public inbox for cygwin@cygwin.com
* How did I get it?
@ 2002-12-13 21:26 Jack Rose
  2002-12-14  5:38 ` Max Bowsher
  0 siblings, 1 reply; 7+ messages in thread
From: Jack Rose @ 2002-12-13 21:26 UTC (permalink / raw)
  To: cygwin

Could someone tell me how the CYGWIN1.DLL ended up on my computer. It seems to
have just appeared at 3:09am yesterday and I know I wasn't working at that
time.

Could this have been uploaded to my machine for malicious purposes? If so,
what else should I be looking for, besides a better firewall and virus
detector?

Any information would be appreciated...

Thanks

Jack Rose
jjrose@columbus.rr.com


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Bug reporting:         http://cygwin.com/bugs.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


* Re: How did I get it?
  2002-12-13 21:26 How did I get it? Jack Rose
@ 2002-12-14  5:38 ` Max Bowsher
  2002-12-14  5:49   ` Michael Schaap
  2002-12-14  9:31   ` Jack Rose
  0 siblings, 2 replies; 7+ messages in thread
From: Max Bowsher @ 2002-12-14  5:38 UTC (permalink / raw)
  To: Jack Rose, cygwin

Jack Rose <jrose22@columbus.rr.com> wrote:

> Could someone tell me how the CYGWIN1.DLL ended up on my computer. It
> seems to have just appeared at 3:09am yesterday and I know I wasn't
> working at that time.
>
> Could this have been uploaded to my machine for malicious purposes?
> If so, what else should I be looking for, besides a better firewall
> and virus detector?
>
> Any information would be appreciated...

Well, someone (apparently not you) installed Cygwin, or a program which uses
a cut down Cygwin install to function.

What is the full path to Cygwin1.dll? If it is in Windows/System(32) or the
equivalent, look in the registry at:

HKLM\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/
(NB: the value name is a single forward slash.),
and the corresponding path in HKCU.

The value of that will provide a hint.

Max.
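
The check described in the message above, as an added PowerShell example that is not part of the original thread: it reads the `mounts v2` key in both HKLM and HKCU and lists every `cygwin1.dll` under the Windows directory with its timestamps. The function names are hypothetical, and treating a copy outside every registered mount path as the one to look at first is this example's assumption, not a Cygwin rule.

```powershell
# Added read-only triage example. The value layout under "mounts v2" is not
# assumed: string values on the key and on each of its subkeys are collected.
$MountsPath = 'SOFTWARE\Cygnus Solutions\Cygwin\mounts v2'

function Get-CygwinMountHint {   # hypothetical helper name
    $seen = @{}
    foreach ($hive in 'LocalMachine', 'CurrentUser') {
        foreach ($view in 'Registry64', 'Registry32') {
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                [Microsoft.Win32.RegistryHive]$hive, [Microsoft.Win32.RegistryView]$view)
            $key = $base.OpenSubKey($MountsPath)
            if ($null -eq $key) { continue }
            # .NET treats "/" as an ordinary character in key and value names.
            $nodes = @($key) + @($key.GetSubKeyNames() | ForEach-Object { $key.OpenSubKey($_) })
            foreach ($node in $nodes) {
                foreach ($name in $node.GetValueNames()) {
                    $data = $node.GetValue($name)
                    $id   = "$($node.Name)|$name|$data"
                    if ($data -is [string] -and $data -and -not $seen.ContainsKey($id)) {
                        $seen[$id] = $true
                        [pscustomobject]@{ Key = $node.Name; Value = $name; Data = $data }
                    }
                }
            }
        }
    }
}

function Find-CygwinDll {        # hypothetical helper name
    param([string[]]$SearchRoot = @($env:SystemRoot))
    $mounts = @(Get-CygwinMountHint | ForEach-Object { $_.Data.TrimEnd('\') + '\' })
    Get-ChildItem -Path $SearchRoot -Filter 'cygwin1.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file  = $_
            $known = @($mounts | Where-Object {
                $file.FullName.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            [pscustomobject]@{
                Path                 = $file.FullName
                Created              = $file.CreationTime
                Modified             = $file.LastWriteTime
                UnderRegisteredMount = ($known.Count -gt 0)   # assumption-based flag
            }
        }
}

Get-CygwinMountHint | Format-Table -AutoSize
Find-CygwinDll      | Format-Table -AutoSize
```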



* Re: How did I get it?
  2002-12-14  5:38 ` Max Bowsher
@ 2002-12-14  5:49   ` Michael Schaap
  2002-12-14 11:34     ` Randall R Schulz
                       ` (2 more replies)
  2002-12-14  9:31   ` Jack Rose
  1 sibling, 3 replies; 7+ messages in thread
From: Michael Schaap @ 2002-12-14  5:49 UTC (permalink / raw)
  To: Jack Rose; +Cc: cygwin

On 14-Dec-2002 10:11, Max Bowsher wrote:
> Jack Rose <jrose22@columbus.rr.com> wrote:
> 
> 
>>Could someone tell me how the CYGWIN1.DLL ended up on my computer. It
>>seems to have just appeared at 3:09am yesterday and I know I wasn't
>>working at that time.
>>
>>Could this have been uploaded to my machine for malicious purposes?
>>If so, what else should I be looking for, besides a better firewall
>>and virus detector?
>>
>>Any information would be appreciated...
> 
> 
> Well, someone (apparently not you) installed Cygwin, or a program which uses
> a cut down Cygwin install to function.
> 

And this could indeed be a virus or worm.  There is at least one that 
includes cygwin1.dll:

http://vil.mcafee.com/dispVirus.asp?virus_k=99529

I'd certainly check your PC carefully for viruses, if I were you.

  - Michael



* Re: SPAM - Re: How did I get it?
  2002-12-14  5:38 ` Max Bowsher
  2002-12-14  5:49   ` Michael Schaap
@ 2002-12-14  9:31   ` Jack Rose
  1 sibling, 0 replies; 7+ messages in thread
From: Jack Rose @ 2002-12-14  9:31 UTC (permalink / raw)
  To: Max Bowsher, cygwin

Thanks for the response Max.

I tried running regedit. It pops up and then immediately closes itself, the
same thing happens when I attempt to run msconfig.

I found cygwin1.dll in the \windows directory. I also found a new exe -
shiver.exe. A search of the web indicates that this is a trojan.



* Re: How did I get it?
  2002-12-14  5:49   ` Michael Schaap
@ 2002-12-14 11:34     ` Randall R Schulz
  2002-12-16  5:14     ` Robert Collins
  2002-12-19 17:47     ` SPAM - " Jack Rose
  2 siblings, 0 replies; 7+ messages in thread
From: Randall R Schulz @ 2002-12-14 11:34 UTC (permalink / raw)
  To: cygwin

Gentlemen,

This is a little disappointing... The "MovieWorld" virus described at the 
McAfee site (<http://vil.mcafee.com/dispVirus.asp?virus_k=99529>) appears 
to be unknown to Norton AntiVirus. I tried searching the NAV virus 
encyclopedia using both "MovieWorld," "Cygwin," "Cygwin1.dll" and "SUA.BAT" 
(a file listed as essential to the MovieWorld Trojan on the McAfee site) to 
no avail. This despite the date on the McAfee listing being June 4, 2002.

So, it appears those who use Norton AntiVirus will not detect this Trojan.

Randall Schulz
Mountain View, CA USA



* Re: How did I get it?
  2002-12-14  5:49   ` Michael Schaap
  2002-12-14 11:34     ` Randall R Schulz
@ 2002-12-16  5:14     ` Robert Collins
  2002-12-19 17:47     ` SPAM - " Jack Rose
  2 siblings, 0 replies; 7+ messages in thread
From: Robert Collins @ 2002-12-16  5:14 UTC (permalink / raw)
  To: Michael Schaap; +Cc: cygwin


On Sat, 2002-12-14 at 23:19, Michael Schaap wrote:


> 
> And this could indeed be a virus or worm.  There is at least one that 
> includes cygwin1.dll:
> 
> http://vil.mcafee.com/dispVirus.asp?virus_k=99529
> 
> I'd certainly check your PC carefully for viruses, if I were you.

I wonder if they included the source :}.

Rob
-- 
---
GPG key available at: http://users.bigpond.net.au/robertc/keys.txt.
---


* Re: SPAM - Re: How did I get it?
  2002-12-14  5:49   ` Michael Schaap
  2002-12-14 11:34     ` Randall R Schulz
  2002-12-16  5:14     ` Robert Collins
@ 2002-12-19 17:47     ` Jack Rose
  2 siblings, 0 replies; 7+ messages in thread
From: Jack Rose @ 2002-12-19 17:47 UTC (permalink / raw)
  To: Michael Schaap; +Cc: cygwin

I'd like to thank all who responded to my query. The cygwin1.dll was indeed
used maliciously. I dumped my McAfee and purchased Norton System Works 2003.
It took me a total of 3 days to get my infected machine back up and running.
Most of the difficulty came from the fact that the "worm" and its
associated programs remapped a lot of the registry.

Norton identified 3 worms with the main culprit being Backdoor.SubSeven22.
Two of the exe's being used were wlhsnrbw.exe and avill.exe.

Again - many thanks!

Jack Rose
