AtmaWeapon
04-08-2004, 11:55 PM
The other day, ZC started attempting to ping hosts. I asked DN what business ZC had pinging random hosts, and he told me I had a virus/spyware infection. I was suspicious, but brushed it off UNTIL Norton tried pinging a host. This sounds innocent, but there are 3 modules to Norton: the realtime scanner, the system scanner, and the LiveUpdate module. LiveUpdate is the only module that connects to the internet for anything. So I got more suspicious.
Norton was turning up nothing, though, and I didn't know what to do. I finally went to broadbandreports.com and managed to find a trojan scanner, which revealed quite a few suspect files on my system. The presence of 3 trojan files and a downloader started to explain why my Sygate firewall went from no activity to a port scan every 45 seconds about two weeks ago. The ports I was being blasted on belong to MyDoom, Novarg, and Dameware Remote Admin. The remote admin is enough to make my skin crawl, but the other two are bad as well. A coworker explained to me I must be phoning home some kind of way and letting people know I was there.
Enter Trend Micro. (http://housecall.antivirus.com) Since I highly suspected my Norton had been crippled and could not detect what was infecting me, I headed for this online virus scan, and within a minute I had deleted some kind of IRC reporter. Before I got home, I was being port scanned every 30 seconds. Immediately after I ran the online scan, I never saw another scan.
Luckily for me, a friend just bought a new router and let me have his old one. Now my router is handling all incoming traffic very nicely, while my NATed laptop is using Sygate to help trap outgoing. It's not invincible, but it is way more secure than just the software firewall.
If you are relying just on Norton, I strongly suggest you run Trend Micro's virus scan. I would love to say this is the first time it caught something Norton did not, but it is more like the fourth.
I do not trust my laptop anymore, though. Almost any expert I have met has said after you are hit with a virus, it is better to format and reinstall than to try to mop up. This is difficult for me, though, as I have a lot of documents I must keep and I don't want to part with my 3+ GB of MP3s. My response to the initial infection was to immediately purchase an external enclosure so I can put my new 120GB HD to work as a backup drive. I intend to perform the backup and possibly start the format Monday night when the enclosure arrives.
Now for the questions.
1. I would like to use a program in the future to create images of my HD. I have learned from earlier mistakes and my new drive will have 4 partitions: Windows, Programs, Swap, and Data. I will frequently make images of the Windows and Programs partitions so curing a virus or bad install will be less painful. However, for this initial backup I may not have that option. Can a program like DriveImage (from the Partition Magic company) let you access individual files within the image? For example, could I image my current C: drive and later pull only documents from it? This would ensure I wouldn't lose anything, as I could pull from the backup when I need it.
2. Can anyone point me to a site that has good information on how to configure a router to be as secure as possible? I'd rather take a *nix approach and start too tough and work my way back than start too weak and work my way up. I currently have a D-Link DI-614+ (the revision with two antennas, I think it is Revision A). I can get to the configuration page, but I'm not really sure how the firewall rules work.
This misfortune marks the last time I use Kazaa, as the two vectors both viruses spread by are email and Kazaa. I haven't opened an email attachment without triple verification from the sender in 2 years, so I doubt I got MyDoom or Novarg from the past. Be careful, guys. Norton isn't worth anything.