Page 1 of 2
Results 1 to 20 of 25

Thread: AOMD USERS (especially 3.0) BEWARE (important read)

  1. #1

    AOMD USERS (especially 3.0) BEWARE (important read)

    I believe it is a very strong possibility that some versions of AOMD are transmitting network packets out to an unknown destination. At the very least, it is CERTAIN that I have one on my system, and AOMD 3.0 is by far the most likely source.

    System Background: Very new PC, less than 3 weeks old running a legitimate purchased copy of Windows XP Home Edition. Absolutely nothing transferred from my old system. Never put a floppy or a burned CD in it. Connected to the internet through a 3M cable modem. No anti-virus software installed on this PC at any time. Very very little installed or downloaded on this PC at all in fact. Details to come later in this post.

    Events leading me to the conclusion I stated above:

    I was playing AO. My girlfriend called, and asked me to log onto AOL and check my email. I minimized AO, logged onto AOL, did some email things, and logged back off within 10 minutes.

    Less than an hour later, my girlfriend calls back, very upset. She says she had -just- sent me an IM on AOL saying "Hi". Supposedly, I responded "Busy. Later.". She asks "Are you okay?" Whoever is logged in as me responds "I'm never okay." and logs off.

    I spend some time assuring her I had been playing the game and was not logged into AOL at that time, nor did I have any such conversation with her at -any- time. Obviously, someone has my AOL password (it was a rare last name in a different language followed by a random number, not "God" or "Sex" or something equally stupid). I minimize AO again, log on and change it to something completely different, then log off (on the phone with her, so she knows I logged off). I resume playing the game, disturbed, but not sure what I can do about it at this point without more facts.

    Not 20 minutes later, she calls me and says "Your screenname was just on -again-. This time there was no response to my IM. Then your screenname logged off."

    Now I am -VERY- disturbed. I had -just- changed my password to something completely different and whoever just logged in as me got a hold of it -immediately-. The password I changed it to was not one I had used anywhere else.

    It is obvious that something is transmitting my keystrokes out over the internet. So I took stock of everything I have installed on this PC since I installed Windows XP and related drivers.

    1) Anarchy Online 7-day trial version, downloaded from official AO site. Not a likely source for an aggressive packet transmitter to some antisocial punk who is "never okay".
    2) AOL 7.0, from official AOL site. Ditto.
    3) Nano Nanny. Possible, but not nearly as likely as option #4.
    4) AOMD 3.0. A program DESIGNED and MEANT to sniff packets.

    Hopefully, most will agree that I am not simply jumping to rash conclusions when I evaluate #4 as the most likely source of my problem.


    The following are web site addresses as taken from my Internet Explorer History, under "3 Weeks Ago". (I am not transforming these addresses into links because I don't want someone randomly clicking them and downloading).

    I followed this link from these boards to find AOMD:

    http: //kuren.org/ao/aomd

    That link now looks different. At the time, 3 weeks ago, the AOMD 3.0 version was the primary link from this page. You will note that as of my posting there is a small link called "Where is version 3.0?". In it, he identifies why it has been removed (I hoped it was because the virus had been detected, sadly, no) and also says "Use at your own risk, run virus checkers and stuff". I did not, because it is very very rare that I download executables from the internet (I think NN and AOMD are the only two executables from an unofficial source I have downloaded in, oh, 4 years or so). I in NO WAY SHAPE OR FORM am saying that whoever sponsors the website is aware that version of the program has a virus. I have no idea who did this. But that someone did, and that there's a packet transmitter associated with something related to AO, seems pretty certain.

    IMPORTANT NOTE: Sadly, I cannot be absolutely certain whether or not I actually had AOMD up and running when I minimized AO to log into AOL. It is indeed VERY possible that I did, I do know I was mission shopping very close to both times I logged into AOL. Hopefully, it is only transmitting packets when I actually have AOMD up and running. That is a slim hope though, as there is nothing that would have prevented whoever wrote this program to have the packet transmitter set itself up to start on bootup.


    These are the -actual- links, according to my IE history, that I downloaded my version of AOMD from:

    Executable:

    http: //kuren.org/ao/aomd/AOMD3.0beta.zip

    The supposed source code link posted just under that link was:

    http: //kuren.org/ao/aomd/AOMD3.0betasrc.zip



    I would send an email to whoever is running the kuren.org site, but I don't see an email link on his page. If I missed it, please let me know.

    I will be doing a full format of my hard drive soon. I am very worried about downloading -any- versions of AOMD now, and the thought of mission shopping without any version of it makes me rather ill (the AO interface is horrid, or I wouldn't have used AOMD to begin with).

    Anyways, I invite any and all responses. Maybe someone can read the above and come up with a more likely source for how someone got my password given the facts I've presented. I do believe my analysis and conclusions are pretty logical though.

    If someone cares to investigate, and needs more information (such as my Ctrl-Alt-Delete process list, registry entries, etc.), I will be happy to oblige. I won't reformat my hard drive just yet in order to leave such investigation open to possibility. I just won't enter any personal information that I haven't already entered since I became aware of the packet transmitter.

    Crychton
    67 Engineer, Rubika2

    Qwinn Bladesmith
    40 Paladin, Master Weaponcrafter
    DAOC, Percival Server

    P.S. By the way... assuming for a moment that packets are only being transmitted when I have AOMD up and running, would an antivirus program even find a problem? If it tried to set itself up as bootable, maybe, but if it's only working when I run AOMD I wouldn't think any virus software would catch it.
    Last edited by Quinn; May 3rd, 2002 at 01:21:47.

  2. #2

    Additional Thought

    The more I think about it, the more possible it is that I did have AOMD up and running when I typed in my passwords. And as I stated in my P.S. of my first post, maybe it only does it when I purposefully start AOMD because any other time would be caught by anti-virus software?

    I am quite computer literate, but my focus has always been more Unix than Windows based, so I'm sure there are many others out there who would be far more familiar with what a Windows anti-virus program can and can't catch.

    Again, I invite all responses, and will provide any requested info I can to determine what exactly is going on. If someone has a link to an anti-virus program that could potentially find it, I'll be happy to download it - unfortunately, I'm financially strapped right now and can't afford to blow $100 on antivirus software, or I'd have done that already.

  3. #3
    Okay, thanks for the warning. I use Clicksaver; MORB has made a nice program, and he is very open about it. Use that one instead.
    NT phone HOME!!

  4. #4
    This is always the risk with running programs.

    There have been a lot of viruses going around the internet in the last 2 weeks; it's also very likely it's one of those.

    There are several email addresses listed on kuren.org's site like helpbot_at_kuren.org but don't email him unless you confirm it's AOMD that is causing the problem.

    Try running the latest virus checker on your system. Get an updated anti-virus DAT file.

    Try running ZoneAlarm. I think it can detect which programs are sending out packets.

    Let us know how your research goes.

    there are some suggestions at
    http://vnboards.ign.com/message.asp?...start=28921061

  5. #5

    Thanks for replies

    Reetjoo:

    "There have been a lot of virus's going around the internet in the last 2 weeks, it's also very likely it's one of those."

    I would agree, if it were not for the fact that I -really did- list everything that is installed on this PC. I haven't even been surfing, I've just been playing AO. If this was a long time established PC I wouldn't assume anything, but given the 4 things I downloaded, I can't figure out where else I could have contracted a virus from.

    I'm very addicted to AO, I really haven't done anything with my PC since I got it except play AO and log on for email on AOL

    Anyways, thanks for the references to ZoneAlarm and such, I will try to find them and see what I can come up with.

    Crychton

  6. #6

    MORE INFO!

    Okay! Tell me what you make of this.

    I downloaded the free version of ZoneAlarm. And I love it. Thanks guys. Blocked an unknown access already.

    Anyways, yeah, I think I got something.

    I figure, if someone got my password within 10 minutes of me having changed it, it must have sent something almost instantly after my logging in.

    And when I log into AOL, I get this:

    Do you want to allow to act as a server?

    Filename:
    Version:

    Something with no name wants to be a server on my machine? RIGHT after I logged in? Bah! Of course I say no, and AOL works just fine anyways. Can someone confirm this is -not- typical when starting AOL?


    ACK!

    Just tried booting again (I wanted to confirm the exact text of the message) and this time I got this just by starting up Internet Explorer. No entry into AOL. I didn't get the message when the first thing I did was go to AO though.

    So, can anyone tell me if this is normal?

    I would think -not-.
    Last edited by Quinn; May 3rd, 2002 at 03:37:55.

  7. #7

    Not AOMD

    Your problem isn't related to AOMD. The distribution on kuren.org is clean. It's more likely that some script-kiddie (very n00b hacker) has installed a "zombie" on your computer. This was done when you ran a program that contained the zombie program. Maybe an attachment from an email or something? These types of programs activate themselves when you are connected to the internet and send information to the "hacker" that infected you, saying "Here I am, online and ready to go". At which point the "hacker" can access your computer using various commands. Often a keylogger is installed with it, so he can see whatever you typed. Some zombie programs can even display your screen to the "hacker" so he can see what's happening on your screen.

    I was going to include some links to such programs, but I rather not, since that would only distribute it more.

    As the others pointed out, ZoneAlarm from Zone Labs works as an application and network firewall, automatically detecting programs that try to connect to the internet. Set the security levels to at least medium, and you should be fine.

    Also I recommend that you download and install an antivirus program. There are several on the market and mostly all of them will detect these types of "zombies" and remove them. If you have a program installed already, make sure you download the latest signatures. I don't know your level of personal real-life computer literacy, but I would have a look in ZoneAlarm and try to see where the <blank>-program tries to connect, and then send an email to the ISP of the network the IP address relates to, telling them that one of their users has infected your computer. Make sure to see what the IP address resolves to. It might be an IRC server, at which point it would be very difficult to trace it back to the "hacker".


    For an in-depth study on zombie programs that run Denial-of-Service attacks you can read the very informative article on Gibson Research Corp. This article will make you understand how some "zombies" work.
    Octo - eqp

    Atlanteans Legendary Teddybear wielding engineer and author of Click

    Get the all new SK/XP Calculator and find out when you will DING!

  8. #8
    I also use Zone Alarm Pro and had a version of AOMD attempt to phone home once. Don't recall the version or where I got it from, there are so many versions floating around. I was disturbed, but it was such a nice program that I kept using it and made certain that ZA wouldn't allow it access to the internet. Though even that may not be foolproof.

    Good advice from Octo. If you are not making an effort to protect yourself with firewall and anti-virus software, bad stuff can happen when installing software. Even with protection, installing "free" software is risky.

    BTW, Quinn, nothing is normal with AOL. The ZA activity may be AOL at work.
    Txxx
    Clan Fixer
    Rubi-Ka 2

  9. #9

    Get a virus checker, definitely

    Definitely get yourself a virus checker.

    Windows has more security holes than Swiss cheese, especially if you haven't applied any of the security fixes available.

    There are viruses out there where all you need to do is go to an infected web site, and you've got it. A lot of these are the type that will pass along a password.

    Patch your system, get a virus checker. Just good common sense these days.
    Deagnor 204 Solitus Fixer (Omni) Director of R.U.R.
    ---*** Other RuRians ***---
    83 Opti Pistol Advent Motafrancis | Ovnor 161 Solitus Engineer
    117 Nanomage NT Knightweaver | DiceSlice 83 Opti 1HE Advent
    145 NanoMage MP Miner49 | Mohelunz 69 Solitus Doc
    141 Atrox Enf Cluedozer | Icewrench 63 Opti Fixer
    Icelo 57 Opti Keeper
    Sig updated Sept 2, 2008

  10. #10
    It is so important to assign a password in XP; if not, I've been able to tunnel into others' computers just by using the admin login with no password. From there I can turn on remote access and rearrange your files. In 1 day, I managed to get into 7 computers, each I left a message saying that it was too easy to break into your machine and a step by step instruction list on how to password protect their machines, along with my e-mail address if they had questions. XP is FULL of security holes.
    orderangel lvl 154 MP
    nakajima lvl 112 NT
    chaosangel lvl 123 MA
    kazaraki lvl 81 Crat
    chiika lvl 83 DOC
    Ilitefires lvl 16 Engy
    Ayumisan lvl 16 Trader
    MysticRogue lvl 16 Agent

    Searching the world of those who shed light on this awful planet.

  11. #11
    Wow, so I'm not alone...

    After downloading AOMD 3.0 Beta, I had some odd things happen on my system. Every time I run AO, I get a pop up window that says "Out of memory! Cannot start program ******.exe". The "******" that it lists is usually a random assortment of letters.

    After the first time it happened, it happens on Windows start up. So of course I go into msconfig.exe and find the file name that is trying to run this when I start up. After finding the file name, which is always a hidden/shared/read only "wm****.exe" file, located in my Windows system directory, I took measures against it. I booted up again, this time to a DOS prompt (I'm using 98 SE by the way), since I can't delete it while in Windows (says it's currently in use). I go to the windows/system directory, and deltree w****.exe. After deleting it and rebooting, I have no problems.

    Until I start AO again. At which point, evidently a new file is randomly generated, and does the same exact thing as before. It's only tied into AO, no other programs. At first I thought that maybe this was because of AO's client nature, but I have tested it with a version of AOL I installed as well, and no problems. I have no idea where the underlying virus is, and can't seem to sniff it out with Norton 2k2.

    I should also note that when I actually leave this random file on my system, I go through horrible memory lag. Occasionally the mouse cursor, or whatever is going on on my screen, will lag for a moment, no longer than a half a second or so. When the program is removed....no problems.

    Any suggestions? I really don't feel like formatting again, I just formatted about three weeks ago. 180 gigs is a pain to do, ends up taking all Saturday or so!

    Catch ya planetside.
    Nakomis
    101 Opi MA RK1
    In Search of a Friendly Helpful Guild

    Wistler
    53 Sol Engie RK1
    President of NFC

    Catch ya planetside...

  12. #12
    Originally posted by Nakomis
    Wow, so I'm not alone...

    After downloading AOMD 3.0 Beta, I had some odd things happen on my system. Every time I run AO, I get a pop up window that says "Out of memory! Cannot start program ******.exe". The "******" that it lists is usually a random assortment of letters.
    I do tech support for Windows and also did support for Compaq as well. This is one of the instances of a Virus, and may or may not have attached itself to EXE files. Check for this:

    HKEY_CLASSES_ROOT\exefile\shell\open\command

    The entry in there should be:

    "%1" %*

    If it is anything else, you will most definitely have a very very nasty virus.

    Change it to that entry and also go through MSCONFIG and uncheck EVERYTHING. If you want to do it yourself, go to the registry and remark out the exe's in there.

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

    also
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

    • Run
    • RunOnce
    • RunOnceEx
    • RunServices
    • RunServicesOnce
    • RunServicesOnceEx


    (Oh yah, DISCLAIMER: BACKUP YOUR REGISTRY FIRST. If you dink around in your registry, something might fork up. Don't say I didn't warn ya. )

    In addendum, trojans (especially Back Orifice) will append a piece of code to the end of DLL and EXE files. These are (from what I remember) called Stealth or Ninja attachments. The CRC checker should detect these attachments for AO, but there might be something that attached to either AOL or other random executables.

    The big warning sign should be the OUT OF MEMORY error. For more information, I usually use the Symantec Anti-virus Research Center to find out about error messages. Sounds most definitely like a password stealer.
    "Rubi-Ka is my home, my life, and my office... who let these people in?" - Madaline "Deaddreamer" Fontanaro
    "If you cancel your account, can I have your stuff?"
    Date of registration 2001-06-29 00:11:50 UTC
    Account status Open
    Next billing 2002-08-04

    Now, who's the newbie here?

    For the MMORPG Elitists:
    • Explorer:80%
    • Socializer:66%
    • Achiever:33%
    • Killer:20%
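
    The checks Deaddreamer describes above (the exefile open command and the Run/RunOnce/RunServices keys), as an added Python example that is not part of the original thread or of any tool named in it. It assumes the keys have been exported to a text file with XP's `reg export` (or regedit's /e switch on 98) and parses that file offline, so nothing is changed on the box; the SAMPLE_REG text, the wmxxxx.exe name and the allow-list of known-good programs are constructed for the illustration.

```python
import ntpath
import re

# Constructed sample of what `reg export` produces for the keys named in the
# post. XP's reg.exe writes this file as UTF-16LE, so read a real one with
# open(path, encoding="utf-16"). The wmxxxx.exe hijack is invented to
# exercise the checks; it is not taken from a real infection.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\wmxxxx.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"wmxxxx"="C:\\WINDOWS\\SYSTEM\\wmxxxx.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
'''

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXPECTED_EXEFILE = '"%1" %*'   # stock value: run the .exe itself, pass its arguments through
AUTOSTART_SUFFIXES = ("\\run", "\\runonce", "\\runonceex",
                      "\\runservices", "\\runservicesonce", "\\runservicesonceex")

# "Name"="data" or @="data" (default value); .reg escapes \ and " with a backslash
_VALUE_LINE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for the REG_SZ values in a
    .reg export. The default value is stored under the name '@'. Binary and
    dword values are skipped: the checks below only need strings."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group("name") is None else _unescape(m.group("name"))
            keys[current][name] = _unescape(m.group("data"))
    return keys


def check_exefile_command(keys):
    """(ok, actual). ok only if starting any .exe runs that .exe directly; anything
    wrapped around "%1" means every program launch goes through another binary
    first, which is why the file in the post keeps coming back."""
    actual = keys.get(EXEFILE_KEY, {}).get("@")
    return actual == EXPECTED_EXEFILE, actual


def list_autostart(keys):
    """Every value under the Run/RunOnce/RunServices* keys as (key, name, command)."""
    return [(key, name, cmd)
            for key, values in keys.items() if key.lower().endswith(AUTOSTART_SUFFIXES)
            for name, cmd in values.items()]


def _exe_basename(command):
    # first token of the command: a quoted path, or everything up to the first space
    path = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return ntpath.basename(path).lower()


def flag_unexpected(entries, known_good):
    """Autostart entries whose executable is not on the caller's allow-list of
    file names; a three-week-old install should have a very short list."""
    allowed = {k.lower() for k in known_good}
    return [e for e in entries if _exe_basename(e[2]) not in allowed]


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    ok, actual = check_exefile_command(reg)
    print("exefile command OK" if ok else "exefile command HIJACKED: %s" % actual)
    for key, name, cmd in flag_unexpected(list_autostart(reg), known_good={"zlclient.exe"}):
        print("unexpected autostart: %s\\%s = %s" % (key, name, cmd))
```

    On a real machine, export the keys first (reg export HKCR\exefile\shell\open\command exefile.reg, and likewise the Run keys under HKLM and HKCU), then run the parser over the files. The allow-list is the weak point of the heuristic: it only tells you what you did not expect, so read every flagged entry rather than treating an empty result as clean.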

  13. #13
    Thanks bunches and bunches! I just edited my registry, and am gonna reboot in a few minutes. I forgot to mention that every time I start AO after deleting the file, that it tells me one of the files is corrupted, and has to go d/l a new one. Thoughts?

  14. #14
    Originally posted by Nakomis
    Thanks bunches and bunches! I just edited my registry, and am gonna reboot in a few minutes. I forgot to mention that every time I start AO after deleting the file, that it tells me one of the files is corrupted, and has to go d/l a new one. Thoughts?
    Yah, I had that exact same problem when I was installing the beta (waaaay back when) on another computer that was infected. It was the Hybris virus and it was a big pain in the butt. Make sure to also check your system.ini, win.ini, autoexec.bat, config.sys and look for any load= or run= entries. Also, there was a utility you can get from SARC to clean it out, once you have defined the virus.

  15. #15
    Software firewalls like ZoneAlarm = snake oil.
    Get yourself a hardware firewall/router.

    Netstat -a works wonders as well.
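
    Syzygium's netstat suggestion carried one step further, as an added Python example that is not from the original thread or from any tool named in it. It parses the output of XP's `netstat -ano` (the -o switch adds the owning PID, which plain `netstat -a` lacks) and pulls out the two traces Octo described a zombie leaving behind: a listener on a port you did not expect, and an outbound session to an IRC port. The sample output, addresses, ports and PIDs are constructed for the illustration, and the set of expected ports is an assumption the caller supplies.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of XP's `netstat -ano`. Addresses use the
# 192.0.2.0/24 documentation range; the PIDs, the 31337 listener and the
# 6667 session are chosen to exercise the checks, not captured from a host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       848
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1672
  TCP    192.168.1.10:1043      192.0.2.55:6667        ESTABLISHED     1672
  TCP    192.168.1.10:1055      192.0.2.9:80           ESTABLISHED     1200
  UDP    0.0.0.0:445            *:*                                    4
"""

Conn = namedtuple("Conn", "proto local_host local_port remote_host remote_port state pid")

# UDP rows carry no State column, hence the optional group before the PID
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def _split(addr):
    host, port = addr.rsplit(":", 1)
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """One Conn per socket row; banner and column-header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        lh, lp = _split(local)
        rh, rp = _split(remote)
        conns.append(Conn(proto, lh, lp, rh, rp, state or "", int(pid)))
    return conns


def unexpected_listeners(conns, expected_ports):
    """Sockets reachable from the network (TCP LISTENING, or any UDP socket) on
    ports outside the caller's expected set. Loopback-only binds are skipped
    because nothing outside the machine can reach them."""
    return [c for c in conns
            if (c.proto == "UDP" or c.state == "LISTENING")
            and not c.local_host.startswith("127.")
            and c.local_port not in expected_ports]


def connections_to_ports(conns, ports):
    """Established sessions to remote ports of interest, e.g. 6667 for IRC,
    the channel a zombie typically uses to check in with its controller."""
    return [c for c in conns if c.state == "ESTABLISHED" and c.remote_port in ports]


def suspect_pids(conns, expected_ports, remote_ports=frozenset({6667})):
    """PIDs worth looking up in Task Manager (View > Select Columns > PID):
    owners of unexpected listeners or of sessions to the watched remote ports."""
    hits = unexpected_listeners(conns, expected_ports) + connections_to_ports(conns, remote_ports)
    return {c.pid for c in hits}


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    expected = {135, 139, 445}   # assumption: the ports a bare XP Home box exposes
    for c in unexpected_listeners(conns, expected):
        print("unexpected listener %s %s:%s pid %d" % (c.proto, c.local_host, c.local_port, c.pid))
    for c in connections_to_ports(conns, {6667}):
        print("IRC session to %s:%s pid %d" % (c.remote_host, c.remote_port, c.pid))
    print("check these PIDs:", sorted(suspect_pids(conns, expected)))
```

    Save a snapshot with netstat -ano > net.txt and feed the file to parse_netstat; take the snapshot while the suspect program is running, since a payload that only lives as long as its host process will not show up otherwise. A PID that owns both the odd listener and the outbound session, as 1672 does in the sample, is the one to find in Task Manager and match to a file on disk.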

  16. #16
    Originally posted by Syzygium
    Software firewalls like ZoneAlarm = snake oil.
    Get yourself a hardware firewall/router.

    Netstat -a works wonders as well.
    Nah, get a Linux box and use that as a router. It's cheaper and has more functions.

  17. #17

    Mindless and cheap...

    Configuring a Linux firewall/router is too hard for your average user... Buy a Gigafast EE400-RP. You can find deals on them that put the net cost at $25. That's cheaper than any of my Linux boxes, including the P90 file server!

  18. #18

    Oh!

    Well, I was talking about getting the best for firewalls... I didn't say it would be easy to do.
    Last edited by Deaddreamer; May 9th, 2002 at 02:55:07.

  19. #19
    okay then, get the best of both worlds,

    Linux firewall on a dedicated box, easy to configure and run = Smoothwall

    There is even a free version. I've been using it at home for months now and I've never even had to log into it... it just runs and protects.

    check out http://www.smoothwall.org

    (of course you have to have a spare pc lying around but it runs on a real old one and you don't need a monitor for it (apart from install))

    $25 routers don't exist in the UK

  20. #20
    Oh well bang went my afternoon, very interesting read.

    Smoothwall looks good. Any suggestions on what flavour of Linux to use? The only ones I know of are Red Hat or Mandrake and I thought those were the ones you have to buy.

    Might be time to upgrade to Norton Internet Security 2002, I think.
    Active Characters consist of.

    Wingto proud to be a member of The Dojo
    Doktaw stunned to be a member of Friends of The Dojo

    Inactive Chars consist of

    Severena happy to be a member of Friends of The Dojo
    Shackira a proud member of The Sentinals =TDF=
    All on Rimor
