Neil,

First thing you want to do is unplug that badboy from your network. Then find a good scanner and scan that thing for Back Orifice or any other remote-control-type backdoor. Next get ya an updated virus scanning util and clean it. Once you make sure it is clean from viruses, have the person copy their important material off of it and format it. Otherwise, if you miss something, then you could get your whole network infected and then it could be even more fun.

I would inform the person who has this PC of the possible risk they are unleashing on your network. I am sure the person who is actually responsible for the PCs would like to know that information.

Mike Reeves

-----Original Message-----
From: Neil Dickey [mailto:neilat_private]
Sent: Monday, August 27, 2001 3:11 PM
To: incidentsat_private
Subject: Identification needed ...

I'm new to this list, having been referred to it by the administrator of the Bugtraq general list.

In working on a department PC running Win98 late last week, some very strange behavior was observed. The machine has been infected with viruses, worms, and what-have-you several times, and it was time to remove and re-install software associated with Microsoft Office that had become corrupt. The machine apparently did not behave normally during the entire job.

Specifically, at one point the screen suddenly went blank and then there appeared a grey rectangle in the middle that occupied about 2/3 of the area. This rectangle slowly "fell over backwards" but not quite all the way. When it stopped moving, it began to "break up" and the "pieces" drifted off the screen. After a moment, the black screen returned to the normal desktop.

Scans of the machine with the Command Software virus detection engine and a recent definition file did not turn up anything, but whatever it is may be affecting the function of the scanner.

My question is: Has anyone seen anything like this and know what it may mean?

I am specifically interested to put a name on it so that I can find out what sort of threat, if any, this represents to other machines in the network. From the information I have, I don't have a clue where to start looking.

The user doesn't want the machine formatted and rebuilt because it's inconvenient for him at the moment. I'm not in a position to force him to co-operate, as I don't have responsibility for the PCs in our department, but there are other options open to me if there is a significant threat. This is also why I haven't laid hands on the machine, booted from a clean floppy, and scanned from that condition.

Thanks for reading this far, and if you have any advice or information I'd very much like to read it. Write to me directly if you wish.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 27 2001 - 13:56:35 PDT
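The reply above says to scan the box for Back Orifice or any other remote-control backdoor before doing anything else. One cheap first check, before a network scanner is even involved, is to look at what the suspect machine itself is listening on. The script below is an added example and is not code from either poster: it parses the text of a Windows `netstat -an` capture (the sample output is constructed here) and flags sockets bound to the default ports of the remote-control tools common at the time. The port-to-tool table is an assumption from memory of those tools' documented defaults, and every one of them is attacker-configurable, so a clean result here proves nothing; a hit, however, is a strong reason to pull the cable and reimage rather than argue with the user.

```python
"""Triage a suspect Win98 host from a `netstat -an` capture.

Added example for this list thread, not the posters' own code. It does not
touch the network: paste in the output of `netstat -an` taken on the suspect
machine (before it is unplugged, or from a floppy-booted clean environment)
and it reports sockets on well-known remote-control backdoor ports plus any
listener that is not part of a normal Win98 file-sharing setup.
"""
import re

# Assumed default ports of common 1998-2001 remote-control backdoors.
# All of these are configurable by whoever installed the tool, so this
# table is a starting point, not a signature set.
KNOWN_BACKDOOR_PORTS = {
    ("udp", 31337): "Back Orifice (default)",
    ("tcp", 54320): "Back Orifice 2000 (default)",
    ("tcp", 12345): "NetBus (default)",
    ("tcp", 12346): "NetBus (default, second port)",
    ("tcp", 27374): "SubSeven 2.x (default)",
    ("tcp", 1243): "SubSeven 1.x (default)",
}

# Listeners a Win98 box on a file-sharing LAN is expected to have (NetBIOS).
# Any other listening socket needs an explanation from whoever owns the box.
EXPECTED_LISTENERS = {("tcp", 139), ("udp", 137), ("udp", 138)}

# Windows netstat row: proto, local ip:port, foreign address, optional state.
# UDP rows have no State column.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$")

# Constructed sample capture (not from the incident in the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      10.0.0.7:80            ESTABLISHED
  TCP    192.168.1.20:12345     172.16.5.9:2048        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:31337          *:*
"""


def parse_netstat(text):
    """Turn `netstat -an` text into a list of socket dicts; skips headers."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, ip, port, remote, state = m.groups()
        entries.append({
            "proto": proto.lower(),
            "local_ip": ip,
            "local_port": int(port),
            "remote": remote,
            "state": state or "",   # empty for UDP rows
        })
    return entries


def triage(text):
    """Return findings in capture order: known backdoor ports and unexplained listeners.

    A known port is reported whether it is LISTENING or ESTABLISHED; an
    ESTABLISHED row on a backdoor port also names the peer, which is the
    controller's address and worth noting for the incident record.
    """
    findings = []
    for e in parse_netstat(text):
        key = (e["proto"], e["local_port"])
        # UDP sockets are reported without a state; treat them as bound/listening.
        listening = e["proto"] == "udp" or e["state"] == "LISTENING"
        if key in KNOWN_BACKDOOR_PORTS:
            reason = KNOWN_BACKDOOR_PORTS[key]
        elif listening and key not in EXPECTED_LISTENERS:
            reason = "unexplained listener"
        else:
            continue
        findings.append({
            "proto": e["proto"],
            "port": e["local_port"],
            "remote": e["remote"],
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT):
        print("%s/%d  peer=%-18s %s" % (f["proto"], f["port"], f["remote"], f["reason"]))
```

Run it against a real capture by replacing `SAMPLE_NETSTAT` with the saved `netstat -an` output. Remember the caveat in the original post: if the infection is tampering with the scanner, it can just as easily hide from `netstat` run on the infected OS, which is exactly why Neil's own suggestion of booting from a clean floppy, or scanning the host from another machine, is the step to take next.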