Full Version: What Is Happening?
manu
Hi friends,

I have seen my NORTON three times today showing a "Sending your email" status and sending something... There is nothing in my OUTLOOK outbox to send, and I did not send anything.. My OS is Win2k Pro and I use Office XP.. Well, tell me guys, what is happening.. Who is sending emails in the background... Norton just shows it; is it some update request or something like that from Norton itself.. How is it possible... Anybody could comment plz?..

Manu
agamemnon
I posted some code a while back in the virus section called "Email Thief". That should outline the basic methodology for sending emails in the background with VBS. However, there are a million and one other ways of doing it, in a million and one different programming languages. Chances are, you're not going to find the code that's infected you - even if you do learn how to reproduce the same effects.

If you want to find out what's sending these emails, check the taskmanager. If there's nothing interesting there you're going to need to try and trigger this malicious emailing program. Does it only happen when you preview or open a particular message in Outlook (/Express)?

Unfortunately, if you can't see anything unusual in the taskmanager, and you think that you've not got an embedded VBS virus, then you're probably going to find it very difficult to get rid of this intruding thing.

Sorry
-agamemnon
Dillinja
Employing a decent firewall and setting strict egress rule sets (or in other words, setting rules for outgoing traffic) might help. Watch outgoings and investigate any unusual traffic to smtp port 25. Send a few emails yourself and view the traffic logs from your firewall app to get a feel of what goes on when an email is sent.

If you have set egress rules properly, you should receive a dialogue box of some sort, telling you what application is attempting to email where. If you haven't sent an email, then by virtue of elimination... that's your rogue!

Not much experience with other win32 firewalls, but Sygate has a pretty nifty setup, allowing you to apply specific rules to specific applications, and more importantly in this case, ports (as well as a few more derivatives of applying traffic restriction). Just a matter of balancing usability and security (plus having the firewall pop up a dialogue box even if it farts!)

Hope this helps, and let us know how you get on.
Dillinja
QUOTE (manu @ Oct 6 2003, 09:00 PM)
Umm, well, tell me guys, what could he steal from my system?..

Emmm, well, he probably has all the passwords you've used since infection (that's what those emails are, mate! Oops), so it depends what mood he is in!
Removing pwsteal.trojan here
Do a complete scan as well; there's bound to be more where that came from.
And try not to turn off your AV (and running no firewall isn't much good either).

Also, I know you're upset, but don't post real IPs again, no matter what the context.
agamemnon
QUOTE
Tell me pals, what could I do then, when I got his printers folder?...

Well, with access to his printers folder, you could steal a copy of his printer drivers... Errrr.... that's about it.
manu
Well, Dillinja, I will take care next time.. Won't post real IPs.. Then, you said, he has all of my passwords, right?.. Great.. Let me change it from some other location and kill this (filtered) damn.. Umm, I will use that tool you mentioned... Hey, one more thing, I had seen one file WINMINE.EXE too inside my system32 folder... What is this?.. Lemme google for it... Well, anybody could decompile it and tell me what it is.. I will upload it..

Manu
manu
Agamemnonnnn.... Well, I need his printer drivers... Tell me how you usually steal it?.. Hi hi, you are funny, but I am not that funny.... Errrrrrrrrr.... Well, lol... Hi hi, I am not even a script kiddie. Just learning basics.. Reading a lot, hearing what you great people say.. Then, can you help me out here instead of this Errrrrrrrrr and Piss..?.

Manu...
agamemnon
WINMINE.EXE is the Microsoft game: Minesweeper - which is surprisingly fun to play. It only looks malicious because of its groovy icon, which for those who don't know it, is a rather offensive looking mine.

Seriously Manu, I'm not being difficult; if you can only access his shared printers folder, there is very little you can do except maybe print stuff to his printer and copy his printer drivers.

Read up on NETBIOS exploitation and IPC$ etc, and see what you learn. Chances are though that this stuff won't work. Anyone worth his salt will not leave a blank administrator password.

(I do not in any way endorse the hacking/cracking or otherwise abusing of computers that are not your own. I take no responsibility for actions taken as a result of information I have posted.)
tribalgoa
Sounds like the box connected to you is just another owned node...
hack it and find out

if it really was a hacker on that ip, you would not see his printer folder .. (I hope for him anyway .. heheh .. not much of a hacker otherwise)
manu
Oops, it was that GAME?.. Oh God, I think I did not sleep well the day before.. Anyway, thanks man.. Today too I wanna go online, will try to meet that guy.. Let him hack my PC... I have 'something' for him too..

Manu
agamemnon
Heehee, yep.
Although WINMINE.EXE could be trojaned...
Dillinja
QUOTE (agamemnon @ Oct 7 2003, 12:58 PM)
(I do not in any way endorse the hacking/cracking or otherwise abusing of computers that are not your own. I take no responsibility for actions taken as a result of information I have posted.)

Fair enough... but you will have to take responsibility for saying Minesweeper is fun!

Christ, I hate that game! Probably because I'm crap at it!
agamemnon
Hahahaha
Minesweeper is lush! - At school we used to have "Minesweeper Races" where...... Oh never mind!
Dillinja
Rofl!

Well, you were lucky.. all I had to play with was Snake on a BBC!

It's not that I'm old... it was a really crappy school!

Although lighting a bonfire in the classroom in the winter to keep warm was pretty cool!
manu
Dillinja and Agamemnon,

I killed that crap... Well, Norton could only find it, Umm, it could not touch it.. Well, I found three files in my System32,

TAPIEXEC.DLL
TAPIEXEC.EXE
and
CXEIPAT.LE

(Well, I had the last two files in my Recycle Bin. Hey hey, I just went there to see the correct spelling of the filename; well, then NORTON came up and told me there is a VIRUS, a keylogger, in your Recycle Bin.. Well, I just cleared the Recycle Bin, then one MESSAGE came up, "Welcome to Kuwait, blah blah blah..".. Well, I just closed it..)

Anyway let me continue..!!. Well, I could delete the last two files I mentioned after I booted in SAFE MODE...!!. Well, I had to go to TASK MANAGER to stop the TAPIEXEC.EXE process running.. Anyway, I sent both of them to the Recycle Bin, but unfortunately, I could not delete that (filtered) TAPIEXEC.DLL. Then, I did another thing: I just tried to rename that file, I changed it to FFFF.TXT... Coollllllll... I could open it in NOTEPAD... Sorry, I did not save it; I could see lots of things in it.. Anyway, then too I could not delete it, Access denied yaar.. Ooops, then I booted in Normal Mode and this time I could delete it... Well, then I went to LOCAL USERS and GROUPS to change the Admin password, and then I saw one additional user over there.... Lol.... "yourusername"... Well, it doesn't have administrator privilege (I hope so), just a member of Users... Well, I deleted it straight away and came here to write all this.. Then one more thing: now too the NORTON pop-up is there. It says, "Norton detected a virus in your computer, it is in D:\RECYCLERS\BLAH BLAH\DD1.EXE".. Well, what is that crap, still another one?.. Well, hooo, lemme go and do something.... You guys please comment about this; do you have experience with these types of VIRUS and Trojans?.. Share with me plz..

Manu
Dillinja
Kuwait? Wah?

Mate, you're not infected, you're infested!

Go to http://www.symantec.com/avcenter/, follow the removal instructions for whatever Norton finds... update Norton and leave it on this time, disconnect your computer from the internet (use scissors if you have to) and do a total disinfection.

And use a firewall in future.
manu
Dillinjaaaa

I cleared everything.. You know, my Norton is up to date.. No more updates are available.. I want to reinstall the FIREWALL anyway.. Hey, I had done that the first time itself, I mean, I had visited the Norton website.. Hi hi, what a nice end to a cute Trojan?.. I wanna play with the same; can I try it on another machine?.. Lol.. Not for anything bad, just for fun..!!.

Other friends who see this, share your experiences if you have them..

Manu
agamemnon
Are you French, Manu?

Each virus is probably reinfecting you with another, therefore it is IMPERATIVE that you disconnect your box from the internet with an updated copy of Norton installed.

If you're not able to clean up your system, you'll probably have some *new* viruses, so I strongly recommend that you:

1) partition your hard disk into two.
2) format the blank half
3) install an OS into the new partition
4) only use that partition until you are sure that a fix has been created that will kill your remaining viruses.

(The purpose of the partition is so that you do not lose all of your lovely data!)

EDIT: Oh! You've sorted it, ok then. No worries - And yes, there'd be nothing stopping you from using one of your infected files as an insemination device, so long as you are sure how this virus/trojan works.
manu
Agamemnon

I am confident now, no more crap.. I am sure.. Sure means sure..!!. But the system is not secure anyway.. Going to install ZONE ALARM.. Cool one, I had been using Sygate too.. The day I uninstalled it, well, I got all this crap... Hey hey, about Kuwait.. Umm, what is so bad in q8?.. lol.. I liked your comment Dillinja..

Manu
agamemnon
Manu, just a little note about firewalls for you.

I don't actually run a software firewall. I have an old PC in the cupboard running Windows98 SE with Internet Connection Sharing installed. There are several advantages:

1) Windows98 does NOTHING. It's not like a Linux firewall with insecure mail servers etc. Windows 98 runs NO services

2) Windows98 can not be accessed through IPC$ / C$ attacks as it doesn't have these shares.

3) It needs no prior configuring.

4) Because i'm using this other PC as a router, I don't need to waste my precious system resources on software that can hog a lot of memory.

So, all I have to do is run an anti-virus on my PC behind this Windows98 router, and I'm "secure" (hahahah, no one is ever "secure") from the rest of the world. Someone please tell me I'm a lunatic, and that Windows98 can be remotely hacked by just about anyone! I need to know! lol.

(Win98 can be attacked by various nuke programs, I posted one of them a few weeks ago, called nsnuke.exe - that seems to be the only disadvantage... - but please prove me wrong!)
manu
Agamemnon

Hi hi, you are a little smart.. I must say... Hey hey, Win 98 SE could help you to an extent, but still there will be something yaa.. Can't believe this world, I wanna go to some other galaxy to get rid of all these; there too may be some trojans, kill me.. Can't live in this world. I too don't support lots of memory hungry stuff, but what could we do man.... Just blah blah like this...

Manu
manu
Ohhhhhhhhhhhhhhhhhhhhh....

Nooooooooooooo.. .Not againnnnnnnnnnnn...

I just used NETSTAT to check whether there is anything going on...

Well, see this.. Oh God.. there are still something in my computer for sureeeee... Help meeeeeeee guysssssssss. .I screammmm...

See the IPs and Ports here..

x.x.x.x:135 62.x.x.2:4431 ESTABLISHED
x.x.x.x:135 62.x.x.102:4291 ESTABLISHED
x.x.x.x:135 62.x.x.79:4594 ESTABLISHED
x.x.x.x:135 62.x.x.130:2498 ESTABLISHED

Oh ohhhhhhhhh.... Let me go and install ZONE ALARM, right nowwwwwwww... Sleepy too.. Ohhhhh.. Running ...

Manu
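Two things in this thread are exactly what a quick look at netstat output should surface: Dillinja's advice above to watch for outbound traffic to SMTP port 25 (the rogue mailer), and manu's listing here of several ESTABLISHED connections to local port 135 (the Windows RPC endpoint mapper) from different external hosts, which is what an unfirewalled Windows box exposed directly to the internet looks like. The script below is an added example, not code posted in the thread: it parses `netstat -an` output, treats redacted octets such as `62.x.x.2` as external (since they cannot be classified), and flags both patterns. The sample listing is constructed for the example; the local address 192.168.1.10 and the remote hosts are assumptions, not data from the thread.

```python
"""Flag suspicious entries in Windows `netstat -an` output.

Two patterns: unexpected outbound SMTP (a trojan mailing stolen data, which a
strict egress rule would catch) and inbound connections to Windows RPC/NetBIOS/
SMB ports from outside hosts (a box exposed to the internet with no firewall).
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Local ports where an ESTABLISHED connection from a non-private remote address
# means a Windows service is reachable from the internet.
INBOUND_ALERT_PORTS = {135: "MS-RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB"}
# Remote ports where an outbound connection deserves a prompt (or an egress block).
OUTBOUND_ALERT_PORTS = {25: "SMTP"}

# Matches "TCP  1.2.3.4:135  5.6.7.8:4431  ESTABLISHED" and also the same line
# with the protocol column dropped, as quoted in the thread. Redacted octets
# ("x") are accepted so pasted, anonymised output still parses.
_LINE = re.compile(
    r"^\s*(?:(?P<proto>TCP|UDP)\s+)?"
    r"(?P<lip>[\dx.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\dx.*]+):(?P<rport>\d+|\*)\s*"
    r"(?P<state>[A-Z_]+)?\s*$"
)


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int   # 0 for "*"
    state: str         # "" for UDP lines, which carry no state column


def parse_netstat(text):
    """Parse netstat output; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        conns.append(Conn(
            proto=m["proto"] or "TCP",
            local_ip=m["lip"], local_port=int(m["lport"]),
            remote_ip=m["rip"],
            remote_port=0 if m["rport"] == "*" else int(m["rport"]),
            state=m["state"] or "",
        ))
    return conns


def is_external(ip):
    """True unless the address is loopback/private/link-local/unspecified.
    Redacted or unparsable addresses are treated as external (conservative)."""
    try:
        a = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_unspecified)


def find_suspicious(conns):
    """Return (inbound, outbound).

    inbound maps an alert local port to the set of external peers connected to
    it; many distinct peers on one port means the service is being hit from
    the internet. outbound lists (remote_ip, remote_port, service) for
    connections to alert destination ports."""
    inbound = defaultdict(set)
    outbound = []
    for c in conns:
        if c.state != "ESTABLISHED" or not is_external(c.remote_ip):
            continue
        if c.local_port in INBOUND_ALERT_PORTS and c.remote_port > 1023:
            inbound[c.local_port].add(c.remote_ip)
        elif c.remote_port in OUTBOUND_ALERT_PORTS:
            outbound.append((c.remote_ip, c.remote_port, OUTBOUND_ALERT_PORTS[c.remote_port]))
    return dict(inbound), outbound


# Constructed sample (not the thread's real output): a 192.168.1.10 host with
# four external peers on port 135, one outbound SMTP session and benign noise.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:135       62.x.x.2:4431          ESTABLISHED
  TCP    192.168.1.10:135       62.x.x.102:4291        ESTABLISHED
  TCP    192.168.1.10:135       62.x.x.79:4594         ESTABLISHED
  TCP    192.168.1.10:135       62.x.x.130:2498        ESTABLISHED
  TCP    192.168.1.10:1045      62.x.x.200:25          ESTABLISHED
  TCP    192.168.1.10:1046      62.x.x.9:80            ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.20:1033      ESTABLISHED
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    inbound, outbound = find_suspicious(parse_netstat(SAMPLE))
    for port, peers in inbound.items():
        print(f"INBOUND  {INBOUND_ALERT_PORTS[port]} (port {port}) from {len(peers)} external hosts: {sorted(peers)}")
    for rip, rport, svc in outbound:
        print(f"OUTBOUND {svc} to {rip}:{rport} - check which process owns it")
```

Windows 2000's netstat has no `-o` switch to show the owning process, so for the outbound hit the next step is what Dillinja describes: an application-aware firewall prompt, or stopping suspect processes in Task Manager and re-running netstat. The LAN peer on port 139 and the loopback entry are deliberately ignored by `is_external`.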
agamemnon
Listen,

You have to update your virus checker; download the firewall install file; UNPLUG from the internet; clean up all the viruses; install the firewall; then plug back into the internet.

Otherwise you'll just keep getting reinfected. Pay a visit to Windows Update too.
manu
Installed ZONE Alarm.. That (filtered) stuff is blocked now, Wow.. Then too I wanna check; now I have to go to the office, will come in the evening

Manu
awais
GOSH!!
If you're having loads of trouble with Norton then switch antiviruses!!
There are many other antiviruses such as McAfee and Panda, and there are also free ones such as AVG and Avast! which do a very very good job.
I recommend AVG as it has more features for mail and anti-spam!
flashb4ck
lol, Panda is not so good ;D I was infected with about 1000 viruses on a LAN LOL
Do you prefer Win98? I think that's the buggiest one LOL

There are about a billion attacks against it.


I would use BlackICE Defender, the firewall is a good one, and Norton SystemWorks 2k4 has got all the features.


gr€€tZ fL4Shb4Ck