[GLLUG] Another reason to prefer Linux

Scott Wood treii28 at yahoo.com
Thu Dec 16 19:48:59 EST 2004


OK, I don't want to start a flame war, but this was just too precious to avoid
passing it on.  I started noticing network traffic the other day that seemed a
tad excessive and could not trace it down to any of my machines.  My housemate
is sharing the Comcast connection via a NAT setup, and I quickly discovered
immense amounts of port scans originating from her machine.  With some more
inspection I became aware that there were external inbound requests initiating
these outbound port scans and a lot of traffic from a site in Russia.  Some
large amounts of spam too - through the firewall and around the NAT, mind you!

So anyway - long story short, it turned out to be Backdoor.Berbew.L - a really
NASTY Windows backdoor.  Apparently they had not applied any Windows updates
since re-installing Windows XP.  So if I wanted the noise, not to mention the
network liability (*ahem* and my pride), restored back to normal levels, it
would be up to me to get this monster out.  It's still not completely fixed due
to some of the insidious ways this thing attacked the system and then turned
around to let other similar nasties in to do more damage.

However, one of the things that it, or one of the other trojans it eventually
let in, had done was to put some kind of a stub file or wrapper before launching
any EXE files.  I ran Norton across the system, but the end result was that
when the stub file was quarantined, nothing would run properly.  I tried
deleting the file, but this just resulted in the Windows association for the
'.exe' extension being screwed up.  And here is the funny part....

So I just fired up the machine and went to run Internet Explorer.  Of course,
with the .exe extension screwed up, Explorer didn't know what to do with it and
reported an error asking me to find a program to run it with.  Of course, one
of the options was to go to the web to ask the Microsoft servers for
recommendations.  That generated the following URL, which speaks for itself:

http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=exe

Gotta love it!

Scott
