Re: Viruses



That's funny, I found the fix to BadTrans at the McAfee website, I think.  Just
found it too.  I think you have to run msconfig before you can delete it
too...   If anyone has questions I should be on a lot tonight and I have 4
main chat programs if someone wants help...

Shane

Virus Characteristics

This mass mailing worm attempts to send itself using Microsoft Outlook by
replying to unread email messages. It also drops a remote access trojan
(detected as Backdoor-NK.svr with the 4134 DATs; detected heuristically as
New Backdoor prior to the 4134 DAT release).
When run, the worm displays a message box entitled, "Install error" which
reads, "File data corrupt: probably due to a bad data transmission or bad
disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an
entry is entered into the WIN.INI file to run INETD.EXE at startup.
KERN32.EXE (a backdoor trojan), and HKSDLL.DLL (a valid keylogger DLL) are
written to the WINDOWS SYSTEM directory, and a registry entry is created to
load the trojan upon system startup.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe

Note: Under WinNT/2K, an additional registry key value is entered instead of
a WIN.INI entry:

HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE

Once running, the trojan attempts to mail the victim's IP Address to the
author. Once this information is obtained, the author can connect to the
infected system via the Internet and steal personal information such as
usernames, and passwords. In addition, the trojan also contains a keylogger
program which is capable of capturing other vital information such as credit
card and bank account numbers and passwords.

The next time Windows is loaded, the worm attempts to email itself by
replying to unread messages in Microsoft Outlook folders. The worm will be
attached to these messages using one of the following filenames (note that
some of these filenames are also associated with other threats, such as
W95/MTX.gen@M):

Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif

The message body may contain the text:
Take a look to the attachment.

AVERT first received an intended version of this worm (10,623 bytes) on
April 11 from a company in New Zealand.

Indications Of Infection
- Presence of the file %WinDir%\INETD.EXE
- Presence of the file %SysDir%\KERN32.EXE
- Email correspondence noting that you've sent them an attachment when you
did not.

Method Of Infection
This worm utilizes MAPI messaging to mail itself to regular email
correspondence. It will arrive as an attachment that is 13,312 bytes in
length and uses one of the following names (note that some of these
filenames are also associated with other threats, such as W95/MTX.gen@M):

Card.pif
docs.scr
fun.pif
hamster.ZIP.scr
Humor.TXT.pif
images.pif
New_Napster_Site.DOC.scr
news_doc.scr
Me_nude.AVI.pif
Pics.ZIP.scr
README.TXT.pif
s3msong.MP3.pif
searchURL.scr
SETUP.pif
Sorry_about_yesterday.DOC.pif
YOU_are_FAT!.TXT.pif

The message body may contain the text:
Take a look to the attachment.

Removal Instructions
Use specified engine and DAT files for detection and removal.

Manual Removal Instructions

1. Restart the computer in MS-DOS mode
2. Delete the files mentioned
3. Restart Windows
4. Delete the registry keys as mentioned

Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files
automatically to the C:\_Restore folder. This means that an infected file
could be stored there as a backup file, and VirusScan will be unable to
delete these files. These instructions explain how to remove the infected
files from the C:\_Restore folder.

Disabling the Restore Utility

1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse the
files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5
remove the check mark next to "Disable System Restore". The infected files
are removed and the System Restore is once again active.


Virus Information
 Discovery Date: 4/11/01
 Origin: Unknown
 Length: 13,312
 Type: Virus
 SubType: Internet Worm
 Risk Assessment: Medium


Aliases
Backdoor-NK.svr, BadTrans (F-Secure), I-Worm.Badtrans (AVP),
W32.Badtrans.13312@mm (NAV)





----- Original Message -----
From: "-RJ-" <TranquilityBase at NetZero_Net>
To: <killietalk at aka_org>
Sent: Saturday, April 28, 2001 4:56 AM
Subject: RE: Viruses


> Hi Ernie,
>
> You could try to rename the file, then it can not be called and you can
> delete it at your convenience. See my other post for additions info.
>
> -RJ-
>
> -----Original Message-----
> From: owner-killietalk at aka_org [mailto:owner-killietalk at aka_org]On
> Behalf Of Ernest E. May
> Sent: Friday, April 27, 2001 7:05 PM
> To: killietalk at aka_org
> Subject: Re: Viruses
>
>
> Tom,
> I was able to delete some of the files, but there are 10 files
> I finally managed to quarantine. Attempts at deletion resulted
> in "Cannot Delete A0007287.CPY. Access denied. The source file
> may be in use." Any suggestions?
> erny
>
>
>
> ----- Original Message -----
> From: "Tom Grady" <tgrady at twcny_rr.com>
> To: <killietalk at aka_org>
> Sent: Friday, April 27, 2001 3:59 PM
> Subject: Re: Viruses
>
>
> > Yes Karl is aware ...  I called him on the phone a night ago and we tried
> > to remove it ... Thought we had it all, but obviously some part of it
> > sneaked through ...
> >
> > <shrugs>   He is definitely trying to get his end fixed - as most people
> > know already - McAfee does not recognize it yet .. they may on their next
> > update tho.
> >
> > Personally I think it's a neat little virus ... doesn't hurt the personal
> > machines  just clogs up the mail servers a bit ... and of course passes on
> > your passwords to the author <grins>
> >
> > I do suggest if you actually had the virus operate from your machine - you
> > change your passwords to sensitive stuff.  The author may not want your -
> > but you never can tell.
> >
> > If people need it - I will repost the info on how to remove it without a
> > virus removal program.
> >
> > Tom Grady ... resident virus ... uhm  remover ...
> >
> >
> >
> >
> > At Friday 04:58 PM 4/27/01, you wrote:
> > >I wonder if Karl is even aware that he is participating
> > >in the spread of this virus?
> > >erny
> > >----- Original Message -----
> > >From: "Drummond Howard" <drummondhoward at hotmail_com>
> > >To: <killietalk at aka_org>
> > >Sent: Friday, April 27, 2001 5:50 AM
> > >Subject: Re: Viruses
> > >
> > >
> > > > I also received it twice today.  Hotmail didn't see it, good thing I have
> > > > Norton on my computer....  Although it apparently only affects Outlook....
> > > >
> > > > Drummond
> > > >
> > > >
> > > > >From: Jeremy Adams <killifish at home_com>
> > > > >Reply-To: killietalk at aka_org
> > > > >To: "killietalk at aka_org" <killietalk at aka_org>
> > > > >Subject: Viruses
> > > > >Date: Thu, 26 Apr 2001 16:41:16 -0700
> > > > >
> > > > >Today I have received 3 viruses from 3 different list members. Luckily
> > > > >none of them affect my Mac, but windows users may want to beware
> > > > >
> > > > >Obviously not blaming here, but I received viruses from:
> > > > >
> > > > >"Karl Doering" <kilikarl at bignet_net> Sent:  hamster.ZIP.scr
> > > > >"Ernest E. May" <emay1 at wi_rr.com>  Sent:  Me_nude.AVI.pif
> > > > >"-----Cypher-----" <cypher at cromas_net> Sent:  s3msong.MP3.pif
> > > > >
> > > > >All of these were addressed specifically to me, not to the list.
> > > > >
> > > > >The accompanying text looks as follows, and then there is an attachment
> > > > >for the Virus
> > > > >
> > > > >
> > > > > > Subject:
> > > > > >                     Re: Re: Electronic BNL
> > > > > >         Date:
> > > > > >                     Thu, 26 Apr 2001 07:39:03 -0400
> > > > > >       From:
> > > > > >                     "Karl Doering"
> > > > > >             To:
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > 'Jeremy Adams' wrote:
> > > > > > ====
> > > > > > - > It is indeed not the general trend and I dare say few of us are willing OR
> > > > > > - > anxious
> > > > > > - > to be stuck with a BNL that is only on the computer screen.
> > > > > > - >
> > > > > > - > To try to save money by removing a service sounds more like Wallstreet and
> > > > > > - > less
> > > > > > - > like a club of hobbyists.
> > > > > > - >
> > > > > > - I don't think this has been suggested? I think what has been suggested
> > > > > > - is to give people the choice of paper or electronic. The people who do
> > > > > > - it electronically would save the AKA money. Th ...'
> > > > > >
> > > > > >
> > > > > > > Take a look to the attachment.
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >Jeremy
> > > > >
> > > > >--
> > > > >
> > > > >
> > > > >
> > > > >~~~~~~~~~~~~~My Life Story~~~~~~~~~~~~~~~~
> > > > >Jeremy Adams - Corvallis, Oregon  USA
> > > > >Killifish-Frogs-Toads-Aquatic Plants-Fish Ponds
> > > > >Bombina orientalis web page:
> > > > ><http://members.home.net/killifish/bombina.html>
> > > > >Loyal Macintosh user since 1988
> > > > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > >
> > > > >
> > > > >---------------
> > > > >See http://www.aka.org/AKA/subkillietalk.html to unsubscribe
> > > >
> > > >
> > > > ---------------
> > > > See http://www.aka.org/AKA/subkillietalk.html to unsubscribe
> > >
> > >
> > >---------------
> > >See http://www.aka.org/AKA/subkillietalk.html to unsubscribe
> >
> > ---------------
> > See http://www.aka.org/AKA/subkillietalk.html to unsubscribe
> >
>
>
> ---------------
> See http://www.aka.org/AKA/subkillietalk.html to unsubscribe
>
>
>
> ---------------
> See http://www.aka.org/AKA/subkillietalk.html to unsubscribe
>

---------------
See http://www.aka.org/AKA/subkillietalk.html to unsubscribe
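The Indications Of Infection, the WIN.INI entry, the registry values and the attachment names from the McAfee writeup quoted above can be turned into a small check that runs over a file listing, a WIN.INI and a registry snapshot, and over attachment names seen at a mail gateway. The following Python is an added example written for this page, not McAfee's or the list's code. The file paths, registry values and attachment names are taken from the writeup; the sample file list, WIN.INI text and registry snapshot are constructed; and the executable and decoy extensions beyond .pif and .scr are an assumption that generalises the writeup's "document.EXT.pif" naming pattern to the common double-extension trick.

```python
"""Indicator checks derived from the BadTrans writeup (added example, not the
vendor's or the list's code).  Sample inputs below are constructed."""

# Attachment names listed in the writeup; compared case-insensitively.
KNOWN_ATTACHMENT_NAMES = {
    "Card.pif", "docs.scr", "fun.pif", "hamster.ZIP.scr", "Humor.TXT.pif",
    "images.pif", "New_Napster_Site.DOC.scr", "news_doc.scr", "Me_nude.AVI.pif",
    "Pics.ZIP.scr", "README.TXT.pif", "s3msong.MP3.pif", "searchURL.scr",
    "SETUP.pif", "Sorry_about_yesterday.DOC.pif", "YOU_are_FAT!.TXT.pif",
}
_KNOWN_LOWER = {n.lower() for n in KNOWN_ATTACHMENT_NAMES}

# The writeup only uses .pif and .scr; the other extensions are an assumption
# added to generalise the "document.EXT.executable" pattern.
EXEC_EXTENSIONS = {"pif", "scr", "exe", "com", "bat"}
DECOY_EXTENSIONS = {"txt", "doc", "zip", "avi", "mp3"}

# Files and registry values named in the writeup.
INDICATOR_FILES = (r"%WinDir%\INETD.EXE", r"%SysDir%\KERN32.EXE", r"%SysDir%\HKSDLL.DLL")
RUNONCE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
NT_RUN_KEY = r"HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows"


def classify_attachment(name):
    """Return why an attachment name is suspicious, or None if it is not."""
    lowered = name.lower()
    if lowered in _KNOWN_LOWER:
        return "known BadTrans attachment name"
    parts = lowered.rsplit(".", 2)
    if len(parts) == 3 and parts[2] in EXEC_EXTENSIONS and parts[1] in DECOY_EXTENSIONS:
        return "executable disguised with a double extension"
    return None


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _reg_values(registry, key):
    """Case-insensitive lookup of one registry key's {value name: data} dict."""
    for k, values in registry.items():
        if k.lower() == key.lower():
            return {name.lower(): data for name, data in values.items()}
    return {}


def check_host(present_files, win_ini_text, registry):
    """Return a list of findings for the writeup's host indicators."""
    findings = []
    present = {p.lower() for p in present_files}
    for path in INDICATOR_FILES:
        if path.lower() in present:
            findings.append("file present: " + path)
    # Win9x persistence: [windows] run= line in WIN.INI
    run = parse_ini(win_ini_text).get("windows", {}).get("run", "")
    if "inetd.exe" in run.lower():
        findings.append("WIN.INI [windows] run= loads " + run)
    # Backdoor persistence: RunOnce value kernel32=kern32.exe
    if _reg_values(registry, RUNONCE_KEY).get("kernel32", "").lower() == "kern32.exe":
        findings.append("RunOnce value kernel32=kern32.exe")
    # WinNT/2K persistence: Windows NT ... \Windows\RUN value instead of WIN.INI
    nt_run = _reg_values(registry, NT_RUN_KEY).get("run", "")
    if "inetd.exe" in nt_run.lower():
        findings.append("Windows NT RUN value loads " + nt_run)
    return findings


# Constructed sample inputs resembling a Win9x host after infection.
SAMPLE_FILES = [r"%WinDir%\INETD.EXE", r"%SysDir%\KERN32.EXE", r"%WinDir%\NOTEPAD.EXE"]
SAMPLE_WIN_INI = "; constructed\n[windows]\nload=\nrun=C:\\WINDOWS\\INETD.EXE\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_REGISTRY = {RUNONCE_KEY: {"kernel32": "kern32.exe"}}

if __name__ == "__main__":
    for finding in check_host(SAMPLE_FILES, SAMPLE_WIN_INI, SAMPLE_REGISTRY):
        print(finding)
    for name in ("Me_nude.AVI.pif", "Invoice.TXT.pif", "report.pdf"):
        print(name, "->", classify_attachment(name))
```

On a real host the file list would come from a directory walk of %WinDir% and its SYSTEM folder and the registry snapshot from an export of the two keys; the lookups are case-insensitive because Windows paths and value names are. The double-extension rule is deliberately narrow (a decoy document extension followed by an executable one) so that ordinary attachments such as report.pdf are not flagged.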