January 29th, 2003, 11:11 PM
#1
stupid is as stupid does
Well, I didn't think it was gonna happen to me; ever. I didn't understand (nor care to understand) why people are so paranoid 'bout their security. I laughed off those who didn't use p2p sharing.
Anyway, this is not a rant.
I have a debian/win2000pro dual-boot box and I reboot quite often. I use limewire and recently installed the new version of morpheus (just to check it out). Enough said! In the past two or three days I noticed, when I boot win, that right when the desktop actually comes up but before any icons are loaded I get a small dialog-box that says something along the lines of:
"Program so and so has created an error. Blah blah. Log is being written"
The dialog box has only one button; "OK"
Since morpheus comes w/ GAIN (gator, bonzai buddy, I am sure you know what that is) and I tried my best to remove it, at first I dismissed the dialog-box as crippled GAIN spyware/adware trying to load, so I just clicked OK as the whole desktop loaded. After a while I noticed that performance degraded, and after further investigation I discovered that the CPU usage was peaking at 100% every 2 seconds. Hmmm. I decided to investigate. I rebooted again. The dialog-box came up again but the name of the program was different than before. I clicked "OK". CPU kept going up and down. I rebooted again and again; same dialog box, the program name always different. I noticed a pattern: the program name, although different, always followed a format: Xxx1.exe. ("X" stands for a random letter in capital and "x" a random letter in lowercase.) Since "Search" could never find the program after I hit "OK", on my next reboot I left the dialog-box hanging and searched again. This time the exe was found in "C:\Program Files" (not in any application folder, just by itself). Get this: it was only 10k long and after I clicked on the dialog ("OK") it vanished!
The next step, "netstat", showed 4 connections to different IRC servers (one was in Italy) on standard port 6667. ... cold hands and a lot of cursing ...
Although I was pissed I realized that this was an opportunity for me to actually learn something. I decided that after I return from work I would try to identify and quarantine the problem.
Next day:
I noticed that the connections doubled. Some were snmp, some irc, some http. One of the irc's was irc.aol.com. I connected to it and saw more than 2500 channels. How am I gonna find anything here? (Does anyone know how to determine a channel just by seeing the connection to a server?) My next step was to install Norton Antivirus. (I know, I know...) Of course it wouldn't load from the CD so I copied the win2000 specific install folder to the Desktop and installed it. I rebooted and yes.. it didn't run. (Let me hear you say anti anti virus protection)... So I decided to use an online scanner from the makers of PC-chilling. Imagine my horror to realize that 34 files were infected w/ KLEZ_worm, 1 w/ DEVINE trojan and some more w/ various IRC bombers and IP flooders. (I think, after learning about KLEZ, that the flooders were part of its payload.) First I deleted (manually ... I know) all the files in question. That got the number of infections down to 7. Then I used the Symantec KLEZ removal tool, which of course didn't run in safe mode (like Symantec recommended), only on regular start up. I'm not gonna make this any longer than I have to, soooo: Basically after 8 hours all together I said "**** it" and installed Debian throughout the whole HD.
The moral of this story: If you use windows, install a firewall, install AV software, don't download files and just run them w/out proper quarantine. I was pissed and for the first time in my life passed up on sex because of some dickhead script kiddy.
I guess live and learn .... I just thought I'd share this.
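The two indicators the post ends up using to spot the bot, netstat connections to IRC on port 6667 and a randomly named Xxx1.exe dropped directly into C:\Program Files, can be turned into a small triage check. This is an added example, not code from the original post; the netstat output and file paths below are constructed samples, and the IRC port range is an assumption that extends the single port 6667 the post mentions.

```python
import re

# Constructed sample of Windows "netstat -an" output, modelled on the post:
# several outbound connections to IRC servers on port 6667 (RFC 5737 test addresses).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1033      203.0.113.5:6667       ESTABLISHED
  TCP    192.168.1.10:1034      198.51.100.77:6667     ESTABLISHED
  TCP    192.168.1.10:1035      192.0.2.44:80          ESTABLISHED
  TCP    192.168.1.10:1036      203.0.113.9:6667       ESTABLISHED
  UDP    192.168.1.10:161       *:*
"""

# Assumption: the usual IRC range around 6667; the post itself only mentions 6667.
IRC_PORTS = set(range(6660, 6670)) | {7000}

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)")

def parse_netstat(text):
    """Parse IPv4 netstat -an lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto, "local": laddr, "lport": int(lport),
                     "remote": faddr, "rport": None if fport == "*" else int(fport),
                     "state": state})
    return rows

def irc_connections(rows):
    """Established TCP sessions to an IRC port: what the poster saw with netstat."""
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and r["rport"] in IRC_PORTS]

# Name format from the post: one capital, two lowercase letters, the digit 1, ".exe",
# sitting directly in C:\Program Files rather than inside an application folder.
DROPPER_NAME = re.compile(r"^[A-Z][a-z]{2}1\.exe$")

def suspicious_program_files(paths):
    """Return paths matching the Xxx1.exe pattern at the top level of Program Files."""
    hits = []
    for p in paths:
        folder, _, name = p.rpartition("\\")
        if folder.lower() == r"c:\program files" and DROPPER_NAME.match(name):
            hits.append(p)
    return hits
```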