggest that you collect diskettes, shut down. Stay
off line, and when you start up again, use the function key to
reboot to DOS only (which will disallow Windows programs from
running). Use the old DOS copy command to copy files that you MUST
NOT LOOSE, to diskettes. If they are too big, and you have
previously installed file splitting or compression tools (like pkzip)
use them. Unfortunately, unlike many alternatives to Windows, there
are no compression and splitting utilities which are part of the
``standard'' installation for commandline use.
Mark those diskettes as suspicious backups. You cannot be sure
that they will not themselves become infected with a virus. You
cannot be sure that the files you place on them have not been
already modified. You will not wish to place them in the diskette
drive again, until you are sure you have a fresh system with the
latest signatures for VirusScan, or have chosen a more secure
alternative operating system, and begun to learn to use it.
After saving the datafiles, and beginning again to breathe, I would
suggest that you reboot in Windows, open the files containing crucial
data, and save them in an ``interchange format'' (usually an
``Export'' option on the ``File'' menu), placing your essential data
on diskette in a format that is not dependent upon the program which
created them. For example, from MS-Word, you may save in RichText.
From Excel, perhaps comma-delimited or tab-delimited files. Ideally
these are files that you could view the contents of using only DOS
Edit with or without Windows running. Each of these will depend
upon the veracity of the program to truly save the information
contained, and not discard essential information. Excel, for
example, may preserve actual data values, but discard formulas. You
may wish to print a copy of information in these files while you do
this.
Ideally, what you would do now, is boot from the clean DOS system
diskette which is write protected, and has been write protected since
you first got your latest system installed. But it is unlikely that
you have created such a diskette. That would have quite exceeded the
normal precautions taken by people, and if you had done this, you
would be unlikely to still be so disturbed about this attack. That
diskette would have a copy of (e.g.) pkzip for MS-DOS installed on
it, in addition to copy, DOS edit, and likely format and fdisk. But
it is too late now to prepare that way for the current emergency,
using only your own machine.
There is no guarantee that this will be fully effective. It is
possible that pointers have been altered to already corrupt files.
If you are unable to positively identify what has been installed,
you really need to go back and re-install everything from the copies
you made of original installation software. Then upgrade it with
the various patches and service releases you have since added. But
do this AFTER rescuing data you must rescue.
If you have access to another system, known to be ``clean'' (not
just THOUGHT to be clean), create a diskette as described above
on that system, and use fdisk and format from booting _that_ diskette
to completely clear the hard drive, before re-installing everything.
That diskette should be write-protected before it is ever inserted
into your diskette drive.
I do not have a good understanding of your experience, at this point.
It may be that you will need to find a local expert to assist you.
Bruce Gingery
Advanced Integrators, LC <URL: http://gtcs.com/ai/>
Cheyenne, Wyoming, USA
The Second Incident
Dear Sir,
On the 27th of October I received small messages on my screen saying you are
being hacked by Dr_amer (or something of that kind)...Then my computer
restarted ...I connected and proceeded to change my password..in telnet..
I logged into it..went to option 6 but it said insufficient
privileges...password not changed:cannot access protected password
entry...
When I went to check my usage time (option 9) and it said 05:00:01
I don't know if this was the time left...but I consider that impossible as my
account was renewed about two weeks ago for a 500 hrs account...
I would like to ask your help in this matter and also if there is anyother way
in which we can change the password.
I think you are aware of the urgency of this matter and I will be highly
obliged if you could reply as soon as possible.
Your's sincerely.
vsnl user - name elided
for vsnl user - name elided
|