TEN SIGNS YOUR COMPUTER OR WINDOWS 98 IS INFECTED!
In the case today, as in several similar recent cases that I saw, the PC was a name brand PC about 3 years old, running Windows 98, and hooked up to the net via DSL. Other than Microsoft Office and Napster, not much else was even installed on the machine.
Sign #1: Windows 98 and a permanent 24 hour per day connection to the Internet.
Windows 98 is an open door for hackers. If you leave your computer on and connected 24 hours a day, expect problems.
As the machine booted Windows 98 and I clicked past the login prompt, the desktop appeared. Normal. Then Outlook Express came up automatically. Hmmmm, maybe normal? I tried to click on Internet Explorer but Outlook Express grabbed the focus away from the mouse (i.e. it made itself the top window again). Not normal! A blank message appeared and text started typing into it. Definitely not normal!
Sign #2: Your email editor has a mind of its own and starts composing emails by itself.
I immediately powered down the computer and realized it was infected by something. The only way Outlook would do these things on its own is if some script was controlling it. This is a common sign of a compromised computer.
I booted the machine up again, same symptom. Outlook Express started composing a new email. I managed to kill the process only to see another message appear. An error saying that a file in C:\WINDOWS\FONTS could not be found. It was a common font name but with a .VBS (Visual Basic Script) file extension. Yikes!
Sign #3: .VBS files being in places they should not be!
I narrowed this down to a mysterious entry in the Startup menu. In addition to the usual Microsoft Office link, there was a mysterious entry with a rather random name. I navigated into the C:\WINDOWS\StartMenu\Programs\StartUp folder and found a hidden file with a .VBS extension. Not normal.
Sign #4: Hidden .VBS files with funny names.
The way to find these is to click on the Start button and select Search. Or press Win+F on your keyboard. Search for all files of the form *.VBS (type it in exactly like that), select all local drives, and then click Search Now. Very few such files should appear, and they should have very short somewhat sensible names. If the names are gibberish (like KJLERPZ.VBS) or appear to be other file names with .VBS added (such as README.TXT.VBS), immediately select and DELETE these files. If the file icon is drawn somewhat grayed, it means that the file is hidden, a definite sign of bad intention. Legitimate programmers do not hide executable files!
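The search described above, turned into a script that walks a whole drive and applies the same three tests (gibberish name, a second extension tacked on, hidden attribute). This is an added example, not code from the original post, and it uses modern Python rather than anything that shipped with Windows 98; the "gibberish" test is a vowel-ratio heuristic chosen here, not a rule the post states, and the sample files are constructed.

```python
"""Hunt for suspicious .VBS files the way Sign #4 describes.

A file is reported when its name looks machine-generated (KJLERPZ.VBS),
when it is a double extension (README.TXT.VBS), or when it carries the
Windows hidden attribute (the grayed icon in Explorer).
"""
import os
import stat
import sys
import tempfile
from dataclasses import dataclass

# Y counted as a vowel so names like SYSTEM.VBS are not flagged.
VOWELS = set("AEIOUY")


@dataclass
class Finding:
    name: str
    path: str
    reasons: list


def looks_random(stem: str) -> bool:
    """Heuristic (assumption of this example): a 'word' of five or more
    letters with fewer than a quarter vowels is probably generated."""
    letters = [c for c in stem.upper() if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(1 for c in letters if c in VOWELS)
    return vowels / len(letters) < 0.25


def check_name(filename: str) -> list:
    """Reasons a .VBS file name is suspicious, independent of the filesystem."""
    reasons = []
    parts = filename.upper().split(".")
    if len(parts) > 2:
        reasons.append("double extension")   # README.TXT.VBS
    if looks_random(parts[0]):
        reasons.append("gibberish name")     # KJLERPZ.VBS
    return reasons


def is_hidden(path: str) -> bool:
    """True when the file has the Windows hidden attribute.

    st_file_attributes only exists on Windows; elsewhere this returns False
    and the name-based checks still apply.
    """
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def hunt_vbs(root: str) -> list:
    """Walk root (all local drives in the post's wording) and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.upper().endswith(".VBS"):
                continue
            full = os.path.join(dirpath, name)
            reasons = check_name(name)
            if is_hidden(full):
                reasons.append("hidden attribute")
            if reasons:
                findings.append(Finding(name, full, reasons))
    return findings


def make_sample_tree() -> str:
    """Constructed sample directory: two suspicious names, one sensible one,
    and a plain text file that must be ignored."""
    root = tempfile.mkdtemp(prefix="vbshunt_")
    startup = os.path.join(root, "StartUp")
    os.mkdir(startup)
    for name in ["KJLERPZ.VBS", "README.TXT.VBS", "NOTES.TXT"]:
        open(os.path.join(startup, name), "w").close()
    open(os.path.join(root, "LOGIN.VBS"), "w").close()
    return root


def main():
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    for f in hunt_vbs(root):
        print(f"{f.path}: {', '.join(f.reasons)}")


if __name__ == "__main__":
    main()
```

Run it with a drive root as the argument (`python hunt_vbs.py C:\`); with no argument it scans the constructed sample tree. Deleting is deliberately left to the operator, as in the post: the script only reports.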
Now, the way that hackers get a virus onto your Windows 98 computer in the first place is in one of two ways: you're stupid enough to open up an email from an unknown source and run the attachment (which is often a .VBS file disguised as a naked picture of a famous tennis player or some such distraction). And presto, you're infected. Or, you are running Windows 98 and you share out your hard disk to the world.
This is easy to do and most people do not even know their hard disk is wide open. If you use the Web Publishing Wizard and set up a small web site on your machine which you let other people access, you're sharing out your hard disk. Or, in this case, the person was a Napster user, again, sharing out the hard disk.
Sign #5: A shared boot disk
The easiest way that a hacker plants a virus on your machine is they check if your hard disk is shared out, and if so, they look to see if your Windows installation is on that drive (i.e. it is your boot disk), and if so, they plant the virus directly into your Windows installation directory.
The way to check if you are sharing out your hard disk is very simple. Bring up the Windows Explorer (by double clicking on My Computer, or by pressing Win+E) and look at the icons for the disk drives. Look for the little hand drawn under the drive icon, as shown below:
That is the hand of some dirty little scumbag hacker in a foreign country stealing your files. Most people put their Windows installation on the C: drive. So you should NEVER share out your C: drive. If you are doing that, IMMEDIATELY, NOW, go right click on the C: icon, click Sharing, and click the Do not share this folder option!
At this point I checked for a very common virus that infected Windows 98 computers 3 years ago using this security hole. It's called QAZ or W32.QAZ virus, and was one of the first ones that I started seeing. And yes, quite stupidly, every Windows 98 machine that I hooked up to a cable modem got infected this way until I realized the problem. Within minutes, as soon as one machine was infected, a dozen other PCs were immediately infected.
The way you find this virus is very simple. You press Ctrl+Alt+Del (in Windows 98 or Millennium, not in Windows NT or 2000) and look at what programs are running. You may see that some common Windows application, such as Notepad, is shown to be running. That's odd, you didn't run Notepad today. There is not even a Notepad window on the screen. Yet NOTEPAD.EXE is running. How strange.
Sign #6: Programs that you didn't launch are running
So you navigate into the C:\WINDOWS directory and find that NOTEPAD.EXE doesn't have the same time stamp as the other Windows programs. In the case of Windows 98, the Windows files will all be dated 5-11-1998. Yet NOTEPAD.EXE is dated more recently. You also find a file called NOTE.COM which is dated 5-11-1998.
As it turns out, NOTE.COM is the real Notepad program. The NOTEPAD.EXE is actually a Trojan horse, posing as Notepad, and in fact if you run NOTEPAD.EXE it simply runs the NOTE.COM program and Notepad appears. It all appears to work normally, yet what the Trojan NOTEPAD.EXE is doing is communicating with a hacker's server and giving it information about your machine.
Sign #7: the file NOTE.COM is in your WINDOWS directory
Now do you see how simple this attack is? A hacker scans the Internet for machines. He finds yours. He checks for a shared drive. He finds your C: drive wide open. He goes into your C:\WINDOWS directory, renames NOTEPAD.EXE to NOTE.COM, plants the infected NOTEPAD.EXE in its place, and simply waits for you to load up some text file and start the party. In fact, this is even more automated, as NOTEPAD.EXE itself does the scanning (that is how your other home computers get infected) and even tells Windows to run Notepad the next time you reboot the machine so that the hack is activated simply by you turning on your computer.
While in the WINDOWS directory, take a look at the other files. Normally, the C:\WINDOWS directory itself should have very few executable programs (i.e. EXE files). Most of Windows actually lives in the C:\WINDOWS\SYSTEM directory.
However, a certain type of virus creates bogus .EXE files, with bogus looking names, and copies data about your machine into those files and encrypts the data. Then at some opportune moment the data is copied over the Internet to that dirty little scumbag hacker in some foreign country.
Sign #8: lots of bogus looking .EXE files in the WINDOWS directory
On this machine, there were hundreds of bogus .EXE files, all with bogus names like PZMQSJ.EXE, and all about 70K to 100K in size. Listing the files by date, I saw that they spontaneously appeared several months ago, and a new such file was created once every few hours. I could tell exactly the day that this virus took control on the machine, and I could tell exactly on which hours of which days this person had the computer turned on.
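The checks from Signs #6, #7 and #8, scripted over a directory listing: executables whose date does not match the Windows 98 install baseline of 5-11-1998, the NOTE.COM next to a newer NOTEPAD.EXE that the QAZ swap leaves behind, gibberish-named .EXE files in the 70K to 100K range, and the per-hour timeline those files give away. This is an added example, not code from the post; the listing it runs on by default is constructed, the size window is taken from the post's "about 70K to 100K", and the gibberish test is a vowel-ratio heuristic chosen here.

```python
"""Triage a WINDOWS directory listing for the patterns in Signs #6-#8."""
import os
from collections import Counter
from datetime import datetime

# Every file in a fresh Windows 98 install carries this date (from the post).
WIN98_BASELINE = datetime(1998, 5, 11).date()
VOWELS = set("AEIOUY")
BOGUS_MIN, BOGUS_MAX = 70_000, 100_000   # assumption: "about 70K to 100K"


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): five or more letters, under a quarter vowels."""
    letters = [c for c in stem.upper() if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.25


def scan_windows_dir(root: str) -> list:
    """Read a real directory into (name, size, mtime) tuples."""
    out = []
    for name in os.listdir(root):
        p = os.path.join(root, name)
        if os.path.isfile(p):
            st = os.stat(p)
            out.append((name, st.st_size, datetime.fromtimestamp(st.st_mtime)))
    return out


def triage(entries: list, baseline=WIN98_BASELINE) -> dict:
    """Return the findings a technician would want from the listing."""
    names = {n.upper() for n, _, _ in entries}
    # Sign #6: executables that are not dated like the rest of Windows.
    off_baseline = sorted(
        n for n, _, m in entries
        if n.upper().endswith((".EXE", ".COM")) and m.date() != baseline)
    # Sign #7: the renamed real Notepad sits beside a newer NOTEPAD.EXE.
    qaz = ("NOTE.COM" in names and "NOTEPAD.EXE" in names
           and "NOTEPAD.EXE" in (n.upper() for n in off_baseline))
    # Sign #8: gibberish .EXE files of the tell-tale size.
    bogus = sorted(
        (n, m) for n, s, m in entries
        if n.upper().endswith(".EXE")
        and looks_random(n.rsplit(".", 1)[0])
        and BOGUS_MIN <= s <= BOGUS_MAX)
    # One dump every few hours means each file marks an hour the PC was on.
    hours = Counter((m.date().isoformat(), m.hour) for _, m in bogus)
    timeline = sorted((d, h, c) for (d, h), c in hours.items())
    return {
        "off_baseline": off_baseline,
        "qaz": qaz,
        "bogus_exe": [n for n, _ in bogus],
        "first_seen": min((m for _, m in bogus), default=None),
        "days_active": len({d for d, _, _ in timeline}),
        "timeline": timeline,
    }


def sample_entries() -> list:
    """Constructed listing (not the post's machine) showing the patterns."""
    b = datetime(1998, 5, 11, 20, 1)
    entries = [
        ("EXPLORER.EXE", 180_000, b),
        ("WIN.COM", 24_000, b),
        ("NOTE.COM", 52_000, b),                                  # real Notepad
        ("NOTEPAD.EXE", 120_000, datetime(2001, 3, 2, 14, 17)),   # replacement
        ("README.TXT", 3_000, datetime(2000, 1, 5, 9, 0)),
    ]
    dumps = [("PZMQSJ.EXE", 71_000, datetime(2001, 6, 14, 19, 30)),
             ("KXTRWB.EXE", 88_000, datetime(2001, 6, 14, 22, 40)),
             ("QLVNDG.EXE", 95_000, datetime(2001, 6, 15, 8, 10)),
             ("ZRPTHK.EXE", 76_000, datetime(2001, 6, 15, 11, 15)),
             ("MBWXSC.EXE", 99_000, datetime(2001, 6, 15, 14, 20)),
             ("GNPDQV.EXE", 82_000, datetime(2001, 6, 15, 20, 5))]
    return entries + dumps


if __name__ == "__main__":
    import sys
    listing = scan_windows_dir(sys.argv[1]) if len(sys.argv) > 1 else sample_entries()
    for key, value in triage(listing).items():
        print(f"{key}: {value}")
```

Point it at a real directory (`python triage_windows.py C:\WINDOWS`) or run it bare against the constructed listing. The timeline is the part worth keeping: sorted by hour, it reproduces the "which hours of which days the computer was on" reading the post describes.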
At this point it was very clear that the machine was infected by numerous viruses and had been for many, many months. I began the slow task of disinfecting a computer with over 13000 files on it. I deleted all the bogus .VBS files I could find, all the bogus .EXE files I could find, and went to reboot the machine. The machine would not shut down! Every time I clicked on Shut Down, Windows simply returned back to its desktop.
Sign #9: Windows will not shut down!
EXPLORER.EXE itself (the Windows shell) was infected. Potentially everything typed in or clicked on got sent to the outside world.
Sign #10: You haven't run Windows Update in years!
I did one more thing, and that was to run Windows Update. Just for the hell of it. How out-of-date was this machine? My question was answered in a few seconds. Windows had not been updated in over 2 1/2 years. Not one single security patch issued by Microsoft since early 1999 had been applied. This machine was a wide open playground for hackers.
Here is the sad thing: the owner of this computer told me that this mysterious behavior had been happening for some time and they simply put up with it. The automatic launching of Outlook Express, the inability to shut down the machine, the strange error messages about missing .VBS files, and other mysterious behavior.
The owner just assumed that Windows 98 was acting up, and that perhaps buying a new computer would fix the problem. At this point I started banging my head against a wall crying out "Why? Why? Why don't people get it that the answer is not to buy a new computer?"
If your computer is acting up, don't run out to CompUSA and spend $2000 on a new system just so that you can re-infect yourself with all the dirty viruses you placed on your older computer. Consider the other possibility that your computer is crawling with viruses and that some dirty scumbag hacker is stealing your files.