[thelist] Virus/Trojan what next...

David Wagner dave at worlddomination.net
Wed May 1 00:08:00 CDT 2002


Liam Delahunty wrote:
> Despite running Inoculate it on this work computer and updating the virus
> records daily I just ran a scan and discovered:

"Trojan" usually indicates that the program was quietly installed along
with something else (although the definition has been stretched
somewhat). SubSeven is one of the most common of these nasty little
bugs, and has many variants.

More information and removal instructions can be found at one of the
following sites.

http://www.hackfix.org/subseven/
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.subseven.22.a.html

If SubSeven got installed on your machine, and InoculateIT didn't catch
it, then there's something wrong with the program. It should have some
sort of real-time scanner component that watches *all* activity on the
system as it happens. Good AV software will ring all sorts of alarm
bells when a Trojan is being installed. Either InoculateIT doesn't work
that way, or it's broken.

> Anyway, this is a Back Orifice type trojan. I do run Zone Alarm and reject
> all requests to access the internet by programmes and stop outside computers
> getting in. So, what action do I take next, am I safe from snooping because
> of the firewall? Or do I have to change things like my password-safe key,
> and do I need to change my PGP private keys?

If ZoneAlarm wasn't lighting up and screaming at you, then it's quite
possible that SubSeven got past it somehow. SubSeven.22.a, in
particular, takes some initiative in grabbing things that it shouldn't
grab and sending them elsewhere. Firewalls are only as secure as their
rules, and it's not hard to accidentally create a rule that allows bad
stuff to go on behind your back.

For example, a basic firewall app won't block a mass-mailer virus. Why?
Because the virus uses a standard port for transmitting email, and the
firewall doesn't recognize that there's anything wrong. Now, if you have
a firewall that actually recognizes different programs on your computer,
then it should catch the difference between Sircam emailing itself to
all your friends and Outlook sending the email you just wrote. Look for
this level of functionality in a firewall, or it won't do you much good.

Once you find something like SubSeven on a machine, I recommend the
take-no-chances approach: assume that all of your information is
compromised, and take the necessary steps. This is why I don't keep
banking information on my computer, for example; I don't mind changing
passwords, but I'd rather not cancel my credit cards if I can avoid it.

Good luck!

--

David Wagner
dave at worlddomination.net
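The distinction drawn above between a port-based personal firewall and one that recognises which program opened the connection, as an added example that is not part of the original post or of any firewall product mentioned. It models first-match outbound rules in Python; the process names (outlook.exe, sircam.exe), ports and rule sets are constructed for illustration, and a real firewall matches on far more (binary hash, parent process, signer) than this toy does. It also includes a small audit that flags "allow" rules with no process constraint, which is the kind of over-broad rule the post warns is easy to create by accident.

```python
"""Port-only vs. application-aware outbound firewall policy (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Connection:
    """An outbound connection attempt as the firewall sees it."""
    process: str      # executable that opened the socket
    dest_port: int    # remote port, e.g. 25 for SMTP


@dataclass(frozen=True)
class Rule:
    """One firewall rule. A field of None means 'match anything'."""
    action: str                      # "allow" or "deny"
    dest_port: Optional[int] = None
    process: Optional[str] = None    # None = any program may use this rule

    def matches(self, conn: Connection) -> bool:
        port_ok = self.dest_port is None or self.dest_port == conn.dest_port
        proc_ok = self.process is None or self.process.lower() == conn.process.lower()
        return port_ok and proc_ok


def evaluate(rules: List[Rule], conn: Connection, default: str = "deny") -> str:
    """First matching rule wins; with no match, fall back to the default action."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return default


def find_overbroad(rules: List[Rule]) -> List[Rule]:
    """Audit: 'allow' rules that do not care which program is talking.

    These are the rules that let a mass-mailer use port 25 exactly as the
    mail client would, because the firewall only ever looked at the port.
    """
    return [r for r in rules if r.action == "allow" and r.process is None]


# Constructed rule sets. The port-only set is what a basic packet filter gives you;
# the application-aware set ties each port to the one program expected to use it.
PORT_ONLY_RULES = [
    Rule("allow", dest_port=25),
    Rule("allow", dest_port=110),
    Rule("allow", dest_port=80),
]

APP_AWARE_RULES = [
    Rule("allow", dest_port=25, process="outlook.exe"),
    Rule("allow", dest_port=110, process="outlook.exe"),
    Rule("allow", dest_port=80, process="iexplore.exe"),
]


def decide_both(conn: Connection) -> dict:
    """Return each policy's verdict for the same connection attempt."""
    return {
        "port_only": evaluate(PORT_ONLY_RULES, conn),
        "app_aware": evaluate(APP_AWARE_RULES, conn),
    }


if __name__ == "__main__":
    # Constructed attempts: the mail client sending mail, and a worm doing the same.
    for conn in (Connection("outlook.exe", 25), Connection("sircam.exe", 25)):
        print(conn, decide_both(conn))
    print("over-broad allow rules in port-only set:", find_overbroad(PORT_ONLY_RULES))
    print("over-broad allow rules in app-aware set:", find_overbroad(APP_AWARE_RULES))
```

Run as a script it prints that the port-only policy allows both programs on port 25 while the application-aware policy allows only the mail client, and that all three port-only rules are flagged as over-broad. The same audit applied to an exported real rule set is a cheap first check when you suspect a rule was added in a hurry.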