[plug] Nasty windows viruses (somewhat on topic, really!)
Jon Miller
jlmiller at mmtnetworks.com.au
Wed Jul 14 22:31:21 WST 2004
If you really suspect a Windows virus, download www.sysinternals.com tdimon and filemon. Run them on the windows PC in question and see what file is running and the port it's using. The file will usually be under C:\windows on W9x or c:\windows\system32 or c:\winnt\system32 on a W2k/Xp PC. In the hkey_local_machine\software\Microsoft\Windows\CurrentVersion\Run key you will usually find the file; just delete the registry setting and the file on the C:\. Also you may want to d/l a good virus scanner to run across the disk to see if there are other files infected.
Jon
Jon L. Miller, MCNE, CNS, ASE
Director/Sr Systems Consultant
MMT Networks Pty Ltd
http://www.mmtnetworks.com.au
"I don't know the key to success, but the key to failure
is trying to please everybody." -Bill Cosby
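Jon's procedure above is for a live Windows box. Cameron's alternative, inspecting the disk from a Linux boot disc, can do the file half of the same check without running anything on the suspect machine: mount the Windows volume read-only and list the executables under the system directories Jon names that changed recently, with a checksum to look up afterwards. The script below is an added example (not from the original thread); it assumes GNU find and sha1sum, as found on most Linux rescue discs. The Run key half of Jon's check needs a registry hive reader such as chntpw's reged and is not covered here.

```shell
#!/bin/sh
# Offline triage of a Windows volume mounted read-only on a Linux rescue
# system. Added example; assumes GNU find/sha1sum.
#
# Usage:  mount -o ro /dev/hda1 /mnt/win ; list_recent_binaries /mnt/win 14
#
# Prints "<mtime> <sha1> <path>" for executable-looking files directly under
# the Windows root or one level below it (system32), modified within the
# last N days. A dropped file is usually much newer than everything around
# it, and the checksum can be compared against a scanner's database later.

list_recent_binaries() {
    mnt=$1
    days=$2
    # The system root is WINDOWS on 9x/XP and WINNT on NT/2000; the NTFS
    # driver keeps whatever case the installer used, so match either.
    find "$mnt" -mindepth 1 -maxdepth 1 -type d \
        \( -iname windows -o -iname winnt \) |
    while IFS= read -r root; do
        # Depth 2 covers both C:\WINDOWS\x.exe and C:\WINDOWS\system32\x.exe.
        find "$root" -maxdepth 2 -type f \
            \( -iname '*.exe' -o -iname '*.dll' -o -iname '*.scr' \
               -o -iname '*.pif' -o -iname '*.com' \) \
            -mtime "-$days" -printf '%TY-%Tm-%Td %p\n'
    done |
    sort |
    while read -r mtime path; do
        printf '%s %s %s\n' "$mtime" "$(sha1sum "$path" | cut -d' ' -f1)" "$path"
    done
}
```

Run it with a short window first (a week or two) and widen it if nothing turns up; Windows Update also drops fresh binaries into system32, so compare any hit against the same file on a known-clean machine before deleting it.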
>>> cameron at patrick.wattle.id.au 12:27:56 pm 13/07/2004 >>>
Hi,
I recently noticed high CPU usage and network traffic to my desktop at
home without any good reason. Tcpdump showed lots of Samba traffic to
my brother's machine, and said brother couldn't think of a good reason
why. I suspect a Windows virus or trojan or some such, but am at a
loss with regards to what to do about it. I've shut down Samba on my
machine and the server (because they allow passwordless write access
to a lot of stuff that they really really shouldn't -- I will fix this
before turning Samba back on) and have removed network access from my
brother's machine for now.
<Linux content>
So what I really want to know is, how can I find out what files it was
poking around in and for how long it's been going on (presumably by
looking at Samba logs, but I can't find anything equivalent to ftpd's
xferlog or apache's access.log)?
</Linux content>
<maybe Linux content>
How can I find out what the infected machine was running? Should I
use a Linux-based virus scanner to inspect it off a Linux boot disc?
Alternatively, what are good Windows virus scanners? Is there a
better way of cleaning up any infections than backing up anything
important, wiping the whole disc (and installing Linux on there :-P)?
</maybe Linux content>
<non-Linux content>
What do Windows viruses/trojans do to machines over SMB? Is this
machine also likely to have been sending out spam too?
</non-Linux content>
Utterly unrelated question while I'm here: is there a flag to rm to
tell it to remove files from directories chmod'ed read-only?
Something like 'rm -rf --try-harder'...
Cheers,
Cameron.
_______________________________________________
PLUG discussion list: plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au