
Virus Trojan attacks from where?

Vitnir (Muse, joined May 16, 2002, 665 messages):
For a few months now I have had two computers at home getting infected with
a virus named Backdoor.ranky, but I can't understand how the virus gets into
the computer. I don't have email programs on it, I use webmail, and I haven't
got any strange emails with attachments anyway. I don't visit websites where
I'm asked to download spyware or anything like that. I have installed all
updates that Windows Update has advised me to install (Windows 2000). And yet
Norton Antivirus will find new infections every now and then. Symantec
doesn't have any useful information on how to prevent infection, I think; it just
says the trojan sets up a proxy server and tells me how to get rid of it.

What is the purpose of setting up a proxy server?
How is the infection done?

I use broadband and stay online for long periods. I don't have a firewall,
since the one I tried didn't work very well; every now and then it would go
haywire and lock down everything. It was a Norton firewall 2000, I think. On
one of the computers I tried adding a password and increasing the
security settings on the browser to maximum. Does that do anything?
 
I don't know about this particular one, but it is possible it is a port-scanning type (it looks for open communication ports and enters through open ports). I suggest checking Symantec's Security Site. It will scan your computer and let you know what ports are open, and a few ways to close them. Unfortunately, the most likely infection port is your internet port (8080 I think), and the best way to protect from infection through that port is a firewall. I have been using Norton Firewall 2002 with no problem (though it is a bit annoying at times). Also, ZoneAlarm from ZoneLabs is supposed to be pretty good.

--Edit - Just did a search... it is a port-scanning trojan horse, but it goes through port 41934. The Symantec Security Site would probably be all you need for this one.

--Edit again: There are different versions that attack different ports, but they seem like ports you can probably shut down.
 
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ranky.c.html

If you're plugging your computers directly into a DSL or cable modem without any type of firewall to isolate you, then that's almost certainly the source of your infections. You're probably getting infected by variants of the original Ranky, which is why they pop up every now and then.

Get a hardware firewall. A cheapo Linksys or D-Link can be had for as little as $50 these days.
 
I haven't listened to it in years. I might have to break down and buy it on cd.
 
Alright, I have instructed my Netgear router to block the ports used by Backdoor.ranky and its variants. I'll see if that helps.
 
Ah, you have a router, sorry I didn't realize that. You should be protected from anyone scanning for backdoor ports then.

I do remember seeing a system at work that got infected (can't remember by what) by something that overwrote a system file. Windows File Protection backed up the infected file and then would try to restore it; Symantec would quarantine the file, Windows would restore it, Symantec would quarantine the file, etc. But if I remember correctly this would happen a few dozen times a minute, and the system slowed to a crawl.

Your best bet is to follow Symantec's removal instructions:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ranky.f.html

Good luck.
 
Yes, I have been living with the (false?) impression that the router would be a firewall too, but I had not upgraded any BIOS in it or made any settings to it until now, other than port forwarding for games.
 
There's not enough information to offer much help.

Get Ad-Aware and run it. Then write down the name of the trojan it finds, and post it.

It might be that you got zapped by one of the latest CoolWebSearch trojans. Nasty bugger. Or it might be something completely different.
 
Your router should be shielding your PC's raw ports from the Internet, so scanning/tunneling isn't the issue. I agree, you likely have some spyware running. AdAware and Spybot Search & Destroy, for starters. If you run those and clean up what they tell you to, you should be good to go. If not, you may have CWS (poor guy!). Run Hijack This! and post the results over at spywareinfo.com.
 
Also, websites can and will run applications on your PC without ever asking you. The most common symptom of this is having your homepage changed.

--Dan
 
OK, I don't remember if I have run Ad-Aware recently, but I know what spyware is and I don't let it install. If websites can run things without approval then it starts to get scary. Will have to check when I get back home.
 
Yes Vitnir: spyware CAN install without your permission. Coolwebsearch hijacks your browser by using a flaw in the M$ Virtual Machine (for java).

All you do is go to an infected page (beware of anything on www.fortunecities.com), and voilà: next time you reboot your computer (and every time after that), your page has been hijacked.

But since you haven't listed any symptoms, not much I can offer diagnosis wise.
 
Well, there were symptoms on one of the computers, which had about 300 infected files when I discovered it. The problem was frequent crashes of games and programs. I thought I should give it a virus check, because you never know. For the record, I have been online for 10 years and never had a virus infection before; part of it is luck, I guess, plus I don't have stupid friends sending me viruses all the time. The few viruses I have seen have been stopped by antivirus programs. I don't open attachments from emails, and right now I use webmail partly because I don't want the new scripting viruses that use Outlook's vulnerabilities. I have had a router for a year and felt a bit secure, since it was said to have a hardware firewall, which is partly why I feel a bit shocked at being had.

I just ran Ad-Aware from Lavasoft; it didn't find anything exciting, I think, some tracking cookies, but I'm too scared of cookies, should I be? Spybot Search & Destroy found some security holes for which there apparently is no patch, so not much to do there.

The trojan I had most trouble with is Backdoor.ranky, which is not said to do anything in particular; it sets up a proxy server, it says. Don't know exactly what that means. Can the hacker use my computer for something?
 
From Symantec's security website (description for Ranky.C):

When Backdoor.Ranky.C is executed, it does the following:

1. Opens TCP port 41934, so that it can receive commands from remote hackers. It runs as a proxy server on a compromised machine.

So basically, it runs as a proxy server, and grants the hackers control (doesn't specify how much) of your machine. I imagine they can at least browse files and look for personal information that may be on your computer. All the variants pose the same danger.
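The two posts above (the port-scanning discussion and the Symantec description of Backdoor.Ranky.C opening TCP port 41934 to take commands) describe a backdoor that is visible on the host as a listening socket. The following is an added example, not code from this thread or from Symantec: a small Python checker that parses `netstat -ano`-style output and flags any process listening on a watched port. The sample output is constructed for the example, the watch list holds only the one port named on the page (41934), and the process ID 1612 is invented; on a real machine you would feed it the actual netstat output and extend the watch list with the ports of the other variants.

```python
"""Flag processes listening on ports associated with a proxy backdoor.

Defensive check: a proxy backdoor must accept inbound connections, so it shows up
as a LISTENING socket on its control port.  Outbound connections that merely
happen to use that port number on the remote side are not flagged.
"""

# Port named on the page for Backdoor.Ranky.C.  Other variants use other ports
# (not listed on the page), so callers can pass their own watch set.
RANKY_PORTS = {41934}

# Constructed sample in the shape of Windows `netstat -ano` output (not a real capture).
# PID 1612 is invented for the example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       780
  TCP    0.0.0.0:41934          0.0.0.0:0              LISTENING       1612
  TCP    192.168.1.5:1045       10.0.0.9:41934         ESTABLISHED     1612
  TCP    192.168.1.5:3210       203.0.113.7:80         ESTABLISHED     912
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_netstat(text):
    """Parse netstat -ano output into a list of socket dicts.

    Header and blank lines are skipped.  UDP rows have no State column, so the
    state is taken only when five fields are present; the PID is always last.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) == 5 else ""
        pid = int(parts[-1])
        # rpartition keeps IPv6 literals such as [::]:135 intact.
        ip, _, port = local.rpartition(":")
        rows.append({"proto": proto, "ip": ip, "port": int(port),
                     "foreign": foreign, "state": state, "pid": pid})
    return rows


def find_backdoor_listeners(text, watch_ports=RANKY_PORTS):
    """Return the sockets that are LISTENING on a watched port."""
    return [r for r in parse_netstat(text)
            if r["port"] in watch_ports and r["state"] == "LISTENING"]


def pids_to_investigate(text, watch_ports=RANKY_PORTS):
    """Sorted, de-duplicated PIDs owning a flagged listener (look these up in Task Manager)."""
    return sorted({r["pid"] for r in find_backdoor_listeners(text, watch_ports)})


if __name__ == "__main__":
    for hit in find_backdoor_listeners(SAMPLE_NETSTAT):
        print(f"{hit['proto']} {hit['ip']}:{hit['port']} LISTENING, PID {hit['pid']}")
    print("PIDs to investigate:", pids_to_investigate(SAMPLE_NETSTAT))
```

The ESTABLISHED row with 41934 as the remote port is included on purpose: it is an outbound connection from a high local port and is not evidence of a listener on this host, so the checker ignores it. A router that drops unsolicited inbound traffic, as the earlier replies recommend, stops remote commands from reaching such a listener, but it does not remove the process; the listener itself is what the removal steps have to deal with.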
 
Just curious Vitnir,

When Symantec alerts you to an infection, where does it say the infected file is located?

Symantec should also attempt to quarantine it. Is that happening, or is it giving you an "access denied" error?

If you look in the "Histories" portion of the Symantec console you can find all the actions that Symantec has taken for the last few months.
 
Last night was really fun for me.

I decided that I had to know the lyrics to Smashing Pumpkins "1979", and typed those three words into yahoo, along with 'lyrics'.

Lo and behold, a lot of websites. I visited the first 3, and neato-keen: I get what looks to be an actual M$ window (not an ie popup that looks like one) saying "Your computer is running with not enough security. Click yes to upgrade your security. Yes No"

So, I click no. And guess what? I get this!: "Do you really not want to upgrade your security? Yes No" WTF? How do you answer that and NOT get something installed? So I go to task manager and kill the offending window.

Guess what got installed anyway? EIGHT different pieces of malware! I spent over an hour last night combing through with Ad-Aware, HijackThis, and even hacking my REGISTRY, in order to kill "Virtual Bouncer", v2x.betterinternet, and a host of other crap I've never heard of before.

According to one website, "Virtual Bouncer" installs without permission, and you have to give the company that made it a credit card number to get it off your machine! Thus its other label: extortion-ware.

I'm going to have to check out firefox...
 
Uh_Clem said:
I haven't listened to it in years. I might have to break down and buy it on cd.

What's worse, you can even get "Congress of Wonders" on CD, let alone the good guys :)

Terrifying, truly terrifying.
 
Uh_Clem said:
Just curious Vitnir,

When Symantec alerts you to an infection, where does it say the infected file is located?

Symantec should also attempt to quarantine it. Is that happening, or is it giving you an "access denied" error?

If you look in the "Histories" portion of the Symantec console you can find all the actions that Symantec has taken for the last few months.

Several of the infected files were located in the Temporary Internet Files folder of IE. That's why I thought increasing the security settings would be the trick.

I had a lot of "delete failed", "restarting and deleting manually", "quarantine failed", "repair failed" and whatever. Restarting in safe mode and deleting infected files manually had to be done in several cases. Some of the other viruses were located in the system32 folder.

The last infection Norton found by itself at Windows startup; restart in safe mode + full scan = quarantine, and all is good except that nagging feeling, since I do all my banking through the internet.
 
I run SpywareBlaster & SpywareGuard from Wilder Security. Both are freeware (they ask for donations), and both work extremely well. SpywareBlaster kill-bits the ActiveX controls in the registry, and SpywareGuard is real-time protection.

I have had exactly zero browser hijacks, etc., since installing them.

Another freeware one that other people say is good is HijackThis.

There is always the chance that something will slip through between updates, so I still run Adaware every once in a while.

Hopefully that will help with your problem :)
 