
Thread: Virus, Trojan?

  1. #1
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536

    Virus, Trojan?

    I got this returned mail notification but I never sent anything to google. And I don't have an infection that I know of. Anyone know what this is?

    The original message was received at Tue, 20 Apr 2004 00:14:20 -0700
    from dslam112-53-59-81.dyndsl.zonnet.nl [81.59.53.112]

    ----- The following addresses had permanent fatal errors -----
    <press@google.com>
    (reason: 554 5.7.1 Message from 81.59.53.112 rejected because document.pif is infected with W32/Netsky.D@mm)
    (expanded from: <press@google.com>)

    ----- Transcript of session follows -----
    ... while talking to corprouter1.corp.google.com.:
    >>> DATA
    <<< 554 5.7.1 Message from 81.59.53.112 rejected because document.pif is infected with W32/Netsky.D@mm
    554 5.0.0 Service unavailable

    ----- Message header follows -----

    X-Relay-IP: 81.59.53.112
    Return-Path: <lynchknot@(edited)>
    Received: from google.com (dslam112-53-59-81.dyndsl.zonnet.nl [81.59.53.112])
    by Google Production Mailgate with ESMTPo id i3K7EIYl014390
    for <press@google.com>; Tue, 20 Apr 2004 00:14:20 -0700
    Message-Id: <200404200714.i3K7EIYl014390@smtp.google.com>
    From: lynchknot(edited)
    To: press@google.com
    Subject: Re: Re: Thanks!
    Date: Tue, 20 Apr 2004 09:14:17 +0200
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0012_0000377B.00006B78"
    X-Priority: 3
    X-MSMail-Priority: Normal

    ----- Message body suppressed -----
    Last edited by lynchknot; April 22nd, 2004 at 17:34 PM.
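A defender's triage of the bounce quoted above, as an added example that is not part of the thread: it parses the Received header and flags that the HELO name the sending program announced (google.com) disagrees with the host the receiving MTA actually observed (a zonnet.nl DSL line), which is what a forged sender looks like in backscatter. The header text is a constructed copy of the bounce with the redacted address replaced by a placeholder, plus a constructed clean header for comparison.

```python
import re

# Constructed sample modelled on the bounce quoted in the thread; the
# sender address is a placeholder because the thread has it redacted.
SPOOFED = """\
Return-Path: <lynchknot@example.invalid>
Received: from google.com (dslam112-53-59-81.dyndsl.zonnet.nl [81.59.53.112])
\tby Google Production Mailgate with ESMTPo id i3K7EIYl014390
\tfor <press@google.com>; Tue, 20 Apr 2004 00:14:20 -0700
To: press@google.com
"""

# Constructed control: a relay whose HELO name agrees with its reverse DNS.
LEGIT = """\
Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])
\tby mx.example.invalid with ESMTP id abc123
"""

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[^\]]+)\]\)",
    re.MULTILINE,
)

def parse_received(headers):
    """Return the first Received header's HELO name, rDNS name and IP, or None."""
    m = RECEIVED_RE.search(headers)
    return m.groupdict() if m else None

def same_host(claimed, observed):
    """True if the observed name is the claimed name or a host under it."""
    return observed == claimed or observed.endswith("." + claimed)

def spoof_indicators(headers):
    """List reasons the sender identity looks forged; empty list means none found."""
    rcv = parse_received(headers)
    if rcv is None:
        return ["no parseable Received header"]
    helo, rdns, ip = (rcv[k].lower() for k in ("helo", "rdns", "ip"))
    findings = []
    # HELO is whatever the sender chose to say; the bracketed rDNS/IP is
    # what the receiving MTA observed on the wire, so a mismatch is the signal.
    if not same_host(helo, rdns):
        findings.append(f"HELO '{helo}' does not match connecting host {rdns} [{ip}]")
    # Claiming the recipient's own domain from an outside host is the
    # classic mass-mailer forgery seen in this bounce.
    to = re.search(r"^To:\s*\S+@(\S+)", headers, re.MULTILINE)
    if to and same_host(to.group(1).lower(), helo) and not same_host(helo, rdns):
        findings.append(f"HELO borrows the recipient's domain {to.group(1)}")
    return findings
```

Nothing in the parsed headers ties the message to the mailbox named in Return-Path; the bounce reached that mailbox only because the worm put the address in the envelope.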

  2. #2
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,688
    The virus spoofed your address...or Google's.

    Click here for the virus characteristics.
    Last edited by rik; April 22nd, 2004 at 18:21 PM.

  3. #3
    all bets are off... TZ Veteran SupaStar's Avatar
    Join Date
    Jul 2002
    Location
    Australia
    Posts
    1,680
    I agree with rik...this is happening all over the place. Possibly both addresses were spoofed and it is also unlikely that they were even sent from your machine!!

  4. #4
    Titanium Member efc's Avatar
    Join Date
    Sep 2002
    Location
    North Central Arkansas
    Posts
    2,329
    The Screen Savers featured a segment showing how hackers gain control of your computer and hide the fact from you. This is recommended reading. Download VICE_Bin.zip to scan for the possibility.


  5. #5
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536
    VICE_Bin.zip?

  6. #6
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    So running that did nothing.

    So did I get trojaned?

    Can someone enlighten me on what I've just run?
    Last edited by egghead; April 23rd, 2004 at 04:25 AM.
  7. #7
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536
    huh? running what?

  8. #8
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    Quote Originally Posted by lynchknot
    VICE_Bin.zip?
  9. #9
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536
    I have no idea what VICE_Bin.zip is.

  10. #10
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    I am asking what VICE_Bin.zip is 'cause I ran it and it didn't do anything.

    It has a .sys file in it and a driver.ini file and a console.exe.

    It must be some type of trojan and I am going to format unless I get more info on what that file was.
  11. #11
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536
    I'm going to try this:

    Mirror 1:
    http://files.avast.com/files/eng/aswclnr.exe


    Description:
    avast! Virus Cleaner is a free tool that will help you remove selected worm infections from your computer.

    List of known worms
    avast! Virus Cleaner is currently (in version 1.0.167) able to identify and remove the following worm families:

    Win32:Badtrans [Wrm]
    Win32:Beagle [Wrm] (aka Bagle)
    Win32:Blaster [Wrm] (aka Lovsan), variants A-F
    Win32:BugBear [Wrm], including B variant
    Win32:Ganda [Wrm]
    Win32:Klez [Wrm], all variants (including variants of Win32:Elkern)
    Win32:MiMail [Wrm], variants A, C, E, I-N, S, T
    Win32:Mydoom [Wrm] (variants A-B, including the trojan horse)
    Win32:Nimda [Wrm]
    Win32:Opas [Wrm] (aka Opasoft, Opaserv)
    Win32:Scold [Wrm]
    Win32:Sircam [Wrm]
    Win32:Sober [Wrm], including B variant
    Win32:Sobig [Wrm], including variants B-F
    Win32:Swen [Wrm], including UPX-packed variants
    Win32:Yaha [Wrm] (aka Lentin), all variants

    Important notes


    During the scanning process, it is highly recommended not to start any applications. As already pointed out, some worms will start automatically when any other application is started.

    Turn off any resident (on-access) antivirus protection before running avast! Virus Cleaner.

    To work correctly, the Cleaner requires administrator privileges when running on Windows NT/2000/XP/2003 operating systems.

  12. #12
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,688
    Quote Originally Posted by egghead
    I am asking what VICE_Bin.zip is 'cause I ran it and it didn't do anything.

    It has a .sys file in it and a driver.ini file and a console.exe.

    It must be some type of trojan and I am going to format unless I get more info on what that file was.
    According to efc's post it seems to be some kind of cleaner or scanner file for detecting hidden intrusions...

  13. #13
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536
    I searched google for that but could not find anything.

  14. #14
    Techzonez Governor Super Moderator Conan's Avatar
    Join Date
    Apr 2002
    Location
    Philippines
    Posts
    4,343
    Quote Originally Posted by egghead
    So running that did nothing.

    So did I get trojaned?

    Can someone enlighten me on what I've just run?
    http://www.rootkit.com

    VICE is a new tool to detect user mode Win32 API hooks and kernel mode hooks. It comes complete with a nice user interface thanks to Greg Hoglund. The user mode detection can take some time, but be patient. It is worth it. Also, if you want to add more checks to the kernel, just extend driver.ini.

    VICE: you will need the Microsoft .NET Framework to run it because of the GUI.


    Warning
    This software is brand new and is known to throw some false positives, especially with the user-mode rootkit detection. If you scan your system and it informs you that you have a rootkit infection, you may not have a rootkit infection, but instead a false positive - so relax - it would be helpful if you post the results that you obtain so the authors can improve the detection algorithm. Most important is the address of the hook, and the name of the DLL that is performing the hook.


    Known User API False Positives
    shim.dll
    setupapi.dll
    comctl32.dll (Usually seen with Outlook running)
    sfc_os.dll and sfc.dll (Used for Microsoft Windows File Protection)
    adsldpc.dll

    Known Kernel False Positives
    1. IRPs hooked by a file in the system root directory named ntoskrnl.exe
    2. Functions hooked by vsdataant.sys (Only if you have Zone Alarm)

    Happy Hunting!
    Jamie Butler

    VICE has been tested on 2000/XP, but it should run on NT and 2003.

  15. #15
    Titanium Member efc's Avatar
    Join Date
    Sep 2002
    Location
    North Central Arkansas
    Posts
    2,329
    Conan has provided all of the information that I am aware of. The only thing that I can add is that I saw a demo on The Screen Savers where bios processes were attacked by a hook. The process disappeared from the screen. It was still running (capable of doing bad things) yet no longer visible to the user.

    Vice detected the malicious processes and allowed them to be deleted.

    If you ran Vice and nothing happened, your system was clean. If you have a problem, the processes will show up in the bottom window.
