I have NAV installed on our machines at our office, and it just
recently caught Dialer.wsv on my machine. inst.exe and hooks.dll were
found at c:\. NAV caught it, and I wasn't infected, but what I'd like
to know is how it got on my machine in the first place.

Symantec info on the virus states that it might be installed by
malicious web sites. I typically use Firefox to browse (not that it
can't have issues), but I don't even remember browsing a site that
could possibly have had a virus. Especially around the times that it
was found.

We just went through a big long clean up trying to tighten up security
on our machines, and I thought we were up to date and clean. Does
anyone have recommendations on how to track down where virii come from
on XP Pro boxes?

Re: Dialer.wsv by Richard

Richard
Wed Feb 08 18:05:40 CST 2006

There is no way of tracking where an infection came from, other than your
own memory.

Do you really think that the people who distribute these things allow
themselves to be tracked?

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!

<ben@peikes.com> wrote in message
news:1139442242.441458.234710@g47g2000cwa.googlegroups.com...
>I have NAV installed on our machines at our office, and it just
> recently caught Dialer.wsv on my machine. inst.exe and hooks.dll were
> found at c:\. NAV caught it, and I wasn't infected, but what I'd like
> to know is how it got on my machine in the first place.
>
> Symantec info on the virus states that it might be installed by
> malicious web sites. I typically use Firefox to browse (not that it
> can't have issues), but I don't even remember browsing a site that
> could possibly have had a virus. Especially around the times that it
> was found.
>
> We just went through a big long clean up trying to tighten up security
> on our machines, and I thought we were up to date and clean. Does
> anyone have recommendations on how to track down where virii come from
> on XP Pro boxes?
>
Re: Dialer.wsv by PA

PA
Wed Feb 08 18:05:22 CST 2006

But did NAV /remove/ Dialer.wsv? See
http://www.symantec.com/avcenter/venc/data/dialer.wsv.html: "This risk can
be detected [read: removed] only by Symantec products that support security
risks."

So How Did I Get Infected Anyway?
http://www.wilderssecurity.com/showthread.php?t=27971

Run a /thorough/ check for hijackware!

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v1.99.1
(http://aumha.net/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. **Post
your log to http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org

ben@peikes.com wrote:
> I have NAV installed on our machines at our office, and it just
> recently caught Dialer.wsv on my machine. inst.exe and hooks.dll were
> found at c:\. NAV caught it, and I wasn't infected, but what I'd like
> to know is how it got on my machine in the first place.
>
> Symantec info on the virus states that it might be installed by
> malicious web sites. I typically use Firefox to browse (not that it
> can't have issues), but I don't even remember browsing a site that
> could possibly have had a virus. Especially around the times that it
> was found.
>
> We just went through a big long clean up trying to tighten up security
> on our machines, and I thought we were up to date and clean. Does
> anyone have recommendations on how to track down where virii come from
> on XP Pro boxes?


Re: Dialer.wsv by David

David
Wed Feb 08 18:19:32 CST 2006

From: <ben@peikes.com>

< snip >

|
| We just went through a big long clean up trying to tighten up security
| on our machines, and I thought we were up to date and clean. Does
| anyone have recommendations on how to track down where virii come from
| on XP Pro boxes?

To start with, there is NO such terminology as virii or viri, as the plural of virus is
viruses.

http://spl.haxial.net/viruses.html
http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html
http://linuxmafia.com/~rick/faq/plural-of-virus.html

As for tracking the source of a malware infection, it really isn't possible even if you are
at the infected PC and do a full computer forensic investigation. All you can do is take
preventative measures and teach people to practice Safe Hex. Time is better spent on
prevention than on trying to ascertain where malware came from.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



RE: Dialer.wsv by Pandaman

Pandaman
Thu Feb 09 01:21:27 CST 2006

Hello Ben.
It is very difficult to understand where this dialer came from.

As far as I can understand this is a corporate environment.
You may install Microsoft Antispyware on ALL computers so it will take care
of most of the non-viral malware because, as you know, Norton is much better at
the viral malware. MS Antispyware is still in Beta 1 but it is stable on all
machines.

http://www.microsoft.com/athome/security/spyware/software/default.mspx


Also, as you use Norton you might want to increase your protection.
If you use Symantec/Norton 2006 version, you are already much more protected
than the old versions because Symantec offers daily updates for its 2006
products.

However, if you use Symantec/Norton 2003, 2004 or 2005 version you probably
know that Norton's Live Update offers only weekly updates, which is very very
bad if there is an epidemic of new threats (such as Sober, Mitgleider,
Netsky, MyDoom, ...).
That's why, if you use version 2003/2004/2005 you could be interested to
understand how to use Symantec's Intelligent Updater in combination with Live
Update:

http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2002021908382713?OpenDocument&src=sec_web_nam

http://www.symantec.com/avcenter/download.html



Panda_man
--
Prevention is always better than cure !
Panda TruPrevent - the most intelligent technology to combat unknown malware
http://www.pandasoftware.com
http://pandaman.hit.bg
"ben@peikes.com" wrote:

> I have NAV installed on our machines at our office, and it just
> recently caught Dialer.wsv on my machine. inst.exe and hooks.dll were
> found at c:\. NAV caught it, and I wasn't infected, but what I'd like
> to know is how it got on my machine in the first place.
>
> Symantec info on the virus states that it might be installed by
> malicious web sites. I typically use Firefox to browse (not that it
> can't have issues), but I don't even remember browsing a site that
> could possibly have had a virus. Especially around the times that it
> was found.
>
> We just went through a big long clean up trying to tighten up security
> on our machines, and I thought we were up to date and clean. Does
> anyone have recommendations on how to track down where virii come from
> on XP Pro boxes?
>
>

Re: Dialer.wsv by ben

ben
Thu Feb 09 09:08:22 CST 2006

First of all, we have taken preventative measures, and I believe that
I'm a "safe surfer". I rarely go to websites I don't know and I don't
download executables off the web. So right now, the only thing I can do
is trying to ascertain how the malware got onto my machine.

I don't care which site it came from, but I do want to know how/if it
was possible for a site to install a file on my machine without me
knowing it.

Without knowing how it got on my machine, how do I protect myself?
Whatever hole was used to install this malware, which NAV caught, could
be used to install a virus that Symantec hasn't seen yet.


Re: Dialer.wsv by David

David
Thu Feb 09 09:19:28 CST 2006

From: <ben@peikes.com>

| First of all, we have taken preventative measures, and I believe that
| I'm a "safe surfer". I rarely go to websites I don't know and I don't
| download executables off the web. So right now, the only thing I can do
| is trying to ascertain how the malware got onto my machine.
|
| I don't care which site it came from, but I do want to know how/if it
| was possible for a site to install a file on my machine without me
| knowing it.
|
| Without knowing how it got on my machine, how do I protect myself?
| Whatever hole was used to install this malware, which NAV caught, could
| be used to install a virus that Symantec hasn't seen yet.

There are only so many vectors for malware. If it is a specific infector, say an Internet
worm using TCP port 135, it is relatively easy to narrow down how the PC was infected.
However, with Trojans and other non-viral malware it is NOT easy to ascertain. It could have
been because one was browsing malicious web sites, it could be because of IM/P2P software, or
it could be email. As the number of permutations increases, the harder it is to ascertain
how one got infected. Of course, without a secondary application indicating the files
were truly infected, it could also be a false positive.

If vulnerabilities are NOT mitigated, then a malicious web site can install files on the
computer without the user's knowledge. It could be an un-patched IE, old version of Sun
Java, a third party media player, etc.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
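As an added example (not written by any of the posters above), here is a small Python timeline check that illustrates David's point: an inbound connection to TCP 135 accepted shortly before the dropped file appeared is a strong worm indicator, while ordinary outbound web traffic in the same window only tells you that browsing happened and leaves the vector indeterminate. The firewall log lines, IP addresses and the creation time of the dropped file are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): Windows-firewall-style
# log lines and the creation time reported for the dropped file.
FIREWALL_LOG = """\
2006-02-08 17:41:02 DROP TCP 10.0.0.77 192.168.1.20 3341 135
2006-02-08 17:52:10 OPEN TCP 192.168.1.20 203.0.113.5 1085 80
2006-02-08 17:58:31 OPEN-INBOUND TCP 10.0.0.77 192.168.1.20 3402 135
2006-02-08 18:03:15 OPEN TCP 192.168.1.20 203.0.113.5 1099 80
"""
FILE_CREATED = datetime(2006, 2, 8, 18, 1, 40)  # C:\inst.exe, constructed
WINDOW = timedelta(minutes=10)  # assumed look-back before file creation


def parse_log(text):
    """Parse 'date time action proto src dst sport dport' lines into dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "action": parts[2], "proto": parts[3],
                       "src": parts[4], "dst": parts[5],
                       "sport": int(parts[6]), "dport": int(parts[7])})
    return events


def candidate_vectors(events, created, window=WINDOW):
    """Return (vector, timestamp, peer) for events inside the look-back window.
    An *accepted* inbound connection to 135 (RPC/DCOM) is the worm signature;
    dropped probes are noise, and web traffic is only weak evidence."""
    hits = []
    for e in events:
        if not (created - window <= e["ts"] <= created):
            continue
        if e["dport"] == 135 and e["action"].startswith("OPEN"):
            hits.append(("rpc-worm-inbound", e["ts"], e["src"]))
        elif e["dport"] in (80, 443):
            hits.append(("web-browsing", e["ts"], e["dst"]))
    return hits


def conclusion(hits):
    """Summarise what the correlated events do and do not establish."""
    kinds = {h[0] for h in hits}
    if "rpc-worm-inbound" in kinds:
        return "likely port-135 worm"
    if kinds:
        return "indeterminate: web/email/IM all possible"
    return "no correlated events"
```

On a real XP box the inputs would be the Windows Firewall log (pfirewall.log) and the file's creation timestamp from the filesystem; the logic stays the same.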