Troubleshooting Bri's PC

[Bri]

thank you, I would like to correct one thing though. I am not troubleshooting a pc. ...I had speculated for a few months now....... Because of all of your help I have at least confirmed to myself that some things just happen.

I began receiving porn spam during a critical time in this process and just deleted it for months. I found Spamcop a couple weeks ago and after watching you all and others such as spamhaus for a week or so, this looked like my best shot to stop the slugs in my mailbox and continue studying the puzzle.

I have not gone to the many tech sites that seemed likely places to ask questions because I knew I was too silly to be helped.

I do not think I could do anything about this anyway even if it is true but it really is not in me to not at least try. Since I really did not want to state all this (and more) on a public forum and especially since you all deal with spam topics I tried to keep as close to spam spread stuff as possible knowing the answers would still lie in the technical direction I needed to follow. But you all give so much good information and it led to more questions. I have been unable to find a live body near me that can begin to discuss even port 25 and beyond with me.

No one has been missing the mark Wazoo, all things have been helpful in one way or another, problem is, again, that I do not have a specific question perse (sp?).

I reread my last message and I sound a little short with you wazoo and I am sorry, you have spent the most time sorting through my questions and it is much appreciated.

[Jeff G.]

I have been unable to find ... a live body near me that can  begin to discuss even port 25 and beyond with me.

Where are you?

[Bri]

I am in a place I no longer wish to mention on a public forum :-). I would also liked to amend a statement, there is surely someone (live) around me somewhere that knows what port 25 (among other things) is, but no-one I have found that has the desire to educate me nor the knowledge to help me put pieces into place. Of course, that is assuming I had the correct pieces to begin with , I am sure some may argue not and they may be correct.

A side story, a friend lives in a small town that has a new computer shop set up. I have worked on her few computers for years. I quit doing this last year because she and her kids refused to learn how to update the virus protection and insisted on downloading any crud they came across. The last time the computer quit (last month) she took it to the new guy. He forgot to put the sound card back in (no clue why he had it out anyway) and installed a pop blocker and Norton (she never paid for the norton) and Norton does not exist on her computer nor does the blocker. When she started internet banking last week I told her she needed a firewall. She called "her guy" and he says it is not necessary. Aint computer life grand ;-).

[Wazoo]

Not that I'd expect a reply, but what's your paranoia level? Is there belief or cause that someone would be attempting these things? .. you start with cracking, then pull in porn spam receipt, then pull in identity theft, but in the thoughts of not wanting to hit certain sites "because they may recognize things" has me wondering if you're just wanting someone to tell you to go to the authorities ..??

That something happened a number of months ago, then I'd gotten the impression that your "Network Error" messgae was much more recent led me to try to answer from one mind-set. That your focus was on this (or another) netowrk type issue is where all the focus on msblaster came from .. again, as most all of the Google hits on your error message deal with msblaster fall-out, one would think that this is the "only" issue ... but JeffG already pointed out "Hey, it's Windows .. stuff happens" ... and suggesting that most networking folks would probably shrug off the issue (after checking for being bitten), thus the lack of posts on the issue ..

Your time zone places you east of me, but that's not an open to the public question ... just stating that there is the possibility that you may be somewhere that you could be put in contact with someone, again, depending on how serious you are taking this.

is there a possible way using an http link through an email or a downloaded jpeg in a malicious way to cause symptoms of the blaster worm

Although that could be answered with a "yes" and I could walk away at that point, I'm thinking you want a bit more, though noting a lot of this has been covered already, albeit while dancing around the real subject.

download of a jgp via e-mail ... back to your level of paranoia, as the general answer would be "no". As I tried to exemplify with the stegnosis example, not only would the nasty code have to be embedded within the graphic, but you'd also have to be somehow co-erced into loading and installing the needed software to extract the embedded code. This would not be the run-of-the-mill exploit. Going with that this is "your" computer and you would have not fell for this bit of intricate social engineering, then you'd be left with the possibility of the "someone gained entry to your house, imstalled said software without your knowledge, and ...." So, the question again, are in such a position that someone would go to this much effort?

through an e-mail or http link - easy one here is yes, but .... Java, java scri_pt, activex and the ilk are advertised as being "safe" .... yet, exploits keep showing up that due to one reason or another, "stuff happens" .... the confusion reigns supreme on the subject, for example you can read on Microsoft's security issues web pages that "you should turn off all scripting until the security patch is released" but you'll find out that you can't install the security patch until you flip the switch and allow the scripting engines to run ...

There is no way in the world that I can say "yes, if you visited a web-site or recieved an e-mail, then you definitly picked up something bad that would make itself known by screwing up your system just like an active msblaster infection" ... I can say that if your system is unprotected, yes you can pick stuff up. Examples everyday over in the Microsoft newsgroups from folks that (though denying it of course) seem to hit the porn sites and then come in ticked off at their next phone bill, as they've picked up some code (usually falling for the 'speed up your Internet' or 'use our stuff to see our movies' and happily clicking away, but yes, allowing scripts to run can allow this garbage to be loaded 'in the background') that ends up dialing some ISP in Brazil (complaint I just saw earlier today) for some outrageous fee. One of my brothers, even after listening to some of my rants and warnings for years, brought his system here a number of weeks back due to "problems" .. I removed 27 dialer programs alone off of his system .... and of course he has no idea how they could have gotten there <g>

As you say the issue that started this happened so long ago, it would sound like all the forensic evidence is long gone ... but "we" don't have a clue as to what you've done to capture any and all of the data that may be important. What was the URL of the website, do you still have the suspect e-mail, etc ....

I sound a little short with you

I was crushed <g> ... let me say, retired Army, 20+ years of marriage, 8+ years of divorce (my dearly beloved went through over a dozen lawyers for whatever reason) .... if there was something there that should have grabbed my attention, I'll have to apologize, because I sure missed it <g>

here's again hoping that there's something in all of this that you can use.

[Wazoo]

Well, I took so long on the last post, that I see you tossed another one in here on me <g>

I am in a place I no longer wish to mention on a public forum :-).

There is the PM function, though that also goes along with the trust factor.

The last time the computer quit (last month) she took it to the new guy. He forgot to put the sound card back in (no clue why he had it out anyway)

Not knowing what he did, but ... case design made it an issue in order to swap motherboards, so it had to be removed to get around the drives / power supply. Forgetting to put it back in could be that so many of the current motherboards have the "sound card" function built-in ... second guessing other techs is hard to do, especially not knowing what the "failure" was to begin with

and installed a pop blocker and Norton (she never paid for the norton) and Norton does not exist on her computer nor does the blocker.

Small note here in that "Norton" (now owned by Symantec) has several products .. you might be looking for the wrong one

When she started internet banking last week I told her she needed a firewall. She called "her guy" and he says it is not necessary. Aint computer life grand ;-).

not sure why the tie-in of banking and a firewall ... separate needs and functions there, (firewall was always needed, banking suggest other tools, but based on what the bank has available also) ... and to reference the above, maybe the installed Norton product was the firewall tool?? again, way too much second guessing involved here

[Wazoo]

Ok, here's an interesting post clipped from one of the Microsoft support groups that has some sideline bearing on things discussed thus far. Note, that not allowing scripts to run is one of the first lines of defense. Also note that as this particular item is (loosely) defined as a "network monitoring tool for the evaluation and enhancement of our client's advertising issues", it's outside the usual virus, worm, trojan definition, so it's not a target for the anti-virus tools ...

per a Mike Burgess [MVP Windows Shell\User];

<quote> (from LavaSoft Support)

Unlike most conventional spyware, imrworldwide.com's Red Sheriff is loaded

as a Java applet embedded in a Web page you visit. Once loaded, it sends

information about your Internet usage (how long the page took to load, how

long you stayed, etc.) to the parent company, supposedly bypassing

firewalls, cookie blockers and the like.

</quote>

[more info]

http://www.cexx.org/sheriff.htm

http://www.spywareinfo.com/newsletter/arch...pril-2003/2.php

http://www.kalsey.com/2002/11/java_spyware

You can use my HOSTS file that targets\blocks Red Sheriff

# [iMR Worldwide][Tracking Service][Restricted Zone site]

127.0.0.1 measurement.redsheriff.com

127.0.0.1 www.redsheriff.it

127.0.0.1 www.redsheriff.com

127.0.0.1 www.redsheriff.com.au

127.0.0.1 www.RedSheRRif.com

127.0.0.1 server-au.imrworldwide.com

127.0.0.1 server-dk.imrworldwide.com

127.0.0.1 server-it.imrworldwide.com

127.0.0.1 server-no.imrworldwide.com

127.0.0.1 server-nz.imrworldwide.com

127.0.0.1 server-oslo.imrworldwide.com

127.0.0.1 server-sg.imrworldwide.com

127.0.0.1 server-uk.imrworldwide.com

127.0.0.1 server-us.imrworldwide.com

127.0.0.1 www.imrworldwide.com

[Bri]

<<<Unlike most conventional spyware, imrworldwide.com's Red Sheriff is loaded

as a Java applet embedded in a Web page you visit. Once loaded, it sends

information about your Internet usage (how long the page took to load, how

long you stayed, etc.) to the parent company, supposedly bypassing

firewalls, cookie blockers and the like.>>>

yahoooo :-) Bingo number 2. (sorry, I give up on the quote thing)

If it would be possible to PM someone that has at least one credible source to speak for them I would happily do so. Otherwise I must stumble around until no one answers me anymore ;-).

<<<not knowing what he did,but...case design>>>

He did a system restore from the sounds of it but hard to say, you think I am bad at explaining things, let me send you my friend for questions :-). A quick look under add/remove programs shows no virus program I have ever heard of, if fact it would have to not even show up because I recognize all the programs installed. Not saying he took anything out of the hardware-wise, but added with a few other things do you wonder still wonder that I dont ask his advice?

<<Hey, it's Windows...stuff happens>>

I do shrug off most stuff also, I use a computer for a living and am aware of the various warning messages seen daily using a variety of Windows operating systems with a variety of programs.

I am aware that forensics are important and short-lived on the net...not sure what to add after that.

What causes the snow...java scri_pt I think but I have not really looked into it?

It is not common in my experiece for my word program to open without my starting it but I guess I will go for the .DOC thing for the moment, I am cringing at the thought of the research to find all the answers in that one lol.

[Wazoo]

If it would be possible to PM someone that has at least one credible source to speak for them

Technically, JeffG has the power to take a look and follow your posting IP and track down your ISP .. just a general statement there .. I could thrill you with the stories behind some of my awards and accolades signed by Presidents, Secretaries of Defense, Chairmen of the Joint Chiefs of Staff - Pentagon, etc., ... but as was noted when they were awarded .. take this paperwork, pile of medals, and a dollar bill and I still can't buy a cup of coffee <g> (actually, back then it was a quarter, but just as inflation goes, so do the war stories<g>)

As there are very few among "us" that have met outside of this Forum or the newsgroups, don't see how you'd get that 'credible source' remark from anyone any more 'credible' <g>

What causes the snow

huh? Or is this in reference to an old post about HTML encrusted e-mails? If that's it, then yes, java scri_pt would drive the pretty pictures.

my word program to open without my starting it but I guess I will go for the .DOC thing for the moment

There are other file extensions / reasons for it, that one was just the most obvious.

[Bri]

<<<so do the war stories<g>>>>

From this neighborhood all thanks goes to current and past serviceman who have and will defend our country honorably every day

<<<my word program to open without my starting it but I guess I will go for the .DOC thing for the moment

There are other file extensions / reasons for it, that one was just the most obvious. >>>

Any clues on other reasons? Or is this a trade secret :-)

[turetzsr]

Hi, Bri!

It is not common in my experiece for my word program to open without my starting it but I guess I will go for the .DOC thing for the moment

There are other file extensions / reasons for it, that one was just the most obvious.

Any clues on other reasons? Or is this a trade secret :-)

...Assuming you are running some flavor of Microsoft Windows (not sure what happens in a Mac or unixen environment):

...Do you have an anti-virus program that allows you to add file extensions to the list of files to be scanned, such as Norton AV? If so, there's a list of common "dangerous" extensions there.

...Essentially, double-clicking any file that has an extension which is associated with an application will generally open that application.

[Bri]

<<<...Essentially, double-clicking any file that has an extension which is associated with an application will generally open that application. >>>

yes, thanks, I was aware of this.

[Wazoo]

Any clues on other reasons? Or is this a trade secret :-)

Not any kind of a secret, it's just that the list of possibilities is just way too long ... Complicated by the fact that a user can change thier configuration to do things outside even that long list.

Another "just an example" item that you may be more familiar with (and a shorter example believe it or not) is the simple .WAV file. Default install of a Windows OS would probably include a version of Windows Media Player (WMP) ... WMP registers itself to Windows as being the app to handle any and all .WAV files.

Then you hear what a great app WinAmp is, so you download and install WinAmp. During that install, you're given a choice of what file types you want it to be responsible for, and we'll go with the usual user experience of click, click, click ... the next time you try to fire up a .WAV file, WinAmp kicks into motion to play the .WAV.

A week later, someone turns you on to RealPlayer .. so you download and install RealPlayer. You're offered a chance again to select which file types your want it to play, but we'll do the click, click, click again .. and guess what ... the next time you try to handle a .WAV file, RealPlayer kicks into gear and plays the .WAV for you.

Then someone says that what you really need is QuickTime .. so you ..... rinse, repeat, rinse, repeat, ...

Remember, WMP is still installed, and if you fire it up first, you can still play those .WAV files, it's just the "automatic handling app" that changes, based on what you've told Windows to be the "default" app to run a specific file type/extension.

So in your specific example of "clicked on something and Word started", we'd have to know your list of file type/extensions that you've got connected to use Word as their handling application. Like a .TXT file would normally be defaulted to use Notepad, but you may have changed your system to use Word on .TXT files. "We" can't tell from here what connections you've made within your system.

[Wazoo]

not sure what happens in a Mac or unixen environment):

In the olden days, a Mac file would have a "resource fork" that would tie back to how the file would be handled by the OS.

*NIX, might be easier to start with ... everything is a file .... the screen is just a place to dump output from some file operation, a printer is just a place to "copy" a file to, etc. .... It's the actual file composition and how you "approach, handle, and manipulate" the data within that makes a difference ... Like running a "string" command on what Windows would call an executable file ... string will just look through the file, extract what looks like it could be text, copy that data to another file (console screen perhaps), and gracefully exit .. that 90% of the file was binary compiled code doesn't bother the system at all.

[Bri]

<<<So in your specific example of "clicked on something and Word started", we'd have to know your list of file type/extensions that you've got connected to use Word as their handling application. Like a .TXT file would normally be defaulted to use Notepad, but you may have changed your system to use Word on .TXT files. "We" can't tell from here what connections you've made within your system. >>>

At this point I am taking any educated guess that it is not a good connection with my Word program and I am sure glad I am fire-walled to my meager ability. Which I am guessing would save the majority of "idiot" fire-walled (updated) folks considering the things associated with that link. But then, other "fun" things are being planned along the road so who knows what may pop up next.

I know how to recognize the obvious applets, is there a way to place one in a not so obvious way? And what are the potential consequences if so? I dont need them all :-), just need a place to start

[Wazoo]

Not sure I understand all that you just said .. but "firewalled" can mean lots of things ... it seems I went through some of this recently (but maybe not in this thread?) One firewall may allow any traffic out, some traffic in. Another will allow any out, but only recognize certain traffic in. Another may be very restrictive on traffic both ways.

Example, I've a hardware firewall / router that handles the majority of incoming crud I haven't asked for. But also have a software firewall set with rules like Outlook Express will only go out to certain ports, SMTP, POP, and NNTP, blocked from ever going to port 80 or passing an HTTP request.

I know how to recognize the obvious applets, is there a way to place one in a not so obvious way?

You say "applets" which suggets, but does not limit, that you are talking about hitting a web page. To "recognize" anything, you'd need to see the source code for that page. To "notice", if you set Windows to not allow any scripting action to occur will either get you note that the page can't be displayed or the pop-up question for you to "approve" of allowing something to run.

Consequences? It all depends on what's going on. For example, I have to "approve" allowing a scri_pt to run every time I ask to see a .PDF file. Saying "no" results in a big, blank page. One web site I maintain requires that I go visit a vendor's site to snag pictures and write-ups on new products. Due to my firewall rules, if I try to go there with any of my main work systems, I can't get the pics to show up, due to the way that vendor's programmer wrote their code and built their file tree. So, I fire up a sacrificial computer, do all the data collection, then move all that data over to my "work" computer, and march on from there. And the next level of aggravation comes in when you can't access the page at all, because the programmer wrote it up in a way that it only looks "right" when the page is somehow manipulating / exercising your system. I've a recent rant to the USPS folks, as their Tracking page (and Contact, FAQ, etc.) are written around scripting code, and as that's not allowed here, those pages can't be reached from here.

[Bri]

Wazoo, that was all great info but I just have a tiny problem still, I need a place to start that can be a little more specific than you are being at the moment. A bad extension worm/trojan/exploit whatever has ever caused a word program triggered worm/virus/exploit whatever for any reason from mass emailings to individual persons would be quite helpful. I know that covers a whole lot of territory, all I wish is one little clue to anything with a known reason. It does not have to be a widely known reason, just a little known trivia fact would be great :-) .

[turetzsr]

Hi, Bri,

<snip> A bad extension worm/trojan/exploit whatever has ever caused a word program triggered worm/virus/exploit whatever for any reason from mass emailings to individual persons would be quite helpful. <snip>  .

...It's probably easy to write a Word Macro (in VBA, Visual Basic ® for Applications) that accesses CDO and sends e-mails to everyone in your contact list. Perhaps that's what's happening?

[Bri]

yes, ok, for arguments sake that is what is happening. Is there a place on the web that I can access real info regarding any issue that looks like this or can mimic other things like an exploit or a virus that uses a word program.

[Wazoo]

ok, outside of the normal places to go check data like the various anti-virus software sites for specific data, then how about places like the following?

http://secunia.com/

http://www.cert.org/

http://www.robertgraham.com/pubs/firewall-seen.html

http://www.merijn.org/cwschronicles.html - currently under a ddos attack, so may not be available

http://www.sans.org/top20/

Lots and lots of details, and some a lot more specific than you probably wanted.

[Bri]

<<<Lots and lots of details, and some a lot more specific than you probably wanted. >>>

yes, I am fairly certain I am familiar with some of these sites and certainly with the things that caught my eye first. I certainly will visit a couple couple again in the travels I am sure :-). Thanks for the links, I will add them to the list.

[turetzsr]

Hi, Bri,

Hi, Bri,

<snip> A bad extension worm/trojan/exploit whatever has ever caused a word program triggered worm/virus/exploit whatever for any reason from mass emailings to individual persons would be quite helpful. <snip>  .

...It's probably easy to write a Word Macro (in VBA, Visual Basic ® for Applications) that accesses CDO and sends e-mails to everyone in your contact list. Perhaps that's what's happening?

• W97M.Melissa.M
  
• mm.html]W32.Dotor.A[at]mm
  
• W97.Melissa.A
  
• W97M.Melissa.A
  
• WM.ShareFun.A
  

...These are the first five hits I got by doing a search for "word macro virus send email" at http://www.symantec.com/search/ with check boxes "Viruses, Trojan horses, Worms and Macros" and "Vulnerabilities and Exploits". The search results reported "31,188 results found."

...And another I found by doing a search at www.microsoft.com:

New Variant of the Melissa Virus

[Bri]

Thank you Turet, I have read of this one and others at the same site. But all indications that I have found state that it is received through email. My question would be can something like this be written into a webpage?

I am also aware that email transferred crud can delete files on a hard drive, the latest variation of MyDoom being a prime example. I remember reading of one in particular (that I cannot remember) that will delete a hard drive immediately if CTRL_ALT_DELETE is hit. Again the question would be the same, can something be written into a webpage that would accomplish the same thing? Knowing that windows and all its flaws can cause some strange things to happen, how common is it for doing a CTRL_ALT_DELETE because of a system freeze results in a hard-drive wipe?

[turetzsr]

Hi, Bri!

Thank you Turet,

...It's Steve (not Turet). See my sig.

I have read of this one and others at the same site. But all indications that I have found state that it is received through email. My question would be can something like this be written into a webpage?

...Sure! It could be on the web page as a file with any extension that you have associated with Word (.dot, .doc, .rtf, .wri, etc). There might be some scripting around it that would cause it to be executed without your having to take any action other than to open the web page (or e-mail).

I am also aware that email transferred crud can delete  files on a hard drive, the latest variation of MyDoom being a prime example. I remember reading of one in particular (that I cannot remember) that will delete a hard drive immediately if CTRL_ALT_DELETE is hit.  Again the question would be the same, can something be written into a webpage that would accomplish the same thing?

...Almost certainly -- again, with some kind of scripting. It could be done either with scri_pt right on the web page or it could be done in a Word document that gets executed when you open the page, or probably any number of other ways.

Knowing that windows and all its flaws can cause some strange things to happen, how common is it for doing a  CTRL_ALT_DELETE because of a system freeze results in a hard-drive wipe?

...Not sure about the CTRL-ALT-DELETE thingy. I would presume that a virus program running on your PC could intercept the CTRL-ALT-DELETE transmission and use it for its own purpose (such as deleting files or wiping a hard disc) but I thought Microsoft wrote Windows so that could not happen. Still, I suppose a virus could do something to some internal Windows component that would defeat whatever precautions Microsoft took ... I would guess using a buffer overflow or insecure privileged usercode or something along those lines.

[Bri]

<<< ..Not sure about the CTRL-ALT-DELETE thingy. I would presume that a virus program running on your PC could intercept the CTRL-ALT-DELETE transmission and use it for its own purpose (such as deleting files or wiping a hard disc) but I thought Microsoft wrote Windows so that could not happen. Still, I suppose a virus could do something to some internal Windows component that would defeat whatever precautions Microsoft took ... I would guess using a buffer overflow or insecure privileged usercode or something along those lines. >>>

ahhh yes, that would accomplish it considering the firewall would stop the buffer attack if installed. How successful is the standard firewall that resides in the XP operating system in stopping a buffer attack?

<<<My question would be can something like this be written into a webpage?...Sure! It could be on the web page as a file with any extension that you have associated with Word (.dot, .doc, .rtf, .wri, etc). There might be some scripting around it that would cause it to be executed without your having to take any action other than to open the web page (or e-mail).>>>

bingo 3, thank you

After running a search on a search engine and clicking on a link provided by the search engine a browser window attempts to open but the firewall (norton) stops it, what are the possible causes? just a hint would be helpful :-).

<<<QUOTE (Bri [at] Feb 26 2004, 09:48 PM)

Thank you Turet,

...It's Steve (not Turet). See my sig. >>>

thank you steve, I am not a common visitor to forums and used the abbreviation common to my on-line "world", no insults intended.

[Jeff G.]

After running a search on a search engine and clicking on a link provided by the search engine a browser window attempts to open but the firewall (norton) stops it, what are the possible causes? just a hint would be helpful :-).

Marketing folks are the root cause of popup ads. Norton's firewalls (which one and version are you using?) can block popup ads.