  1. #1
    Join Date
    Apr 2004
    Posts
    31

    Red face Unanswered: I got a virus. Can I delete system.exe

    I have discovered a virus (using housecall.trendmicro.com) on my computer. The infected file is C:\Oracle\ora81\sysman\admin\system.exe.

    Now, is that a file that I can delete without harming my Oracle installation? It seems that I cannot get rid of it by cleaning... I have tried other anti-virus programs but none of them even detect the virus in question...

    Any suggestions? Please say that system.exe is not a part of Oracle.

    (I'm using 8i, by the way.)
    Last edited by Zcumbag; 08-22-04 at 16:56.

  2. #2
    Join Date
    Aug 2003
    Location
    Where the Surf Meets the Turf @Del Mar, CA
    Posts
    7,776
    Provided Answers: 1
    >please say that system.exe is not a part of oracle
    OK, system.exe is not part of Oracle. Feel better now?
    You can lead some folks to knowledge, but you can not make them think.
    The average person thinks he's above average!
    For most folks, they don't know, what they don't know.
    Good judgement comes from experience. Experience comes from bad judgement.

  3. #3
    Join Date
    Apr 2004
    Posts
    31
    OK... fantastic news. I discovered four more .exe files in the same folder with suspicious dates attached to them... They also pose as such things as a Microsoft process kill utility?! Weird? It's in an Oracle directory...

    I also found a DLL named ml_hconf.dll, which I googled and found only 5 hits... all saying that it is some sort of trojan-virus helper... this is some stuff...

    Weird files:
    fport.exe
    kill.exe
    sc.exe
    system.exe
    tlist.exe
    and ml_hconf.dll

    so the question is:
    Should I attempt to delete these files? Or maybe just system.exe?
    Last edited by Zcumbag; 08-22-04 at 18:36.

  4. #4
    Join Date
    Apr 2002
    Location
    California, USA
    Posts
    482
    They are not weird at all:

    fport.exe will show the open ports on your Windows. Nice way for a hacker to get in, once he knows which ports to use.

    kill.exe will allow him to kill running processes.

    tlist.exe lets you list all the processes running on your machine and the associated task name and memory usage

    ml_hconf.dll is the config file for Troj/Servu-T - hacked version of a legitimate FTP server application.

    You can safely delete all these files.


    Hope that helps,

    clio_usa - OCP DBA 8/8i/9i

  5. #5
    Join Date
    Apr 2004
    Posts
    31
    OK, thanks a lot! They are now deleted...

    Can anyone point me in the right direction now... I have run quite a few virus scans and Ad-Aware and what have you... the viruses must have gotten in somehow...

    I realize that this probably isn't the forum for virus questions, but I am a bit afraid that it got access to any of my Oracle databases...

  6. #6
    Join Date
    Jun 2004
    Location
    Liverpool, NY USA
    Posts
    2,509
    The most reliable way to stop viruses is to switch to Unix; however, if that is not an option, are you up to date with your virus signatures? What package are you using? How often do you perform the update?
    Bill
    You do not need a parachute to skydive. You only need a parachute to skydive twice.

  7. #7
    Join Date
    Apr 2004
    Posts
    31
    I have scanned with just-updated virus lists with Norton, AVG and housecall.trendmicro.com... nothing...

    In my Task Manager I see two oracle.exe processes hogging a lot of memory... Are they legit Oracle files or just viruses posing as Oracle files?

  8. #8
    Join Date
    Jun 2004
    Location
    Liverpool, NY USA
    Posts
    2,509
    As a general rule, do NOT run multiple automatic virus scanners on the same system. They tend to get in each other's way. And if you are using Norton, you should be using the automatic scanner, not just the on-demand scanner, and you should be checking for and updating the virus signatures from Norton on a daily basis. On a server that I administered, I checked every 5 minutes for updates.
    Bill
    You do not need a parachute to skydive. You only need a parachute to skydive twice.

  9. #9
    Join Date
    Apr 2004
    Posts
    31
    OK... thanks for all your tips. I uninstalled AVG.

    What about the c:\oracle\ora81\bin\oracle.exe file? Is it legit? It is supposed to be an Oracle RDBMS Kernel Executable... whatever that is.

  10. #10
    Join Date
    Jun 2004
    Location
    Liverpool, NY USA
    Posts
    2,509
    It should be OK. That is the name of the Oracle kernel process on Windows.
    Bill
    You do not need a parachute to skydive. You only need a parachute to skydive twice.
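The files listed in posts #3 and #4 and the oracle.exe question in posts #7 to #10 come down to one check: which binaries under the Oracle home are expected, and which were dropped later. Several of the names in post #3 are legitimate administrative utilities (post #4 describes what they do); what is anomalous is finding them under an Oracle home with recent timestamps. The PowerShell below is an added example, not from the thread or from Oracle. It assumes the Oracle home path from post #1 and uses the file names the thread reports as dropped; both are assumptions you should adjust. It lists every .exe and .dll with its timestamps, Authenticode signature status and SHA-256 hash, flags the known names plus anything without a valid signature, and writes the full inventory to a CSV so there is a record before anything is deleted.

```powershell
# Added example (not from the thread or from Oracle). Run in an elevated
# PowerShell on the affected host. $OracleHome is the path from post #1
# (an assumption; change it to match your install).
$OracleHome = 'C:\Oracle\ora81'

# Names the thread reports as dropped next to the Serv-U trojan.
$knownDropped = @('fport.exe', 'kill.exe', 'sc.exe', 'system.exe', 'tlist.exe', 'ml_hconf.dll')

$findings = Get-ChildItem -Path $OracleHome -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name         = $_.Name
            Path         = $_.FullName
            SizeKB       = [math]::Round($_.Length / 1KB, 1)
            Created      = $_.CreationTime
            Modified     = $_.LastWriteTime
            Signature    = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            KnownDropped = $knownDropped -contains $_.Name
        }
    }

# Known drops first, then anything else that does not carry a valid signature,
# newest modification date on top (the "suspicious dates" from post #3).
$findings |
    Where-Object { $_.KnownDropped -or $_.Signature -ne 'Valid' } |
    Sort-Object KnownDropped, Modified -Descending |
    Format-Table Name, Created, Modified, Signature, KnownDropped, SHA256 -AutoSize

# Keep the full inventory: deleting the files destroys the evidence of how
# they got in, and the hashes can be checked against a clean install or a
# multi-engine scanner before anything is removed.
$findings | Export-Csv -Path "$env:TEMP\oracle_home_triage.csv" -NoTypeInformation
```

Caveat: binaries from the Oracle 8i era are commonly unsigned, so "NotSigned" on its own is not proof of tampering, and a legitimately named file such as oracle.exe can still be a replaced binary; the hash compared against the same file from a known-clean install of the same release is the check that actually answers the question in post #9.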

  11. #11
    Join Date
    Oct 2003
    Posts
    706
    Quote Originally Posted by beilstwh
    The most reliable way to stop viruses is to switch to unix, however if that is not an option...
    Actually, you can do a lot of the same thing in Windows if you go to the trouble of setting up a separate user ID which "owns" the Oracle files, and grant only read/execute access to those materials to "other" users. Then make sure that no one routinely logs on to the system as an Administrator, or has equivalent access to the system.

    Many sysops are lazy: they make it easy on themselves. So, when a virus tries to do nasty things to the system ... which it necessarily does only "on behalf of the user who happens to be executing the virus code" ... amazingly, it finds all of the doors unlocked! Every nefarious request it makes... is granted! No wonder viruses are able to do so much harm.

    Even in Windows, it doesn't have to be so. No one should be able to programmatically "modify system.exe" or whatever. Ample facilities exist in Windows to prevent it, but they're almost never used. If you really need to be able to update these files, simply log on as the Windows user which is authorized to do such things. Otherwise disable the account.
    ChimneySweep(R): fast, automatic
    table repair at a click of the
    mouse! http://www.sundialservices.com
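The arrangement the post above describes, as an added PowerShell example that is not from the thread: one service account owns the Oracle home, Administrators and SYSTEM keep full control, and everyone else gets read and execute only. It assumes a local account named oracle already exists and uses the path from post #1; both are assumptions. The ACL only helps if the Oracle services are also switched to log on as that account instead of LocalSystem (Services console, Log On tab; the account needs the "Log on as a service" right), so that a virus run by an ordinary user, or by the database itself, has no write access to the tree.

```powershell
# Added example (not from the thread). Run elevated; try it on a copy of the
# tree first. The account name and path are assumptions.
$OracleHome     = 'C:\Oracle\ora81'
$ServiceAccount = "$env:COMPUTERNAME\oracle"

$acl = Get-Acl -Path $OracleHome

# Stop inheriting the permissive defaults from C:\ and drop the explicit
# entries already on the folder, so the result is exactly the four below.
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    # The service account owns and fully controls the tree.
    New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount,          'FullControl',    $inherit, $propagate, $allow)
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl',    $inherit, $propagate, $allow)
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl',    $inherit, $propagate, $allow)
    # Everyone else can run the client tools but cannot drop or modify files.
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users',          'ReadAndExecute', $inherit, $propagate, $allow)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

$acl.SetOwner([System.Security.Principal.NTAccount]$ServiceAccount)
Set-Acl -Path $OracleHome -AclObject $acl

# Verify: any entry for Users beyond ReadAndExecute, or any unexpected
# identity with write access, is a finding.
(Get-Acl -Path $OracleHome).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Subdirectories that must stay writable by the service at run time (data files, logs, the alert and trace directories) are covered because the oracle account has full control; the point is that no interactive user, and nothing a user runs, can write there. This does not undo the drop that already happened (post #3's files were written while the doors were open, as the post above puts it), but it closes the path for the next one.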

  12. #12
    Join Date
    Jun 2004
    Location
    Liverpool, NY USA
    Posts
    2,509
    I don't want to start a flame war on Unix vs Windows. I built a Windows machine at home and I use Unix and Windows machines at work. What I was referring to was that the kernel of Unix was designed with security in place and it is difficult to write a virus that will be able to affect anything beyond the immediate user. The Windows kernel was written to support interaction between the various modules and ease of use. Any security was written using applications and is not an integral part of the kernel. Because of this, it is fairly easy to write a virus that will trash a Windows system. Windows is getting better, but every patch they write to lock something down breaks something else.
    Bill
    You do not need a parachute to skydive. You only need a parachute to skydive twice.
