Thread: OH crap... virus or trojan, please help!

  1. #1

    Thread Starter
    Fanatic Member invitro's Avatar
    Join Date
    Jan 2000
    Location
    Outside your window
    Posts
    547


    Ok, some stupid freak named Zulti sent me an e-mail with a subject of "hm".

    It had a file attachment with it about 7kb in size, and i was STUPID enough to run it. When i did, my send and receive light on my modem started working, and then stopped after 4 seconds. YES UH OH!!! I don't know what it did, it's not a trojan because i looked everywhere possible to find any remaining traces, and it's not a virus. I'm guessing some kind of program that sends all my passwords to the other #$%^&!@ side of the world. I was wondering if anybody else got this email because it was on my ISP account and my hotmail. Maybe because i have them both listed on my ICQ info.

    i don't know what to do now, did anybody else get this attachment? If u want a copy tell me.

    If u got any suggestions how to find where it sends out to, please let me know. I checked netstats and there were no connections listed but my firewall said 3 connections were sent out. I checked the IPs and they were wwp.icq.com and some other service, so it might not have been from the file. Who knows, HELP PLEASE!



    !!!
    ok, so... windows takes 1 minute to search for a file on my PC yet google.com takes 1 second to search the entire internet?

  2. #2
    Addicted Member
    Join Date
    Apr 2000
    Location
    Sheffield, England.
    Posts
    136


    Disconnect your computer from the internet (or unplug your network card if that's what you use).

    Then, get hold of Norton Anti Virus 2000, click on 'live update' to update its virus definitions (it currently recognises close to 50,000 viruses). Do a FULL system scan - it will even scan ZIP files for viruses etc.

    It WILL pick up any trojan horse programs as well as viruses. You should also keep an eye on the amount of data transferred TO and FROM your PC when connected to the net. If the amount of data sent significantly exceeds the amount of data received, then it definitely needs further investigation.

    You might also search your system (using 'find files and folders') for anything created on your system since you launched that program.

    If you're certain that the program you received DID cause your problems, then you should report it to his e-mail provider, be it Hotmail, Yahoo or whatever else.

    Computers are temperamental enough at the best of times, without sad losers trying to screw your system up 'just for fun'. They should all have been drowned at birth.
    Visual Basic 6 Enterprise Edition + SP4

  3. #3
    Addicted Member
    Join Date
    Apr 2000
    Location
    Sheffield, England.
    Posts
    136


    One more thing - DON'T BROADCAST YOUR E-MAIL ADDRESS!

    Don't show it on ICQ, don't show it on your messageboard signatures. If you want anyone to know your e-mail address, you can tell them individually.

  4. #4
    Fanatic Member
    Join Date
    Feb 2000
    Location
    Japan
    Posts
    840
    Hi,

    Send it my way pls

    [email protected]

    If it's a script like the love bug I should be able to tell you what it did, if it's an exe or com file... I'll take a look anyway

    Paul Dwyer
    Network Engineer
    Aussie In Tokyo

    Using Powerbasic 6 & VB6 SP4 (Please also add your VB Version to your signature!)

  5. #5

    Thread Starter
    Fanatic Member invitro's Avatar
    Join Date
    Jan 2000
    Location
    Outside your window
    Posts
    547
    Thanks, I'm going to do that. I haven't found any problems yet, but my TD light flickers from time to time. This is obviously not normal!!!!!!!

    Anyways, thanks for the replies.

    [Disconnecting]

  6. #6
    Fanatic Member
    Join Date
    Feb 2000
    Location
    Japan
    Posts
    840


    It's an exe so it's difficult to tell... I'm not a cracker so there's limited info I can get from it.

    It's a windows app
    It calls wsock32 so it's likely to have sent something.

    I have a clean system at home, I might try running it with a packet sniffer to see what it's sending... if that's binary data then I won't learn much but I will learn where it's sending to, and how it identifies itself etc.

    Not sure if I'll have time for a bit though, I'll let you know if I learn more.

    Are you sure it isn't just a patch, it being called patch.exe?

  7. #7
    Hyperactive Member jeba's Avatar
    Join Date
    Feb 2000
    Posts
    265

    Just Curious...

    Hi!
    What is the difference between a Virus & a trojan?
    Jeba.

    J£ßä

  8. #8
    Junior Member
    Join Date
    May 2000
    Posts
    27

    a trojan is also a virus

    A trojan is also a virus, but it hides itself in another program, like the Trojan horse of Greek times.

  9. #9

    Thread Starter
    Fanatic Member invitro's Avatar
    Join Date
    Jan 2000
    Location
    Outside your window
    Posts
    547
    Virus infects files and might do damage depending on the user. Trojan horse is a backdoor that allows other users to delete things off your computer, or hides itself to send out or steal data.


    I know it's called patch.exe, but i know my in and out light was blinking when i ran it, and also... i haven't asked for any patches from anyone, and c'mon.. the guy's name was Zulti from a hotmail account that doesn't exist anymore, how suspicious is that.

    Anyways, thanks for looking at the file.. i appreciate the help, I'm really curious what the file sends out so i can intercept whatever course it might lead to. If it did send out passwords or such information i want to be able to see what, when, where so i can take appropriate action.


    Thanks for all the replies

  10. #10
    Fanatic Member
    Join Date
    Feb 2000
    Location
    Japan
    Posts
    840


    I just found out that my packet sniffer software doesn't run under win2k and their website is down/gone...

    when I get my NT box back up and running I'll give it a try.

    Sorry dood

    Paul

  11. #11
    New Member
    Join Date
    Jan 2000
    Location
    NY USA
    Posts
    4


    hey - send me that .exe - i love screwing virus writers over by finding their email address and mail-bombing them... or anyone who already has it, open it up in notepad or wordpad (both come with windows) and search for .com, .net, etc...if the program was sending passwords or sensitive info, it would have to send it to an email address, right? if u find an address (usually hotmail), post it up here so i can mailbomb the hell outta him. If it's an aol address though, forget it...

  12. #12
    Guest
    What you could do is go to neworder.box.sk and download a trojan hunter, and let it scan all of your ports (while u're on the internet) and if there's a trojan ready to send or receive data (in other words active and running) it will find it.. but they only search for the most famous trojans, if it's a home made one (like the one I'm making right now) then your best bet is to probably do what the other guys are telling u..

  13. #13
    Fanatic Member
    Join Date
    Feb 2000
    Location
    Japan
    Posts
    840
    Originally posted by Wes
    hey - send me that .exe - i love screwing virus writers over by finding their email address and mail-bombing them... or anyone who already has it, open it up in notepad or wordpad (both come with windows) and search for .com, .net, etc...if the program was sending passwords or sensitive info, it would have to send it to an email address, right? if u find an address (usually hotmail), post it up here so i can mailbomb the hell outta him. If it's an aol address though, forget it...
    Tried that, no email or urls.

  14. #14
    Lively Member
    Join Date
    Jun 2000
    Posts
    67
    OK THIS IS WHAT YOU DO:

    GET A PROGRAM THAT CAN SCAN PORTS AND SEE WHICH ONES ARE OPEN. RUN THE PROGRAM!

    THEN RUN THE PORT SCANNER

    RUN THE damn TROJAN AND SEE IF IT OPENS ANY NEW PORTS. IF IT DOES - GET THE EMAIL IT CAME FROM AND POST IT UP HERE. I BET A FEW VB PROGRAMMERS WOULD LIKE TO DO SOME VB VIRUS WRITING! HHEEHEHE!

    IF THAT'S TOO MUCH TO DO, MAKE SURE THAT YOUR ISP SETTINGS are set to: Dial this connection for any internet connection request, or something like that (varies from ISP to ISP). As long as it dials when a program that has to connect to the internet tries to connect,

    run the damn trojan and if ur connection comes up then it's a trojan - so here's what could have happened:

    1) THE BASTARD STOLE YOUR PASSWORDS - CHANGE THEM ALL (MAKE THEM GOOD, for ex: ihatenj&ilove2%milk)

    2) The BASTARD got your IP and/or HOSTNAME so that he can try to use NetBus or SubSeven to hack you later (don't worry, he still has to get a trojan on your computer (a trojan that works with NetBus or SubSeven etc...)) - (get an antivirus (Norton); Norton will detect all popular trojans (NetBus, SubSeven etc...))

    3) HE UPLOADED THE TROJANS FOR SOME POPULAR HACK LIKE Back Orifice or NetBus etc... look for strange files. I think the NetBus trojan has the icon of a satellite dish (like in the channels thing) - look for strange files and get an antivirus!

    MAKE SURE HE IS NOT ONE OF YOUR FRIENDS PULLING A JOKE ON YOU. IF IT IS, KICK HIS ASS (!!!HARD!!!)

    DON'T ASK ME WHERE I KNOW THIS FROM!

    BY THE WAY, DID IT COME WITH AN OCX control? LIKE WINSOCK?
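    The before/after port comparison suggested in the post above, as an added example that is not from the thread: two `netstat -an` snapshots (constructed sample output, taken before and after the suspect program is run on an isolated machine) are parsed and the listeners that exist only in the second one are reported. The sample lines, the port labels and the function names are my assumptions.

    ```python
    import re

    # Constructed sample of Windows "netstat -an" output taken BEFORE the
    # suspect program is run: only the NetBIOS ports the thread mentions.
    NETSTAT_BEFORE = """\
    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
      TCP    192.168.0.5:1035       64.12.24.1:5190        ESTABLISHED
      UDP    0.0.0.0:137            *:*
      UDP    0.0.0.0:138            *:*
    """

    # Constructed sample taken AFTER the run: one new TCP listener appeared.
    NETSTAT_AFTER = NETSTAT_BEFORE + """\
      TCP    0.0.0.0:1067           0.0.0.0:0              LISTENING
    """

    WELL_KNOWN = {137: "NetBIOS name service", 138: "NetBIOS datagram",
                  139: "NetBIOS session (file and print sharing)"}

    # Proto, local addr:port, foreign addr:port, optional state column.
    LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

    def parse_listeners(text):
        """Return {(proto, port)} for sockets that accept inbound traffic:
        TCP entries in LISTENING state and every bound UDP socket."""
        found = set()
        for line in text.splitlines():
            m = LINE.match(line)
            if not m:
                continue  # header and blank lines
            proto, _addr, port, _foreign, state = m.groups()
            if proto == "TCP" and state != "LISTENING":
                continue  # established/time-wait connections are not listeners
            found.add((proto, int(port)))
        return found

    def new_listeners(before_text, after_text):
        """Listeners present after the run but not before, with a label."""
        delta = parse_listeners(after_text) - parse_listeners(before_text)
        return sorted((proto, port, WELL_KNOWN.get(port, "not a well-known port"))
                      for proto, port in delta)

    if __name__ == "__main__":
        for proto, port, label in new_listeners(NETSTAT_BEFORE, NETSTAT_AFTER):
            print(f"new listener: {proto}/{port} ({label})")
    ```
    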

  15. #15
    Lively Member
    Join Date
    Jun 2000
    Posts
    67
    YOU, WILDGHOST, WRITING A TROJAN EH?

    How do you get it to connect to your pc without an ocx (no winsock)? If you do, can you tell me what it is? Thx!

  16. #16
    Fanatic Member
    Join Date
    Feb 2000
    Location
    Japan
    Posts
    840
    It's a tiny 7k exe, it makes calls directly to wsock32, shell, user32 and kernel32. There seems to be one error check routine with a messagebox displaying an alert, there isn't much else I can see without running it.

    and like I said, my packet sniffer's dead at the moment. Otherwise I'd check what it sends and where it sends to.


  17. #17
    Guest
    Originally posted by nitrolic2
    YOU WILD GHOST WRITING A TROJAN EH?

    How do you get it to connect to your pc with out an ocx (no winsock) If you do can you tell me what it is Thx!
    uhh.. you don't have to use Winsock.ocx, you can use it thru API.. hey forget API, I got another way to include the ocx into the exe file... enuff said.. no more comments from the developer until it comes out..... BTW it will come out to teach you how to make trojans.. I don't know if someone already did something like this but this will be simple to teach people on how to write trojan viruses... But the rest of the info when I release the file, I'll post it up here..

    oh and I'm adding a function into it to send me the IP address of the guy thru ICQ.. hehheheheheh!!

  18. #18

    Thread Starter
    Fanatic Member invitro's Avatar
    Join Date
    Jan 2000
    Location
    Outside your window
    Posts
    547
    No, i don't think this stupid program opens any ports, unless it uses a different protocol other than UDP or TCP, because i looked at netstats right when i ran it, and nothing.

    If i find the email or any clue of who it was, ill be sure to post it up here!!!!!



    Thanks guys,

    O yeah, and i made a trojan hunter already... doesn't detect anything.


    Although ports 137, 138, 139 are open. Both TCP and UDP.
    There's also a 1067 or something like that open too all the time. Those ports have been open there for a long time and i checked on my startup registry and win.ini for any starting up files and there WAS 1 that said it was from some company to monitor some bs, and they said they're not a trojan horse blah blah... so i removed it, but those ports up there are still open.

    Any ideas how to close that ^&%* up?

    Thanks!

  19. #19
    Fanatic Member
    Join Date
    Feb 2000
    Location
    Japan
    Posts
    840


    Port 1067 is a worry as it's outside the standard range. Something might have left it open though.

    Is it still open after a reboot?

    if so...
    Try writing an app that binds that port! Maybe the culprit app will crash or, better still, throw an error at you when it can't bind its port.
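    Paul's port-binding idea, as an added example that is not from the thread: a probe that reports whether a local port is already held by trying a wildcard bind, and a holder that keeps the port bound so a program that later wants it fails loudly. The function names and the use of 0.0.0.0 as the bind address are my assumptions; the VB6 equivalent in the thread's era would be a Winsock control Bind that raises an address-in-use error.

    ```python
    import socket

    def _sock(proto):
        kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
        return socket.socket(socket.AF_INET, kind)

    def port_in_use(port, proto="tcp"):
        """True if some process on this host already holds `port`: a wildcard
        bind then fails with EADDRINUSE (WSAEADDRINUSE on Windows). Binding
        rather than connecting also covers UDP ports, which never answer."""
        with _sock(proto) as probe:
            try:
                probe.bind(("0.0.0.0", port))
            except OSError:
                return True
        return False

    def hold_port(port, proto="tcp"):
        """Bind `port` and keep it. A program that later tries to take the
        same port fails and, with luck, names itself in its error box.
        Close the returned socket to release the port."""
        holder = _sock(proto)
        holder.bind(("0.0.0.0", port))
        if proto == "tcp":
            holder.listen(1)
        return holder

    if __name__ == "__main__":
        # Demo on an ephemeral port: hold it, probe it, release it, probe again.
        h = hold_port(0)
        p = h.getsockname()[1]
        print(p, "in use:", port_in_use(p))   # True while held
        h.close()
        print(p, "in use:", port_in_use(p))   # False once released
    ```

    To use it the way Paul describes, call hold_port on the suspect port from a script that starts before the rest of the startup programs and leave it running.
    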

  20. #20

    Thread Starter
    Fanatic Member invitro's Avatar
    Join Date
    Jan 2000
    Location
    Outside your window
    Posts
    547


    Yes it does appear after reboot.

    Hmm, very good idea of writing an app.
    I'll try to crash it right now!

    I don't know about the 137, 8, 9,
    they're all open for TCP and UDP.

    I think that's kind of odd.


  21. #21

    Thread Starter
    Fanatic Member invitro's Avatar
    Join Date
    Jan 2000
    Location
    Outside your window
    Posts
    547
    Alright, i think i know what the port was.
    It was my SBLive autoupdate that booted when the computer booted.

    It has now been removed. But I'm still puzzled about the 130's.

    What's port 139 for anyway...
    Oh yes, and for those who are worried about trojans and such, visit my website (WHEN IT'S DONE)

    'Cause I'm gonna be giving away some software for free that i made, like trojan scanners, port listeners and other good stuff I made.


    [Edited by invitro on 06-21-2000 at 12:54 AM]

  22. #22
    Lively Member
    Join Date
    Apr 2000
    Posts
    110

    Advice...

    You might want to get a task lister to check to see if a suspicious program is running hidden in the background. You may be able to find your problem. Another thing I would say is to check your registry startup keys:

    Look under the following keys for suspicious file names. Your trojan could be starting everytime windows boots:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    Also, the program may use a re-mailer (or 10 of 'em) that are in Russia or the Philippines, so even if you did get the email address, it would be hard to get the right one. Anyway, most people in this situation would link to Hotmail's SMTP server. Very foolish, as Microsoft can rip open your account at any minute and see what you're doing, but on the plus side, their SMTP Server is one of the most reliable on the net.

    WildGhost, my Project X program detects if there is an active net connection, then e-mails a user's network password, their username, the station time, the IP Address of the machine, the Ethernet Address and much more via Winsock API email to my hotmail account. Just a bit of fun.

    Anywayz, I hope you get it sorted. BTW, you might want to invest in Norton Internet Security 2000. It monitors all connections and watches for the transfer of sensitive data out of your PC (so your kids can't give out your credit card info, or address etc) Might be worth the investment.

    Laterz

    REM

    "Innovate, don't imitate."
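    The Run-key check REM describes, as an added example that is not from the thread: read the HKLM and HKCU Run keys with winreg where it is available, otherwise fall back to a constructed set of entries, and flag commands that start from a temp or user-profile directory or are given as a bare file name. The sample entries (including one named after the thread's patch.exe), the heuristics and the function names are my assumptions.

    ```python
    import re

    # Constructed Run-key entries (name, command) in the shape winreg.EnumValue
    # returns them; "patch.exe" mirrors the attachment name from the thread.
    SAMPLE_ENTRIES = [
        ("SystemTray", "SysTray.Exe"),
        ("ScanRegistry", "C:\\WINDOWS\\scanregw.exe /autorun"),
        ("patch", "C:\\WINDOWS\\TEMP\\patch.exe"),
        ("Monitor", '"C:\\Documents and Settings\\inv\\Local Settings\\Temp\\mon.exe" -s'),
    ]
    RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
    # Directories a startup program has little reason to live in (assumed list).
    SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\", "\\users\\")

    def executable_of(command):
        """Path of the program a Run command starts: the quoted path, or the
        text up to the first executable extension."""
        command = command.strip()
        if command.startswith('"'):
            return command[1:command.find('"', 1)]
        m = re.match(r"(.+?\.(?:exe|com|bat|scr|pif))(?:\s|$)", command, re.I)
        return m.group(1) if m else command.split()[0]

    def triage(entries):
        """Return [(name, exe, reason)] for entries worth a closer look."""
        hits = []
        for name, command in entries:
            exe = executable_of(command)
            if "\\" not in exe:
                hits.append((name, exe, "bare file name, resolved via PATH search"))
            elif any(d in exe.lower() for d in SUSPECT_DIRS):
                hits.append((name, exe, "starts from a temp or user-profile directory"))
        return hits

    def read_run_entries():
        """On Windows read both Run keys; elsewhere return the constructed sample."""
        try:
            import winreg
        except ImportError:
            return SAMPLE_ENTRIES
        entries = []
        for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = value count
                    name, value, _type = winreg.EnumValue(key, i)
                    entries.append((name, str(value)))
        return entries

    if __name__ == "__main__":
        for name, exe, reason in triage(read_run_entries()):
            print(f"{name}: {exe}  <- {reason}")
    ```
    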

  23. #23

    Thread Starter
    Fanatic Member invitro's Avatar
    Join Date
    Jan 2000
    Location
    Outside your window
    Posts
    547
    Thank you REM.
    I've already looked in my startup registry and there is nothing there. I haven't gotten the list of all the running programs on my machine yet, but i will do so soon.

    I will look into Norton Internet Security 2000.
    Thanks again for all the posts!
