Windows File Protection
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Windows File Protection

  1. #1
    Member
    Join Date
    Apr 2003
    Posts
    51

    Windows File Protection

    Dear Friends
    iam getting the following message in event viewer
    File replacement was attempted on the protected system file c:\program files\outlook express\msimn.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.0.2919.6700.

    is there any virus, if so advice me how to remove
    regards
    prem

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Yes, you have BugBear.B.

    Go to www.symantec.com and download the removal tool.

    Boot your machine in safe mode.
    Run the cleaner
    Boot in normal mode
    Install a virus scanner then update the DAT file to prevent future infections.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    AO's Mr Grumpy
    Join Date
    Apr 2003
    Posts
    903
    This is you Outlook Express Mail Program. Check which version should be in use against which version of Windows you are running. On XP Pro the OE version on my machine is 6.00.2800.1106 with a file size of 56.0KB. Can't tell if you have a virus or not, as you do not say if you are running any AV software, and if so what are the result's of any scan
    Computer says no
    (Carol Beer)

  4. #4
    Member
    Join Date
    Apr 2003
    Posts
    51
    I am not using any AV softwares now,
    and when i view process list there are repeated instance of tftp.exe and cmd.exe, and with netstat i found lot of outbound connections to various ip's port 80

  5. #5
    AO's Mr Grumpy
    Join Date
    Apr 2003
    Posts
    903
    Never having had the misfortune to have any serious virus's as I have usually prevented them with good AV measures, and therefore do not have a great deal of experience in this area but, as you say you have no AV protection, I suggest you take the advice given by the horse13 and then check the results

    As a matter of interest,exactly where on Event Viewer does this message appear, ie in which folder, application, security, or system, and is it an information, error or warning message? Better still let's see a screen dump
    Computer says no
    (Carol Beer)

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Trust me, you have bugbear.b. Notice that your app is listed as one of the ones infected on the app list about half way down the page. I have put it in boldface for you for clarity.




    Virus Name : W32.Bugbear.B
    W32.Bugbear.B is spreading at an alarming rate. We have received many reports of this worm.
    - This is a new variant of W32.Bugbear worm.
    - Drops PWS.Hooker which is used for steeling passwords.
    - Spreads through shared network drives.
    - Also has Backdoor capabilities.
    - The worm will also attempt to terminate the processes of various antivirus and firewall programs. Fortunately Quick Heal is not included in this list.

    The Detection of this worm has been provided in the udpate released on 5th June 2003.

    This worm arrives through emails as attchment file. The email makes use of the " Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability to autoexecute on a vulnerable system. This helps the worm get executed even if the user has not executed the attachment file. All users who are using Outlook Express and have not applied this patch then kindly apply the same immediately.


    The email may have subject form one of the following:
    Hello!
    update
    hmm..
    Payment notices
    Just a reminder
    Correction of errors
    history screen
    Announcement
    various
    Introduction
    Interesting...
    I need help about script!!!
    Stats
    Please Help...
    Report
    Membership Confirmation
    Get a FREE gift!
    Today Only
    New Contests
    Lost & Found
    bad news
    wow!
    fantastic
    click on this!
    Market Update Report
    empty account
    My eBay ads
    Cows
    25 merchants and rising
    CALL FOR INFORMATION!
    new reading
    Sponsors needed
    SCAM alert!!!
    Warning!
    its easy
    free shipping!
    News
    Daily Email Reminder
    Tools For Your Online Business
    New bonus in your cash account
    Your Gift
    Re:
    $150 FREE Bonus!
    Your News Alert
    Hi!
    Get 8 FREE issues - no risk!
    Greets!

    For the attachment filename, the worm uses filenames in the My Documents folder location, which have one of the following extensions:
    .reg
    .ini
    .bat
    .diz
    .txt
    .cpp
    .html
    .htm
    .jpeg
    .jpg
    .gif
    .cpl
    .dll
    .vxd
    .sys
    .com
    .exe
    .bmp

    The attachment file may have two extensions, the second extension is
    .scr, .pif, or .exe.

    In addition, the filename can consist of one of the following words:
    readme ,Setup, Card, Docs, news, image, images, pics, resume, photo, video, music, song, data

    Please note that the virus can spoof the From and Reply To fields in the emails it sends.

    When the infected attachment is run it does following details:

    It copies itself in the infected system with random letters chosen by the worm. For Example:
    C:\Windows\Start Menu\Programs\Startup\Cyye.exe
    when it runs on a Windows 95/98/Me-based system.

    C:\Documents and Settings\\Start Menu\Programs\Startup\Cti.exe
    when it runs on a Windows NT/2000/XP-based system.

    xxx.EXE (usually 72192 bytes) in the Startup folder
    and
    zzzzzzz.DLL (usually 5632 bytes) in the System folder

    It infects files of several popular applications and system tools. The following files in Program Files and Windows folders are infected:
    %ProgramFilesDir%\winzip\winzip32.exe
    %ProgramFilesDir%\kazaa\kazaa.exe
    %ProgramFilesDir%\ICQ\Icq.exe
    %ProgramFilesDir%\DAP\DAP.exe
    %ProgramFilesDir%\Winamp\winamp.exe
    %ProgramFilesDir%\AIM95\aim.exe
    %ProgramFilesDir%\Lavasoft\Ad-aware 6\Ad-aware.exe
    %ProgramFilesDir%\Trillian\Trillian.exe
    %ProgramFilesDir%\Zone Labs\ZoneAlarm\ZoneAlarm.exe
    %ProgramFilesDir%\StreamCast\Morpheus\Morpheus.exe
    %ProgramFilesDir%\QuickTime\QuickTimePlayer.exe
    %ProgramFilesDir%\WS_FTP\WS_FTP95.exe
    %ProgramFilesDir%\MSN Messenger\msnmsgr.exe
    %ProgramFilesDir%\ACDSee32\ACDSee32.exe
    %ProgramFilesDir%\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
    %ProgramFilesDir%\CuteFTP\cutftp32.exe
    %ProgramFilesDir%\Far\Far.exe
    %ProgramFilesDir%\Outlook Express\msimn.exe
    %ProgramFilesDir%\Real\RealPlayer\realplay.exe
    %ProgramFilesDir%\Windows Media Player\mplayer2.exe
    %ProgramFilesDir%\WinRAR\WinRAR.exe
    %ProgramFilesDir%\adobe\acrobat 5.0\reader\acrord32.exe
    %ProgramFilesDir%\Internet Explorer\iexplore.exe
    %WinDir%\winhelp.exe
    %WinDir%\notepad.exe
    %WinDir%\hh.exe
    %WinDir%\mplayer.exe
    %WinDir%\regedit.exe
    %WinDir%\scandskw.exe

    where %ProgramFilesDir% is a Program Files directory and %WinDir% is Windows directory. The EXE file is an executable copy of the virus. The DLL is a keystroke logging tool which is used by the virus when it is activated. The keylogging component of W32.Bugbear-B (the DLL) hooks the keyboard input so that it records keystrokes to memory.

    It then attempts to kill antivirus process running and starts with Mass mailing by extracting Email address from current user's email address and SMTP server from the registry key
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts.

    It also drops and Backdoor which Quick Heal will detect as W32.Hooker and remove it successfully.

    It then uses its own SMTP engine to send itself to all email addresses it finds.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    AO's Mr Grumpy
    Join Date
    Apr 2003
    Posts
    903
    Thanks thehorse13, I never pay much attention as I'm rarely troubled, but now I'll be watching out for the little bugger. BTW, can't you post that as a tut? -- Just a thought.
    Computer says no
    (Carol Beer)

  8. #8
    Member
    Join Date
    Mar 2003
    Posts
    74
    Hi thehorse13,
    Thanx for the info. Its really explained.
    -------------------------------------------------------------------------------
    Hello premshamo, why U are not using any av.? U know the importance.

    This time it was BugBear.B. but anytime U may face any DEAR_BEAR for yr computer to love. Be prepared.
    --------------------------------------------------------------------------------
    Rg
    (-:IF U R A HACKER TRY TO BE ON POINT,IT SAVES TIME:-)

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Sorry jm,

    Since this information was gathered elsewhere and not written by me, I wouldn't post it as a tutorial.

    Hope the info helped out none the less.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #10
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    Well prem, I've said it before and I'll say it again....being online without AV software is as dangerous as being addicted to prostitutes and allergic to condoms. It's only a matter of time before you get some sort of infection. Head over to www.grisoft.com and download the free version of AVG.

    /me walks away singing "before you get between the thighs, don't forget to condomize..."
    Al
    It isn't paranoia when you KNOW they're out to get you...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides