
Help with virus ..


surrealchereal
09-17-2001, 03:33 PM
I have a SubSeven virus corralled by Norton.. (in quarantine)
But as usual Norton can't get rid of the little pest. I'm sure The Cleaner can, but it can't find it; that's because of Norton, right?
So do I have to unquarantine the stinker to let my little cow stampede the daylights out of it? :D thanks

socalgal
09-17-2001, 03:35 PM
What's the exact name of the subseven as listed by Norton and which version of NAV are you running?

surrealchereal
09-17-2001, 03:41 PM
backdoor.subseven.22 a

surrealchereal
09-17-2001, 03:41 PM
aieeehh hands of lead,, double triple post

surrealchereal
09-17-2001, 03:42 PM
backdoor.subseven.22 a

oops, Norton 2000 7.07.

socalgal
09-17-2001, 03:48 PM
Ok

Did you follow EXACTLY the instructions at:

http://www.symantec.com/avcenter/venc/data/backdoor.subseven.22.a.html

I'd suggest that you read and follow the instructions carefully and then get offline (if broadband, pull the NIC or shut down your modem) and change all your passwords and check and save any logs that may indicate any compromise.

Make sure you run another updated scan before you go back online to change the passwords you need to be online for in order to change.

And then go to www.grc.com and run ShieldsUp to make sure you don't have 139 or another port open. Best is all green (stealth) on all the common ports. There are more in-depth scan sites I can give you, but take care of the basics first.

List of SubSeven trojan ports (http://www.glocksoft.com/trojan_port.htm). Could be more / others.

You have ZoneAlarm running? Make sure you check any outgoing attempts... reset all to ? if necessary or unsure.


Good luck (edited for additions)

surrealchereal
09-17-2001, 04:23 PM
Norton sez to:
1. Click Start, and then click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to and select the following subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\ENC

CAUTION: Make sure that you navigate all the way to the \Enc subkey.

4. Press Delete and then click Yes to confirm.
5. Close the Registry Editor.


I can't find HKEY_LOCAL_MACHINE\Software\Microsoft\ENC
in my registry. I don't think (pretty dang sure) I ever opened the little stinker. (I should get 50 extra points for language control:))

socalgal
09-17-2001, 04:28 PM
Here's more info


http://www.sans.org/infosecFAQ/malicious/subseven_22.htm

socalgal
09-17-2001, 04:35 PM
I'd say since NAV got it quarantined it didn't get the chance to infiltrate the registry.

I'd do the removal, an updated scan to make sure it's not still present, change your passwords, then check the registry again to make sure it's still not there.

After all that, and checking in with ZA, after getting back online I'd also (Win9x) Run | command: netstat -an (W2K: Run | cmd) to see which ports are "listening" or "established", and check those ports against the trojan port list from time to time - just to be sure ;)

surrealchereal
09-17-2001, 04:54 PM
hmmm now what do I type after that so the DOS screen doesn't fly by and disappear?? :confused:

Mr.Goodbytes
09-17-2001, 04:58 PM
Do you want the right answer, or just any answer? ;)

socalgal
09-17-2001, 04:59 PM
Win9x, go to Run; type: command

type at the C:\> prompt: netstat -an

including the space

for W2K, go to Run; type: cmd

then the same netstat -an command as above

surrealchereal
09-17-2001, 05:40 PM
Mr. goodbites(sic);),, I saw you replied and was almost afraid to look :p

Socal, that's what I did and a black screen flashed and disappeared so fast only my superhuman sight caught it for just a moment (less than a second).. :(

justy
09-17-2001, 06:55 PM
Open an MS-DOS box via Start / Programs / MS-DOS Prompt.

Then type what socal told you.

It should remain on screen then.

Justy.

socalgal
09-17-2001, 08:27 PM
Well, did ya get it out? :)

outlaw_revolver
09-17-2001, 08:40 PM
Every virus I have had left my systems with a clean formatting of my hard drive. Try it. Anti-virus things never work for me.

surrealchereal
09-17-2001, 09:18 PM
Hey chief! Yep, I did that, but I didn't know it was in the Windows directory. Then I ran it and only have about 8 TCP things listening :( but no foreign addresses :) But what is a UDP?
And what does the status of *|* mean?

oh and from ShieldsUp: Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.


But I know port 139 was open this AM, I just happened to run a security check on it, and the virus I found that I thought caused it is supposed to be in the registry, but I can't find any reference to it.
Is it possible that when I beefed up my firewall I blocked it, but it's waiting to catch me with my pants down? :p

Please excuse my typos; the doc has strapped my arms to palms in wrist splints,, :( it hurts

surrealchereal
09-17-2001, 09:43 PM
Outlaw, thanks for the advice, but what the heck, if one is going to format, why not go down in flames first? I plan to give it a good run first. I have not had to reformat my hard drive because of that before. (:D may be the only reason!)

socalgal
09-17-2001, 09:50 PM
hmmm. Well, if you went to GRC and are stealth, and you're running ZoneAlarm and checking your outgoing connections (ALL of them; go into it and check carefully what you have allowed - many times viruses use names very similar to authentic filenames), and if you've run another updated AV scan (set your depth levels to 4 or 5 and use high heuristics - look at your options) and you don't have the registry entry, I'd say you're ok...

Not sure I understand what you mean about the Windows dir, but were you online when you ran that netstat? That's when you want to check for open ports. You would be concerned about a suspicious port on the foreign address; the port is the number after the IP and the colon:

xxx.xxx.xxx.xxx:XXXX
where xxx... is the IP Number
and XXXX = Port Number

But were you online when you ran it? Doesn't sound like it, or you'd have at least one "established" foreign address. Remember, you need ports established to connect to Internet and stuff. It's the known 'trojan' ports that you should look out for.

If you don't understand all that, don't worry about it. Let ZoneAlarm do the work for you! It will report which app and which port :)

smokin1
09-17-2001, 10:04 PM
From what you are saying, it's probable that the .exe was not run. I have had several incidents of SubSeven being detected by Norton on the kids' computers. I have mail scan set, as it sounds you may. If the definitions are up to date, it catches it right away..BEFORE..it does any harm. Just delete your quarantined file. Do one last deep scan, keep an eye on what ZoneAlarm is letting out..and don't worry about it
;)

surrealchereal
09-17-2001, 10:37 PM
Check your PM....

Socalgal

TOAD6147
09-17-2001, 10:56 PM
surrealchereal,
I see you found some life for your little alien bug. How did you wind up doing it? Shame on you for getting a virus, Sweetie. I'll have to keep my distance for a while, I guess. ;)

surrealchereal
09-17-2001, 11:05 PM
Well darlin', when you didn't meet my needs Tron stepped in and took up the slack!:p He had me taken care of the next AM:)
Send me a private message if you want to know how he did it!

socalgal
09-17-2001, 11:13 PM
?

surrealchereal
09-17-2001, 11:20 PM
:D socal, this is what we were talking about. Avatar Animation (http://www.sysopt.com/forum/showthread.php?s=&threadid=83312&highlight=move) :)

socalgal
09-17-2001, 11:22 PM
? Ok.... that was so way OT, so I had no idea you were talking about that.

surrealchereal
09-18-2001, 07:56 PM
(LOL socal I hear that a lot,,?? wonder why;))

arrrrrggh, the dang thing came back, and I know how, too: email.

Yah know what they say about curiosity and the cat :p

But how can you resist? :D The guy's name was Ben Dover!:D
Yeah it is still funny to me after all this.
Laughin all the way to FDISK :) not.

The interesting thing is I never opened the attachment....

socalgal
09-18-2001, 08:56 PM
Same one?

This is going around today

http://www.sysopt.com/forum/showthread.php?s=&threadid=83826

Update your NAV today - the defs are out.

surrealchereal
09-18-2001, 09:13 PM
Yep I did update but this is the same one.
But now I'm behaving like a normal paranoid nerd :p
.. I have this baby locked down so tight. It takes Vaseline to get my email.. :D