Linux Users' Group of Davis (LUGOD)
Page last updated:
2004 Jul 18 13:00

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] [OT] Now I have a virus. Argh!!!!!
On Sat, Jul 17, 2004 at 04:19:55PM -0700, Peter Jay Salzman wrote:
> Ever have the feeling that you shouldn't have gotten out of bed?
> 
> One of my systems, lucifer, is a dual boot (Debian/win2k).  The only
> thing I use win2k for is to play Serious Sam, Serious Sam Second
> Encounter, and Syberia.
> 
> My wife checks her school email, which is web based.  Apparently, Opera
> can't handle the Javascript, so when lucifer is in Linux, she uses
> Galeon and when lucifer is in win2k, she uses IE.
> 
> We're behind a firewall, and NO ports are forwarded to lucifer.  There
> is no mail service on that machine --- win2k is only booted for a few
> hours a day while I play Serious Sam or Syberia.  The only packets (that
> I know of) that can reach lucifer from the outside world are
> http packets coming back from an ipmasqed request.  The only way to send
> anything to lucifer from the internet is to first ssh into another
> machine to get into the home LAN to begin with.  Anyway.
> 
> I booted win2k to play some Serious Sam, and when the machine booted, a
> window named "hello..." popped up that said:
> 
>    I think there must be something wrong.  Wouldn't you say so?
> 
>             yes / no
> 
> Ominous.  I blinked to make sure I was seeing this right.  I looked in
> all the Start directories to see if there was an application that was
> supposed to run at boot.  Nothing.  Whatever was running was running
> from the registry.  I called up the task manager to look for suspicious
> processes.  Nothing looked out of the ordinary, but then again, I don't
> really know much about win2k.
> 
> The FIRST thing I did was unplug the network cable, in case the machine
> was compromised or was being used as a zombie for spamming or DDOS.  Not
> knowing what else to do, I pressed "yes", agreeing with the question
> that, yes, something was indeed wrong.  Very wrong.  Another pop-up
> window was displayed that said:
> 
>    Then you are far more clever than I originally thought.
> 
> Well, at least whatever it was was being complimentary.  At this point,
> I had no idea it could've been a virus or a worm.  As I said, nothing
> can reach this machine.  It didn't occur to me.
> 
> I googled on one of my Linux boxes, and after a little searching, found
> that this is a worm called W32.HLLP.Kindal@MM.  I was able to verify
> some of the claimed changes the worm made to the registry, although I
> couldn't find the file that was supposed to contain the viral code.  I
> saw a mention of it in the registry, and saw the key that has it run on
> boot, but the file itself seems to be missing or isn't showing up.
> Weird.
> 
> The only way this thing could've gotten onto my system that I can think
> of is by Internet Explorer.  This OS is used for gaming (non-online
> gaming), and checking school webmail with IE and absolutely nothing
> else.  I know that 4 "critical vulnerabilities" were announced for IE a
> couple of days ago, and another 3?  6?  a few days before that.
> 
> Anyway, that's neither here nor there.  I've never had a worm before,
> so I'm new to all this.  What's the standard procedure?  Reinstallation?
> Can "virus checkers" also erase viruses?   What is a good "virus
> checker" for this purpose?


Doesn't sound like a worm to me.  In any event, I'd purge the system (it's
Windows after all), follow the instructions to rebuild, patch it, and then
load McAfee (sp?) or something like it.  However, given the way IE works, you
have to be bloody careful where you surf, as MS is a tad slow in its patching.
There are several known exploits for IE that don't require much to be enabled.


_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
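The triage Peter describes above (looking for something that runs at boot, finding it in the registry rather than the Start menu, and noticing that the file the run key points at is not visible on disk) is the kind of thing worth scripting so it is repeatable. The following is an added example, not code from either poster or from the list; it is generic and makes no claims about the specific worm named in the thread. It assumes a modern Windows host with PowerShell (not the win2k box in the post), and it only covers the Run/RunOnce keys and the Startup folders; services, scheduled tasks and WMI event subscriptions are further persistence points it does not check.

```powershell
# Added example (not from the original post): list common Windows autostart
# entries, resolve each one to a file, and flag entries whose target cannot
# be found or is unsigned. Run from an elevated PowerShell session, ideally
# with the machine off the network as the poster did.
# Assumption: only Run/RunOnce keys and Startup folders are examined.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandPath {
    # Pull the program path out of a command line such as
    #   "C:\Program Files\foo\foo.exe" /silent     or     foo.exe -x
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to the first executable extension, which
    # copes with unquoted paths containing spaces (C:\Program Files\x\y.exe /q).
    $m = [regex]::Match($cmd, '^(.*?\.(exe|com|bat|cmd|scr|vbs|js|dll))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Resolve-Target {
    # Expand %VARS% and, for bare file names, look in the system directories
    # and PATH roughly as the loader would. Returns $null if nothing is found.
    param([string]$Path)
    $p = [Environment]::ExpandEnvironmentVariables($Path)
    if ([string]::IsNullOrWhiteSpace($p)) { return $null }
    if (Test-Path -LiteralPath $p) { return (Resolve-Path -LiteralPath $p).Path }
    if (-not [IO.Path]::IsPathRooted($p)) {
        $dirs = @($env:SystemRoot, "$env:SystemRoot\System32") + ($env:Path -split ';')
        foreach ($d in $dirs) {
            if ($d -and (Test-Path -LiteralPath (Join-Path $d $p))) {
                return (Join-Path $d $p)
            }
        }
    }
    return $null
}

$results = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }    # skip PSPath, PSParentPath, ...
        $cmd    = [string]$props.$name
        $target = Resolve-Target (Get-CommandPath $cmd)
        $sig    = if ($target) { (Get-AuthenticodeSignature -FilePath $target).Status } else { 'n/a' }
        [pscustomobject]@{
            Location = $key
            Name     = $name
            Command  = $cmd
            Target   = $target
            Missing  = ($null -eq $target)
            Signed   = $sig
        }
    }
})

# Startup folders: anything dropped here also runs at logon.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$results += @(foreach ($d in $startupDirs) {
    Get-ChildItem -LiteralPath $d -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Location = $d
            Name     = $_.Name
            Command  = $_.FullName
            Target   = $_.FullName
            Missing  = $false
            Signed   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    }
})

# Missing targets first: a run key whose file you cannot see on disk is
# exactly the symptom in the post and deserves a look from offline media.
$results | Sort-Object Missing -Descending | Format-Table -AutoSize
```

A target reported as Missing does not necessarily mean the file was deleted: the entry may refer to another user's profile, or something on the live system may be hiding it from the file APIs. In that case, as the reply above suggests, booting clean media and examining the disk from outside is more trustworthy than anything the running Windows install tells you.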


