I have been using CPF for a couple of months now. Previously I had been “borrowing” a neighbor's wireless. I just installed a cable modem as I was in need of something more stable. Anyway, I did not put in a hardware FW as I had been using CPF and did not want to spend the money.
The other day I was having some problems and turned CPF off for a minute to test something, and turned it back on after about 1 min. I was talking to someone on VOIP when I got an Application Monitor security alert, which I ignored for a few seconds; soon I had twenty-plus alerts showing I had denied access, and when I looked at my security log my PC was trying to flood the network with connection attempts. Below is a short sample of the log, which had been cleared just a minute before; within 2 min the log file exceeded 3 Meg.
Date/Time :2007-06-05 22:00:58
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (qvfcauz.exe:190.85.84.225: :2967)
Application: C:\WINDOWS\system32\qvfcauz.exe
Parent: C:\Archivos de programa\Symantec AntiVirus\winupd3.exe
Protocol: TCP OutDestination: 190.85.84.225::2967
Date/Time :2007-06-05 22:00:58
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (qvfcauz.exe:190.195.19.57: :MS-ds(445))
Application: C:\WINDOWS\system32\qvfcauz.exe
Parent: C:\Archivos de programa\Symantec AntiVirus\winupd3.exe
Protocol: TCP OutDestination: 190.195.19.57::MS-ds(445)
This repeated ad infinitum with ports 445, 2967 and any address in the 190.X.X.X range.
I think it got on my PC using a Symantec AV security vulnerability, and I try to keep everything patched. Neither Symantec nor BOClean picked it up, but when I turned CPF back on, after a couple of seconds CFP picked up the traffic and blocked it. I quickly finished what I was doing, disconnected from the Internet and did a search for both:
“qvfcauz.exe” found nothing, as this is probably a random name
and
winupd3.exe did not find much, 7 entries in Google; this surprised me.
The only real thing of interest was
here http://fileinfo.prevx.com/adware/qqdc4f98800118-WINU42153739/WINUPD3.EXE.html
and I was not sure if I trusted this site.
Did a HijackThis scan. Here is a very summarized list:
Running processes:
C:\WINDOWS\system32\qvfcauz.exe
O4 - HKLM..\Run: [Windows Service Agent] qvfcauz.exe
O4 - HKLM..\RunServices: [Windows Service Agent] qvfcauz.exe
Updated Symantec with a file downloaded to a different PC.
Booted into Safe Mode and scanned the PC.
Symantec found W32.Spybot.Worm.
One of the details in the technical details is:
May drop Hacktool.Rootkit to hide the worm from the process list and register the hacktool as a service.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV
Lessons learned, all of which I knew and failed to follow:
- It is best to have layered security
1a) Run both a hardware firewall and a software firewall. Software firewalls tend to be a bit more robust and have more features; however, all things have their weaknesses.
1b) If you don't have both, never connect to the internet with your software firewall turned off; even the Windows firewall might have prevented this.
- No antivirus is perfect (both BOClean and Symantec missed this)
- Comodo Personal Firewall 2.4.18.184 with Application Monitor, Component Monitor, Network Monitor and Application Behaviour Analysis is a good firewall; I think it might have saved me a lot of problems.
Thank God I kept good backups, because the only way I knew of to be sure to remove a rootkit is 1. format the drive, 2. write 0s to the drive, 3. reload and 4. restore.
What a pain (:AGY)
Oh well, thanks Comodo, you stopped it before it could get worse and someone got into my PC (L)
I can't wait for V3. It should be out tomorrow in beta :THNK
Lesson learned, this time before I had major problems. I hope!!
Opus Dei
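A detection script over the log format quoted in the post, as an added example that is not part of the original post or of Comodo's own tooling: it parses Application Monitor entries in the layout shown above, counts distinct destination hosts per application inside a sliding time window, and flags any process that fans out to many hosts the way the poster's qvfcauz.exe did on ports 445 and 2967. The two entries quoted in the post are reproduced; every further entry (the rest of the 190.x.x.x flood and the firefox.exe lines) is constructed test data, and the function names, window and threshold are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Destination: <ip>::<port or service(port)>" tail of the Protocol line.
DEST_RE = re.compile(r"Destination:\s*(\d+\.\d+\.\d+\.\d+)::(\S+)")
SCAN_PORTS = {445, 2967}  # the two ports the post reports being hammered

# Paths exactly as they appear in the quoted log.
WORM_APP = r"C:\WINDOWS\system32\qvfcauz.exe"
WORM_PARENT = r"C:\Archivos de programa\Symantec AntiVirus\winupd3.exe"
BENIGN_APP = r"C:\Program Files\Mozilla Firefox\firefox.exe"  # constructed


def make_entry(ts, app, parent, ip, port_label):
    """Build one Application Monitor entry in the layout quoted in the post
    (used only to construct sample data, not a real capture)."""
    exe = app.rsplit("\\", 1)[-1]
    return (
        f"Date/Time :{ts}\n"
        f"Severity :Medium\n"
        f"Reporter :Application Monitor\n"
        f"Description: Application Access Denied ({exe}:{ip}: :{port_label})\n"
        f"Application: {app}\n"
        f"Parent: {parent}\n"
        f"Protocol: TCP OutDestination: {ip}::{port_label}\n"
    )


def build_sample_log():
    """Two entries from the post plus constructed entries simulating the flood."""
    entries = [
        make_entry("2007-06-05 22:00:58", WORM_APP, WORM_PARENT, "190.85.84.225", "2967"),
        make_entry("2007-06-05 22:00:58", WORM_APP, WORM_PARENT, "190.195.19.57", "MS-ds(445)"),
    ]
    base = datetime(2007, 6, 5, 22, 0, 58)
    for i in range(40):  # constructed: a fresh 190.x host every entry, alternating ports
        ts = (base + timedelta(seconds=i // 10)).strftime("%Y-%m-%d %H:%M:%S")
        label = "2967" if i % 2 == 0 else "MS-ds(445)"
        ip = f"190.{i % 7}.{i * 3 % 256}.{i * 11 % 256}"
        entries.append(make_entry(ts, WORM_APP, WORM_PARENT, ip, label))
    for _ in range(3):  # constructed benign denials: one app, one host (192.0.2.x is a documentation range)
        entries.append(make_entry("2007-06-05 22:00:59", BENIGN_APP,
                                  r"C:\WINDOWS\explorer.exe", "192.0.2.10", "HTTP(80)"))
    return "".join(entries)


def parse_entries(text):
    """Split the log into records; each record is a dict of field -> value."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Date/Time"):
            if current:
                records.append(current)
            stamp = line.split(":", 1)[1].strip()
            current = {"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")}
            continue
        if current is None:
            continue
        key, _, value = line.partition(":")  # first colon ends the field name
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def find_scanners(records, window=timedelta(seconds=60), min_targets=10):
    """Flag applications whose denied outbound attempts reach >= min_targets
    distinct hosts within any `window`; returns {application: summary}."""
    by_app = defaultdict(list)
    for r in records:
        m = DEST_RE.search(r.get("Protocol", ""))
        if not m or "Denied" not in r.get("Description", ""):
            continue
        port = int(re.search(r"\d+", m.group(2)).group())  # "MS-ds(445)" -> 445
        by_app[r["Application"]].append((r["time"], m.group(1), port, r.get("Parent", "")))
    findings = {}
    for app, events in by_app.items():
        events.sort()
        best = 0
        for i, (t0, *_) in enumerate(events):  # sliding window anchored at each event
            hosts = {ip for t, ip, *_ in events[i:] if t - t0 <= window}
            best = max(best, len(hosts))
        if best >= min_targets:
            ports = sorted({p for _, _, p, _ in events})
            findings[app] = {
                "distinct_targets_in_window": best,
                "denied_attempts": len(events),
                "ports": ports,
                "known_worm_ports": sorted(set(ports) & SCAN_PORTS),
                "parents": sorted({parent for *_, parent in events}),
            }
    return findings


if __name__ == "__main__":
    for app, summary in find_scanners(parse_entries(build_sample_log())).items():
        print(app, summary)
```

The parent path is carried into each finding because it was the second clue in the post: a binary in system32 spawned from the antivirus directory is worth a look on its own, even before the fan-out count trips the threshold. Adjust `window` and `min_targets` to the log volume you actually see; the values here are chosen to fit the constructed sample.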