Old PCs: The Gift That Keeps on Giving

A friend gave me an old Aptiva, upon which I was going to install Puppy Linux.

But, first I let it start up Win ME just for old time’s sake. What the heck, it’s a classic.

The first thing up is a prompt asking permission to install Compuserve, which I really don’t need. As is usually the case with shovelware, that program doesn’t show up in the Start Menu, so I did some rummaging around.

Firing up msconfig and looking at the auto-started stuff revealed, among the usual stuff, this interesting file:

c:\windows\nav.exe                   .vbs

That pretty much pushes the Compuserve popup to the back of the queue.

Note the long string of blanks in the middle. That, in combination with Windows Explorer’s default “Hide known file extensions” setting, is an old trick, but, then, this is an old box.

Sooo, at one time there was a virus on that box masquerading as good ol’ Norton AntiVirus. The offending file seems to be missing now, so something killed it without removing its auto-start setting.

Either my friend removed NAV, too, or the virus shot it in the head. There’s all manner of NAV config files and clutter lying around, but no executables.

In goes the Puppy CD, reboot, and I install its slightly backlevel ClamAV package. No problem with that; it’ll use the most recent virus signatures and, heck, any problems on this box are half a decade old.

After mulling over the Windows ME partition for a while, ClamAV reported:

/mnt/sda1/Program Files/Netscape/Users/Default/Mail/Trash: W95.Matrix.SCR FOUND
/mnt/sda1/Program Files/Netscape/Users/Default/Mail/Inbox: W32.Magistr.B FOUND
/mnt/sda1/_RESTORE/ARCHIVE/FS346.CAB: Worm.Kido-18 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 513471
Engine version: 0.91.2
Scanned directories: 1821
Scanned files: 44557
Infected files: 3
Data scanned: 10721.32 MB
Time: 73200.595 sec (1220 m 0 s)

Feeding the obvious keywords into Google produces the comforting result that these are all old news:

However, Kido is a Conficker / Downadup variant, which is disturbing. The hit is almost certainly a false positive, as it’s in a CAB file, we don’t run any Windows machines, and they’re behind a hardware firewall that’s in full effect.

Handing the offending file to VirusTotal shows that ClamAV is the outlier and all the others are perfectly happy: Current status: finished Result: 1/39 (2.57%)

To quote Ripley: “I say we take off and nuke the entire site from orbit. It’s the only way to be sure.

Memo to Self:

  • Run ClamAV (not ClamWin) before booting Windows
  • Do not plug in the network cable until the box is known-clean
  • It’s time for a reverse wireless firewall when our young lady invites friends over

Windows: http://www.clamwin.com/

Linux: http://www.clamav.net/