Need help with virus

Discussion in 'Networking and Security' started by Babak, May 10, 2002.

  1. Babak


    I was wondering if anyone who is a virus pro could help me out. My computer has been infected with BKDR_IRCFLOOD.E and JS_EXCEPTION.E.

    I've looked these up but can only find variations in the virus encyclopedia (www.trendmicro.com) and therefore I'm not sure how to proceed. I've found JS_EXCEPTION.A/D/C and BKDR_IRCFLOOD.GEN and BKDR_IRCFLOOD.

    I'm using PC-Cillin and so far it's got them quarantined because it can't clean them. I don't want to erase them just in case this could cause more damage. Thanks for any help.
     
  2. 3 trojans!
    Try Norton antivirus.
    Usually have the best luck with it vs. any others myself.

    Backdoor.IRC.Flood is a backdoor Trojan. It installs an mIRC client that has backdoor capabilities; this gives the hacker unlimited access to the computer.

    Also Known As: Backdoor.IRC.Flood.i, Backdoor.IRC.Flood.f
    Type: Trojan Horse
    Infection Length: multiple files

    Look in the Symantec database for more info:
    http://securityresponse.symantec.com/avcenter/vinfodb.html/

    Cut the names down to "irc.flood" if the full name doesn't return in the search.

    Good luck.
     
  3. Call me paranoid, but knowing I had a backdoor on my trading box, I'd be doing a ton of PW changes by phone myself.
    See other thread.
     
  4. It's a bit too late to advise you on virus protection, so I won't. As far as where you're at now, if I were in your shoes (and I have been) I would clean the machine; there is no other way to be really safe. That means formatting your drive after saving whatever indispensable documents or setup files can be salvaged. Then reinstall everything, starting with the OS. Pain in the butt, and time consuming; but it has to be done.

    Now here's how to make your life much simpler the next time (and you can be assured that there is a great probability of a next time).

    1) You get yourself a copy of Ghost or PowerQuest DriveImage for $40 or so. These are "imaging" programs. They work with DOS and make an image of your drive. It's not the same as a backup. Think of a backup as making photocopies of each file in a drawer. Think of an image as a photograph, or a mirror image of the same drawer. It's not just the files, but the entire partition and its structure that gets "imaged".
    2) You partition your drive into at least 2 drives (C and D).
    3) Install Ghost or PQDI from the CD (it goes onto drive D and the drive should be formatted as FAT32; make sure that you've got as much space as you have on the C: drive, although the image can be compressed to different levels chosen by you).
    4) After you have reinstalled your system and all your programs on drive C:, tested everything, and you are happy with your setup, write an image of your C: drive with one of the two programs above (I recommend PQDI, easier to use and much easier to learn). An image typically takes 10-15 minutes to be written to the drive.
    5) You do step 4) by booting up to D: drive with a DOS floppy (any DOS system floppy or the one that comes with Win98 will do fine) and then you run the imaging software to "write" the image.

    OK, now your machine gets infected.
    1) Boot to D: drive with your DOS floppy.
    2) "Restore" your image with the imaging software.
    3) The existing C partition is deleted and your entire partition is restored as an exact "image" of what it was on the day you "wrote" the image to your D drive; so you know for sure that it's clean: no ifs and buts. Everything's there. Just restore the additional working files that you may have backed up separately with Windows Backup as a normal precaution (new documents, updated data files, etc.).
    Total cost in time: probably half an hour.
    4) And Bob's your uncle...

    Note: update your image regularly (by rewriting it), but before doing so you need to be 100% sure that the drive to be imaged is clean. Incidentally, one of the problems with virus software is that it can slow down your machine to a crawl if you set it up to check all incoming and outgoing files.

    One thing that every Win user should do regularly is to access the Windows Update web site and install the current security patches. You're running Win2000 or XP Pro right? If you don't, you should.

    http://v4.windowsupdate.microsoft.com/en/default.asp

    The imaging stuff is easier to do than it is to explain, but it's a breeze. I would not bother if more people knew about this, but obviously they don't. Or their eyes glaze over when I explain it. I use the stuff both at home and at work routinely, so you can take my word for it. Next time some script kiddie ruins your machine, you'll be up and trading half an hour later and you can thank Elvis the Pelvis :D

    Elvis
     
  5. Babak


    I'm not that worried about the backdoor capabilities because I've got ZA watching my ass, they are quarantined and I've un-installed IRC completely. Maybe I'm being naive! But looks like I'll be busy this weekend :D

    Thanks everyone. I appreciate the effort and help you have provided. Have a great mother's day weekend!