Carey Fisher - NCS wrote:
> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>
> h**p://h*m*p*g*.*y*p*a*e*u*/system.exe [ URL declawed by PAP ]

ClamAV says:

philpem@wolf:~/MALWARE$ clamscan system_exe
system_exe: Trojan.Mybot-1445 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 71517
Engine version: 0.88.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.32 MB
Time: 46.696 sec (0 m 46 s)

Virus data from Sophos is here:
http://www.sophos.com/security/analyses/w32rbotadh.html

If you don't have an antivirus installed, go find a clean machine, grab AVG (from free.grisoft.com), burn it to CD, then install it. If AVG won't install, get the firewall enabled and block *everything*. Go to http://housecall.trendmicro.com/ and scan your system. Let it remove any viruses it finds. Then install AVG.

Looks like pretty much your standard password-stealing IRC botnet-building trojan/worm. If I get sufficiently bored, I'll throw it into a VMware sandbox and pull it to bits with the old IDA freeware release and OllyDebug.

> This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission. This is why the first one didn't run. I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC).

I notice you're using Outlook Express (the X-Mailer header told me). FWIW, there are tons of exploits that allow remote code execution in OE. The old double-extension bug, buffer overflows, the list goes on. I'd switch to Mozilla Thunderbird (it's a pretty painless switch, Tbird can import most/all of your mail and settings from OE).

What antivirus are you using? I guess you've got a perimeter firewall on the router. Any firewall software on the machine itself (e.g. ZoneAlarm)?

> Anybody know anything about any of these apparent attacks. Any suggestions to prevent this particular exploit (START/Run)?

I wonder if someone exploited VNC... What's your VNC password like - all lowercase and less than 8 characters maybe? And no numbers or symbols? :)

I have my network set up so that you have to SSH in (and use a public key to authenticate yourself with the server), then you have to tunnel from the server to the machines inside the network. There are only a few ports open on the router - SSH, SMTP and HTTP. If I need to connect to a machine on the LAN from the Internet, I don't add a port-forward, I use an SSH tunnel.

--
Phil.                     | (\_/)   This is Bunny. Copy and paste Bunny
piclist@philpem.me.uk     | (='.'=) into your signature to help him gain
http://www.philpem.me.uk/ | (")_(") world domination.

--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist
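As an added example (not part of Phil's post or of ClamAV itself), here is a small parser for the clamscan report format shown in the reply above, useful when you want to pull the per-file verdicts and the SCAN SUMMARY block out of a scan log and cross-check them rather than eyeball them; the sample input is the transcript from the post.

```python
import re

# Sample input: the clamscan transcript quoted in the post above.
SAMPLE_REPORT = """\
system_exe: Trojan.Mybot-1445 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 71517
Engine version: 0.88.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.32 MB
Time: 46.696 sec (0 m 46 s)
"""

# One result line per scanned path: "<path>: <signature> FOUND" or "<path>: OK".
RESULT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")
# Summary lines are "Key words: value".
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


def parse_clamscan(report):
    """Return (infected, summary) for a clamscan report.

    infected maps path -> signature name for every FOUND line;
    summary maps each SCAN SUMMARY key (e.g. "Infected files") -> raw value.
    """
    infected, summary = {}, {}
    in_summary = False
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("-----") and "SCAN SUMMARY" in line:
            in_summary = True          # everything after this is key: value
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("key")] = m.group("value")
            continue
        m = RESULT_RE.match(line)
        if m and m.group("sig"):      # skip "OK" lines, keep FOUND ones
            infected[m.group("path")] = m.group("sig")
    return infected, summary


def summary_consistent(infected, summary):
    """Cross-check: number of FOUND lines must equal 'Infected files'."""
    return len(infected) == int(summary.get("Infected files", -1))
```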