Hacked In Half an Hour

 
 
Gelf
      11-21-2004, 11:40 AM
A cautionary tale:
I finally had time to set up my new Demon Home500 ADSL yesterday.
Things didn't go too well initially with the modem/router I was using,
so I messed about with various settings, including turning Sygate off
(!) temporarily.

Still no joy, so I resorted to the supplied Alcatel USB modem. For
once I (foolishly) followed the instructions and turned off my
anti-virus prog prior to installation.

Eventually I got things running after a call to Demon tech support
(0871, but at least they answer straight away!) - I'd just got host
name and ADSL login confused.

So then I was up and running but suddenly the whole PC seemed to slow
down and internet access was like dial up. I looked at the LAN monitor
and vast amounts of data were going out and not much coming in.

So I re-enabled Sygate rapid and discovered a nasty little Trojan (or
was it a worm?) trying to dial out. It was called iexplore32cb.exe in
the system32 folder.

I hadn't been on any dodgy sites - just Google and some tech support
sites.
So watch out! It doesn't take long to get hacked when you are
unprotected! All in less than half an hour.

I think it also shows the value of a software firewall, which others
were saying wasn't necessary in this NG recently. At least it shows if
something is trying to phone home and the name of the program.

Gelf
 
Ade65
      11-21-2004, 12:09 PM
Gelf wrote:
> I hadn't been on any dodgy sites - just Google and some tech support
> sites.
> So watch out! It doesn't take long to get hacked when you are
> unprotected! All in less than half an hour.
>


Is your PC fully patched?
Because if it was not then you did well lasting half an hour. Better than
the average in fact.
http://news.zdnet.com/2100-1009_22-5313402.html


 
Vigil
      11-21-2004, 01:50 PM
You had best reformat.

--

..

 
Gelf
      11-21-2004, 02:18 PM
On Sun, 21 Nov 2004 14:50:38 +0000, Vigil <(E-Mail Removed)> wrote:

>You had best reformat.

Why? I have deleted the executable from a DOS boot disk. Do you know
some more about this Trojan?
Gelf
 
cw
      11-21-2004, 02:41 PM
Gelf <(E-Mail Removed)> wrote in news:lcc1q010kdaupu4o70o7a5nih81v6ubkht@4ax.com:

> Why? I have deleted the executable from a DOS boot disk. Do you know
> some more about this Trojan?


Run Adaware, Spybot S&D and if you're up to it HiJackThis. Trojans these
days mostly consist of more than one file. Many have a hidden and
obfuscated "dropper" which launches different processes. If you kill the
process it has launched and delete that executable then it just makes
another one.

On one hand, most of them can be gotten rid of with some work if you know
what you're doing. Sometimes they break things though and it is more
effective to give up and start again.

I personally have found a combination of the above three programs and
Avast! Antivirus normally cleans off any machine (one exception recently
which I think was because the user had been trying to delete stuff himself
and deleted the wrong thing..)

--
Colin
*Drop DEAD from the email address to reply*
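
Added example, not part of the original posts: a review of autostart entries for the two naming tricks this thread touches on, a lookalike of a well-known binary (such as the `iexplore32cb.exe` reported above) and a well-known name running from the wrong folder. The log lines are constructed in the style of HijackThis "O4" entries, and the entry names and the expected-folder table are assumptions made for the illustration.

```python
import ntpath
import re

# Usual install folder of a few well-known Windows binaries (lower case).
# Assumption for this example; extend it for the machine being reviewed.
EXPECTED_DIR = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
}

# Constructed sample in the style of HijackThis "O4" autostart lines.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\Program Files\Sygate\SPF\smc.exe
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\iexplore32cb.exe
O4 - HKCU\..\Run: [Shell] C:\WINDOWS\system32\explorer.exe
"""

O4_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_PATH = re.compile(r'^"?(?P<path>.+?\.exe)\b', re.IGNORECASE)


def review_autostarts(log_text):
    """Return (entry name, exe path, reason) for each suspicious autostart."""
    findings = []
    for line in log_text.splitlines():
        entry = O4_LINE.match(line.strip())
        if not entry:
            continue  # not an autostart line
        exe = EXE_PATH.match(entry.group("cmd"))
        if not exe:
            continue  # no .exe path to judge
        path = exe.group("path").lower()
        folder, filename = ntpath.split(path)
        for known, home in EXPECTED_DIR.items():
            stem = known[:-4]  # name without ".exe"
            if filename == known and folder != home:
                findings.append((entry.group("name"), path, "known name, wrong folder"))
            elif filename != known and filename.startswith(stem):
                findings.append((entry.group("name"), path, "lookalike of " + known))
    return findings


if __name__ == "__main__":
    for name, path, reason in review_autostarts(SAMPLE_LOG):
        print(f"{name}: {path} ({reason})")
```

An empty result only means no autostart entry matched these two name checks; it says nothing about files that never register an autostart.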
 
Mark McIntyre
      11-21-2004, 06:37 PM
On Sun, 21 Nov 2004 15:18:54 +0000, Gelf <(E-Mail Removed)> wrote:

>On Sun, 21 Nov 2004 14:50:38 +0000, Vigil <(E-Mail Removed)> wrote:
>
>>You had best reformat.

>Why? I have deleted the executable from a DOS boot disk. Do you know
>some more about this Trojan?


The previous poster was just being facetious. Either that or he's one
of the zealots. Ignore him.


 
Vigil
      11-24-2004, 12:23 AM
On Sun, 21 Nov 2004 15:18:54 +0000, Gelf wrote:

>>You had best reformat.

> Why?


It's the only way to be sure :-)

--

..

 
Somebody
      11-24-2004, 10:00 AM
Vigil wrote:
> On Sun, 21 Nov 2004 15:18:54 +0000, Gelf wrote:
>
>>> You had best reformat.
>>
>> Why?
>
> It's the only way to be sure :-)


This is true.

If you had a Trojan on your system, any kind of additional malicious
software could have been secretly installed on your PC before you
removed the Trojan.

This new software may not show up in AV scans.

Therefore, to be sure of a clean system, it is recommended that you
reformat and reinstall the OS.
 