Help with securing your PC/network against dangerous programs and email annoyances
Back Orifice and NetBus
There are two major hacking programs in use now: NetBus and Back Orifice (BO).
These programs do have a legitimate use in network security and analysis, but
they can easily be used to snoop on your PC at work or at home through your
Internet connection. They can be disguised as harmless programs, often the goofy
programs or screen savers people send through e-mail. When you click on the
executable file in the email and watch the pretty fish swim across your screen,
you have unwittingly let a "Trojan Horse" program onto your system. These
programs are buried deep in the system files, often hidden from detection or
cloaked as a harmless file. When you log onto the Internet, they open TCP ports
and allow virtually anyone with the BO or NetBus administrator program to detect
your PC and access your files.
I was lucky enough to have a co-worker infect my PC with one of these programs so
I could try to find it and disable it. Detecting these programs is fairly easy,
removing them is more difficult, but not impossible! I had the advantage of knowing
that this program was somewhere on my PC at the time. I have since written some
batch files that help detect these programs and placed them in my Start-up folder
so they will search for them every time I log on.
Detection
Check your PC right now!
Open a DOS prompt.
Type: NETSTAT -A and hit ENTER.
If there is any activity on port 31337, you have Back Orifice installed.
If there is any activity on port 12345, you have NetBus installed.*
*These are the default ports for these programs; they can be configured for other ports!
If either of these ports (or any other suspicious port) is active, Telnet to yourself
(localhost) at that port number. If you connect or a password window opens, you've been infected.
Copy and paste this into Notepad and save it as "hack_check.bat":
@ECHO OFF
ECHO This batch file checks for hacker programs loaded on your PC.
ECHO First it will give you a list of active TCP/IP and UDP ports.
ECHO If port 31337 is active you have Back Orifice loaded.
ECHO If port 12345 is active you have NetBus loaded.
pause
CLS
REM Default NetBus port. FIND matches the port as a substring of each netstat line.
ECHO Looking for NetBus TCP port
ECHO If infected, you will see a port listing for 12345
netstat -a | find "12345"
pause
CLS
REM Default Back Orifice port.
ECHO Looking for Back Orifice TCP port
ECHO If infected, you will see a port listing for 31337
netstat -a | find "31337"
pause
CLS
REM Back Orifice's default file name (" .exe") shows up as EXE~1 in an 8.3 listing.
ECHO Looking for the Back Orifice Executable
ECHO If infected the file will be found
DIR "C:\WINDOWS\SYSTEM\EXE~1"
pause
CLS
REM Export the RunServices key so it can be inspected for the BO startup entry.
ECHO Looking for changes in the registry key
ECHO This will create a file called "BOCHECK.TXT"
ECHO Open the file and look for a suspicious line like @="EXE~1"
REGEDIT /E .\BOCHECK.TXT HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
pause
CLS
REM NetBus stores its server password under this key; exporting it only succeeds if the key exists.
ECHO Looking for changes in the registry key
ECHO This will create a file called "NBCHECK.TXT" if NetBus is loaded;
ECHO no file will be made if not.
REGEDIT /E .\NBCHECK.TXT HKEY_CURRENT_USER\Patch\Settings\ServerPwd
CLS
@ECHO ON
EXIT
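The batch file above matches the port numbers with FIND, which is a substring match: "12345" also hits a line whose local port is 112345 or whose remote port happens to be 12345. The script below is an added example, not the page's own batch file or anything from the Back Orifice or NetBus projects; it parses the full NETSTAT -A listing and only flags a watched port when it is the local port of a LISTENING TCP socket or a bound UDP socket. The sample listing and the port labels are constructed for the example, and as the page says, the two ports are only the programs' defaults.

```python
"""Scan `netstat -a` output for the default ports the page associates with
Back Orifice and NetBus. Added example; the sample listing is constructed."""
import re
import subprocess

# Default ports named on the page. Both programs can be reconfigured, so a
# clean result here is not proof of a clean machine.
WATCHED_PORTS = {
    31337: "Back Orifice (default port)",
    12345: "NetBus (default port)",
}

# Windows netstat -a line format:
#   TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
#   UDP    0.0.0.0:137            *:*
# The header lines ("Active Connections", "Proto  Local Address ...") do not
# start with TCP/UDP and are skipped.
_LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


def local_port(addr):
    """Return the port from an 'address:port' string (IPv4, hostname or
    bracketed IPv6), or None when there is no numeric port ('*:*')."""
    _host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return int(port)


def find_suspicious(netstat_output):
    """Return (proto, port, state, label) tuples for watched local ports.

    Only listening TCP sockets and bound UDP sockets count; an outbound
    connection whose *remote* port is 12345 is not a local NetBus server.
    """
    hits = []
    for line in netstat_output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        port = local_port(m.group("local"))
        if port not in WATCHED_PORTS:
            continue
        state = m.group("state") or ""
        if m.group("proto") == "UDP" or state.upper() == "LISTENING":
            hits.append((m.group("proto"), port, state, WATCHED_PORTS[port]))
    return hits


# Constructed sample of `netstat -a` output (not captured from a real host).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       10.0.0.9:12345         ESTABLISHED
  TCP    [::]:12345             [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
"""


def scan_this_machine():
    """Run netstat -a on the local machine and return the hits (Windows)."""
    out = subprocess.run(["netstat", "-a"], capture_output=True, text=True).stdout
    return find_suspicious(out)


if __name__ == "__main__":
    for proto, port, state, label in find_suspicious(SAMPLE):
        print(f"{proto} port {port} {state}: {label}")
```

Against the constructed sample this reports the TCP 31337 listener and the IPv6 TCP 12345 listener, and ignores the ESTABLISHED line whose remote port is 12345. Run scan_this_machine() on a Windows PC to check the live listing the way the batch file does.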
ARCserve
A less stealthy program, but nevertheless useful in hacking, is ARCserve.
ARCserve is supposed to be used to back up PCs over a network, but it can
easily be used as a backdoor program. The problem is that this program
looks like a lot of the other junk that comes with your computer. You might not
notice it because it is "backup" software. ARCserve can copy all the files on
your hard disk in less than 15 minutes and is almost invisible when it is running.
If it has been loaded on your system, it will show up in the Start Menu.
Use the ARCserve uninstall or Windows Add/Remove Programs to get rid of it. If you
have the ARCserve agent loaded on your PC for other reasons, be warned that anyone
with the ARCserve manager software can do an "Auto-detect" and find your PC if it
has an agent. The agent may be disabled when not in use.
Links that will help with Backdoor/Trojan detection and removal
WebAttack Internet Tools
Virus Control and Anti-Hacking
Netbus trojan virus(Proland Software)
NetBus and NetBuster
How to remove BO by hand
Current: W32/Blaster
W32/Mydoom@mm
What are viruses, how do they work?(howstuffworks.com)
Viruses and worms
Viruses through email
Viruses through Downloading
Protection and Detection
Research Viruses(ca.com)
Commentary on Windows and Viruses
Viruses Hoaxes(HoaxBustersHome.com)
Case example of removing a virus manually: The Gone.scr Virus
Microsoft won't admit it, but they have a huge security flaw in Win2000
which makes it vulnerable to the Blaster virus.
If you are running Windows 2000 and get an SVCHOST.EXE Application Error
when you use a dial-up connection, you probably have the Blaster virus. If
you go to Microsoft Support and search for "SVCHOST.EXE Application Error" you will come up empty.
When you get this error, open Task Manager and you should see msblast.exe in the program list.
Download the McAfee/Network Associates Stinger program, which
will clean out Blaster and other viruses, and run it.
You will note that after you clean the virus, SVCHOST.EXE is still broken. You need to load a patch to
fix it here.
This link may not be current; Microsoft moves these often without providing redirects. Click
here to search for additional links.
Avoid opening unscanned attachments. Delete emails with attachments
from persons you don't know. If you've got it, then get stinger.exe to remove it.
Stinger 1.9.7 and the 4319 DATs will both require that infected Systems
be rebooted to achieve complete removal of W32/Mydoom@mm.
The shimgapi.dll file is injected into the EXPLORER.EXE process if
the system has been rebooted after the infection has occurred. In this
situation, a reboot and rescan is required to remove this DLL from the
system.
McAfee information.
Both Norton (Symantec) and McAfee have free/trial downloads of anti-virus packages that will eliminate most viruses.
Norton Virus Removal Tools
McAfee Free Scan
A new virus hit Outlook email on 12.04.01. It's called
"gone.scr" and infects the Outlook address book through an
email attachment masked as a screen saver program.
Double-clicking the attachment infects the PC.
The virus then uses email addresses in the Outlook address book
to forward the virus and message to more people in your name.
The program sits in C:\WINDOWS\SYSTEM and is hidden. It
is constantly running and accessing Outlook, so under these conditions it cannot
be deleted.
Also, the virus creates a registry key which launches the program on boot, and it
recreates the registry key if it's deleted or renamed.
In order to disinfect, the program and the registry key must be deleted, and this
cannot be done while Windows is running.
Follow these steps:
- Restart in DOS mode or to a boot disk
- On the command line type:
ATTRIB -R -A -S -H C:\WINDOWS\SYSTEM\gone.scr
- Hit ENTER
- On the command line type:
DEL C:\WINDOWS\SYSTEM\gone.scr
- Hit ENTER
- Restart the PC
- Go to Start, Run and type REGEDIT, click OK
- Find the key(by expanding the folders):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{C:\windows\system\gone.scr}
- Select this key and delete it
- Also go to Start, Find and do a search for "gone.scr";
there may be copies in temp folders.
- Empty the Recycle Bin
- Delete any emails with the attachment
- Empty the Outlook Deleted Items folder
Read about KnujOn, a new way of dealing with junk mail.
Spyware "infects" your PC but does not have the same intent
as a traditional virus. Spyware usually collects information
from your cookies for advertising purposes, launches pop-ups
and changes your default homepage. If your startup web page changes
and you reset it but it changes back on reboot, you may
have spyware.
Some spyware is legitimate, meaning it is part of something you intentionally
downloaded. For example, you may have installed RealPlayer. RealPlayer
checks your version for updates and upgrades and prompts you when
new versions are available. It also launches popups for advertising.
However, you are getting their product for free, and if you uninstall it,
the spyware goes away too.
The not-so-nice ones are sometimes very hard to get rid of. There are
many free programs that can help:
SpyBot - Search and destroy
Spyware Blaster
Hijackthis
CWShredder
Xupiter
A recent example is the Xupiter toolbar. It keeps resetting your homepage to Xupiter.com, adds
a toolbar and launches popups. Use these instructions from
pchell.com to remove it, then send an email
to help@xupiter.com, support@xupiter.com, and dnsadmin@tucows.com telling them you
do not like their spyware advertising tactics.
fastsearch.cc
What a pain this one is. It sets registry keys for startup pages to
http://%69%6e%2e%77%65%62%63%6f%75%6e%74%65%72%2e%63%63/%2d%2d/?%79%64%74%66%73.
Why? Each % followed by two digits or letters is a
hexadecimal number: %69 = i, %6e = n, etc. The entire string
decoded is in.webcounter.cc/--/?ydtfs, and this page redirects your
browser to fastsearch.cc (.cc is the Cocos Islands).
The reasons: for one, you cannot put the % in your web blocking list. Then, your browser keeps resolving to
fastsearch.cc, but if you search your hard drive, cache and registry, "fastsearch.cc" won't come up.
This is called obfuscation.
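The decoding described above, as an added example that is not part of the original page: it percent-decodes a start-page value the way a browser does before matching the host against a blocklist, so an entry for webcounter.cc catches the encoded value even though a plain text search on the raw registry string never sees that name. The encoded URL is the one quoted on the page; the blocklist is constructed for the example, and the repeated decoding is an assumption to cover values that have been encoded twice.

```python
"""Decode hex-obfuscated (percent-encoded) URLs before checking them against
a blocklist. Added example; the blocklist below is constructed."""
from urllib.parse import unquote, urlsplit

# The obfuscated start-page value quoted on the page.
ENCODED = "http://%69%6e%2e%77%65%62%63%6f%75%6e%74%65%72%2e%63%63/%2d%2d/?%79%64%74%66%73"

# Constructed blocklist of host names for this example.
BLOCKLIST = {"webcounter.cc", "fastsearch.cc"}


def decode_repeatedly(value, max_rounds=5):
    """Percent-decode until the string stops changing.

    A value can be encoded twice ('%2569' -> '%69' -> 'i'), so one unquote()
    is not always enough; the round limit bounds the work on odd input.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def host_of(url):
    """Return the lower-cased host part of a URL, or '' if there is none."""
    return (urlsplit(url).hostname or "").lower()


def blocked_host(url, blocklist=BLOCKLIST):
    """Return the blocklist entry the decoded URL's host falls under, else None.

    A host matches when it equals an entry or is a subdomain of it, so
    in.webcounter.cc is caught by the entry webcounter.cc.
    """
    host = host_of(decode_repeatedly(url))
    for entry in blocklist:
        if host == entry or host.endswith("." + entry):
            return entry
    return None


if __name__ == "__main__":
    print("raw value contains 'webcounter.cc'?", "webcounter.cc" in ENCODED)
    print("decoded:", decode_repeatedly(ENCODED))
    print("blocked as:", blocked_host(ENCODED))
```

The raw value never contains the string "webcounter.cc", which is exactly why the page's search of the cache and registry came up empty; decoding first turns it back into http://in.webcounter.cc/--/?ydtfs, and the host check then matches the blocklist entry. The same decode-then-match step belongs in any homepage or startup-page check, since a blocker that compares raw strings is defeated by this encoding.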
This was apparently caused by CWS.Tapicfg, a variant of
CoolWebSearch. It's named that because
CoolWebSearch.com was one of the first sites to use it.
SpyBot, SpywareBlaster, and HijackThis did not clean it out, but
CWShredder did get it.
After you have cleaned out webcounter.cc or fastsearch.cc, send an email to
Helen Bauer - webmaster@fastsearch.cc and Katsuji Yoneyama - webmaster@webcounter.cc
expressing your disgust at their advertising tactics.
To reduce the risk of spyware infection, load
Spyware Blaster,
which will block specific spyware packages and also increase the security of
your browser settings, specifically blocking or prompting for stylesheet downloads.
More Info:
Information Kit: Spyware
Whatis.com
spychecker.com
cexx.org
grc.com
spywareinfo.com
Spyware forum
Much of the spam out there falls into the category
of Junk/Hoaxes/Chain-letters. Namely, they ask you
to "forward the email to 10 people" or something similar. The best
way to fight this kind of junk is NOT to forward it.
Read more:
CIAC Hoax Pages
Urban Legends
How to Hoax-Proof Yourself
Junk Faxes
Junk faxes were around for a long time before email and the Internet came
into common use. Unfortunately, they have become a computer problem as well,
since many companies use desktop faxing software. In general, junk faxes are
also an annoying business problem. Some people feel powerless to stop the
waste of toner, paper and loss of legitimate fax-line time, but there is much
that can be done to fight junk faxes. According to the Federal Communications
Commission (FCC), companies can only fax you if they have an "established
business relationship" with you. In addition to the FCC regulations, junk
faxes are also the concern of the Federal Trade Commission (FTC) for slightly
different reasons. While the FCC covers the possible illegal communications
issues involved with junk faxes, the FTC covers the privacy issues.
Read more.
So, when you get one of these junk faxes, research the company that sent it
and then email, write, call, and fax back to them that they do not have an
established business relationship with you. If they continue to fax you
after that, file a complaint against them with the FCC.
How to track the companies that are faxing you:
Before you can begin fighting back, you have to find out who is faxing you.
Phone companies will not provide account information
for toll-free numbers (reverse lookups). There are some
reverse lookup web sites, like
http://inter800.com.
Unfortunately, the companies that send junk faxes
will often not be found in the listings. Another
option is conducting a general Internet search for
the number; the company's website or some other information
about the junk fax sender may be returned.
My advice is not to bother with the "remove me from
the database" phone number usually provided on the fax.
The "removal" number will often be eternally busy or
disconnected. In some cases they will sell your name
and number to someone else after you have requested to
be removed. In the worst case they will even attempt
to sell you something when you call to be removed.
Instead, call the business number, the number they provide if
you want to buy what they are selling. Ask for their
company name, mailing address, phone number and any
other information.
Another tactic is to block the numbers used to send junk
faxes. Most fax machines and desktop fax packages
have the ability to block incoming numbers. The
Telephone Consumer Protection Act of 1991 requires
that the identity of the sender be clearly displayed
on the fax. Do not throw away any junk fax. Place all
the faxes in a file for future use.
Complain directly to the company faxing you
Call, email, write, and fax the companies.
Be sure to include the following in any letter or
conversation:
1. A request that they not send you faxes
2. A request that they remove your number from their list,
3. Remind them that you do not have a business relationship with them
4. Remind them that Federal law prohibits them from sending faxes to numbers they do not have a prior business relationship with.
If you can discover their fax number, fax their junk
back, with your request to be removed from their lists.
I recommend sending back 3 pages for each page they
send you, meaning if they fax you two pages, send them
back six. Be sure to keep track of the companies and
numbers you have complained to in case they continue
to fax you afterwards.
File complaints
Filing complaints on-line has been made simple.
Fill out form 475
and provide as much information as you can on the
company faxing you. While the FCC may receive
thousands of these complaints and may not take any
action for some time, you may inform the junk fax
senders that you have filed complaints and will
continue to do so. Starting in January 2005 there
will be more FCC regulations covering junk faxes,
making it harder for the fax senders to remain
anonymous.
It is also important to note that faxes are covered
by "do-not-call" lists the same way telemarketing
calls are. If your number is on a do-not-call list in
your state, you can also file a complaint in this
context at www.donotcall.gov. You may also register
for the do-not-call list at this site.
References:
Junk Fax Law
Sample Demand Letter to Mail to a Sender of a Junk Fax
Federal Communications Commission
FTC "Do Not Call"
More Articles:
Junkfaxes.org
stopjunkfaxes
consumerwatchdog.org
Junkbusters.com