loblo

Windows 9x/Me Security Thread

114 posts in this topic

Timely topic as my system just got hit by a W32.Polipos.A virus which has infected about a hundred executables or so. :lol:

Out of curiosity - did you (or can you) take note of any changes to the time or date-stamps on any EXE files on your system? There are some reports that your file time or date will be changed to reflect when the virus infected the file.

Also, do you run a Gnutella client (ie Limewire or other)? That is one of the methods known to spread this virus (but I'm not sure how exactly the virus can be executed without the user's knowledge or direct intention).

You probably downloaded and ran a file that was already infected with Polipos.

I have so far cleaned it up to the point it doesn't seem to be spreading anymore, but it'll take me another day or two to do a full cleanup I guess, as I have got to reinstall a lot of commercial software packages as well as find on the net again quite a few freebies that also got infected. :wacko:

Most likely the files that were tampered with (infected) will be limited to your /program_files and /windows directories.


wsxedcrfv, AFAIK (but you'll tell me if I am wrong) a router won't block outgoing traffic so a decent firewall is still necessary IMHO in case one gets hit by an online browser/flash/java exploit downloading and executing code on one's machine.

While it is true that a NAT router only does in-bound fire-walling, any out-bound fire-walling that is in place on a computer will not prevent that computer from being exposed and infected by browser or user-downloaded malware. There is a lot of malware that knows how to disable or circumvent any software firewall you may have running.

I've asked here before if people could post their experiences with windows 98 and software firewalls and give examples of how the software firewall detected a bona-fide (real) instance of malware trying to make an external connection to the internet to download additional malware. I don't believe any such examples were ever posted.


I once got the W32.Funlove.4099 virus from a computer repair shop; it infected every single Windows executable (EXE, DLL, OCX, SCR etc.) on all the drives I had on the PC... The Norton 2005 DOS part saved my machine, and managed to clean every single file from the virus. That was in ~2005, and since then I have not had any virus outbreaks. I don't run any protection software, but I do scan my drives a couple of times a year at work, and so far I have not found anything.


Thanks, all. I didn't know of many of these programs and tips.

Some programs I use that haven't been mentioned yet:

Clam Sentinel 1.15 by member 'Aru'. Real time front end for ClamWin AV with additional configurable system monitor (heuristic). I'm running a portable pre-release version 1.16 which is expected to be released this month.

Multi Virus Cleaner 2011 (last version: v11.3.1 - March 29th, 2011) - scanner, updated every 1-2 months, installed.

SmartCOP Virus Scanner - updated frequently, portable, disposable, requires name and email for registration.

RootAlyzer - Portable rootkit scanner by Safer - also incorporated into Spybot Search & Destroy.

All programs are free for personal use and compatible with Win98/ME without KernelEx.


I doubt that real-time scanning by my anti-virus software would have protected me from the blazingly fast exe infector Tenga.a. Kaspersky AV a year ago was able to identify the malware output, the Tenga-infected .exe files. But apparently Kaspersky AV was not able to identify the original agents causing the infection, because I always scan my downloads.

Well, it is very possible that the original source of infection had been skillfully hexed so as to escape signature detection while still working (something which is much easier to achieve than writing new malware from scratch), but I think real-time protection would have blocked execution of the infected files which you run routinely every day and which were responsible for the bulk of your massive infection.


Out of curiosity - did you (or can you) take note of any changes to the time or date-stamps on any EXE files on your system? There are some reports that your file time or date will be changed to reflect when the virus infected the file.

Not sure if time stamps had been altered, I didn't check that, but I monitor a certain number of files/folders for changes at least once daily using Syslog and Md5Checker, so it hadn't been running for too long before I became aware there was a problem.

Also, do you run a Gnutella client (ie Limewire or other)? That is one of the methods known to spread this virus (but I'm not sure how exactly the virus can be executed without the user's knowledge or direct intention).

I run uTorrent and eMule from time to time but I don't download executables with them and they aren't Gnutella clients anyway AFAIK. Anyway those malware reports that are copy/pasted everywhere are usually a mixture of good info and rubbish IMO.

You probably downloaded and ran a file that was already infected with Polipos.

That's most probably what happened when I was sorting and running some of the massive number of programs I had downloaded from sites such as leetupload, vxchaos and so on some time ago.

Most likely the files that were tampered with (infected) will be limited to your /program_files and /windows directories.

Nope, I had files altered by it in various other directories, including some on other drives.
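An added example, not code from the thread or from Md5Checker: a small Python file-integrity baseline in the spirit of the daily hash-and-monitor routine loblo describes, which also flags the case raised earlier in the thread where an infected EXE keeps its old timestamp. The directory layout and file contents are constructed for the demo.

```python
# Added example (not from the thread): file-integrity baseline like the Md5Checker routine above.
import hashlib
import os
import tempfile

EXEC_EXTS = {".exe", ".dll", ".ocx", ".scr"}  # file types named in the thread

def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> {hash, mtime} for every executable under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = {
                    "hash": file_digest(full), "mtime": os.stat(full).st_mtime_ns}
    return baseline

def compare(old, new):
    """Pure comparison of two baselines; returns sorted lists of paths."""
    changed = sorted(p for p in old if p in new and old[p]["hash"] != new[p]["hash"])
    # Hash changed but mtime did not: the case a timestamp-only check misses.
    stealthy = [p for p in changed if old[p]["mtime"] == new[p]["mtime"]]
    return {"changed": changed, "stealthy": stealthy,
            "added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new))}

def demo():
    """Constructed scenario: baseline a folder, alter one EXE, restore its old mtime."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("app.exe", b"MZ" + b"A" * 100),
                           ("lib.dll", b"MZ" + b"B" * 100),
                           ("notes.txt", b"not an executable, ignored")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        before = build_baseline(root)
        target = os.path.join(root, "app.exe")
        st = os.stat(target)
        with open(target, "ab") as f:
            f.write(b"X" * 64)  # constructed change to the file body, not real code
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        return compare(before, build_baseline(root))
```

Run `demo()` to see that the altered EXE is reported under both "changed" and "stealthy" even though its timestamp is untouched, while the .txt file is ignored.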


There is a lot of malware that knows how to disable or circumvent any software firewall you may have running.

While this is true, I don't think it means firewalls are useless, as the majority of malware doesn't use firewall circumvention methods, and I selected Jetico as my firewall as it would appear most circumvention methods don't work with it (perhaps not as true today as it was some years ago, since I use version 1 which doesn't get updated anymore).

I've asked here before if people could post their experiences with windows 98 and software firewalls and give examples of how the software firewall detected a bona-fide (real) instance of malware trying to make an external connection to the internet to download additional malware.

Jetico blocked the Gozi trojan from accessing the network to fetch some other files when it was still a zero-day and went undetected by my then real-time antivirus. I then uploaded the file to Jotti for an online scan and it was deemed clean by all scanners. I was still using IE at the time and it ended up on my machine through a JavaScript/ActiveX exploit.

I don't believe any such examples were ever posted.

I posted about it under another nickname a few years ago.


No AV, no FireWall, not even Spybot S&D or similar.

No software to protect my computer at all!

It's been years since I stopped using them and I've never been infected. (It's still possible that a virus came and crashed instantly, but I don't think so.)

However, I disable many things that were designed by Microsoft to allow viruses to penetrate and propagate into a computer:

1/ ActiveX. With the help of Maxthon I disable this, but that can be done in K-Meleon or another Win9x compatible browser. The downside is that it disables YouTube and flv videos. So I re-activate it when I really want to watch a video in the YouTube format, and only on very well-known websites and only on the tab and for the session where I want to watch this video.

2/ Javascript. On dangerous or very dangerous websites (I do go to such websites sometimes) I completely disable Javascript. While I think that disabling ActiveX is safe enough, disabling Javascript is even better psychologically. I also disable Javascript to increase speed.

3/ E-mail HTML. In Outlook Express I read all my e-mail as plain text. No HTML for me in my inbox, even when the message is unreadable. People have to send me pure text if they want an answer.

4/ Windows Media Player. I don't use it because it has features to download and install stuff. This was exploited in the past on various platforms.

5/ Auto Insert Notification. That thing that pops up and runs the virus installed on a CD. Even when there is no virus it's so annoying that you want it disabled.

6/ Spam. My service provider is effective in filtering spam and I have edited good spam filtering rules over the years. And of course suspicious attachments are immediately deleted. But that goes without saying.

When spam is automatically deleted from the server it doesn't even touch your computer. That alone must stop a bunch of viruses IMO.

Probably I forgot other stuff... I don't consider myself safe given the way I use my computer, yet it's been ages since I have seen a virus here.


I tried using Eusing Free Registry Cleaner and all it did was delete a bunch of "un-used" file extensions like .zip, .bmp, .jpg and other important file associations.

So then I had to re-associate all those file extensions with the correct programs. Basically all Eusing did was screw up my computer.

The only registry cleaner I use is the one inside CCleaner.

I tried using Eusing Free Registry Cleaner and all it did was delete a bunch of "un-used" file extensions like .zip, .bmp, .jpg and other important file associations... Basically all Eusing did was screw up my computer.

I usually don't try out old little-known Win98 stuff without the recommendation of somebody of authority (like members of msfn.org :) ), unless I am searching for something very specific and after having done some research on my own. In any case, it's good to hear which old can of worms one should definitely not open.

My system is very well backed up, and an opsys restore to the exact state prior to the testing takes me about 10-20 minutes, so if something looks good, I may wind up trying it out.


Jetico blocked the gozi trojan from accessing the network for fetching some other files when it was still a zero-day and went undetected by my then real time antivirus.

According to this: http://www.secureworks.com/research/threats/gozi/ the exploit that was used to transfer gozi to your computer used a hidden iframe containing "JavaScript code using XMLHTTP and ADODB (ActiveX Data Objects) functions to download and run an EXE file which was hosted on the same server". This likely happened no earlier than December 2006, and more likely during the first half of 2007.

I think that for gozi to infect a system, the system must have the MS04-025 (Navigation Method Cross-Domain) vulnerability. This would have been patched as part of an IE 5.5 or IE6 cumulative update for various versions of Windows (including win-98 I believe). You would also have to be using IE for your browser and would have browsed to one of an estimated 2000 hijacked servers that were serving up the hidden iFrame containing the Javascript exploit code. And I'm really not convinced that the gozi infector or loader would have successfully launched itself and operated properly if it found itself on a win-9x system in the first place.

Would you by chance have been running a dual-boot win-98/XP system back during the first half of 2007?


As I've said, I got Gozi on my machine through an Internet Explorer JavaScript/ActiveX exploit and the details you copy/pasted about it are most certainly correct.

I got infected at the beginning of February 2007 I believe, and FWIW I also believe I was the first person in the world to post about it in forums. From what I was told by phone afterwards by a guy claiming to be an IT security journalist, who first contacted me about it by PM, the Gozi virus was already known to major security software companies, but none had published anything about it or had any signatures for it yet.

And no, I wasn't running a dual boot system, only Windows ME, and, as I have already said, even if you don't believe it for whatever reason, Jetico successfully blocked a first executable from downloading another one, which means it was actually running without crashing on my machine.

I also got infected by a rootkit once, it was nearly undetectable, invisible file, invisible process and invisible registry startup key. Yes there are rootkits for Win 9x as well... :w00t:

Edited by loblo

I tried using Eusing Free Registry Cleaner and all it did was delete a bunch of "un-used" file extensions like .zip, .bmp, .jpg and other important file associations.

So then I had to re-associate all those file extensions with the correct programs. Basically all Eusing did was screw up my computer.

The only registry cleaner I use is the one inside CCleaner.

All registry cleaners should be used with caution. CCleaner isn't foolproof either, as it listed registry entries that I know are in use. They should be used as a guide while manually cleaning the registry. Since it's really tedious to check every nook and cranny of the registry by hand often, I find that these can aid in that area. Always review what they've found first before allowing them to delete any entry, and always back up before committing the removal. I personally use Eusing Free Registry Cleaner as part of my registry cleaning toolkit, along with a few others (a second or third or fourth opinion is always nice), and it has been working fine for me.

One thing I never liked about registry cleaners is the way they often refer to the detected entries: "215 errors found"... issues/problems/etc. It should be more like "215 possible unused entries, remove only if you are sure of what you're doing." And beware of registry cleaners that detect an exorbitant number of entries, "2154 errors found." :rolleyes: Why not just flag the entire hive while you're at it?

And beware of registry cleaners that detect an exorbitant number of entries, "2154 errors found." :rolleyes:

I am not sure you really know what you are talking about... :rolleyes:
