Hello ALL !

Chris Brown chris.brown at ctg.com
Tue Jan 30 14:56:20 EST 2001


First let's clear up some definitions, as it will help with how to handle your 
situation (these are my own definitions):

Worm - undiscriminating self replicating program that does not require the 
action of individuals to facilitate their replication

Virus - a program that replicates itself based on the use of or actions done 
on a computer by its intended operator, but without their knowledge.

Trojan - A program that purports to do one thing that is generally useful 
(which it may actually do) whose actual purpose is to do something else, 
unknown to the operator, that is usually harmful

Attack - a conscious effort by an individual or group to degrade the 
availability, confidentiality, or integrity of a _targeted_, preselected set of 
system(s) 

[Note: some people consider worms special viruses, others consider worms 
and viruses the same thing.  I consider those practices confusing.]


First, you are most likely not being subjected to an attack.  By your self-
assessment, you are a victim of a worm (which is probably actually a virus, 
and not a worm).  Good antivirus software will help, but by itself is an 
incomplete answer.  Antivirus signatures need to be updated regularly 
(weekly/bi-weekly) to provide any real assurance.  Firewalls help, but 
only if it is good software and configured properly. Firewalls are like 
locks; they do no good if you install them and leave your front door open.  
They also do no good if you indiscriminately open the door to let strangers in. 

[Disclaimer: The firewall/lock analogy is actually a poor one for anyone at 
anything other than a beginner level.]

Here's what to avoid:

1.  Don't use ICQ, AIM, IRC, or any of the other chat systems.  Most are 
inherently flawed from a security standpoint and/or not coded with security 
in mind.  It is also an easy way to track down your IP address.  

2.  Don't use Napster; it gives away your IP address and your connection 
speed among other things.

3.  Turn off MS Windows printer and file sharing.  Period.

4.  Don't use Microsoft email clients unless you are prepared to check for 
security patches regularly.  Don't use an email client that can render HTML 
(or turn off that capability).

5.  Don't open email attachments unless you can absolutely trust the 
sender.  Never, ever open .exe, .vbs, .js, .dll, .bat, or .cmd files.  Period.

6.  Don't run server software (e.g., a web server or FTP server).

7. If you don't know how to configure your firewall, chances are it's making 
you feel good and that's about it.  I'm not familiar with NetScan 4.12.  It may 
come decently configured out of the box.  Then again it may not.  If you 
don't know enough to check that it does the right thing, pretend it is not 
offering any protection at all, don't be lulled into a sense of security.

8.  Don't use the compromised system to ask for help on getting your system 
back.  You just told the attackers (if there are in fact any) that you know they are
there.  This is bad.  Very bad.  They now have to cover their tracks.  They 
may trash your system to do it.


Now that you have some tips on what not to do in the future, here's how 
to clean up:

1. Get the latest signature file for your antivirus software and install it.  The 
variation among products for virus scanning is minimal.  Keeping the 
signature file up to date is the important part.

2. Disconnect from the net.

3. Run a full virus scan of your PC.

4. Uninstall the chat programs, Napster, and anything else that can operate 
in a peer-to-peer mode.

5. And the hard part:  Determine if you need to reinstall your system from 
scratch.  This probably isn't a necessary step, but it also isn't something 
anyone can tell you based on the information you provided so far. 

I've never heard of S7S, so I can't help you there.


Best of Luck!

Chris
--
Christopher Brown, CISSP
Corporate Security Advisor
Information Services
Computer Task Group (CTG)
chris.brown at ctg.com



>>> barefalls at juno.com 01/30/01 12:36PM >>>
I am new to the computing scene but have absorbed an incredible amount of
data in the last 6 months. Prior to that my last exposure to a computer
was an Apple in High School 20 yrs ago. I graduated in 1980 and fought
with card feeders at UB and lost interest. I joined this Linux group in
an effort to meet enthusiastic, knowledgeable individuals to share ideas,
problems and solutions; which brings me to the crux of the cookie. I have
recently noticed strange goings on within my system and began
investigating 4 weeks ago. This is obviously an online situation. In
short, I am under attack and need help!!!! This has gotten so bad to the
point where I recently had to thwart the Hybris.gen worm. My firewall
appears to be intact and functioning but the worm came in the mail and
Norton didn't flag it. I am now using NetScan 4.12 in an effort to
determine the intrusion sources. My ICQ was compromised and therefore
uninstalled but there's much, much, MUCH more. Does anyone know of S7S?
Can anyone offer me some assistance? From the little boy with his FINGER
in the dyke, Gregory D. Hough
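Points 4 and 5 of the reply above (don't let the mail client render HTML; never open .exe, .vbs, .js, .dll, .bat or .cmd attachments) can be checked mechanically before a message is ever opened. The Python below is an added example, not code from the thread or from anyone on it; the sample message, the addresses, and the function names are constructed for illustration. It only inspects the MIME structure of a message and reports what the reply says to refuse; it never executes or decodes attachment contents. The final suffix is what gets checked, so a name such as report.txt.vbs is still caught.

```python
"""Audit an e-mail message for the attachment types and the HTML part that
the reply above warns about.  Added example, not part of the original
thread; every sample value below is constructed."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath
from typing import Optional

# Extensions the reply says should never be opened (taken from point 5).
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".js", ".dll", ".bat", ".cmd"}


def risky_suffix(filename: str) -> Optional[str]:
    """Return the blocked extension of filename (lower-cased), or None.

    Only the last suffix decides, so 'report.txt.vbs' is flagged: the part
    before the final dot says nothing about what the file really is.
    """
    suffix = PurePosixPath(filename).suffix.lower()
    return suffix if suffix in BLOCKED_EXTENSIONS else None


def audit_message(raw: bytes) -> dict:
    """Walk every MIME part and report what a cautious reader would refuse.

    Returns {'risky_attachments': [names...], 'has_html': bool}.
    The parts are never decoded beyond reading their headers.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {"risky_attachments": [], "has_html": False}
    for part in msg.walk():
        # Point 4: an HTML body is something the reader should not render.
        if part.get_content_type() == "text/html":
            findings["has_html"] = True
        # Point 5: attachment names ending in a blocked extension.
        name = part.get_filename()
        if name and risky_suffix(name):
            findings["risky_attachments"].append(name)
    return findings


def build_sample() -> bytes:
    """Constructed sample message: plain text plus an HTML alternative,
    one attachment with a disguised .vbs name, and one harmless .txt."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "you@example.invalid"           # constructed address
    msg["Subject"] = "constructed sample message"
    msg.set_content("Please see the attached report.")
    msg.add_alternative("<p>Please see the <b>attached</b> report.</p>",
                        subtype="html")
    msg.add_attachment(b"constructed placeholder bytes",
                       maintype="application", subtype="octet-stream",
                       filename="report.txt.vbs")
    msg.add_attachment("plain notes, nothing executable",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(audit_message(build_sample()))
```

On the constructed sample this reports the HTML part and lists report.txt.vbs while leaving notes.txt alone. The same `audit_message` call can be fed any raw message pulled from a mailbox file; it makes no network connection and leaves the attachment bytes untouched.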