
So much for my AV program...anyone seen this???

Discussion in 'Security and Privacy' started by neomatsu, 2002/08/20.

Thread Status:
Not open for further replies.
  1. 2002/08/20
    neomatsu

    neomatsu Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    37
    Likes Received:
    0
    Every day before I go out for the evening I go to Symantec and download the latest virus updates, and today was no different. When I got back in and checked my big comp, Norton AV had found 2 infections: the DebPloit.Exploit and the ERunAsX.dll (part of the exe file) and it had quarantined them. So I checked them out on the Symantec web site and all I got was this....

    DebPloit.Exploit
    Detected as: DebPloit.Exploit

    Aliases: None

    Area of Infection: .EXE Files

    No additional information.

    This threat is detected by the latest Virus Definitions.

    All computer users should employ safe computing practices, including:

    Keeping your Virus Definitions updated.
    Installing Norton AntiVirus program updates, when available.
    Deleting suspicious looking emails.
    You may also scan your PC for threats now, by using the free online Symantec Security Check.

    To ensure complete protection against viruses and similar threats, please review Symantec's product offerings for Home and Corporate users.

    Okay, this is where it gets interesting. When I looked these files up in Explorer (W2K) it says a date of Aug 20, 2002 at 8:20 PM...interesting, at this time and date my comp was not even physically hooked to any network, the cable was unplugged.

    Nothing in the message at Symantec about what else to do besides running up-to-date AV, which I do, and it also scans my email, thank god...in the last 2 days it has stopped 12 emails that were infected by KLEZ...grrrrr...:mad:

    I know about running safe, I also use Norton's firewall on that comp. Anyone here had any experience with this virus???? My concern is that it talks about infecting exe files!!!! Anything I download from the net goes through the AV and all email is scanned with updated virus patterns. I also found this at viruslist.com on a variation of the DebPloit.Exploit as Exploit.WinNT.DebPloit...

    Exploit.WinNT.DebPloit



    The DebPloit exploit uses a vulnerability in the security system to assign permissions under WinNT systems (this includes Win2000) - it does not affect WinXP. It uses any process to exploit the permissions of any other process.

    By controlling permissions allocation, Debploit has the ability to, for example, promote all users to the status of system/admin - that is if the targeted process is running under the LocalSystem, Administrator account.

    As a result any process being run with User rights can let DebPloit into the Administration process, and restart itself with Administrator rights, for example.

    This virus works on Microsoft Windows NT 4.0 and Windows 2000 with Service Packs installed prior to Mar-12-2002 (it doesn't work if Service Packs were installed after Mar-12-2002).


    Like I said, my concern is the .exe threat and the permissions allocation of this virus. Any experience y'all have will be greatly appreciated. As my comp is being scanned I write to you...:confused: :eek: :mad:

    neomatsu
     
  2. 2002/08/20
    Zephyr

    Zephyr Inactive

    Joined:
    2002/01/21
    Messages:
    1,519
    Likes Received:
    0
    I'm sorry about your experience with this bug. I have never had 2K or the bug but I understand there is a patch for that hole.

    It's getting brutal out there and challenges a user to keep abreast of all the necessary patches, SP's and AV signature updates. I think I spend more time doing prevention and backups than I do producing meaningful files. :(
     
    Last edited: 2002/08/20


  4. 2002/08/21
    neomatsu

    neomatsu Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    37
    Likes Received:
    0
    interesting...

    thanx for the feedback...interesting though was that there was a zip file on my infected comp that was for the DebPloit fix from back in March of this year...I must have d/l and ran the fix based on a tech mail I got...funny, there was a .dll file called ERunAsX.dll that Norton identified as one of the infected files and the other was DebPloit.Exploit, an exe file...confusing to say the least...only reason that I am now confused is that after I just d/l the zip file and scanned it, and opened it, I looked at the txt files and they were the same files that were in the infected folder on the big comp before I deleted those files...something does not seem right, I never d/l anything without running an AV on it and would not have done it back in March...you see what I am saying...I update my comps all the time and go to various sites a lot...my friends smirk at me, yet a few of them have been infected, sorry to say...this DebPloit has me confused, and how the infected files got past my AV back in March and such...grrrrrr

    yea it is brutal and I remember when I was working support last year and the Nimda virus I believe was wreaking havoc on the networks and the Cisco routers and the server farm that housed the servers we were supporting...my company then the next week, on the weekend of course, took its network offline for the weekend to update the network hardware, and for a help desk to have to function without the proper tools, not to mention that the weekend the server farm got hit I ended up spending 14 to 16 hour days at work, and include driving 1 hour each way, and I was ready to tweak anyone that condoned these miserable virus writers and such... :mad: :D

    Oh well, I miss those long days and hopefully I will get a job soon...Texas has been hit hard...still scratching his head about this DebPloit thing, not sure if I should run the patch on my W2K machine or not...

    neomatsu...:confused:
     
  5. 2002/08/23
    Alice

    Alice Banned

    Joined:
    2002/01/08
    Messages:
    938
    Likes Received:
    0
  6. 2002/08/23
    neomatsu

    neomatsu Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    37
    Likes Received:
    0
    kwel...(C:

    Thanx for the info...it's frustrating, I keep this comp all updated and practice security as if my life depended on it, and in reality it does...I don't know how this little bugger got on my comp but it did...it had to be pre-SP3 for W2K...:(

    Oh well, live and let learn as I always say...I may even install a 2nd AV because of this...god I almost feel as paranoid as the patients I used to work with...but as the old saying goes... "they may actually be after you and in that case it's not paranoia but real fear... ":mad:

    Again thanx for the info...:cool: :D

    neomatsu
     
  7. 2002/08/31
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    Notes from the author of DebPloit:

    As you can see, it's been around for awhile and should properly be classed as a trojan rather than a virus.

    The presence of ERunAsX.dll indicates a W32.Masy.Worm (a mass mailing worm) infection in addition to DebPloit (both make use of the same vulnerability). If you have a file named ERunAsX.exe on your system, delete it (Norton sometimes leaves it behind).
     
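Brett's advice above comes down to one concrete check: look for the leftover ERunAsX.dll / ERunAsX.exe files and get them off the machine. The script below is an added example (not code from this thread, from Symantec, or from the viruslist.com write-up) of doing that in a way an admin can defend later: it walks a directory tree, matches the two filenames case-insensitively (Windows filesystems are case-insensitive), records a SHA-256 hash and the file's modification time for the record, and then moves each hit into a quarantine folder under a non-executable name instead of silently deleting it. The quarantine folder name and the `.quarantined` suffix are assumptions of the example; the filenames are the ones named in the thread.

```python
"""Added example: find and quarantine leftover ERunAsX.dll / ERunAsX.exe files.

Illustrative defender-side script, not a tool from Symantec, Kaspersky or this
forum. Indicator filenames come from the thread; the quarantine layout is an
assumption of this example.
"""
import hashlib
import os
import shutil
from datetime import datetime, timezone
from pathlib import Path

# Filenames named in the thread. Compared in lower case because Windows
# filesystems are case-insensitive, so "ERUNASX.EXE" is the same file.
INDICATOR_FILENAMES = {"erunasx.dll", "erunasx.exe"}


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_indicators(root: Path) -> list[Path]:
    """Walk `root` and return every file whose name matches an indicator."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in INDICATOR_FILENAMES:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def quarantine(path: Path, qdir: Path) -> dict:
    """Record hash and mtime, then move the file into `qdir`.

    The `.quarantined` suffix means the file no longer carries an executable
    extension, so it cannot be launched by accident while it is kept for
    reference.
    """
    qdir.mkdir(parents=True, exist_ok=True)
    record = {
        "original": str(path),
        "sha256": sha256_of(path),
        "mtime_utc": datetime.fromtimestamp(
            path.stat().st_mtime, tz=timezone.utc
        ).isoformat(),
    }
    dest = qdir / (path.name + ".quarantined")
    n = 1
    # Two copies with the same name in different folders must not clobber
    # each other in the quarantine directory.
    while dest.exists():
        dest = qdir / f"{path.name}.{n}.quarantined"
        n += 1
    shutil.move(str(path), str(dest))
    record["quarantined_as"] = str(dest)
    return record


def sweep(root: Path, qdir: Path) -> list[dict]:
    """Quarantine every indicator under `root`; return one record per file.

    The hit list is built in full before anything is moved, so the quarantine
    directory may live under `root` without being re-scanned mid-sweep.
    """
    hits = find_indicators(root)
    return [quarantine(p, qdir) for p in hits]


if __name__ == "__main__":
    import json
    import sys

    scan_root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for rec in sweep(scan_root, scan_root / "_quarantine"):
        print(json.dumps(rec))
```

Run it against the drive root (or the folder Norton reported) and keep the printed JSON lines with the incident notes; the hash lets you confirm later that the quarantined copy is the same file the AV flagged, and the original path plus timestamp is exactly the "when did this appear" information neomatsu was trying to reconstruct from Explorer.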
  8. 2004/05/18
    CharlieJ

    CharlieJ Inactive

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    Zephyr, As a newbie Sysadmin, I tend to agree with you: "I think I spend more time doing prevention and backups than I do producing meaningful files. "

    Brett, there may be some correlation here: ;)
    "Location: Lost "
    and
    "I prefer to think of them as The Ten Suggestions. "

    Anyway, THANKS to both of you for the help on these issues. They can be a real pain to deal with.
     