Re: Q328691 ?

From: Bernt Lervik (Bernt.Lervikat_private)
Date: Sun Sep 08 2002 - 15:19:24 PDT


    When I first heard about this QB, I read it and didn't think much about it until a friend of mine called me late this evening. Apparently, while she had been playing Dark Ages of Camelot over the Internet, her NAVCE RealTime protection had stopped a file that had become infected. Norton reported it as IRC Trojan, and it was the Ocxdll.exe mentioned in the QB.
    
    I had her reboot in safemode and do a full virus-scan and drove over to her house. This is what I found:
    
    The machine:
    A Norwegian Windows 2000 Professional with SP2 and all the security patches as of two days ago through Windows Update (SP3 has not come out yet in Norwegian). IE 6.0 is not installed. It looked pretty much like a default installation with Roger Wilco running, and at the time it was being used to play Dark Ages of Camelot. It also had RealPlayer and NAVCE running, Norton being updated daily. The machine has a cable modem connection to the Internet with no firewall. All default ports are open, and the admin account has neither been renamed nor given a password (sigh).
    
    Norton had also stopped another file and quarantined it along with Ocxdll.exe, however I deleted it before I remembered to make a copy of it first. (Please remember this is Sunday evening/night on a private home machine).
    
    The QB mentions 5 files; of those I found these three:
    Gg.bat
    NT32.ini
    Ocxdll.exe
    
    I also found MDM.exe and Taskmngr.exe in the %SystemRoot%\System32 folder and both running.
    
    Taskmngr.exe has the description "Internet Relay Chat Client" and was listening on port 131 but had no connections open. The file info says it's mIRC32.exe version 5.7, and it is 442 KB in size.
    
    MDM.exe has the description "Hides/Reveals application windows", the real name being hidewndw.exe version 1.43. Size 22 KB.
    
    It being late, and with work tomorrow morning, I simply forgot to look for these three files also mentioned by the QB:
    Psexec
    Ws_ftp
    Flashfxp
    
    Furthermore, I also forgot to check for Run keys in the registry/startup folder, but the files mentioned above have now been deleted. This I will probably take a closer look at tomorrow. Most services are now stopped and disabled, NetBIOS turned off, sharing turned off and so on, so that the machine itself should not become as easily reinfected. The machine is scheduled to be reinstalled with WinXP in a few days' time regardless, so not much time was spent strapping it down. It's also turned off :)
    
    The QB mentions that the Guest account might be re-enabled, but this was not the case here.
    
    Should anyone want a copy of the files, please send me an e-mail.
    - Bernt
    
    --- Bronek Kozicki <brokat_private> wrote:
    > There seems to be an increase of attacks on Windows
    > recently:
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
    >
    > Any ideas?
    >
    >
    > B.
    >
    >
    >
    >
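As an added triage helper (not part of the thread or of Microsoft's KB article), the following Python script checks snapshots of `netstat -an` output and a System32 file table for the indicators reported above: the dropped file names, the port-131 listener, and the tell-tale version-info description strings of the renamed mIRC and hidewndw binaries. The netstat output and the file table are constructed sample data, and the indicator lists are assembled from this post rather than from any official signature.

```python
"""Triage helper for the IRC trojan described in the Q328691 thread.

Works on captured snapshots (constructed here), not on a live system:
  - a ``netstat -an`` listing, for TCP listeners on the port seen (131)
  - a (file name, version-info description) table for System32
"""
import re

# Indicator file names from the post / KB article (match list built from the thread).
DROPPED_FILES = {"gg.bat", "nt32.ini", "ocxdll.exe", "mdm.exe", "taskmngr.exe"}
# Description strings of the renamed tools found running (from the post).
SUSPECT_DESCRIPTIONS = {"Internet Relay Chat Client", "Hides/Reveals application windows"}
IRC_LISTEN_PORT = 131  # port Taskmngr.exe (mIRC) was listening on

# Proto, local addr, local port, foreign addr, optional state (UDP lines have none).
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\w+))?")

# Constructed sample of ``netstat -an`` output on the infected host.
NETSTAT_SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:131            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1040      10.0.0.5:6667          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""
# Constructed sample of System32 entries with their version-info descriptions.
FILES_SAMPLE = [
    ("ntoskrnl.exe", "NT Kernel & System"),
    ("Taskmngr.exe", "Internet Relay Chat Client"),
    ("MDM.exe", "Hides/Reveals application windows"),
    ("Ocxdll.exe", ""),
    ("svchost.exe", "Generic Host Process for Win32 Services"),
]

def listeners(netstat_text):
    """Return {port: local_address} for every TCP socket in LISTENING state."""
    found = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group(1) == "TCP" and m.group(5) == "LISTENING":
            found[int(m.group(3))] = m.group(2)
    return found

def triage(netstat_text, files):
    """Return a list of findings; each hit on a file or port is one entry."""
    findings = []
    ports = listeners(netstat_text)
    if IRC_LISTEN_PORT in ports:
        findings.append(f"TCP {IRC_LISTEN_PORT} LISTENING on {ports[IRC_LISTEN_PORT]} (port used by the renamed mIRC)")
    for name, desc in files:
        if name.lower() in DROPPED_FILES:
            findings.append(f"{name}: file name matches a Q328691 indicator")
        if desc in SUSPECT_DESCRIPTIONS:
            findings.append(f"{name}: description '{desc}' is a renamed tool, not a system binary")
    return findings

if __name__ == "__main__":
    for finding in triage(NETSTAT_SAMPLE, FILES_SAMPLE):
        print(finding)
```

On a real Windows 2000 host the two inputs would come from `netstat -an` and from the version resource of each file in %SystemRoot%\System32; the Run keys and startup folder the post mentions still need a separate check.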



    This archive was generated by hypermail 2b30 : Mon Sep 09 2002 - 12:18:03 PDT