EoS
I'm getting this warning from my Norton antivirus often in the last few days... only I have no clue why!
I'm not vulnerable to any RPC stuff, and there is no file with such a name in that dir as the warning dialog claims!
I also don't have any open shares!

So where does that virus come from?
Spawn
Already tried the removal tool?

http://securityresponse.symantec.com/avcen...gaobot.gen.html
Demsta
CODE
http://www.littlewhitedog.com/download-file-7.html
EoS
OK, tried that; it scanned my C:\ drive and didn't find anything!

So why that warning?
jacco
QUOTE
So where does that virus come from?



Method Of Infection
If it attempts to spread via KaZaA, eMule, Overnet, IRC, FTP, HTTP (and so on), it may pick possible file names from a long list of names, especially pertaining to cracked software and pornography, in order to try to entice people into running the file. (Maybe that's why it's in your download folder.)

If it attempts to spread through open shares (like admin$, c$, d$, printer$, ipc$), it may try some password-protected shares using its own list of common user names and passwords.

Some variants are also able to use brute-force techniques to get your passwords.

It also spreads to systems not patched against the DCOM RPC vulnerability or the RPC Locator vulnerability.


QUOTE
OK, tried that; it scanned my C:\ drive and didn't find anything!


Norton may have moved the file to some secure folder to prevent it from being executed. When you scan your C:\, the secure folder is excluded from the virus scan.

QUOTE
So why that warning?


Maybe the System Restore function of Windows is enabled and the Gaobot service is restored every time; Windows tries to start it and discovers the file is missing. That's why the warning keeps returning.



Greatingz Jacco
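An added example, not part of any post in this thread: a PowerShell check for the situation jacco describes, an autostart entry or service that still points at a file the antivirus has already quarantined, so Windows trips over it on every boot. It assumes PowerShell is available and is run as an administrator. The registry locations it reads are the standard Run/RunOnce keys and the services tree; nothing in it is specific to Gaobot.

```powershell
# Added example, not from the thread: find autostart entries whose target file no longer exists.
# Assumes an elevated PowerShell session. Nothing here is Gaobot-specific; it just lists
# Run/RunOnce values and services whose executable is missing, which is what you get when
# the antivirus quarantines the binary but leaves the registry entry behind.

function Get-ExePath([string]$cmd) {
    # Extract the executable from a command line: "C:\dir\a b.exe" /x  or  C:\dir\a.exe /x
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Resolve-Target([string]$cmd) {
    # Normalise the NT-style paths that service ImagePath values commonly use
    $exe = Get-ExePath $cmd
    if (-not $exe) { return $null }
    $exe = $exe -replace '^\\\?\?\\', ''                    # \??\C:\x.sys      -> C:\x.sys
    $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\x.sys -> C:\WINDOWS\x.sys
    if (-not [IO.Path]::IsPathRooted($exe)) {               # system32\drivers\x.sys (relative)
        $exe = Join-Path $env:SystemRoot $exe
    }
    return $exe
}

$findings = @()

# 1. Run / RunOnce values for the machine and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $exe = Resolve-Target ([string]$item.GetValue($name))
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            $findings += [pscustomobject]@{ Location = "$key\$name"; Target = $exe }
        }
    }
}

# 2. Services and drivers whose ImagePath points at a file that is gone
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $exe = Resolve-Target ([string]$svc.GetValue('ImagePath'))
    if ($exe -and -not (Test-Path -LiteralPath $exe)) {
        $findings += [pscustomobject]@{ Location = "Service: $($svc.PSChildName)"; Target = $exe }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No autostart entries with missing targets.' }
```

Treat the output as leads, not verdicts: an unquoted path containing spaces, or a bare executable name that relies on PATH, will show up as "missing" even though it is fine. An entry that names a random-number file in a download folder, with no file behind it, is the leftover you would delete (after confirming the antivirus already has the binary in quarantine).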
EoS
Thanks for the reply, jacco!

One last question: on the screenshot, you can see the file name is only a string of numbers... what's that all about? There is no file like that in the folder!
Also, I'm very cautious about what files I execute, so no free_porn.exe and stuff.
jacco
QUOTE
One last question: on the screenshot, you can see the file name is only a string of numbers... what's that all about?


The virus uses random numbers as a file name to avoid detection by antivirus software.

QUOTE
There is no file like that in the folder!


Maybe your Norton is configured to automatically delete infected files.

greatingz Jacco
EoS
Nope, it only denies access!
But why in that folder? I only put files I get from trusted web pages there... how would it get in there?
jacco
QUOTE
I only put files I get from trusted web pages there... how would it get in there?


If you are using Internet Explorer 6.x and you have the Internet security option set to Medium, you could have been the victim of an exploit:

If a request for a file upload/execution is sent by a website, it opens a dialog box asking you if you would like to open the file or if you would like to save it to disk.

If 201 requests for a file upload/execution are sent by a website and 200 dialog boxes asking you if you would like to open the file or save it to disk are open, the 201st file will be downloaded and executed without prompting you with the dialog box.

I know there is some tricky VB or JavaScript code around for hiding the 200 opened dialog boxes.

Solutions:

* set the security option of Internet Explorer to High
* wait for a Microsoft patch
* only visit trusted web pages

QUOTE
But why in that folder?


Because it is the folder you last used for saving downloads. Internet Explorer uses that folder by default.

greatingz Jacco
digitalk2003
If you don't need the admin shares, you can easily disable them by setting/creating some registry keys.

How to permanently remove admin shares (otherwise they will get recreated on a normal reboot):

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Name: AutoShareServer for servers
Name: AutoShareWks for workstations
Type: REG_DWORD
Value: 0

Both DWORDs (AutoShareServer / AutoShareWks) need to be added and/or modified to the above value.

Ciau...

digitalk2003
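An added example, not from digitalk2003's post: the same registry change done from PowerShell, with the service restart that makes it take effect without a reboot and a check that the shares are actually gone. It assumes an elevated PowerShell session. Note that IPC$ is not controlled by these values and stays; only the drive shares (C$, D$, ...) and ADMIN$ go away.

```powershell
# Added example, not from the thread: disable the automatic admin shares permanently.
# Assumes an elevated PowerShell session. AutoShareWks is honoured on workstation editions,
# AutoShareServer on server editions; writing both is harmless and covers either case.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    # Creates the REG_DWORD, or overwrites it if it already exists (-Force)
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
}

# The Server service only reads these values at start-up. 'net share C$ /delete' would remove the
# share right now, but it comes back on the next boot; restarting the service (or rebooting) makes
# the registry change take effect. -Force also stops dependent services (e.g. Computer Browser).
Restart-Service -Name LanmanServer -Force

# Verify: the drive shares (C$, D$, ...) and ADMIN$ should be gone. IPC$ is not controlled by these
# values and is expected to remain; print$ is the printer driver share and is unrelated.
$left = net share | Where-Object { $_ -match '^\s*[A-Z]+\$\s' -and $_ -notmatch '^\s*(IPC|print)\$' }
if ($left) {
    Write-Warning ("Administrative shares still present:`n" + ($left -join "`n"))
} else {
    'No C$/D$/ADMIN$ shares present.'
}
```

Be aware of what this costs you: anything that administers the machine over \\host\C$ or \\host\ADMIN$ (remote software installs, remote service tools) stops working until the values are set back to 1 and the service restarted. It also does nothing for the DCOM RPC and RPC Locator holes jacco mentions; those need the Microsoft patches regardless.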
Invision Power Board © 2001-2005 Invision Power Services, Inc.