TrojanInfo.com

#Help Virii Class 09/02/2001


Below is a cleaned-up version of the log. I have removed general chatter and grouped conversations so they will be easier to follow:

I have broken the file into sections as they were presented in the class, which is text from me followed by questions / discussion on that material.

SECTION 1: INTRODUCTION
Class Text [Moby] Howdy Yallz, welcome to an introductory class on virii/Trojans/Security. This class will cover some of the basics of virii/ trojans and briefly touch on computer security.
Please do not message / notice me as I will not respond to private messages during the class, as it is unfair to the others who are attending.
This class is not intended to be a lesson on removing infections, it is for #help users who are wanting to know more about these infections and computer security in general.
and other random channels I just spammed
If anyone is interested in learning how to remove virii or be part of the #Nohack team, ask at the end of the class, and if there is enough interest I will look into teaching some classes.
This class will be very information intense and I suggest opening notepad ** [START] --> [RUN] --> "notepad" ** up so you may jot down notes, and save some URLs which will be valuable to have for reference for both yourself, and the users you are helping.

SECTION 2: DEFINITIONS
Class Text [Moby] First of all some definitions, what exactly is a virus?
A virus is a computer program that attaches itself to a host file, and it replicates without the user knowing.
Over the years the number of the more "destructive" virii infections have been decreasing, and have given way to new scripted style virii.
I say "destructive" in the sense most virii nowadays don’t render the computer unusable as did ones like Hemlock, and the CIH virus.
However virii still continue to cause tens of millions of dollars of damage. From a news.com story: "…We estimate $2.61 billion of damage has been done," Samir Bhavnani, a research analyst with Computer Economics, told Reuters. "By Wednesday, the total can reach $10 billion. We see damages growing by $1 billion to $1.5 billion a day until the virus is eradicated."
Most of the more common virii around nowadays exploit security flaws in Outlook and IE to spread, along with relying on users to type commands into mIRC.
One recent example of this is the karma trojan, that some of you might be aware of.
The Dalnet Kline team have created a web site http://kline.dal.net/exploits/rolvbs.htm , to test to see if your machine is vulnerable to the technique the karma trojan uses to infect.
All machines running IE that have not downloaded this patch are vulnerable.
Microsoft have released a patch for this vulnerability and it can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-058.asp
Advancements have been made in the virus detection algorithms, and awareness has been increased, but still uneducated users are opening infected attachments and this is the biggest problem.

Questions / Discussion [Sheyna] is there any vulnerability with Netscape?
[Moby] Sheyna a while ago there was one which allowed netscape to act as a webserver thus giving people access to your machine, but this has been patched, and I dont know of any recent netscape holes.

SECTION 3: DEFINITIONS (CONT.)
Class Text [Moby] What is a Trojan and how did it get the name?
A Trojan is the name given to a destructive program that masquerades as a benign application.
The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering.
But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy.
What is the difference between a Trojan and a Virus?
Unlike viruses, Trojan Horses do not replicate themselves, but they can be just as destructive.
One of the most insidious types of Trojan is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer.
Many users will see the "Dalnet detected your infected with mprexe.exe get this Cleaner or be akilled" im sure
One example of a trojan is the infamous "Back Orifice." This trojan allows others on the Internet to gain access to your computer and search and manipulate your hard-drive.
Some other common trojans are Sub7, Netbus and an increasing number of mIRC-based trojans such as GTBot and its variants. (Some urls for more information are http://www.nohack.net/subseven.html , http://www.nohack.net/netbus.html , http://home.dal.net/golcor/gtbot/ )

Questions / Discussion [A-nice-friend] Moby, can Trojan Horses be detected and cleaned ?
[Moby] yes, there are several tools we use, ill get to that later

[White`Shark] Moby: Subseven 2.2.x can't be detected by Cleaner
[Moby] White`Shark cleaner gets new definitions all the time, we also use another program called swat it
many .exes are also compacted with .exe compression tools which makes it harder to detect them.
[White`Shark] Moby: DALnet should use a cleaner and make it official...and it should auto update the dat file according to nohack's suggestion
Moby: like Mcafee
[Moby] #nohack staff regularly send virii samples and trojan samples to antivirus vendors
[White`Shark] Moby: but that makes users confuse
[Moby] we have a member of staff that works for Swat IT, and he collects trojans to update their definitions
[White`Shark] Moby: many people use diff. scanners, some detects one as virus, some not
[A-nice-friend] Moby, how destructive are Trojan Horses. Any stronger than viruses?
[Moby] A-nice-friend depends on the trojan, some trojans just allow your computer to be used in a DDoS attack, which isnt destructive to your machine, but can be to other hosts. others allow full control of your machine
[White`Shark] Moby: Some people gets confused when lamers use net send command to make a fake trojan msg
[Moby] White`Shark nothing I can do about big companies, except assist them by giving them samples.
White`Shark again nothing I can do, people need to be educated about the dangers of running programs, this is how virii spread :(
[White`Shark] Moby: that's what I'm saying.....DALnet should release a virus scanner of their own, which updates from kline.dal.net or from nohack web site
[ihavenofriends] White`Shark koz they all have heaps of time on their hands
because they dont have a family? life? work? right..
[White`Shark] ihavenofriends: not true
[Moby] White`Shark if you want to write the antivirus s/w and maintain a database of upwards of 50,000 virii :) be my guest, but it takes alot of effort, i think our time is better spent helping the big corporates by giving them samples.
[White`Shark] Moby: true...ok I'll quit making comments and let u go on
[A-nice-friend] by the way, Moby do you mean that those people with the Black Orifice, are hackers ?
[Moby] A-nice-friend well yes, Script kiddies is another term, as its very easy to use programs like Sub7 and BO

SECTION 4: VIRUS PROTECTION
Class Text [Moby] How to protect yourself from virii? There are several antivirus packages out there, and different people prefer different brands. Some of the more common ones are Norton, Mcafee, AVP.
Many vendors provide trial evaluations for their products; some URLs are http://www.avp.ru , http://download.mcafee.com . There are however some totally free antivirus packages, including a DOS based one called F_Prot (Good for Boot sector virii, such as CIH and Spaces). It can be FTP’d from ftp://ftp.f-secure.com/anti-virus/free/
For windows there is also a new vendor providing a total free scanner AVG which can be found at http://www.grisoft.com/html/us_downl.html
Virus companies' algorithms and database definitions mainly search for virii, and fail to find many trojans. This is where programs like the cleaner and Swat it come in.
The Cleaner has been around for a long time, and can clean around 4,000 different trojans. However the cleaner is not free, but again there is a 30-day trial available.
Swat it however is a completely free trojan scanner, it's only relatively new compared to the cleaner but the number of trojans it can detect is rapidly expanding. http://www.lockdowncorp.com/bots/downloadswatit.html

Questions / Discussion [ihavenofriends] jakerz is VET a good virus program
[Moby] ihavenofriends sorry I have never used Vet, so I cannot comment, My theory is you want something that auto scans on files opening / saving from your mIRC, and something that allows easy updates, as long as it's ALWAYS kept up to date that should offer pretty good virus protection.
[Netcodec] jave they updated the cleaner?
have*
[Moby] Netcodec they update the cleaner all the time, there is a program similar to nortons live update called moolive which can get updates for the cleaner.
[cfdiskz] qaz is the best trojan?
[Netcodec] Moby well i use cleaner b4,, and there was no update..
[Moby] Netcodec no update available maybe, cause when you download it, it normally contains the most up-to-date definitions
[A-nice-friend] virus is divided into a few groups, boot sector viruses, Common Viruses, Parasitic Viruses and Macro Viruses. what are the differences between these viruses ?
[Moby] boot sector virii as the name suggests hides in the boot sector, so when the person boots from the infected drive it will automatically load into memory without the need of running any programs, these are the hardest to remove. A program like Fprot for DOS in combination with a clean boot disk is the only way.
common virii - infect .exe files and when run it loads into memory they replicate through the drive searching for more .exe's / .coms to infect usually storing the code inside the host file.
Parasitic Virii .. not sure what you mean, all virii attach themselves to a host file.
Macro virii are ones that exploit weaknesses / scripting abilities in products like Excel / outlook / word ( you wouldnt believe what you can do in Excel)
[A-nice-friend] Moby Macro virii are ones that exploit weaknesses / scripting abilities in products like Excel / outlook / word ( you wouldnt believe what you can do in Excel) [what you mean?]
[Moby] This wasnt answered in the channel, as I missed it (only one of me and heaps of them :P)
What I mean is excel / word offer protection against macros, they by default warn you when opening up a document which contains macros. What some virii do is exploit this and bypass the feature effectively running the macro without your permission.
[A-nice-friend] i mean Parasitic Virii, Moby.
[Moby] A-nice-friend in my opinion all virii are parasites
[temptme] I'd call all viruses parasitic, they infect other files - trojans are usually standalone programs, although there's at least one that has a viral component too .. and then you have worms
[Netcodec] Moby u seem to know alot of virus/trojans.. well what do u recommend as protection?
[Moby] Netcodec I recommend an up-to-date virus scanner, using the mIRC ignore file types option, keeping up with the latest patches for Windows at www.windowsupdate.com , and common sense, if you see BritneySpearsNekkid.mp3.jpg.mpg.exe ... Dont run it
[Netcodec] i mean what scanner?
[White`Shark] Moby: Which one is most suggested by nohack?
[Moby] White`Shark the most suggested is AVP or AVG
White`Shark I personally use norton, but thats my company's standard, and i have several trojans it does not pickup.
[White`Shark] Moby: in this issue, I would like to ask why isn't Mcafee and Norton in the list?
[Moby] White`Shark you can get mcafee 30 day trial from http://download.mcafee.com/eval/user-registration2.asp?l=14&o=10&pkgc=229&prdc=27&s=HOME&x=N&img=vscan_6x.jpg&zz=VirusScan&nz=0&comp=391&zfs=4477%2E93+kb
White`Shark and norton from http://www.symantecstore.com/Pages/TBYB/index.html
I personally dont like mcafee, so I dont recommend it.
[White`Shark] may I know the reason Moby?
[Moby] White`Shark the reason I dont like mcafee was i was infected with CIH, and it still ran, if the .exe was infected it should have some CRC checking on the file integrity so it wont run. I installed norton and by the end of the installation it too was infected, but it said it was, and couldnt continue. Thats my personal reason.
[A-nice-friend] so where can we get Fprot ?
[Moby] the windows version of Fprot can be found @ : http://www.f-secure.com/download-purchase/anti-virus/download/fsav95.exe
and the DOS version at ftp://ftp.f-secure.com/anti-virus/free/
[DaBooS] is it possible to catch an infection just by visiting a web page and not downloading anything?
[Moby] DaBooS yes if you're running IE and its unpatched then there are security holes in IE's browser that let remote sites access your HD, karma trojan is one of these (for more info goto http://home.dal.net/moby/karmafix.vbs i have a removal there.. and it contains some information about it)
[pegs] Does ones like macafee or norton pick up trojans, I thought that was for chats or icq
[temptme] for trojans you are most often better off with a program like The Cleaner or SwatIt
[Moby] pegs some, but as I said above they are not designed to pickup trojans exclusively and thus are fairly weak so its better to use something like swat it.
[A-nice-friend] Moby, in some virii, there are payloads. what does payloads do ?
[Moby] A-nice-friend payloads are the damage virii do, whether it be delete all your .jpgs and .mp3 files as some variants of the ily virus do, or wipe your entire HD
[White`Shark] Moby: and according to ur concern, which one has got most updated and large virii database? no matter it's freeware or paid
[temptme] White`Shark, all av's update regularly - I use norton and still scan at housecall as a backup
[White`Shark] Moby: you might have a technical point of view which I would like to know
[Moby] White`Shark im not sure which has the largest database, but with heuristic scanning algorithms, it might not matter how many virii they say they can detect, as they can get new ones.
I had a variant of Hemlock once, nothing found it except F-prot for DOS, it couldnt remove it but it found it, I physically took my computer to command software where they wrote a specific fix for me :(

SECTION 5: FIREWALLS
Class Text [Moby] Another issue related to computer security is firewalls. Many people do not believe that they need a firewall because they are only on the Internet for a few hours a day and don’t leave their computer unattended while it is connected.
It only takes a few moments for someone to scan your machine and possibly find a security hole in your operating system.
So what does a firewall do?
A firewall filters traffic from the outside to your computer. A correctly set-up firewall will only allow traffic that has been given permission via its rules to communicate.
The grade of firewall determines how it filters this data, and what types of data are filtered. Firewall prices can range from costing nothing for something such as Zone Alarm to something in the tens of thousands of dollars for a corporate strength firewall such as gauntlet.

Questions / Discussion [pegs] Moby have you seen that the new macafee has a firewall in it?
[Moby] pegs no i havent used it, but i recommend a separate firewall program that has been around for a while.
[A-nice-friend] Moby, some ppl say that firewall are used to prevent hackers, how true is that?
[Moby] A-nice-friend a firewall filters traffic, its useful to catch programs acting as "servers" on your machine, and people scanning for services on your machine.
so hence it does stop hackers in that regard.
[White`Shark] Moby: thank you...I donno whether you've used the program Lock down pro
[Moby] White`Shark no I havent used it but later Ill give you some urls for more info
[White`Shark] Moby: to me, it's more efficient in setting up firewalls, and it has got so many options like vbs scanner, auto updater,....
[pegs] I tried lockdown, and it totally messed up everything.
[Moby] Who needs a firewall?
In my opinion everyone running a Windows machine on the Internet should have a firewall. Earlier versions of windows that are un-patched are vulnerable to nukes and other such exploits. Even Linux machines should have some sort of ipchains /ipfilter rules, to filter any services running.
[Moby] Also now recent versions of Windows such as ME, and 2K and XP, are starting to run services, which can be remotely exploited.
Machines with 2K and running IIS services, which many do by default, are vulnerable to new exploits about once every few months. Windows XP had a recent vulnerability, the first of its kind for a “Home PC”.
This exploit allows anyone to gain access to the machine from the Internet. If you are running XP, and some versions of ME, then you are vulnerable until you are patched.
So what does this mean?
It means that unless your system is up to date with ALL the latest hot fixes then someone might be able to gain privileged access to your machine, and even then there may be unpublished bugs around that hackers could use.

SECTION 6: FIREWALLS (CONT.)
Class Text [Moby] So what kind of firewall is best for me?
For most people #Nohack Staff recommend Zone Alarm. Why Zone Alarm? Cause it's free, and it's good. Zone Alarm monitors programs connecting out from your computer, which can detect any trojans that connect out rather than ones that wait for someone to connect in.
If a user needs to create more advanced rules then Conseal might be the better option. Conseal isn’t free, but allows you to create separate rule sets for each interface, which is ideal in a tightly controlled home network.
For more information about what #Nohack ops have to say on firewalls go to http://www.fruitloop.net/virushelp/firewalls.html

Questions / Discussion [White`Shark] Moby: Zonealarm can be exploited in port 23
[Moby] i would be glad to look at that
cause I have no reason to think it would be listening on a telnet port.
[White`Shark] Moby: http://newdata.box.sk/neworder/zonealarm.txt .....I donno whether this is removed in Zonealarm 2.6
[Chopin_] moby, do you have any rules for conceal that are better than what comes with it?
[Moby] Chopin_ depends on your network at home, and how tight you want to control it.
[Chopin_] i see
[Moby] I suggest placing it in learning mode, when it say detects you ssh'in out, then it will place a rule in. It only places for that specific IP and that local port (ie the strictest rule possible) so this will need to be modified to say allow all local ports ( 1024-60000) and possibly all ips for SSH port, again depending on how tight you want your security you might specifically allow certain IPs only.

SECTION 7: WHAT NOW?
Class Text [Moby] So now I have all this information, what can I do now?
First I recommend that everyone get an antivirus scanner, and possibly also a trojan scanner and scan their machines. It’s a good idea to schedule a weekly scan too. Don’t forget your little brothers and sisters who love to run .exe files they get in mails.
Second look at getting a firewall, this is the last line of defence against trojans and might be the only thing that catches a trojan trying to connect out, if it is not registered in the antivirus software definitions.
Now you have your computer secured you can help others. When people ask where do I get a firewall, which is best, give them the URLs that help them, most people know about www.zonelabs.com but do you know about Fruity’s page that reviews the advantages of each?
If a user needs a Dos based scanner or even an online scan, you can give them a URL, you can help them fix their machine quickly and easily.
I would just like to note that while I am encouraging giving users information how to get these products, I am in no way encouraging people to assist in the manual removal of virii.
If a user removes a wrong file or removes a wrong registry entry it may have severe consequences for their machine, rendering it inoperable.
Hence all users who need help removing a specific virus or people who need a manual removal should be sent to #Nohack.

SECTION 8: SIGNS OF INFECTION
Class Text [Moby] What are some signs a user is infected?
The most obvious signs of an infection on IRC, is a user is auto sending a file upon joining a channel. Also if a user spams for a website, this website might have the karma trojan from which the user got infected.
Other spam bots from infected mIRC’s have a bit more intelligence and actually start an a/s/l conversation before spamming a site or sending a file.
A user might be infected with a trojan, if they experience weird things on their computer, such as mouse moving by itself, text being typed without their knowledge, CDRom ejecting, etc etc.
So what should I do with an Infected user?
If the user is sending a file or spam messages on join, its best to immediately kick the user with an appropriate kick message like one of these examples:
You’re *infected* please type /remote off (for *Help* msg me, join #nohack or visit www.nohack.net and download their *cleaner*)
You are sending an advertisement and need to /join #nohack for help removing it then come back to #help if you have more questions
You seem to be spamming a website, if you are not doing this, then you may have a virus so type /partall and join #nohack for further instructions
Each of these messages tells the user why they have been kicked, since most people come to #help for assistance in removing this virus in the first place. Then it says to join #Nohack for more help, everything they need to remove the virus.
Sorry to other channels but this was for #help staff ... replace #help with your channel :P
If there is no one in #Nohack and the user messages you back, we have a script which can be used to remove the common DECODE virii at www.fruitloop.net/nohack/SpamClean.zip.
If the user is sending a file, its best to kick the user with a message saying the name of the file they are sending. I see many people join #nohack cause they were told, and they have no idea why they are there.
Even if in their status there is hundreds of DCC sends. Newbie users just want to chat, and have no idea about all these extra messages coming up usually.

SECTION 9: CONCLUSION
Class Text [Moby] Here are some useful sites you might want to jot down, for future reference
Online virus scan http://housecall.antivirus.com
Online trojan scan http://info-x.co.uk/tscan.stm & http://grc.com/default.htm
How to disable VBS scripting http://www.cknow.com/vtutor/vtkillscript.htm
Information about the /con/con bug http://www.microsoft.com/technet/security/bulletin/fq00-017.asp
The Cleaner http://www.moosoft.com/cleaner3.exe or http://www.technet.nm.net/~puppet/cleaner3.exe
....
This concludes the class for today. I hope you all learnt something new even if it was just one thing. If you all go help just one user with the knowledge you have learnt from today then I have been successful in this class.
A few of #help staff have been curious about #Nohack, and wanting to learn more about trojans. This as I said before was a brief class from a #help helpers perspective.
If people would like to have a greater understanding of virii, trojans anything security related then I can (time willing) run another class or a series of classes (more like it).
Note any classes of this type would be for a person thinking of being an #Nohack helper, and would cover in detail the removal tools and the manual removal methods for several command virii & trojans.
I trust everyone enjoyed the class, and donations in the form of cases of beer, will be greatly appreciated

Questions / Discussion [Coolkill] ..or .ls * & .expl in #nohack :)
[Moby] yes good point in #Nohack we have a bot VScan ... common removal tools can be found by .expl string ... ie .expl sub7 or .expl firewall .... to see a listing of commands use .ls
[Sheyna] a good way to test your firewall or computer port vulnerability is at http://grc.com ... some programs are shields up and leak test


This class was presented for #help staff mainly, but hopefully it was informative to other help channels on DALnet. Thanks to all the users in #DalnetHelp that showed their support.

A MASSIVE thanks to temptme for your assistance in running the class, and saving me from those nasty questions.

I apologise for the spalling mistakes in the document, answering 10 questions users at once and getting correct spelling, is too much for my little Brain.

If anyone has any questions please catch me online using the nick Moby or email me at : Jabba_Jones@hotmail.com

Thanks for your time.

Moby #Help Sop, #Nohack & #ShellHelp Aop