
Thread: Protoride.c Worm

#1 Und3ertak3r (The Doctor), joined Apr 2002, 2,744 posts

    Protoride.c Worm

Don't it just piss ya:

Good bloody track record, I leave the helm to become a salesman, and some BSOD lets some **** in on my network.

OK, here is the story. The office manager grabs my attention: there's some warning on our Accounts PC. There it is in full glory, MsUpdate.exe in the startup and associated reg entries, all associated with Win32.Protoride.c. A quick bit of research and the little bugger is in the bin. Oh, and all the while the routers and hubs are off. Wasn't the boss pissed; he wanted the network active while I eliminated a network-aware worm. Bit like a dog chasing its tail, huh.
Found one other machine infected, the only other machine that the BSOD had allowed a root share on the network.
Now the question: HOW THE $#$# DID the thing get in? The info I have is next to **** useless; it tells me Protoride is network aware and what it attempts, but not how the hell it spreads. Or did I miss something...?

The infected machines were both Win98 (because of the backwoods DOS product database we have to use).

While the system is supposed to use a Smoothwall gateway/firewall for Internet access for B2B and the crap DOS application database updates, I suspect the lazy office staff, with the help of BSOD, have been using the PC's internal modem, which is now in the recycle bin. The system, on first reboot after looking at the problem, insisted on connecting to the ISP via the dial-up. Hmmm.

OK, my thoughts on the infection, or how it entered the machine:

1/ Product DB update. Several files arrive via the program's own download protocol from head office; beside this there is a simple messaging system. The files are in a ZIP compressed file, oh, and encrypted (scanning this zip with the CA virus scanner normally won't work).
2/ Open door while the machine was on the Internet, but file and printer sharing was off for the dial-up connection...
3/ A new staff member had brought some files from home on a floppy and edited them on the machine in question. These were Excel files, and the disk was scanned later on a test system and nil found on the disk.
4/ A staff member had been checking their Yahoo mailbox, but no mails with attachments had been opened, nor mails of a sus nature (and no information as to Protoride being email-borne).

(That last one scared the crap out of several staff as I flipped through the pages in order of visit, stumbling on the Yahoo visits and another staff member's f..up at a B2B site. lol)

So how the heck are worms like Protoride spreading? This is so I can block that door before BSOD returns to work.

I am strongly recommending the canning of the two Win98 machines for Win2k or XP Pro, hanging the body of the Yahoo visitor near the Accounts PC as a reminder to all who break the Und3rtak3r's rules, and shooting any staff member who circumvents the path to the gateway/firewall.


    Cheers guys

BTW, Nihil, Regprot is running on all boxes in the shop except BSOD's, and the AV updates are downloaded and installed at the same time as the DB updates.

Oh, BTW, who is BSOD? Well, it is a what: Blue Screen of Death, my name for extreme ****tards.
"Consumer technology now exceeds the average person's ability to comprehend how to use it... give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

#2 nihil (Senior Member), joined Jul 2003, United Kingdom: Bridlington, 17,188 posts
    Hi Undies,

    You mean to say you had your own personal April Fool all along, and didn't share him with us?

Quote (Und3ertak3r): BTW, Nihil, Regprot is running on all boxes in the shop except BSOD's.
Might this be the weakest link, given that it is network aware?

A quick look suggests that it is aware of network shares AND IRC channels. I guess that your man might have opened Pandora's box by allowing root?

I do not see it as a Win9x problem though... after all, it will run on the NT family as well... it is rather what is being done/allowed on your systems?

You say that you only have two 98 machines because of some old DOS system that you have? I have had situations where a user has had two boxes on their desk... a proper one and one to run Win3.1x/DOS 6.33 for legacy systems... can you see a possible solution in that direction? That would kill the W32 type apps?... although there is probably something else that I would kill first?

I think that trashing the dial-up modems was a good idea... hell, that goes straight past firewalls, network security and the lot.

I will now go to the pub and get drunk... come home and find your man his new personal screensaver... well cool... it even fakes doing a Dr. Watson.

The malware does make several registry entries, so I am sure that Regprot would have warned them, if it were running?

    Cheers
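The thread so far gives two concrete things to look for on a suspect box: the MsUpdate.exe startup entry Und3ertak3r found, and the open root share nihil points at. The following is an added example, not code from the thread or from any vendor write-up: a small Python triage script that parses a `reg export` of the Run keys and `net share` output and flags autorun values whose target is the indicator file name, plus shares that expose a whole drive root. Both input samples are constructed to look like that output; the key paths, the drive letter and the share names are assumptions, not indicators from the page. Only the file name MsUpdate.exe comes from the thread.

```python
"""Triage helper: flag worm-style persistence and share exposure from text dumps.

Added example (not from the thread). The two samples below are CONSTRUCTED
to resemble `reg export HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`
and `net share` output on an NT-family box; Win9x formats its output differently.
"""
import re

# Indicator from the thread; extend from the vendor write-up you trust.
SUSPECT_NAMES = {"msupdate.exe"}

# Autorun locations of interest (assumed standard Run/RunServices keys).
RUN_KEYS = ("Software\\Microsoft\\Windows\\CurrentVersion\\Run",
            "Software\\Microsoft\\Windows\\CurrentVersion\\RunServices")

# Constructed sample of a .reg export (backslashes are doubled in REG_SZ data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"MsUpdate"="C:\\WINDOWS\\SYSTEM\\MsUpdate.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
'''

# Constructed sample of `net share` output; share names/paths are made up.
SAMPLE_SHARES = '''Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
ACCOUNTS     C:\\ACCOUNTS                     Accounts data
PRINT$       C:\\WINDOWS\\SYSTEM\\SPOOL\\DRIVERS    Printer Drivers
The command completed successfully.
'''


def parse_reg_export(text):
    """Return {(key, value_name): data} for REG_SZ values under each [key] block."""
    entries = {}
    key = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape backslashes in string data; undo that.
                entries[(key, m.group(1))] = m.group(2).replace("\\\\", "\\")
    return entries


def find_suspect_autoruns(reg_text, suspect_names=SUSPECT_NAMES):
    """Autorun values (under RUN_KEYS) whose executable basename is in suspect_names."""
    hits = []
    for (key, name), data in parse_reg_export(reg_text).items():
        if not any(key.lower().endswith(rk.lower()) for rk in RUN_KEYS):
            continue
        parts = data.strip('"').split()
        if not parts:
            continue
        # First token of the command line, basename only, case-folded.
        exe = parts[0].rsplit("\\", 1)[-1].lower()
        if exe in suspect_names:
            hits.append((key, name, data))
    return hits


def parse_net_share(text):
    """Return [(share, path)] from `net share` output, ignoring header/trailer lines."""
    shares = []
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+([A-Za-z]:\\\S*)", line)
        if m:
            shares.append((m.group(1), m.group(2)))
    return shares


def root_shares(share_text):
    """Shares whose path is a bare drive root (e.g. C:\\), what a share-hopping worm wants."""
    return [(s, p) for s, p in parse_net_share(share_text)
            if re.fullmatch(r"[A-Za-z]:\\", p)]


if __name__ == "__main__":
    for key, name, data in find_suspect_autoruns(SAMPLE_REG):
        print(f"suspect autorun: [{key}] {name} = {data}")
    for share, path in root_shares(SAMPLE_SHARES):
        print(f"drive-root share: {share} -> {path}")
```

To use it on a real machine, dump the Run keys with `reg export` and the share list with `net share`, then feed that text to the two functions in place of the samples. A file-name match is a lead, not a verdict: a worm picks a name like MsUpdate.exe precisely so it looks legitimate, so confirm the hit against the file's location, size and AV signature before acting on it. The share check is the cheap version of nihil's point: a root share reachable from the LAN is the door a share-aware worm walks through, whatever the worm is called.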

#3 1c3m4n85 (Junior Member), joined Mar 2004, 4 posts
    You may have already seen something similar to this. Here's a link from Sophos on this virus.

    http://www.sophos.com/virusinfo/anal...rotoridec.html

1c3m4n85
"It is an honor to serve, that one day may arrive where no man will be without excuse that he has not heard the name of Christ proclaimed."

#4 Und3ertak3r (The Doctor), joined Apr 2002, 2,744 posts
Regprot was installed by me after the fact, unfortunately. Boss relented after this being the second infection in a week; the last one was Netsky.D.

I suspect my holiday from virii is almost over. Boss was also unhappy at the number of systems that were coming back with problems.

I said it was a hot summer; he said, "that was the hardware... I'm talking software probs."
Now I am no software expert... BSOD is.

    cheers

Oh, and yep, regarding the link, that is as good as it gets. At least the Symantec A version info had a date to give me an idea of how old it was. Doesn't that just piss ya.

#5 (Banned), joined Feb 2004, 93 posts
    Doesn't your AV pick that stuff up?

    -Cheers-

#6 Und3ertak3r (The Doctor), joined Apr 2002, 2,744 posts
Quote (Und3ertak3r): The office manager grabs my attention: there's some warning on our Accounts PC. There it is in full glory, MsUpdate.exe in the startup.
That message was the AV telling us after the fact. Normally the CA (VET) alarms when a malware prog is being moved onto or off a system, but the crap won't scan emails.

I had checked the config and it was still as I had left it. My question is more about how THIS particular virii spreads; that is how I decide the next step in protecting the system.

My problem is my boss wants me out of sales (**** I am earning more there) and back in the tech bay.

    Cheers