RoMZERO
10-12-2002, 23:00
my father caught a worm by opening a web page on his PC (it runs WinMe), which is on a LAN with mine (Win2k)
the worm is called W32.Opaserv.Worm and exists in the following variants
w32.opaserv.worm (http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html)
w32.opaserv.g.worm (http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.g.worm.html)
w32.opaserv.e.worm (http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.e.worm.html)
what does the bastard do?
1) it shares your hard disks on the Internet
2) when it installs itself, it brings along either other worms or other viruses
3) on WinMe and WinXP it uses System Restore to restore its own installation
4) you catch it simply by opening a web page
5) I remove it COMPLETELY, but every time my father connects to the Internet and opens IE it reinstalls itself together with a new virus
6) if you have a LAN, it spreads across the LAN
and it is precisely this last point that worries me
on this PC I have Win2k... Norton and PC-cillin detect nothing, but my firewall has gone crazy
thinking it was due to the ADSL installation, I uninstalled the firewall and, while I was at it, installed a newer version: BlackICE Defender 2.9
the program reports repeated access threats
repeated attacks on several ports, even from the same person
should I worry? do I have the worm in stealth on my PC? even though the Symantec site does not describe it as a stealth worm :(
from 11 this morning until now (23:50) I have been subjected to all these alarms (unfortunately the firewall does not copy all of them for me; these are only a small part)
Time, Event, Intruder, Count
12/10/02 19:47:20, BlackICE detection stopped, 0.0.0.0, 1
12/10/02 20:07:11, BlackICE detection started, 0.0.0.0, 1
12/10/02 18:37:45, TCP port probe, 193-152-161-219.uc.nombres.ttd.es, 6
12/10/02 22:32:12, TCP port probe, 194-185-170-155.f4.ngi.it, 9
12/10/02 20:11:11, TCP port probe, 194-185-220-30.f4.ngi.it, 1
12/10/02 22:01:58, HTTP port probe, 202.152.37.58, 2
12/10/02 20:11:11, TCP port probe, 213-140-6-139.fastres.net, 2
12/10/02 22:31:10, TCP port probe, 213-140-6-139.fastres.net, 8
12/10/02 21:06:53, TCP port probe, 213-156-35-135.fastres.net, 1
12/10/02 20:11:14, TCP port probe, 213-156-50-138.fastres.net, 1
12/10/02 22:56:13, TCP port probe, 213-156-50-139.fastres.net, 12
12/10/02 20:11:11, TCP port probe, 213-156-54-139.fastres.net, 3
12/10/02 21:06:54, TCP port probe, 213-156-54-139.fastres.net, 6
12/10/02 20:10:42, TCP port probe, 213-156-57-138.fastres.net, 1
12/10/02 22:49:23, TCP port probe, 213-156-57-138.fastres.net, 9
12/10/02 20:10:43, TCP port probe, 213-156-58-135.fastres.net, 3
12/10/02 21:22:19, TCP port probe, 213.174.175.134, 3
12/10/02 21:22:23, TCP port probe, 62.123.127.210, 9
12/10/02 22:17:56, TCP port probe, 62.98.217.216, 36
12/10/02 21:22:28, TCP port probe, 62.98.218.43, 9
12/10/02 21:43:28, TCP port probe, ALLEGRETTI, 9
12/10/02 21:41:27, TCP port probe, B214.pesaro.com, 3
12/10/02 21:06:55, TCP port probe, D5R4F7, 3
12/10/02 21:33:55, TCP port probe, DAVIDE, 3
12/10/02 21:45:42, TCP port probe, DAVIDE, 9
12/10/02 22:46:49, Proxy port probe, DEMON, 3
12/10/02 23:30:13, HTTP port probe, ECOFE, 1
12/10/02 22:05:43, TCP port probe, FEDERICO, 12
12/10/02 21:06:54, TCP port probe, FRANCESCOXP, 3
12/10/02 20:11:12, TCP port probe, G8Y9C0, 1
12/10/02 21:06:53, TCP port probe, GHA-89D4T54DQ4X, 1
12/10/02 22:54:58, NetBIOS port probe, GIUSEPPE, 4
12/10/02 22:31:14, Proxy port probe, HACKER, 2
12/10/02 21:41:57, TCP port probe, K4J2G1, 9
12/10/02 21:25:10, TCP port probe, K8C9B3, 12
12/10/02 21:18:36, TCP port probe, LAGOON, 12
12/10/02 22:51:19, Proxy port probe, LAMBRETTA-ABART, 2
12/10/02 20:11:15, TCP port probe, M1T5M4, 4
12/10/02 19:02:23, NetBus port probe, MORPHEUS, 3
12/10/02 22:38:20, TCP port probe, NETVISTA, 3
12/10/02 21:06:54, TCP port probe, PEELZ-0001, 3
12/10/02 18:34:19, HTTP port probe, PENTIUM3, 3
12/10/02 18:35:52, HTTP port probe, PENTIUM3, 9
12/10/02 18:43:01, DNS UDP port probe, PENTIUM3, 262
12/10/02 18:43:05, DNS UDP port probe, PENTIUM3, 254
12/10/02 19:02:04, DNS UDP port probe, PENTIUM3, 54
12/10/02 19:02:43, DNS UDP port probe, PENTIUM3, 58
12/10/02 20:48:23, DNS UDP port probe, PENTIUM3, 9
12/10/02 20:48:27, DNS UDP port probe, PENTIUM3, 9
12/10/02 20:49:39, DNS UDP port probe, PENTIUM3, 3
12/10/02 20:49:39, DNS UDP port probe, PENTIUM3, 4
12/10/02 21:15:41, DNS UDP port probe, PENTIUM3, 22
12/10/02 21:15:45, DNS UDP port probe, PENTIUM3, 21
12/10/02 20:11:15, TCP port probe, RECEPTION, 3
12/10/02 21:41:49, TCP port probe, RICCARDO, 9
12/10/02 20:11:14, TCP port probe, STRONZO, 4
12/10/02 21:06:56, TCP port probe, STRONZO, 8
12/10/02 22:59:19, TCP port probe, adsl-180-38.37-151.net24.it, 16
12/10/02 21:06:55, TCP port probe, adsl-47-111.37-151.net24.it, 4
12/10/02 23:38:48, TCP port probe, adsl-59-46.37-151.net24.it, 9
12/10/02 18:43:54, TCP port probe, adsl-64-175-44-254.dsl.pltn13.pacbell.net, 96
12/10/02 18:51:53, TCP port probe, adsl-64-175-44-254.dsl.pltn13.pacbell.net, 8
12/10/02 19:01:32, TCP port probe, adsl-64-175-44-254.dsl.pltn13.pacbell.net, 6
12/10/02 19:03:37, TCP port probe, adsl-64-175-44-254.dsl.pltn13.pacbell.net, 3
12/10/02 21:56:25, TCP port probe, adsl-99-35.37-151.net24.it, 9
12/10/02 22:43:45, TCP port probe, fdial-up-to1-89.noicomnet.it, 9
12/10/02 22:10:41, TCP port probe, h255-83-124.BG1.albacom.net, 9
12/10/02 18:44:56, Proxy port probe, host129-208.pool80117.interbusiness.it, 3
12/10/02 23:35:28, TCP port probe, host145-102.pool80116.interbusiness.it, 21
12/10/02 21:06:53, TCP port probe, host167-118.pool80117.interbusiness.it, 1
12/10/02 22:27:51, TCP port probe, host185-82.pool80180.interbusiness.it, 9
12/10/02 22:39:25, TCP port probe, host3-220.pool80117.interbusiness.it, 9
12/10/02 22:04:20, TCP port probe, host30-4.pool80116.interbusiness.it, 9
12/10/02 23:42:03, TCP port probe, host39-43.pool212171.interbusiness.it, 9
12/10/02 22:32:56, TCP port probe, host40-219.pool80181.interbusiness.it, 6
12/10/02 22:54:56, Proxy port probe, host8-21.pool80117.interbusiness.it, 2
12/10/02 21:06:52, TCP port probe, host81-231.pool80116.interbusiness.it, 2
12/10/02 22:45:57, SubSeven port probe, host93-169.pool80104.interbusiness.it, 2
12/10/02 21:49:49, TCP port probe, host95-112.pool80116.interbusiness.it, 9
12/10/02 20:11:13, TCP port probe, p118.palmanova.adriacom.it, 3
12/10/02 22:00:20, TCP port probe, ppp-104-86.29-151.libero.it, 3
12/10/02 18:56:15, NetBus port probe, ppp-106-147.26-151.libero.it, 3
12/10/02 23:25:57, HTTP port probe, ppp-125-52.27-151.libero.it, 3
12/10/02 22:58:51, TCP port probe, ppp-174-42.27-151.libero.it, 19
12/10/02 22:08:50, TCP port probe, ppp-176-8.29-151.libero.it, 12
12/10/02 18:51:36, SOCKS port probe, ppp-18-31.27-151.libero.it, 1
12/10/02 21:06:55, TCP port probe, ppp-217-133-203-107.dialup.tiscali.it, 8
12/10/02 21:22:45, TCP port probe, ppp-217-133-203-60.dialup.tiscali.it, 9
12/10/02 23:48:55, TCP port probe, ppp-221-5.28-151.libero.it, 9
12/10/02 22:36:26, TCP port probe, ppp-23.milano-6.telnetwork.it, 9
12/10/02 21:06:55, TCP port probe, ppp-231-138.27-151.libero.it, 2
12/10/02 21:37:09, TCP port probe, ppp-250-132.26-151.libero.it, 9
12/10/02 21:50:38, TCP port probe, ppp-39-182.24-151.libero.it, 9
12/10/02 21:43:51, TCP port probe, r-ba025-4a20.tin.it, 9
12/10/02 22:15:04, TCP port probe, r-bo060-4a235.tin.it, 9
12/10/02 20:15:53, TCP port probe, r-pa048-5a125.tin.it, 3
12/10/02 21:47:06, TCP port probe, r-pd054-5a42.tin.it, 9
12/10/02 20:10:43, TCP port probe, socks1.fastwebnet.it, 1
12/10/02 23:04:16, TCP port probe, socks1.fastwebnet.it, 12
12/10/02 23:44:51, TCP port probe, socks1.fastwebnet.it, 46
12/10/02 21:26:24, TCP port probe, socks2.fastwebnet.it, 35
12/10/02 23:52:52, TCP port probe, socks4.fastwebnet.it, 122
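The export above is long and hard to read by eye. As an added example (not the poster's code and not a BlackICE tool), here is a small Python script that parses the "Time, Event, Intruder, Count" rows BlackICE Defender writes, totals the probes per event type and per source, and picks out the sources worth a closer look: the one that probed NetBIOS (the service a worm that shares your disks uses to find other machines) and the ones that generated an unusually high number of probes. The sample rows are copied from the post's own log; the date format (month/day/year), the "0.0.0.0" marker rows for BlackICE's own start/stop events, and the threshold of 100 probes are assumptions.

```python
"""Summarise a BlackICE Defender event export like the one pasted in the post.

Added example for this thread, not the poster's code and not BlackICE's own
tooling. The format assumed is the one visible in the post: a header line
"Time, Event, Intruder, Count" followed by comma-separated rows.
"""
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Rows copied from the post's log excerpt (a subset of the full export).
SAMPLE_LOG = """Time, Event, Intruder, Count
12/10/02 19:47:20, BlackICE detection stopped, 0.0.0.0, 1
12/10/02 20:07:11, BlackICE detection started, 0.0.0.0, 1
12/10/02 18:37:45, TCP port probe, 193-152-161-219.uc.nombres.ttd.es, 6
12/10/02 22:31:10, TCP port probe, 213-140-6-139.fastres.net, 8
12/10/02 20:11:11, TCP port probe, 213-140-6-139.fastres.net, 2
12/10/02 22:54:58, NetBIOS port probe, GIUSEPPE, 4
12/10/02 22:46:49, Proxy port probe, DEMON, 3
12/10/02 18:43:01, DNS UDP port probe, PENTIUM3, 262
12/10/02 18:43:05, DNS UDP port probe, PENTIUM3, 254
12/10/02 22:45:57, SubSeven port probe, host93-169.pool80104.interbusiness.it, 2
12/10/02 23:52:52, TCP port probe, socks4.fastwebnet.it, 122
"""

# Assumption: BlackICE logs its own start/stop markers with this intruder value.
SELF_MARKER = "0.0.0.0"
# Probe type relevant to a worm that spreads through shared drives.
SHARE_WORM_PROBES = {"NetBIOS port probe"}


class Event(NamedTuple):
    time: datetime
    event: str
    intruder: str
    count: int


def parse_blackice(text: str) -> List[Event]:
    """Parse the export; malformed rows are skipped so one bad line
    does not abort the whole triage."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("time,"):
            continue  # blank line or the header
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        time_s, event, intruder, count_s = parts
        try:
            # Assumption: BlackICE writes month/day/year (12/10/02 = 10 Dec 2002,
            # matching the post's date).
            when = datetime.strptime(time_s, "%m/%d/%y %H:%M:%S")
            count = int(count_s)
        except ValueError:
            continue
        events.append(Event(when, event, intruder, count))
    return events


def summarise(events: List[Event]) -> Tuple[Counter, Counter]:
    """Total probe counts per event type and per source, ignoring
    BlackICE's own start/stop rows."""
    by_event: Counter = Counter()
    by_intruder: Counter = Counter()
    for e in events:
        if e.intruder == SELF_MARKER:
            continue
        by_event[e.event] += e.count
        by_intruder[e.intruder] += e.count
    return by_event, by_intruder


def source_kind(intruder: str) -> str:
    """Classify how BlackICE identified the source: a bare IP, a DNS host
    name, or a bare machine name (no dots), which is what you see when
    only a Windows machine name could be resolved for the source."""
    labels = intruder.split(".")
    if len(labels) == 4 and all(p.isdigit() for p in labels):
        return "ip"
    return "dns" if "." in intruder else "name"


def triage(events: List[Event], noisy_threshold: int = 100) -> Dict[str, List[str]]:
    """Map each source worth a closer look to the reasons it was flagged:
    it probed NetBIOS, and/or it sent more than noisy_threshold probes."""
    reasons: Dict[str, List[str]] = {}
    _, totals = summarise(events)
    for e in events:
        if e.intruder != SELF_MARKER and e.event in SHARE_WORM_PROBES:
            flags = reasons.setdefault(e.intruder, [])
            if "netbios" not in flags:
                flags.append("netbios")
    for host, total in totals.items():
        if total > noisy_threshold:
            reasons.setdefault(host, []).append(f"{total} probes")
    return reasons


if __name__ == "__main__":
    evs = parse_blackice(SAMPLE_LOG)
    by_event, by_intruder = summarise(evs)
    print("probes per event type:", dict(by_event))
    print("probes per source:", dict(by_intruder))
    for host, why in triage(evs).items():
        print(f"look closer at {host} ({source_kind(host)}): {', '.join(why)}")
```

Run against the full export (paste it into SAMPLE_LOG or read it from the file BlackICE writes) to see which few sources account for most of the noise; the many unrelated scanners with a single-digit count are background Internet noise, while a NetBIOS probe from a machine on your own LAN is the one to follow up with the Symantec removal instructions linked above.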