Saturday, June 19, 2004


My home PC had the flu ;-)

For the past two weeks our (my sister's, actually) home PC has been down with the flu, and the doctor (Norton Anti-virus) seems to be unavailable, out of town.

My home PC is an HP Pavilion t530i (with Windows XP HE) and has Norton Anti-virus 2004 pre-installed on it. Suddenly my sister observed that whenever she connected to the internet (yes, we still use dial-up over a modem connection here in India), she would get an error for the lsass.exe process. Her first encounter with an extra-terrestrial! Just kidding, a PC virus.

Later in the evening, after coming back from work, she mentioned it to me and we tried to figure it out. However, given that the PC would shut down shortly after connecting to the internet, we could not achieve much from the same machine. As a last resort, we used another PC to get more details about this from the internet. We found out that a virus was exploiting a vulnerability in lsass.exe, causing the machine to shut down within a minute.

Symantec Security Response indicated that our PC was infected with the 'Sasser' virus. It contained explicit, clear steps to ensure that you would remain connected to the internet, and those helped. After following those steps we were able to increase the shutdown time to nearly 2:30 hours. Well, we needed that much time (to update the virus definitions and download the Sasser fix tool), given that our dial-up speed is 3 kbps. No, I am not kidding now.

We finally managed to get rid of Sasser by running the fix tool provided by the Norton folks and re-booted the machine. Only to find that the next time we connected to the internet we could not access the Security Response pages from Symantec on our home PC (we had earlier used another machine). Also, we observed that we could not run regedit.exe (it used to start all right, but the window would just vanish within a couple of minutes). Again the PC was infected and the doctor was nowhere to be seen. Yes, I was not able to start Norton anti-virus either; same behavior as regedit. (Bad luck, no live update, no scan :( ).

I was wondering if IE on my PC was now infected, since it would not let me visit the Symantec site. However, all other sites (like www.google.com) would work. In fact, none of the anti-virus sites were reachable.

We were unable to figure out what had infected our system.

Today, I finally found the following link in one of my desperate searches on google.com:
http://www.experts-exchange.com/Security/Win_Security/Q_20935886.html
[Cannot access any Anti-virus websites, live updates etc.]

Boy, was I glad to find that there was some expert opinion available on the issue we were facing. I quickly checked the 'hosts' file and found offending entries like:

127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com

Obviously this meant that IE was not infected: name resolution was resolving the addresses of these sites to my own machine :) My machine never runs the web server for Symantec Corporation, and hence my browser was returning 'Page cannot be displayed'. Nice trick, I should have guessed it before. Of course, virus writers want to achieve the most with the least coding. By simply modifying the 'hosts' file, they had managed to fool me into thinking that IE was infected.
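The check described above, written out as an added example (not code from the original post): a small hosts-file parser that flags vendor or update hostnames that have been pointed at the local machine. The sample hosts content is constructed from the entries found on the infected PC, and the watch-list of domain suffixes is an assumption a defender would maintain themselves.

```python
import ipaddress

# Constructed sample, modelled on the entries the post found, plus the
# normal localhost lines, a comment and an unrelated 0.0.0.0 entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com   # appended by the infection
127.0.0.1 liveupdate.symantec.com customer.symantec.com
0.0.0.0   ads.example.net
"""

# Names that legitimately resolve to the local machine and must not be flagged.
LEGITIMATE_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumption: the defender keeps a watch-list of vendor/update domain suffixes.
WATCHED_SUFFIXES = ("symantec.com", "norton.com", "windowsupdate.com")


def parse_hosts(text):
    """Return (address, hostname) pairs; one line may list several names."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank or malformed line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not an address/name mapping
        pairs.extend((str(addr), h.lower().rstrip(".")) for h in fields[1:])
    return pairs


def hijacked_entries(text):
    """Flag watched names sinkholed to a loopback or unspecified address."""
    flagged = []
    for addr, host in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        sinkholed = ip.is_loopback or ip.is_unspecified   # 127.x, ::1, 0.0.0.0
        if sinkholed and host not in LEGITIMATE_LOCAL_NAMES \
                and host.endswith(WATCHED_SUFFIXES):
            flagged.append((addr, host))
    return flagged


if __name__ == "__main__":
    for addr, host in hijacked_entries(SAMPLE_HOSTS):
        print(f"HIJACKED  {host} -> {addr}")
```

On a real Windows XP machine the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; any watched name appearing in the output is one the browser and LiveUpdate will never be able to reach.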

Now I started looking for executable files in my %SYSTEM% folder with recent time stamps. I found that the following files had recent time stamps:

wnetlogin.exe
cool.exe
supu.exe
etc...

Another quick search on google revealed that these are potential viruses, namely W32.Donk.R. I had already cleaned up the 'hosts' file, and that now allowed me to visit the Symantec Security Response pages. However, Norton anti-virus still would not start, and hence no live-update. The security page for W32.Donk.R (link below) described the registry keys modified by the virus:
http://www.symantec.com.br/avcenter/venc/data/w32.donk.r.html

After the registry entries were cleaned up and another reboot, we finally got Norton Antivirus to run. Hooray!

Only to find that our LiveUpdate subscription had expired. Well, we renewed it and finally gave our PC an antibiotic and a pain-killer for the much-needed relief :)

Phew, finally the doctor is back in town and the patients are recovering already :)
