Q: security ( Answered,   3 Comments )
Question  
Subject: security
Category: Computers
Asked by: copierman-ga
List Price: $5.00
Posted: 14 Jan 2003 01:49 PST
Expires: 13 Feb 2003 01:49 PST
Question ID: 142423
A company called UUNET TECHNOLOGIES, INC hacked into my computer using
a program called BACKDOOR/SUBSEVEN TROJAN HORSE, IP address
63.34.210.152. Who are they, and what do they want?
Answer  
Subject: Re: security
Answered By: sycophant-ga on 26 Jan 2003 03:47 PST
 
Hi Copierman, 

Based on the details in your question I suspect I can safely assume
that you are running a personal firewall of some type, and it is this
firewall that has collected this information.

The simple fact that you have this data is probably a pretty good
indicator that you were not in fact hacked; instead there was simply
an attempt to make a connection to you from the IP address included.
Your firewall detected this attempt and logged it. It also
did a rudimentary search for details of that IP address, which is
where the UUNET reference came from.

The IP address in question is a dynamically allocated IP address to
dial-up internet customers in Melbourne, Australia. Your firewall
simply supplied you with information about the company that owns the
rights to that particular block of internet address space.

I imagine, if you continue running this firewall software, you will
probably discover that you receive quite a lot of these simple
connection attempts, all of which will be similarly logged. These are
nothing to worry about in terms of your computer's security, as this
is exactly why you have the firewall: it should prevent these attempts
from actually connecting to your computer.

The SubSeven trojan mentioned is a type of virus; it would have to
exist on your computer already for it to cause any problems to you. If
you run regularly updated anti-virus software you should be able to
avoid being infected in the first place. If you had been infected and
the connection had not been stopped by your firewall, it is possible
that someone on a remote computer may have been able to control and
manipulate your computer.

As per the information in simplyinsane80's comment below, UUNET is
owned by WorldCom and provides internet services in many countries
worldwide. You can visit the Australian WorldCom page at the following
link:
http://www.worldcom.com/au/

The type of connection you experienced is forbidden by WorldCom's
acceptable use policy with the following condition:

“SYSTEM AND NETWORK SECURITY
Violations of system or network security are prohibited, and may
result in criminal and civil liability. UUNET will investigate
incidents involving such violations and will involve and will
co-operate with law enforcement if a criminal violation is suspected.
Examples of system or network security violations include, without
limitation, the following:

   1. Unauthorised access to or use of data, systems or networks,
including any attempt to probe, scan or test the vulnerability of a
system or network or to breach security or authentication measures
without express authorisation of the owner of the system or network;”

(http://www.worldcom.com/au/aup/)

You can make a complaint by emailing details (i.e. a log from your
firewall, including timestamp and IP address) to abuse@wcom.com.au

You can find additional information about the SubSeven trojan at the
Symantec Security Response website:
http://www.symantec.com/avcenter/venc/data/backdoor.subseven.html

I hope this clears everything up for you. You have certainly taken the
right steps by running a firewall application, and hopefully you have
up-to-date anti-virus protection too. It's up to you whether you
choose to complain about the attacks your firewall logs; however, for
the most part, if they are being logged, they are not working, so you
are generally safe.

Regards,
sycophant-ga
Comments  
Subject: Re: security
From: simplyinsane80-ga on 14 Jan 2003 03:10 PST
 
UUNET is owned by WorldCom and is an internet provider. The IP was
assigned to a user of their service. To report this, contact them at
Abuse Phone: +1-800-900-0241
-or-
Abuse Email: abuse-mail@wcom.com
Subject: Re: security
From: helpbot_57-ga on 22 Jan 2003 07:05 PST
 
Backdoor.SubSeven is a Trojan horse, similar to Netbus or Back
Orifice. It enables unauthorized people to access your computer over
the Internet without your knowledge. When the server portion of the
program is running on a computer, it is possible for the person who is
accessing the computer remotely to do the following:

Set it up as an FTP server
Browse files on that system
Take screen shots
Capture real-time screen information
Open and close programs
Edit information in currently running programs
Show pop-up messages and dialog boxes
Hang up a dial-up connection
Restart a computer remotely
Open the CD-ROM
Edit registry information
-------------------------------------

When it is run, BackDoor.Subseven makes the following changes to the
system:
Drops (adds) a copy of itself and a randomly named executable file,
such as Eutccec.exe, to the \Windows or \Windows\System folder.
Adds the dropped file to the load= and run= lines of the Win.ini file.
Adds the dropped file name to the shell=explorer.exe line of the
System.ini file.
Creates the WinLoader value and sets it equal to the dropped file name
in the following registry keys.
Modifies the (Default) value from "%1" %* to, for example, eutccec.exe
"%1" %* in the following registry keys:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

----------------------------------

To remove BackDoor.Subseven, follow these steps:

NOTE: These removal instructions are for versions of BackDoor.Subseven
that are currently being seen by Symantec Technical Support virus
removal technicians. The original version of BackDoor.Subseven did not
have the random file name behavior, and made different changes to the
system. Although Symantec Technical Support has not received reports
in some time for the original version, with its somewhat different
behavior it is still possible that it exists, and that unprotected
computers could be infected by it. If the information in this document
does not fit your situation, then see the section at the end of the
Removal Instructions section titled Removal instructions for older
versions of Backdoor.Subseven.

To remove Backdoor.Subseven do the following:

Run LiveUpdate to make sure that you have the most recent definitions.
Run a full system scan, making sure that NAV is set to scan all files.
Make a copy of the Regedit.exe file with the .com extension (if
necessary).
Remove the references added to the Win.ini and System.ini files.
(Windows 95/98/Me computers).
Remove the references added to the Windows registry.

-------------------------------------------------

Removal instructions for older versions of Backdoor.SubSeven

CAUTION: Follow these instructions only if the instructions in the
previous sections did not remove the Trojan.

To remove this Trojan, you need to do the following:
1. Restart the computer in Safe mode.
2. Remove the following registry key that was placed there by the
Trojan:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemTrayIcon

3. Restart in MS-DOS mode, and then delete the
\Windows\Systemtrayicon.exe file.
4. Restart Windows, and then rename the Watching.dll file.

The details for each of these steps follow:

Restart the computer in Safe mode
Before you edit the registry, you need to restart Windows in Safe
mode. This can take several minutes.

NOTE: In Safe mode, Windows uses default settings: VGA monitor, no
network, Microsoft mouse driver, and the minimum device drivers
required to start Windows. You will not have access to CD-ROM drives,
printers, or other devices.

Windows 95:
1. Exit all programs.
2. Click Start, and then click Shut Down. The Shut Down Windows dialog
box appears.
3. Click Shut Down, and then click OK.
4. Click Yes to confirm the shut down.
5. Turn off the computer (if necessary) and wait 30 seconds.

NOTE: You must turn off the power to remove the virus from memory. Do
not use the Reset button.

6. Turn on the computer.
7. When "Starting Windows 95..." appears on the screen, press F8. The
Windows 95 Startup Menu appears.
8. Press the number that corresponds to Safe mode, and then press
Enter. Windows will start in Safe mode.

Windows 98:
1. Click Start, and then click Run.
2. Type msconfig and then click OK. The System Configuration Utility
dialog box appears.
3. Click Advanced on the General tab.
4. Check Enable Startup Menu, click OK, and then click OK again.
5. Exit all programs.
6. Click Start, and then click Shut Down. The Shut Down Windows dialog
box appears.
7. Click Shut Down, and then click OK.
8. Click Yes to confirm the shut down.
9. Turn off the computer and wait 30 seconds.

NOTE: You must turn off the power to remove the virus from memory. Do
not use the Reset button.

10. Turn on the computer, and wait for the Windows 98 Startup menu.
11. Press the number that corresponds to Safe mode, and then press
Enter. Windows will start in Safe mode.

Edit the registry
Follow these steps to remove the entry that the Trojan placed in the
registry:

CAUTION: We strongly recommend that you back up the system registry
before making any changes. Incorrect changes to the registry could
result in permanent data loss or corrupted files. Please make sure you
modify only the keys specified. Please see the document How to Back Up
the Windows 95/98/NT Registry before proceeding.

1. Click Start, and then click Run.
2. Type regedit and then press Enter.
3. Navigate to and select the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, select SystemTrayIcon, press Delete, and then
click Yes to confirm.

------------------------------------------------------
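The persistence changes listed in the comment above (Win.ini load=/run= lines, the System.ini shell= line, the WinLoader Run value and the hijacked exefile open command) can be checked mechanically. This is an added example, not code from the original page or from Symantec; the INI text and registry snapshot are constructed samples modelled on the comment's description, and the file name eutccec.exe is the example name the comment gives.

```python
# Constructed samples modelled on the changes described in the comment;
# these are not copied from a real infected machine.
WIN_INI = "[windows]\nload=eutccec.exe\nrun=eutccec.exe\nNullPort=None\n"
SYSTEM_INI = "[boot]\nshell=explorer.exe eutccec.exe\n"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
REGISTRY = {  # constructed snapshot: {key: {value_name: data}}
    RUN_KEY: {"WinLoader": "eutccec.exe"},
    EXEFILE_KEY: {"(Default)": 'eutccec.exe "%1" %*'},
}

def ini_value(text, section, key):
    """Return the value of key inside [section] of INI-style text, or ''."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return ""

def check_ini(win_ini, system_ini):
    """Flag Win.ini load=/run= programs and extra programs on System.ini shell=."""
    findings = []
    for key in ("load", "run"):
        val = ini_value(win_ini, "windows", key)
        if val:  # on a clean system these lines are normally empty
            findings.append(f"win.ini {key}={val}")
    shell = ini_value(system_ini, "boot", "shell").split()
    if shell and shell[0].lower() == "explorer.exe" and len(shell) > 1:
        findings.append("system.ini shell= has extra program: " + " ".join(shell[1:]))
    return findings

def check_registry(reg):
    """Flag the WinLoader Run value and a modified exefile open command."""
    reg = {k.lower(): v for k, v in reg.items()}  # registry keys are case-insensitive
    findings = []
    run = reg.get(RUN_KEY.lower(), {})
    if "WinLoader" in run:
        findings.append("Run\\WinLoader=" + run["WinLoader"])
    cmd = reg.get(EXEFILE_KEY.lower(), {}).get("(Default)", "")
    if cmd and not cmd.strip().startswith('"%1"'):  # clean default is "%1" %*
        findings.append("exefile open command=" + cmd)
    return findings

def find_subseven_indicators(win_ini, system_ini, reg):
    """Combine both checks; an empty list means none of the listed changes were found."""
    return check_ini(win_ini, system_ini) + check_registry(reg)
```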
Subject: Re: security
From: helpbot_57-ga on 22 Jan 2003 07:25 PST
 
As for UUNET by WorldCom, that is the service they were using to hack
into your computer. My previous comment shows how to remove
Backdoor.SubSeven.

Since you have the IP address of the person, report them by filling out
this form:

http://www.worldcom.com/us/contact/support.xml
