WineBoard (http://wines.com/wineboard)
Thread: Virus Warning (/thread-15635.html)

- Wallace - 01-15-1999 08:22 PM

I just received this warning from my ISP.

Recently, it has come to our attention that a growing number of our customers' machines have become infected with the Back Orifice and NetBus Trojan Horse programs. These programs usually get on a computer when the user receives a file on IRC (Internet Relay Chat), through ICQ, in email attachments, or by downloading information/graphics/software from the Internet. Once on your system, these programs allow anyone on the Internet to connect to your computer and use it remotely. This means any time you connect to the Internet, others can make use of your computer to engage in potentially malicious activity. For example, your files can be modified or deleted, or your stored passwords can be stolen, giving the trespasser access to your Internet account as well as your computer. Once someone else can access your computer online, it can be used to engage in attacks on other computers on the Internet with the appearance that you are the culprit. Again, the best course of action is to be aware of the possibilities and then take steps to protect yourself.

There are different ways to approach the Back Orifice and NetBus infections, and we would like to recommend the following guidance to help you check your computer, remove any infection, and avoid any future compromises.

Back Orifice and NetBus currently only work on Windows machines. If you are using a Macintosh, a Unix or Linux machine, or other non-Microsoft operating system, you are currently safe from this particular threat. If you are on a Windows PC, these steps may help:

DETECTING AND REMOVING BACK ORIFICE AND NETBUS

A program called Back Orifice Eliminator will detect and remove any copies of the Back Orifice program on your machine. This program may be obtained from the web site

http://www.bardon.com/boelimdl.htm

NetBus may be detected and removed with the program NetBus Detective, which is available from the web site

http://csk.norberg.se/Detective/

Back Orifice Eliminator and NetBus Detective are free software.

Additional information on both Back Orifice and NetBus, including instructions for removing these programs by hand, may be found at

http://www.nwi.net/~pchelp/bo/bo.html

This site also has another Back Orifice detection and removal program called BODetect, which is free for non-commercial use.

No matter which removal method you've used, after you have removed Back Orifice or NetBus from an infected machine, you should immediately change your Internet account password. Please see below for instructions on how to do that.

You should also change any other passwords stored on your machine, such as passwords for accessing work, other mail accounts, or even web sites which you use passwords to access.

PREVENTING FILES FROM BEING PUT ON YOUR MACHINE WITH ICQ

When engaged in Internet Chat with the ICQ program, a design flaw in that program can allow people sending a file to your machine to make it appear that they are sending you a file of one type (say, a JPEG image), when in fact they are actually sending you an executable program. If you click the button to open the file when the transfer completes, you may end up executing a program that contains Back Orifice or NetBus. It is recommended that you use anti-virus software to scan programs you receive with ICQ before opening and executing them.

PREVENTING FILES FROM BEING PUT ON YOUR MACHINE WITH mIRC

The default configuration of some versions of the mIRC client program for Internet Relay Chat will automatically accept files sent to you from anyone. To check this, go into mIRC, go to the "DCC" menu, and select "Options." Under the "Send" tab, make sure that your setting for "On send request" is either "Show get dialog" or "Ignore all." If it is set to "Auto get file," then you are vulnerable to having files put onto your computer without your being aware of them. The "Show get dialog" will prompt you to accept or reject any files being sent to you, and "Ignore all" will cause all attempts to send you files via IRC's DCC to be ignored. Please note that even with "Show get dialog" it is possible for a malicious user to send you a file that appears to be something innocuous (say, a JPEG image) when it is actually an executable program, similar to the problem with ICQ.

BE CAUTIOUS ABOUT EMAIL ATTACHMENTS AND DOWNLOADS

Back Orifice and NetBus can also be sent as email attachments or downloaded as software. They can be attached to other programs so that it appears that you have downloaded and executed a normal program, but in the process Back Orifice or NetBus has quietly installed itself. For example, a simple game called "Whack-a-Mole" (filename "game.exe") is being used to distribute NetBus.

To prevent infections from email attachments and downloads, use anti-virus software to scan any programs you download or receive in email before running them. The current versions of Norton Anti-Virus and F-Prot Anti-Virus both detect Back Orifice. Make sure that you keep your virus software up-to-date.

Always be wary of software offered to you by people you don't know, either via email or via some other mechanism such as ICQ or mIRC.

USE OF FIREWALL SOFTWARE CAN PROTECT YOUR MACHINE

Even if your computer is infected with Back Orifice or NetBus, you can prevent connections to your machine by using a program such as the Conseal PC Firewall (http://www.signal9.com/) or NukeNabber (http://dynamsol.ulink.net/). These programs also notify you when someone attempts to make an unauthorized connection to your computer so that you can notify their Internet provider to help prevent further abuse. Please note that some expertise may be required to configure these programs correctly, and we cannot offer technical support for them.

CHANGE YOUR PASSWORD

If you even suspect that your computer may have been infected with Back Orifice or NetBus, we recommend changing your password immediately. It is generally a good idea to change your password every 3-4 months in any case.
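The type-spoofing trick described in the ICQ and mIRC sections of the warning (a file presented as a JPEG that is really a program) can be caught on the receiving side by comparing a file's first bytes with the type its name claims. The Python below is an added example, not part of the original post or of the ISP's warning; the signature table and the sample transfers are constructed for this example.

```python
# Magic-byte signatures for the file types a chat client might claim to be
# sending. Constructed table for this example; these are the standard,
# well-documented headers for each format.
SIGNATURES = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
}
PE_MAGIC = b"MZ"  # every DOS/Windows executable begins with "MZ"

def claimed_extension(filename):
    """Lower-cased final extension the name advertises, e.g. 'pic.JPG' -> '.jpg'."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""

def inspect_transfer(filename, data):
    """Classify a received file by comparing its content with its claimed type.

    Returns (verdict, reason). Verdicts:
      'disguised_executable' - bytes are a Windows program, name says otherwise
      'executable'           - honestly named .exe (still needs a virus scan)
      'mismatch'             - claimed image type, but header does not fit
      'unknown'              - no signature on file for this extension
      'ok'                   - content header matches the claimed type
    """
    ext = claimed_extension(filename)
    if data.startswith(PE_MAGIC):
        if ext == ".exe":
            return "executable", f"{filename!r} is a Windows program"
        return "disguised_executable", f"{filename!r} claims {ext or 'no type'} but starts with MZ"
    expected = SIGNATURES.get(ext)
    if expected is None:
        return "unknown", f"no signature known for {ext or 'no extension'}"
    if not any(data.startswith(sig) for sig in expected):
        return "mismatch", f"{filename!r} does not begin with a valid {ext} header"
    return "ok", f"{filename!r} content matches its {ext} header"

# Constructed samples standing in for files received over ICQ or IRC DCC.
SAMPLE_TRANSFERS = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # genuine JPEG start
    "funny.gif":   b"MZ\x90\x00" + b"\x00" * 12,         # PE disguised as GIF
    "game.exe":    b"MZ\x90\x00" + b"\x00" * 12,         # honestly named program
    "photo.png":   b"not really a png at all",           # wrong header, not PE
}

def screen_all(transfers=SAMPLE_TRANSFERS):
    """Verdict per filename; the test below asserts on this mapping."""
    return {name: inspect_transfer(name, data)[0] for name, data in transfers.items()}

if __name__ == "__main__":
    for name, data in SAMPLE_TRANSFERS.items():
        verdict, reason = inspect_transfer(name, data)
        print(f"{verdict:>20}  {reason}")
```

A check like this only catches a mislabelled executable; a genuine program that carries NetBus inside it, like the "Whack-a-Mole" game the warning mentions, looks like an honestly named .exe and still needs the anti-virus scan the warning recommends.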