SCN: Re: Re: Sircam

Scot Harkins on scn.org scoth at scn.org
Thu Jul 26 10:02:18 PDT 2001


My wife received and opened a copy on her system.  The McAfee, for some
reason, wasn't loaded at the time; corrupted virus files.  I loaded the
latest SuperDAT (last Saturday), and McAfee then fired up and removed all
the virus files but not the worst of the registry entries.  I couldn't
launch any program because the virus hacked the registry to require running
the virus every time any application was started.  I couldn't load RegEdit
to fix it because RegEdit is a program, and Windows wanted to start the
virus first.  Oddly enough, it was removing the actual virus files that
landed me in the hardest spot.

I tried various tricks with copying other programs to the name of the virus
file (SirC32.exe).  I finally just re-hacked the key by creating a registry
entry in a text file to import into the registry to replace the virus'
handiwork.  Thankfully, I was able to right-click the text file (with a .reg
extension) and merge it into the registry.  This bypassed the call for the
virus.  Problem fixed.

I was able to locate the series of dll files in the system directory the
virus used to keep track of where it sent copies of itself from us, where
ours came from, and what files it listed out of our documents directory.  I
also hand-cleaned the rest of the registry entries, which were not dangerous
in their own right.

Since we got the first one I have received another copy from someone else
and, today, yet another virus (W32/Magistr@MM) from someone else.  Also, in
that time, McAfee has released two new dat sets of virus data files.

One of the tacks I had taken was using RegEdit from DOS/command mode.  From
there I should have been able to export the entire registry.  The System
registry file, however, never did export, perhaps for being too large
(nearly 4MB).  That's supposed to be the last resort.  I'd gotten to looking
for hex editors so I could get to the file.

I'm an experienced admin and I spent several hours trying to fix this
because the AV software didn't get the registry keys fixed (it does now I
hope).  This would have been a case of wipe and reload for most folks.  If
the AV software had been loaded it would at least have caught it when she
tried to run it (I tested it, and it did).

It just goes to show that it's not enough to simply load the anti-virus
software.  You have to watch to make sure it's loading and stays running all
the time, and you need to make sure the AV data files are up to date.
That's more important than anything since those files contain the info on
how to spot the virus and how to clean it.  Beyond that are updates to the
AV software itself; new "engines" come out from time to time to adjust to
new angles that viruses use and to improve virus cleaning in general.  If I
had still had McAfee program and data files from last year it wouldn't have
caught this virus and we would still be in a pickle.

Now, I'll tip my hat to the "don't open attachments" crowd.  It's true to be
careful.  If I'm suspicious I simply try saving the attachment and then scan
it.  McAfee will catch it on the save step.  If not, then the scan ought to
catch it.  This is true for any OS: Mac, Linux, and so on.


sh

--
Scot Harkins (KA5KDU)
Greenbank, WA         | Native Texan firmly planted in Western Washington
scoth at bigfoot.com     | SCA: Ld. Scot MacFin, Barony of Madrone, An Tir
scoth at scn.org/msn.com | URL <http://www.bigfoot.com/~scoth>


----- Original Message -----
From: "Joe Mabel" <jmabel at speakeasy.net>
To: "Sharma" <sharma at aa.net>; <scn at scn.org>
Sent: Thursday, 26 July, 2001 9:25 AM
Subject: SCN: Re: Sircam


> The Crisis Resource Directory (heathens at scn.org) has been hit with a bunch
> of Spanish-language Sircam mail. I had the good sense to spot it for a virus
> without opening the attachment. Have other SCN'ers gotten this thing?
> Obviously, mostly dangerous to those who are reading their email on a
> Windows system.
>
> JM
> * * * * * * * * * * * * * *  From the Listowner  * * * * * * * * * * * *
> . To unsubscribe from this list, send a message to:
> majordomo at scn.org In the body of the message, type:
> unsubscribe scn
> ==== Messages posted on this list are also available on the web at: ====
> * * * * * * *     http://www.scn.org/volunteers/scn-l/     * * * * * * *
>
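A small checker and repair-file generator for the registry hijack described in the reply above, added here as an example and not part of the original mail. It assumes the altered key was the standard .exe open-command association (the post does not name the key), parses a constructed .reg export, and builds a .reg file of the kind the author merged to restore the default.

```python
import re

# Stock default value Windows uses to launch an .exe: run the file with its arguments.
DEFAULT_EXE_COMMAND = '"%1" %*'

# Keys whose default value decides what runs on every program launch.
# Assumption: this is where the hijack the post describes lived; the post names no key.
WATCHED_KEYS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
}

# Constructed sample export; the SirC32.exe path is a placeholder, not a real location.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\path\\to\\SirC32.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

def parse_reg_export(text):
    """Parse the .reg subset needed here: [key] sections and their default (@=) string value.
    Backslash escapes inside the quoted REG_SZ value are removed."""
    defaults, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.match(r"^\[(.+)\]$", line)
        if section:
            current = section.group(1)
            continue
        value = re.match(r'^@="(.*)"$', line)
        if value and current is not None:
            defaults[current] = re.sub(r"\\(.)", r"\1", value.group(1))
    return defaults

def find_hijacked_exe_association(text):
    """Return {key: current value} for watched keys whose default is not the stock command."""
    defaults = parse_reg_export(text)
    return {k: v for k, v in defaults.items()
            if k in WATCHED_KEYS and v != DEFAULT_EXE_COMMAND}

def restoring_reg_file(keys):
    """Text of a .reg file that resets each key to the stock command; merging it with
    regedit (right-click, Merge) is the fix the post describes."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(keys):
        lines += [f"[{key}]", '@="\\"%1\\" %*"', ""]
    return "\n".join(lines)

if __name__ == "__main__":
    hijacked = find_hijacked_exe_association(SAMPLE_EXPORT)
    print(hijacked)
    print(restoring_reg_file(hijacked))
```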

