
I have a virus????????? Ooohhhhh No I don't................

hektorshouse
Grafter
Posts: 59
Registered: 10-08-2007

I have a virus????????? Ooohhhhh No I don't................

I was surfing last night and I was suddenly redirected to the PLUSNet Virus warning page informing me I have a virus and I should check my system. I checked my system and there is no virus on the system.

I am hot on the subject of the virus, trojan and worm. I keep an up-to-date virus checker (AVG), never read unexpected emails, never open attachments (even from people I know) until I receive confirmation they were sent purposely (If I don't know who it's from - it's binned). I haven't had a virus in a good three years (Only ever had the one virus).

My system security is tight - very tight - although there always lies a hacking possibility in any system - I run two routers, a good firewall etc.

I state all this because I was surprised that I got the message. Anyone know why a virus should be detected by PlusNet when it was never there?
4 REPLIES
csogilvie
Grafter
Posts: 5,852
Registered: 04-04-2007

I have a virus????????? Ooohhhhh No I don't................

From memory, that page appears if your connection has made an outbound connection on Port 135, which was the port used by MS Blaster.
N/A

I have a virus????????? Ooohhhhh No I don't................

Colin is right. When an outbound connection is seen destined for port 135, temporary changes are made to your connection parameters at PlusNet.

All outbound traffic (a small issue) is stopped until you attempt to browse a website. At this time, it is redirected to the virus page.

Once the page has been shown to you, the blocks are released from your connection, and you can use it freely again. With the exception that outbound ICMP is blocked (you can't ping people and they can't ping you).

Resetting your internet connection (lose sync, force your modem to logout, or anything else that causes the link loss with PlusNet) will reset this, and you can continue with unblocked operation.

I suggest blocking all outbound port 135 connections at your own network boundary to stop this.
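
An added example, not part of the original post: one way to find which machine on a LAN made the outbound port 135 connection described above, by scanning the gateway's firewall log. It assumes a Linux gateway that logs forwarded packets with the netfilter LOG target and a WAN interface named `ppp0`; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the kernel-log format written by the netfilter LOG target.
SAMPLE_LOG = """\
Oct 12 21:14:03 gw kernel: FWD IN=eth1 OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.77 LEN=48 TTL=127 PROTO=TCP SPT=1041 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 12 21:14:04 gw kernel: FWD IN=eth1 OUT=ppp0 SRC=192.168.1.23 DST=198.51.100.9 LEN=48 TTL=127 PROTO=TCP SPT=1042 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 12 21:14:09 gw kernel: FWD IN=eth1 OUT=ppp0 SRC=192.168.1.40 DST=203.0.113.5 LEN=60 TTL=63 PROTO=TCP SPT=51544 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 12 21:15:30 gw kernel: FWD IN=eth1 OUT=eth1 SRC=192.168.1.40 DST=192.168.1.10 LEN=48 TTL=127 PROTO=TCP SPT=1100 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 12 21:16:02 gw kernel: FWD IN=eth1 OUT=ppp0 SRC=192.168.1.50 DST=203.0.113.77 LEN=78 TTL=127 PROTO=UDP SPT=137 DPT=135 LEN=58
"""

FIELD = re.compile(r"(\w+)=(\S+)")  # KEY=value pairs; an empty value such as "IN=" is skipped


def outbound_135(log_text, wan_if="ppp0", port=135):
    """Map each LAN source address to the internet destinations it tried
    to open a TCP connection to on `port` through `wan_if`."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        flags = set(line.split())
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue
        if fields.get("OUT") != wan_if:
            continue  # LAN-to-LAN traffic never reaches the ISP
        if "SYN" not in flags or "ACK" in flags:
            continue  # count connection attempts only, not replies
        if "SRC" in fields and "DST" in fields:
            hits[fields["SRC"]].add(fields["DST"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in outbound_135(SAMPLE_LOG).items():
        print(f"{src} attempted TCP/135 to: {', '.join(dsts)}")
```
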
Community Veteran
Posts: 14,469
Registered: 30-07-2007

I have a virus????????? Ooohhhhh No I don't................

Try scanning your system with alternative anti-virus software - there are a few online ones you can try. No anti-virus scanner is 100% in detecting viruses so an alternate one may spot something AVG missed. See General: Essential Security software.
N/A

This is not acceptable

Quote
Colin is right. When an outbound connection is seen destined for port 135, temporary changes are made to your connection parameters at PlusNet.

All outbound traffic (a small issue) is stopped until you attempt to browse a website. At this time, it is redirected to the virus page.

Once the page has been shown to you, the blocks are released from your connection, and you can use it freely again. With the exception that outbound ICMP is blocked (you can't ping people and they can't ping you).

Resetting your internet connection (lose sync, force your modem to logout, or anything else that causes the link loss with PlusNet) will reset this, and you can continue with unblocked operation.

I suggest blocking all outbound port 135 connections at your own network boundary to stop this.


This may be acceptable to the average Windows user but, as a non-Windows user who runs servers and is involved in network testing and other similar activities, I think there is a serious problem here.

Firstly, checking outgoing traffic on port 135 is NOT a sensible way to detect a virus. Ok, so there may be no need for traffic on port 135 but you could just block it - there is no need to do what happens next...

Second, there are two assumptions in this system (apart from the one on viruses above):
1) The user is actually sitting at their machine
2) They will access a web page at some point

These are just so so wrong and limiting. Let me give an example.

I am in Manchester, my computer is in Birmingham (on the ADSL line). I am ssh'd into my machine and running security checks on a new network configuration (this has happened btw) and bang, my ssh connection as well as access to my mail server, webdav and all the other servers running on my machine suddenly stops. What am I to do? I could ring up a friend but they don't have a key to my house so I have to travel all the way back from Manchester or live without my services until I do.

Am I the only one who considers this unacceptable?

Silly me, I thought the reason I paid plus.net was to try and keep me connected to the internet as much as possible, not for them to deliberately disconnect me (I could use Openworld and run Windows if I was after regular disconnection and disruption to my work...)!!!

My suggestion to the support people (who, by the way, ignored everything I said, told me that disconnecting my 24/7 adsl line from the internet would unblock my connection and then pointed me here...) was to have an advanced button somewhere to disable this and any future 'helpful' initiatives from the guys working on plus.net security. Normal users would leave the service on - they have no reason not to - but those of us who really really don't want our connection to be randomly blocked while we are not actually sitting at them could choose to opt out and accept the responsibility of checking for viruses ourselves.

So far, I have not even had an adequate response to my request for a complete and accurate list of all the actions that can trigger the block and all the actions needed to release it again.

I am not happy.