EXPLOIT-- what is this and what do I do - Page 2


Re: EXPLOIT-- what is this and what do I do


| running Kasp now


If Kaspersky and McAfee scanners find nothing that is good.

After that you can consider that the unknown exploit code did not take advantage of some vulnerability or the vulnerability that it targets was properly patched.

You should subsequently update your PC based upon the findings of the Secunia Software Inspector.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: EXPLOIT-- what is this and what do I do

David:

I still have problems, kind of, but perhaps I have a handle on matters?

I ran Kasp: It said:

Current object: c:\

         Sector Objects :      0              Known viruses :      1
                  Files : 288743               Virus bodies :      6
                Folders :   6049                Disinfected :      0
               Archives :   8123                    Deleted :      0
                 Packed :    296                   Warnings :      0
                                                 Suspicious :      2
    Scan speed (Kb/sec) :      0                  Corrupted :      0
              Scan time :  01:49:48              I/O Errors :      0
The two suspicious ones are:
c:\DOCUME~1\MELVIN~1\LOCALS~1\APPLIC~1\IDENTI~1\{DFF16~1\MICROS~1\OUTLOO~1\DELETE~1.DBX/[From
00:10:54 -0500]/html suspicion: Exploit.HTML.Iframe.FileDownload

c:\RECYCLER\S-1-5-~1\DC1273.BAK/[From "postmaster"
suspicion: Exploit.HTML.Iframe.FileDownload


I found the first file in my deleted files box (no attachment or anything).
The second one must be the same file (there appears to be a back-up, as the
extension indicates, in the RECYCLER folder???)

I'm not sure what action to take, if any. Should I delete the email from my
deleted folder? I assume it then goes to the recycler folder. Do I then
delete the DC1273.bak from the RECYCLER folder?


Or do I do nothing?

Now, the known virus is:

c:\DOCUME~1\MELVIN~1\LOCALS~1\APPLIC~1\IDENTI~1\{DFF16~1\MICROS~1\OUTLOO~1\DELETE~1.DBX/[From
17:45:07 -0500]/postcard.exe infected: Email-Worm.Win32.Luder.a.

This occurs 6 times, so I assume that's what is meant by the VIRUS BODIES
statistic above.

These are all postcard.exe attachments in emails I deleted. I am 99.99% sure
I never opened any of the attachments (I do NOT open attachments).

SO, where do I go from here? Do things look okay? Should I be deleting
anything?

Mel
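A small parser for the report format Mel pasted above, added here as an illustration and not part of the thread: it splits each detection line into the on-disk container (the DBX mailbox or the .BAK copy), the object inside it, and the verdict, groups verdicts by container so the file to act on is explicit, and checks the summary counters against the detection lines. The sample report is constructed, with sender and date fields replaced by placeholders.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the Kaspersky report quoted in the thread;
# sender/date fields are <placeholder>s and the profile path is shortened.
SAMPLE_REPORT = r"""
Current object: c:\
                  Files : 288743              Known viruses :      1
           Virus bodies :      2                 Suspicious :      2
c:\DOCUME~1\MEL~1\OUTLOO~1\DELETE~1.DBX/[From <placeholder1>]/html suspicion: Exploit.HTML.Iframe.FileDownload
c:\RECYCLER\S-1-5-~1\DC1273.BAK/[From "postmaster"]/html suspicion: Exploit.HTML.Iframe.FileDownload
c:\DOCUME~1\MEL~1\OUTLOO~1\DELETE~1.DBX/[From <placeholder2>]/postcard.exe infected: Email-Worm.Win32.Luder.a.
c:\DOCUME~1\MEL~1\OUTLOO~1\DELETE~1.DBX/[From <placeholder3>]/postcard.exe infected: Email-Worm.Win32.Luder.a.
"""
# Detection line: on-disk container, optional /inner/object path (a message in a
# DBX mailbox, an attachment in that message), verdict, detection name.
DETECTION = re.compile(
    r"^(?P<container>[A-Za-z]:\\[^/]+?)(?P<inner>/.*?)?"
    r"\s+(?P<verdict>infected|suspicion):\s+(?P<name>\S+)\s*$"
)
COUNTER = re.compile(r"([A-Za-z][A-Za-z /()]*?)\s*:\s+(\S+)")  # "Label : value" pairs

def parse_report(text):
    # Returns (summary counters, list of finding dicts).
    stats, findings = {}, []
    for line in text.splitlines():
        m = DETECTION.match(line)
        if m:
            d = m.groupdict()
            d["name"] = d["name"].rstrip(".")  # the report ends names with "."
            findings.append(d)
            continue
        for key, value in COUNTER.findall(line):
            stats[key.strip()] = int(value) if value.isdigit() else value
    return stats, findings

def by_container(findings):
    # Group verdicts by the file on disk, which is the unit the user can act on.
    groups = defaultdict(list)
    for f in findings:
        groups[f["container"]].append((f["verdict"], f["name"]))
    return dict(groups)

def reconcile(stats, findings):
    # Summary counters that disagree with the detection lines: {label: (reported, counted)}.
    infected = [f for f in findings if f["verdict"] == "infected"]
    counted = {"Virus bodies": len(infected),
               "Known viruses": len({f["name"] for f in infected}),
               "Suspicious": sum(f["verdict"] == "suspicion" for f in findings)}
    return {k: (stats.get(k), v) for k, v in counted.items() if stats.get(k) != v}
```

Run against the real report, `by_container` shows that both suspicious hits and all infected attachments live inside two container files, and `reconcile` flags a summary table whose counters do not match the lines listed under it.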



Re: EXPLOIT-- what is this and what do I do

David:

Update on the info below:

I see when that email arrived, on the bottom of the email it said:

Viruses found in the attached files.
The file fzooi.exe: Virus identified I-Worm/Swen.A. The attachment was moved
to the virus vault.

So, maybe the deletion of that file by AVG caused Kaspersky to also deem it
suspicious???

Mel





Re: EXPLOIT-- what is this and what do I do


| David:
|
| I still have problems, kind of, but perhaps I have a handle on matters?
|
| I ran Kasp: It said:
|
| Current object: c:\
|
|          Sector Objects :      0              Known viruses :      1
|                   Files : 288743               Virus bodies :      6
|                 Folders :   6049                Disinfected :      0
|                Archives :   8123                    Deleted :      0
|                  Packed :    296                   Warnings :      0
|                                                  Suspicious :      2
|     Scan speed (Kb/sec) :      0                  Corrupted :      0
|               Scan time :  01:49:48              I/O Errors :      0
| The two suspicious ones are:
|
| c:\DOCUME~1\MELVIN~1\LOCALS~1\APPLIC~1\IDENTI~1\{DFF16~1\MICROS~1\OUTLOO~1\DELETE~1.DBX/[F
| 00:10:54 -0500]/html suspicion: Exploit.HTML.Iframe.FileDownload
|
| c:\RECYCLER\S-1-5-~1\DC1273.BAK/[From "postmaster"
| suspicion: Exploit.HTML.Iframe.FileDownload
|
|
| I found the first file in my deleted files box (no attachment or anything).
| The second one must be the same file (there appears to be a back-up, as the
| extension indicates. in the RECYCLER folder???)
|
| I'm not sure what action to take, if any. Should I delete the email from my
| deleted folder. I assume it then goes to the recycler folder. Do I then
| delete the DC1273.bak from the RECYCLER folder?
|
| Or do I do nothing?
|
| Now, the known virus is:
|
|
| c:\DOCUME~1\MELVIN~1\LOCALS~1\APPLIC~1\IDENTI~1\{DFF16~1\MICROS~1\OUTLOO~1\DELETE~1.DBX/[F
| 17:45:07 -0500]/postcard.exe infected: Email-Worm.Win32.Luder.a.
|
| This occurs 6 times, so I assume that's what is meant by the VIRUS BODIES
| statistic above.
|
| These are all postcard.exe attachments in emails I deleted. I am 99.99% sure
| I never opened any of the attachments (I do NOT open attachments).
|
| SO, where do I go from here? Do things look okay? Should I be deleting
| anything?
|
| Mel


You received email with an IFrame Exploit.

You need to go into your email software (Outlook Express) and delete that email
message.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: EXPLOIT-- what is this and what do I do

David:

OK -- I can do the first email. I can delete that from the deleted files
folder.

But don't forget the copy that resides in:
c:\RECYCLER\S-1-5-~1\DC1273.BAK/[From "postmaster"

Now, that DC1273.BAK is a backup of my deleted files folder. Can I delete
that entire file too? Well, I can, but do you know if OE will recreate a new
backup of my deleted files folder? I hope so.

Mel






Re: EXPLOIT-- what is this and what do I do


| David:
|
| OK -- I can do the first email. I can delete that from the deleted files
| folder.
|
| But don't forget the copy that resides in:
| c:\RECYCLER\S-1-5-~1\DC1273.BAK/[From "postmaster"
| suspicion: Exploit.HTML.Iframe.FileDownload
|
| Now, that DC1273.BAK is a backup of my deleted files folder. Can I delete
| that entire file too? Well, I can, but do you know if OE will recreate a new
| backup of my deleted files folder? I hope so.
|
| Mel


That's the Trash Can.  Dump the Trash Can (Recycle Bin).

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: EXPLOIT-- what is this and what do I do

David:

Two other general questions:
1) I've learned that the Exploit is not a virus. But it is code that seeks a
vulnerability in some program/application. It then does something. When it
does whatever it does, am I correct that one of the AV programs should spot
it (I assume that's why we ran those programs?). So if the exploit did its
thing would there be a worm or virus? Or is it some other malware that the
AV program should pick up.

2) Do we even have an answer as to why the file that led to my original post
was 167K but 0K when I tried to upload it or send it?

Mel









Re: EXPLOIT-- what is this and what do I do


| David:
|
| Two other general questions:
| 1) I've learned that the Exploit is not a virus. But it is code that seeks a
| vulnerability in some program/application. It then does something. When it
| does whatever it does, am I correct that one of the AV programs should spot
| it (I assume that's why we ran those programs?). So if the exploit did its
| thing would there be a worm or virus? Or is it some other malware that the
| AV program should pick up.


It should if it is known, or heuristic scanning can if it looks malicious.


|
| 2) Do we even have an answer as to why the file that led to my original post
| was 167K but 0K when I tried to upload it or send it?
|
| Mel
|

None.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: EXPLOIT-- what is this and what do I do

Correction:

The RECYCLER folder does NOT normally contain a B/U of the deleted files
folder.

It is the recycle bin folder.

For some reason, that same email must have been there.

Anyway, I emptied the recycle bin and now the c:\RECYCLER is empty.

Mel




Re: EXPLOIT-- what is this and what do I do

Ah... I think I've figured out how such a B/U got in the recycle bin.

Every so often, when you close OE, it offers to compact folders. When I say
YES, part of the compacting process is to B/U each folder in OE, do the
compacting, and when successful it deletes the B/U file. For small folders,
the B/U might be done in memory only. But for large folders like my deleted
files folder (which I never empty), it saves the B/U somewhere and then
deletes it.

That's how it got in the recycle bin.

David -- thanks for your help.

I'm hoping this episode is OVER!!

Mel

