Computer Trojan Attack/Virus Alert
5 July 2002 | Magnum44
Posted on 07/05/2002 5:56:27 PM PDT by Magnum44
Norton Firewall/Anti-virus has just given me a security alert to the "Backdoor/SubSeven Trojan" coming from IP 209.239.196.152. I have only been surfing FR today (via Earthlink). I am not a computer security expert, so beyond trying to see that my own machine is secure, I do not know how to advise others or how to investigate whether the attempted attack came via FR. Everybody watch your system and make sure you have your Firewalls up and virus checkers on.
 Regards
TOPICS: Breaking News
KEYWORDS: computerattack
1 posted on 07/05/2002 5:56:27 PM PDT by Magnum44
 
To: Magnum44
    Hmmm. My browser returns "no such host" for that IP.
2 posted on 07/05/2002 5:59:16 PM PDT by per loin
 
To: Magnum44
    sub7 is an old one. Try anti-trojan.net and see if you have a trojan onboard already, maybe?
To: Magnum44
To: Magnum44
    Trying whois -h whois.arin.net 209.239.196.152
    JPS.Net Corporation (NETBLK-JPS-NETBLK-2)
    595 Menlo Drive
    Rocklin, CA 95765
    US
    Netname: JPS-NETBLK-2
    Netblock: 209.239.192.0 - 209.239.223.255
    Maintainer: JPS
    Coordinator: Earthlink Network, Domain Administrator (DAE4-ARIN) arinpoc@corp.earthlink.net +1-626-296-2400 (FAX) 626-296-5113
 So some 14 year old downloaded SubSeven. 
 Admins have an acronym they use: WWF = Weenie With Firewall. (Nothing personal, I used to report them all the time!)
 If Norton reports it, it prevented the attack. Norton sells a lot of upgrades by scaring people. Yes, there are L33T punks out there, and worse, always probing, and IMO, the parents that taught them those values need to be stomped in front of them. But it is a fact of life, that on the Net, burglars are trying your "Doors and windows" day and night. If one does have an always on DSL or cable connection, then they need to run SOME kind of protection. A hardware router or a software firewall, like Norton or Zone Alarm.
 If you do a google search you will find many sites on the Web claiming a lot of these products are "Snake Oil" - I am not sure of that myself - no matter their faults they are better than none, though there are marketing advantages to a software program that looks like it is "Doing Something".
 
5 posted on 07/05/2002 6:12:38 PM PDT by Gorzaloon
 
To: Gorzaloon
    I'm a double WWF. I have a Netgear Firewall Router that catches all the sub-7s and such and also have Norton Internet Security on each machine. Use that mostly to protect my kids. I caught 3 Sub 7 scans in less than an hour while on FR. I know my presence on FR has anything to do with it. My presence on a Cable Modem is the culprit. Being in "the biz" I understood that well enough from the outset to have belt and suspenders. 
Folks, if you are sitting on the internet with a cable modem or DSL and are not running an up-to-date virus scanner (and I recommend a firewall) it's like walking out of your house and leaving the doors open.
6 posted on 07/05/2002 6:39:37 PM PDT by NerdDad
 
To: NerdDad
    Oh great.  Here I am on DSL and my daughter just broke up with our computer wizard.  At least I have Norton and just updated it.... *sigh*
7 posted on 07/05/2002 6:48:04 PM PDT by Humidston
 
To: per loin
    That just means there isn't a web server hooked up to that address, there could still be something there sending out stuff.
To: Gorzaloon; All
    All responses appreciated. This was mainly a courtesy post. It seems to be either of little concern to a lot of concern depending on whether you have virus detection running. I learned something, too. Keep your guards up. 
 FRegards,
 
9 posted on 07/05/2002 6:56:51 PM PDT by Magnum44
 
To: Humidston
    "my daughter just broke up with our computer wizard"
 Is she someone I should know?
 
10 posted on 07/05/2002 7:02:07 PM PDT by Flyer
 
To: Magnum44
    I'm sure you mean well, but this doesn't mean a thing.  This is a common everyday event on today's Internet.  Your address got hit at random.
11 posted on 07/05/2002 7:12:15 PM PDT by sigSEGV
 
To: sigSEGV
    I've been getting hit 2 or 3 times a day for the last three weeks with the W32.Klez.E and the variation that ends in H@mm and a few other variants as well. It has even pulled my email address out of somebody else's address book and sent the virus out with my address as the sender.
I have Norton and it not only stops incoming viruses (especially the common ones like the Klez virus) but halts outgoing viruses as well, so I know it's not on my computer, and my scan of my computer 2x a day has been confirming that.
 
To: Magnum44
    Try HouseCall from Trend Micro. Choose the "Scan without registering" and let it scan your hard drives. It's a web based virus scanner that works VERY well. It's updated with all the newest virus strings, and can remove any viruses it finds automatically if you choose that option.
 I use it once a week in conjunction with my McAfee Virus Scanner to keep my system clean.
 
To: big ern
    I run Norton too & my email addy has been pulled by someone & has been sending out infected Klez for over a month. I just updated to a new Norton, removed the old one & installed this one from disc & ran the entire scan. My machine is clear, so HOW do we stop the other people's machines from sending out infected emails using our address?? Is there a way?  Any computer geniuses out there?
To: blondee123
    What happens, I believe, is the infected person's address book is being used to send out the messages. This version is taking our email address from the address book and is substituting our address for the real one. 
Short of sticking a piece of dynamite in the infected computer there isn't anything we can do but notify those who send us notices saying we sent them a virus that we didn't send the virus.
Of course I'm no computer expert so everything I wrote could be incorrect. LOL
 
To: Magnum44
    This site, www.grc.com, does free port scans and vulnerability checks. It's pretty interesting to read some of his articles, especially his tales of the script-kiddies and what the trojans are all about.
 
16 posted on 07/05/2002 8:44:15 PM PDT by TC Rider
 
Comment #17 Removed by Moderator
To: big ern
    The simplest way is to never give anyone your email address, ever. This may mean never using your email, but as it's been said - Abstinence is the only 100% guarantee ;0)
To: blondee123
    Change your ISP/Email password for starters.
19 posted on 07/05/2002 9:33:49 PM PDT by DB
 
To: blondee123
    "HOW do we stop the other peoples machines from sending out infected emails using our address??"
 One way is to get rid of micrshaft software and fly free with linux. As well as being free to buy, it is virtually virus free.
 
20 posted on 07/05/2002 10:35:55 PM PDT by quimby
 