please help i think i have a virus
jen379
09-07-2002, 03:11 PM
Does anyone know what this IRC-Worm.Bnc.A is? I have the free AVG anti-virus and I hardly know anything about this stuff. I have done two online scans and both of them turned up 3 corrupted files and said it was Trojan horse IRC backdoor .flood, but when it listed the files it said it was infected with IRC-Worm.Bnc.A, so I am so confused. This is what showed up when I did the online scan with BitDefender. Oh please help me, just give me a clue what to do now. AVG said it was "healing" it but then it said it was uncleanable. Can I just delete them?
Memory ok
Master Boot Record 80 ok (DOS, WinNT4.0, Win95)
Partition Boot 1 (primary) (active) ok (Windows NT 2000 NTFS)
Partition Boot 2 ok (Win95 OSR2, Win98 FAT32)
Boot Sector of Drive A: ok (Read Error)
C:\WINNT\system32\NT32.INI infected: IRC-Worm.Bnc.A
C:\WINNT\system32\ocxdll.exe/NT32.ini infected: IRC-Worm.Bnc.A
C:\WINNT\system32\ocxdll.exe/(ZIP Sfx)/NT32.ini infected: IRC-Worm.Bnc.A
Mitch Hatfield
09-07-2002, 05:51 PM
As long you act promptly and correctly, things may not be too bad.
There are people here better qualified than me to advise, but first PLEASE read what is set out in the link below:
http://www.cyberangels.org/virus/rid.html
It looks as if your computer has been infected by the worm/virus which you have identified in your posting AND YOU MUST GET RID OF IT, ASAP!
Budfred
09-07-2002, 06:04 PM
How you deal with it depends a lot on what you have on your harddrive. If you have valuable and unreplaceable files, you will want to try to clean it out if at all possible. If you don't have any files that you absolutely have to keep, you may want to opt to reformat your HD, possibly even at the most basic level and reinstall your programs. Either way, keep in mind that any files that are writable and that have come in contact with your computer lately are likely to be infected and will reestablish the infection if you try to use them without a great deal of protection before you reload them. Most of the time, it is best to just toss any floppies, CDRs, CDRWs or other writable media unless you absolutely have to keep those files.
Don't panic. Worms, trojans, virii, are all extremely irritating, but generally the damage done is limited and manageable. You just need to treat it like an infection you don't want to spread.
Good luck,
Budfred
Mitch Hatfield
09-07-2002, 06:18 PM
Jan
This critter is what you've got!
IRC_BNC.A
This is a File Infector virus. It is detected by the latest Trend Microsystems pattern file.
Am very surprised that AVG missed it!
Mitch Hatfield
09-07-2002, 06:55 PM
Hi Jen
Here's some more info which u might find useful :)
File infecting viruses
File infecting viruses infect executable programs (generally, files that have extensions of .com or .exe). Most such viruses simply try to replicate and spread by infecting other host programs - but some inadvertently destroy the program they infect by overwriting some of the original code. There is a minority of these viruses that are very destructive and attempt to format the hard drive at a pre-determined time or perform some other malicious action. In many cases, a file-infecting virus can be successfully removed from the infected file. If the virus has overwritten part of the program's code, the original file will be unrecoverable.
Paul Komski
09-07-2002, 07:25 PM
If AVG found malware and couldn't "heal" it then it probably quarantined the files in its vault. First run AVG (not the Control Center) and then from the Program menu select AVG Virus Vault and see if these files are in there. If they are then you are quite safe.
To totally remove them off your computer, Right Click on them and choose Delete. Just make a note of their names so that you can replace any if they are system files etc. You can leave them in the vault until you are happy that your pc is working properly and always delete them later.
Just run another complete and up-to-date scan (of all files) to make sure you are clean. If you want to confirm this use another antivirus and an adaware program and an anti-trojan. See THIS PCG THREAD (http://www.pcguide.com/vb/showthread.php?s=&threadid=15179) for some links.
Mitch Hatfield
09-07-2002, 07:39 PM
And there was I thinking that what we need now is for Paul Komski to come along and get involved in this thread!
Right on Paul, right on :D
jen379
09-07-2002, 07:59 PM
OK, I did check the vault, there's one file there, so I ran it again and it is telling me that it is still infected by Trojan horse IRC/backdoor flood?????
Paul Komski
09-07-2002, 08:30 PM
It's hard to find any really good definitions anywhere. The nearest I could find so far was HERE (http://www.trendmicro.com/vinfo/virusencyclo/defaul5.asp?TROJ_BNCDROPPR.A).
Now according to Sophos "Trojans infect computers, but do not infect files. They can simply be identified and deleted. However, they often make registry or startup file changes so that they are executed on boot-up." Admittedly that is at variance to what was posted earlier.
Since Trend seem to have this in their dat files, I would go to HouseCall Free OnLine Scanner (http://housecall.antivirus.com/) and run the scan from there. Be prepared to wait while it sets it up for the first time.
All the indications I have come across are that this is a low threat piece of malware, which harms by flooding irc channels with messages. The files can probably just be safely deleted; that is if AVG will let you even access the files, while it still has its Resident Shield running.
Suggest that you see how you get on with HouseCall and post back. BTW, which file was in the AVG vault??
Afterthought: Since all the files are in the NT folder, you could just run a Custom Test from AVG (Tests Menu) and browse to the NT folder and click the Start Button on the bottom; this will speed things up; and perhaps it is only stripping the files one by one.
Paul Komski
09-07-2002, 09:47 PM
Further research. Symantec's nearest definitions, Backdoor.IRC.Flood (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.flood.html), are not identical but indicate a very similar pattern. I think this is a Win2000 hacking vulnerability as described (from the French) HERE (http://translate.google.com/translate?hl=en&sl=fr&u=http://www.communautech.com/actualites/&prev=/search%3Fq%3D%2522nt32.ini%2522%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3Dutf-8)
Hacking on Windows 2000 (05/09)
Microsoft's PPS (Product Support Services) Security Team has just published an alert reporting a strong resurgence of "hacking" activity, targeting Windows 2000 systems in particular.
According to this document, the characteristic symptoms of these attacks would be:
- the presence of Trojan horses, such as Backdoor.IRC.Flood and its variants
- modification of the security policy of the domain controllers, whose effects can include:
* reactivation of previously disabled guest accounts
* modification of permissions on the servers or in Active Directory
* inability to log on to the domain from any of the workstations
* inability to open the Active Directory snap-ins in the MMC
* numerous failed logon attempts in the event logs
In addition, the following files were also found on the systems compromised by these attacks:
- Gg.bat
Gg.bat tries to connect to other servers as "Administrator", "Admin", or "Root". It then looks for Flashfxp and Ws_ftp on the server, then copies several files there, including Ocxdll.exe.
Gg.bat then uses the Psexec program to execute commands on the remote server.
- Cesed.bat
Cesed.bat modifies the security policy.
- Nt32.ini
- Ocxdll.exe
- Psexec
- Ws_ftp
- Flashfxp
- Gates.txt
Also I can't find the ocxdll.exe or nt32.ini files on my Win2000, so they don't seem to be system files and should be safe to delete (if AVG and HouseCall between them haven't already got rid of them).
The only remaining question is how to tighten up the vulnerability in Win2000. Good Luck.
This one seems to just be starting.....
jen379
09-08-2002, 11:25 AM
OK, well last night I couldn't get to the HouseCall online scan, it kept saying I had either a bad connection or bad traffic, so I downloaded PC-cillin and ran that in just my WINNT folder and found 3 more infected files; they got quarantined. Then later last night I ran AVG on my whole computer again, it found one more and healed it, so I think I'm OK now, and I just ran it again and no viruses were found!!!!!!! So thank you so much for all the help, you guys are wonderful!!!!!!!!!!!!
classicsoftware
09-08-2002, 01:47 PM
Dear Jen:
Please check your registry, this trojan loads at startup.
Please read the following: (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.flood.html)
jen379
09-08-2002, 02:21 PM
Oh no, now I'm confused. I read that page, I see what you mean, though I did a search for the uninstall file and it couldn't find it, so does that mean it's gone? And next, how do I check the registry?
classicsoftware
09-08-2002, 02:31 PM
Read the message carefully: you're looking in the registry for wSys.exe, registered under the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
If you can't find the file on your system and you can't find the key in your registry you should be clean.
Post back with any additional questions.
I know I will ignite a storm of controversy by saying this, but I think Norton is the best AV program out there. They update weekly and if you have a cable modem, it will update itself. It will also check for updates daily and if they, Symantec, find a new threat and post an update, you will be covered for that. I know it's more of a system hog than some others, but I still think they are the best.
Good Luck
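The check classicsoftware describes (look for wSys.exe under the RunServices key, and confirm the files named earlier in the thread are not on disk) can be scripted so it is repeatable. The following is an added example, not code from this thread or from any of the vendors mentioned; it is read-only and only reports what it finds. The indicator file names (nt32.ini, ocxdll.exe, gg.bat, cesed.bat, gates.txt, wSys.exe) are the ones quoted in the posts above; the Run and RunOnce keys are added alongside RunServices as standard autostart locations, and the function names are my own. Anything it flags should go to the anti-virus quarantine or vault, as Paul suggested, rather than be deleted blindly.

```powershell
# Added example (not from the thread): report autostart registry entries and
# the file names mentioned in this thread. Read-only; nothing is deleted.

# Indicator file names quoted in the posts above (constructed list for this check).
$IndicatorFiles = @('nt32.ini', 'ocxdll.exe', 'gg.bat', 'cesed.bat', 'gates.txt', 'wsys.exe')

# RunServices is the key named in the thread; Run/RunOnce are the other usual
# autostart keys (assumption: worth checking at the same time).
$AutostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Test-AutostartEntries {
    param([string[]]$Keys = $AutostartKeys, [string[]]$Names = $IndicatorFiles)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) {
            # Key absent entirely: the "cannot find key" result jen379 got.
            Write-Output "absent  : $key"
            continue
        }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip PowerShell's own PSPath/PSParentPath/PSChildName/PSProvider properties.
            if ($p.Name -like 'PS*') { continue }
            $value = "$($p.Value)"
            $hit = $Names | Where-Object { $value -match [regex]::Escape($_) }
            $flag = if ($hit) { 'SUSPECT' } else { 'ok     ' }
            Write-Output "$flag : $key\$($p.Name) = $value"
        }
    }
}

function Find-IndicatorFiles {
    param([string]$Root = "$env:SystemRoot\system32", [string[]]$Names = $IndicatorFiles)
    foreach ($n in $Names) {
        $path = Join-Path $Root $n
        if (Test-Path $path) {
            $f = Get-Item $path
            # Size and timestamp help match the file against what the scanner reported.
            Write-Output ("FOUND   : {0}  {1} bytes  modified {2}" -f $f.FullName, $f.Length, $f.LastWriteTime)
        }
    }
}

Test-AutostartEntries
Find-IndicatorFiles
```

Run it from an Administrator PowerShell prompt so the HKLM keys and the system32 folder are readable. A line marked SUSPECT or FOUND is a reason to run a full up-to-date scan, not proof of infection on its own; a clean run (every key reported as absent or ok, no files found) matches the state the thread treats as clean.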
jen379
09-08-2002, 04:04 PM
OK, I did a search in the registry and it said it cannot find the key, so I'm good - I hope. If I'm not, is there a way to tell? Will it install a virus every time I start my computer?
classicsoftware
09-08-2002, 06:14 PM
If that key is NOT in the registry then you should be fine.
You need to get a good anti-virus program and update regularly.
Good Luck
Mitch Hatfield
09-08-2002, 06:26 PM
She said she uses AVG and, if so, she can only better her protection with NAV - not free of course, although NAV 2001 can be obtained in the States for, I think, under $10 now!!
As I said in an earlier post, it's quite surprising that AVG didn't pick it up, although it probably came with an Email and that's where AVG is a bit lacking - unless you're running OE that is.
Paul Komski
09-08-2002, 08:24 PM
IMHO both AVG and NAV are very good a/v programs; I use them to complement each other rather than seeing them as direct competitors. Incidentally, after the last AVG update it discovered a Trojan, which the latest NAV update hadn't detected.
As for which is the best eMail protector. That depends on which eMail client you use. Move away from Outlook/OE (or clients that are merely "skins" for them) and your security has probably immediately increased dramatically, regardless of your a/v.
Mitch Hatfield
09-08-2002, 11:05 PM
Hi Paul
On the subject of Email protection, do you know anything about a freebie prog called VCatch Basic at: www.vcatch.com
I'm trying it out at the moment, but unless someone sent you an infected email, or you downloaded an infected file, it's almost impossible to analyse its performance.
All I've seen so far are warnings about specific downloads, all of which have proved to be "false"?
I'd value your views.:) :)
Paul Komski
09-08-2002, 11:54 PM
Mitch. I have not used it and see that it is relatively new on the scene but is quite a popular download. It doesn't (yet anyway) appear on the icsa list (http://www.icsalabs.com/html/communities/antivirus/certification/certprod.shtml) for what that is worth.
I just think it is wise to run at least two antiviruses and more importantly to avoid M$ apps where possible and to have good "habits" with respect to how one's applications are configured and where and how one "travels" in the virtual world and who or what can or does access one's pc. ;)
I have almost totally moved to only "downloading/viewing" Email in plain text, treating attachments as if they have leprosy and have most settings in IE set to disable or prompt but allow "specific trusted" sites much more freedom.
Making regular image files of one's system on removable media is probably one of the best strategies for peace of mind with respect to the day when one eventually gets screwed. :p
Mitch Hatfield
09-10-2002, 08:55 AM
Hi Paul
In response, do you run your two anti-virus progs concurrently, or is one simply a backup to the other?
Which two have you got BTW, AVG and NAV?
Do you think at this late stage, NAV 2001 could be brought up to date, so far as virus definitions are concerned?
Regards:) :)
Budfred
09-10-2002, 11:16 AM
Mitch,
I run NAV 2001 still and update the definitions regularly. They are good for a year from registering the program. I have a copy of 2002 ready to install when 2001 expires.
Budfred
Paul Komski
09-10-2002, 06:10 PM
Yep. NAV2001 and AVG.