Thread: Infected! Are You?

  1. #1
    Yes, my avatar is stolen anonytmouse's Avatar
    Join Date
    Dec 2002
    Posts
    2,544

    Infected! Are You?

I accidentally navigated to my temp directory and got a virus scan message. Infected file found, aolfix.exe. Research reveals this to be the QHosts trojan.

Luckily, the design of the virus and the fact that I use my computer as a restricted user meant no damage was done, no settings changed, etc.

The annoying thing about this is that my virus scanner is updated daily and I had installed the patch (MS03-040, KB828750) that fixes the vulnerability the trojan exploited to install itself within 24 hours of its release.

    In other words, I was infected before the patch and before the virus scan definitions came out.

    It turns out that the trojan was out in the wild for at least three days before virus scan updates/patch was released.

It seems that now, even if you are diligent in installing patches and updating virus scanners, it is impossible to use Microsoft products without getting infected.

    On another issue, there are rumours that there is still a code execution vulnerability in DCOM, even after the two recent updates. Get ready for blaster V2.

    Has Microsoft lost it? They seem to be unable to keep up with fixing the holes in their code as they are discovered. Worse, they do not inform users of vulnerabilities until a patch is released. Unfortunately, this is too late.

    Was anyone else hit by this? Check your temp directory for aolfix.exe.

    Appendix A.
    IE Patch:
    http://www.microsoft.com/windows/ie/...50/default.asp

    QHosts details:
    http://www.esecurityplanet.com/alert...le.php/3086611
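The "check your temp directory" step from the post, written out as a small scanner. This is an added example, not code from the thread or from any vendor: it walks a temp directory, matches filenames case-insensitively against an indicator list (the only name taken from the post is aolfix.exe), and records size and SHA-256 for each hit so the file can be compared against a vendor write-up before anything is deleted. The `demo()` function builds a throwaway directory with a harmless stand-in file, so the scan can be exercised without a real infection.

```python
"""Scan a temp directory for known suspect filenames and hash any hits.

Added example for the QHosts thread; the indicator list comes from the post
(aolfix.exe). Everything else here is an assumption for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Filenames worth flagging. Only aolfix.exe is named in the thread.
SUSPECT_NAMES = {"aolfix.exe"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large temp files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_temp(temp_dir: Path, names=SUSPECT_NAMES) -> list[dict]:
    """Walk temp_dir recursively; return one record per file whose name matches the list.

    Matching is case-insensitive because Windows filenames are, and a dropper
    may write AOLFIX.EXE rather than aolfix.exe.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for root, _dirs, files in os.walk(temp_dir):
        for fn in files:
            if fn.lower() in wanted:
                p = Path(root) / fn
                hits.append({
                    "path": str(p),
                    "size": p.stat().st_size,
                    "sha256": sha256_of(p),
                })
    return hits


def default_temp_dir() -> Path:
    """Resolve the user's temp directory the way the post's author would have: %TEMP% first."""
    return Path(os.environ.get("TEMP") or os.environ.get("TMP") or tempfile.gettempdir())


def demo() -> list[dict]:
    """Constructed input: a scratch directory holding a harmless file that merely
    carries the suspect name (it is NOT the trojan) plus an innocent file."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "sub").mkdir()
        (base / "sub" / "AOLFIX.EXE").write_bytes(b"stand-in, not malware")
        (base / "readme.txt").write_bytes(b"harmless")
        return scan_temp(base)


if __name__ == "__main__":
    for hit in scan_temp(default_temp_dir()):
        print(f"SUSPECT: {hit['path']} ({hit['size']} bytes) sha256={hit['sha256']}")
    print("demo hits:", demo())
```

Run it as-is to scan your own %TEMP%; a hit only tells you a file with that name exists, so compare the reported hash against the vendor description before treating it as confirmed. A restricted user (as in the post) can read and hash the file but may not be able to remove it, which is a reasonable place to stop and hand the file to the AV tool.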

  2. #2
    PC Fixer-Upper Waldo2k2's Avatar
    Join Date
    May 2002
    Posts
    2,001
The reason they don't keep up is they rush products out too quickly. There would have been no need for SP1 so quickly if they had tested more completely... at least XP isn't as bad as ME.
    PHP and XML
    Let's talk about SAX

  3. #3
    Yes, my avatar is stolen anonytmouse's Avatar
    Join Date
    Dec 2002
    Posts
    2,544
It appears the exploit code has been available since the 21st August:

    http://www.k-otik.com/exploits/08.21.M03-032.php

  4. #4
    Yes, my avatar is stolen anonytmouse's Avatar
    Join Date
    Dec 2002
    Posts
    2,544
Unfortunately, a critical flaw (unrelated to MS03-040, and part of the "MS Unpatched" category) still exists in Windows Media Player and Internet Explorer: the problem lies in the Media Bar, which allows media files to be played without leaving the browser; the flaw is tied to error pages and how the bar interprets them. This vulnerability can be exploited to download and execute a malicious file via a simple HTML page.
    Quick translation. An unpatched exploit exists in IE/Windows Media Player. This will allow remote code to be run on a user's computer just by browsing to a malicious site.

    The exploit has been tested under WinXP/IE6 SP1 with Windows Media 8. It doesn't seem to work on my system with WM9.

    Bulletin (in French):
    http://www.k-otik.com/news/10.08.WMPlayer.Alerte.php

    Test exploit:
    http://www.k-otik.com/WMPLAYER-TEST/

    Solution:
    Disable Active Scripting.

  5. #5
    Registered User
    Join Date
    Feb 2003
    Posts
    265
There are dozens of 0day exploits for winblows. The RPC alone has 2 new ones in the last week completely unpatched that work on all versions of windows. The worms get created by the script kiddies who don't have a clue how to code, so it takes them a while to figure out how to get it to spread itself. I give it less than a month before we get another Mescalin worm. (Blaster was foreseen by security experts the day the exploit was distributed, and since they knew there would soon be a worm using it, the not-yet-existing worm was named Mescalin. AV people name it whatever they feel like. They are morons. Generally they seem to have a 3+ month backlog of viruses to determine the signature for, and a SIGNIFICANT percentage of malware is still undetected by AV scanners)

  6. #6
    PC Fixer-Upper Waldo2k2's Avatar
    Join Date
    May 2002
    Posts
    2,001
Has anybody else been hit with a huge wave of emails with subjects using the returned mail heading? I haven't sent anything out, and I know I don't have a worm sending to a bogus address... so I'm sure they're fake and therefore I don't trust them. Does anyone know what they might be?
    PHP and XML
    Let's talk about SAX

  7. #7
    Registered User
    Join Date
    Jan 2002
    Posts
    552
That's why I browse the internet with my IE settings on the most restrictive possible. Only "trusted sites" do I allow to run scripts, ActiveX, etc.
    C Code. C Code Run. Run Code Run... Please!

    "Love is like a blackhole, you fall into it... then you get ripped apart"
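Post #4 gives "Disable Active Scripting" as the workaround and post #7 describes the same restrictive-zone setup. As an added example (not code from the thread), here is a PowerShell script that reports the current user's Internet-zone Active Scripting setting and, with `-Disable`, sets it to Disable. It assumes the standard IE zone layout: value `1400` under `...\Internet Settings\Zones\3` controls Active Scripting, with 0 = Enable, 1 = Prompt, 3 = Disable; the `-Disable` switch and the function name are mine.

```powershell
# Added example: inspect or disable Active Scripting for the IE Internet zone (zone 3)
# for the current user. Assumed registry layout: value 1400 = Active Scripting,
# 0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Disable)

$zoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$valueName = '1400'
$labels    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingState {
    # Returns the numeric setting, or $null when the value is absent (policy default applies).
    $props = Get-ItemProperty -Path $zoneKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$valueName
}

$current = Get-ActiveScriptingState
if ($null -eq $current) {
    Write-Output "Value $valueName not present under $zoneKey (default policy applies)."
} else {
    $label = if ($labels.ContainsKey($current)) { $labels[$current] } else { "unknown ($current)" }
    Write-Output "Internet zone Active Scripting: $label"
}

if ($Disable -and $current -ne 3) {
    # Write the Disable setting; IE reads zone values on start, so restart the browser.
    Set-ItemProperty -Path $zoneKey -Name $valueName -Value 3 -Type DWord
    Write-Output "Active Scripting set to Disable for the Internet zone; restart Internet Explorer."
}
```

Run it without arguments to audit, with `-Disable` to apply the workaround. Sites you deliberately add to Trusted Sites (zone 2) keep their own settings, which is what post #7 relies on; this script deliberately touches only the Internet zone.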
