
Re: Viruses



Well, where do you live? And the only type of beer I like is root beer, but
that's good too.  But glad to see you've fixed it.  I too have Win. ME.
----- Original Message -----
From: "Ernest E. May" <emay1 at wi_rr.com>
To: <killietalk at aka_org>
Sent: Saturday, April 28, 2001 1:30 PM
Subject: Re: Viruses


> Hello Shane,
> The fix you described, the one specific for Windows Me, was very
> useful in deleting the infected files. A complete scan came up
> clean; thank you. If you are ever in my neighborhood I'll buy you a
> beer. Actually all you can drink!
> erny
>
>
>
> ----- Original Message -----
> From: "Shane Fisher" <shane123 at ptd_net>
> To: <killietalk at aka_org>
> Sent: Saturday, April 28, 2001 4:59 AM
> Subject: Re: Viruses
>
>
> > That's funny, I found the fix to BadTrans at the McAfee website I think.
> > Just found it too.  I think you have to run msconfig before you can delete
> > it too...   If anyone has questions I should be on a lot tonight and I have
> > 4 main chat programs if someone wants help...
> >
> > Shane
> >
> > Virus Characteristics
> >
> > This mass mailing worm attempts to send itself using Microsoft Outlook by
> > replying to unread email messages. It also drops a remote access trojan
> > (detected as Backdoor-NK.svr with the 4134 DATs; detected heuristically as
> > New Backdoor prior to the 4134 DAT release).
> > When run, the worm displays a message box entitled, "Install error" which
> > reads, "File data corrupt: probably due to a bad data transmission or bad
> > disk access." A copy is saved into the WINDOWS directory as INETD.EXE and
> > an entry is entered into the WIN.INI file to run INETD.EXE at startup.
> > KERN32.EXE (a backdoor trojan), and HKSDLL.DLL (a valid keylogger DLL) are
> > written to the WINDOWS SYSTEM directory, and a registry entry is created
> > to load the trojan upon system startup.
> >
> > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
> > RunOnce\kernel32=kern32.exe
> >
> > Note: Under WinNT/2K, an additional registry key value is entered instead
> > of a WIN.INI entry:
> >
> > HKEY_USERS\Software\Microsoft\Windows NT\
> > CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE
> >
> > Once running, the trojan attempts to mail the victim's IP Address to the
> > author. Once this information is obtained, the author can connect to the
> > infected system via the Internet and steal personal information such as
> > usernames, and passwords. In addition, the trojan also contains a
> > keylogger program which is capable of capturing other vital information
> > such as credit card and bank account numbers and passwords.
> >
> > The next time Windows is loaded, the worm attempts to email itself by
> > replying to unread messages in Microsoft Outlook folders. The worm will
> > be attached to these messages using one of the following filenames (note
> > that some of these filenames are also associated with other threats, such
> > as W95/MTX.gen@M):
> >
> > Card.pif
> > docs.scr
> > fun.pif
> > hamster.ZIP.scr
> > Humor.TXT.pif
> > images.pif
> > New_Napster_Site.DOC.scr
> > news_doc.scr
> > Me_nude.AVI.pif
> > Pics.ZIP.scr
> > README.TXT.pif
> > s3msong.MP3.pif
> > searchURL.scr
> > SETUP.pif
> > Sorry_about_yesterday.DOC.pif
> > YOU_are_FAT!.TXT.pif
> >
> > The message body may contain the text:
> > Take a look to the attachment.
> >
> > AVERT first received an intended version of this worm (10,623 bytes) on
> > April 11 from a company in New Zealand.
> >
> > Indications Of Infection
> > - Presence of the file %WinDir%\INETD.EXE
> > - Presence of the file %SysDir%\KERN32.EXE
> > - Email correspondence noting that you've sent them an attachment when
> >   you did not.
> >
> > Method Of Infection
> > This worm utilizes MAPI messaging to mail itself to regular email
> > correspondence. It will arrive as an attachment that is 13,312 bytes in
> > length and uses one of the following names (note that some of these
> > filenames are also associated with other threats, such as W95/MTX.gen@M):
> >
> > Card.pif
> > docs.scr
> > fun.pif
> > hamster.ZIP.scr
> > Humor.TXT.pif
> > images.pif
> > New_Napster_Site.DOC.scr
> > news_doc.scr
> > Me_nude.AVI.pif
> > Pics.ZIP.scr
> > README.TXT.pif
> > s3msong.MP3.pif
> > searchURL.scr
> > SETUP.pif
> > Sorry_about_yesterday.DOC.pif
> > YOU_are_FAT!.TXT.pif
> >
> > The message body may contain the text:
> > Take a look to the attachment.
> >
> > Removal Instructions
> > Use specified engine and DAT files for detection and removal.
> >
> > Manual Removal Instructions
> >
> >
> > Restart the computer in MS-DOS mode
> > Delete the files mentioned
> > Restart Windows
> > Delete the registry keys as mentioned
> > Windows ME Info:
> > NOTE: Windows ME utilizes a backup utility that backs up selected files
> > automatically to the C:\_Restore folder. This means that an infected
> > file could be stored there as a backup file, and VirusScan will be unable
> > to delete these files. These instructions explain how to remove the
> > infected files from the C:\_Restore folder.
> >
> > Disabling the Restore Utility
> >
> > 1. Right click the My Computer icon on the Desktop.
> > 2. Click on the Performance Tab.
> > 3. Click on the File System button.
> > 4. Click on the Troubleshooting Tab.
> > 5. Put a check mark next to "Disable System Restore".
> > 6. Click the Apply button.
> > 7. Click the Close button.
> > 8. Click the Close button again.
> > 9. You will be prompted to restart the computer. Click Yes.
> > NOTE: The Restore Utility will now be disabled.
> > 10. Restart the computer in Safe Mode.
> > 11. Run a scan with VirusScan to delete all infected files, or browse
> > the files located in the C:\_Restore folder and remove the files.
> > 12. After removing the desired files, restart the computer normally.
> > NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5
> > remove the check mark next to "Disable System Restore". The infected
> > files are removed and the System Restore is once again active.
> >
> >
> > Virus Information
> >  Discovery Date: 4/11/01
> >  Origin: Unknown
> >  Length: 13,312
> >  Type: Virus
> >  SubType: Internet Worm
> >  Risk Assessment: Medium
> >
> >
> > Aliases
> > Backdoor-NK.svr, BadTrans (F-Secure), I-Worm.Badtrans (AVP),
> > W32.Badtrans.13312@mm (NAV)
> >
> >
> >
> >
> >
> > ----- Original Message -----
> > From: "-RJ-" <TranquilityBase at NetZero_Net>
> > To: <killietalk at aka_org>
> > Sent: Saturday, April 28, 2001 4:56 AM
> > Subject: RE: Viruses
> >
> >
> > > Hi Ernie,
> > >
> > > You could try to rename the file, then it can not be called and you
> > > can delete it at your convenience. See my other post for additional info.
> > >
> > > -RJ-
> > >
> > > -----Original Message-----
> > > From: owner-killietalk at aka_org [mailto:owner-killietalk at aka_org]On
> > > Behalf Of Ernest E. May
> > > Sent: Friday, April 27, 2001 7:05 PM
> > > To: killietalk at aka_org
> > > Subject: Re: Viruses
> > >
> > >
> > > Tom,
> > > I was able to delete some of the files, but there are 10 files
> > > I finally managed to quarantine. Attempts at deletion resulted
> > > in "Cannot Delete A0007287.CPY. Access denied. The source file
> > > may be in use." Any suggestions?
> > > erny
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Tom Grady" <tgrady at twcny_rr.com>
> > > To: <killietalk at aka_org>
> > > Sent: Friday, April 27, 2001 3:59 PM
> > > Subject: Re: Viruses
> > >
> > >
> > > > Yes Karl is aware ...  I called him on the phone a night ago and we
> > > > tried to remove it ... Thought we had it all, but obviously some part
> > > > of it sneaked through ...
> > > >
> > > > <shrugs>   He is definitely trying to get his end fixed - as most
> > > > people know already - McAfee does not recognize it yet .. they may on
> > > > their next update tho.
> > > >
> > > > Personally I think it's a neat little virus ... doesn't hurt the
> > > > personal machines  just clogs up the mail servers a bit ... and of
> > > > course passes on your passwords to the author <grins>
> > > >
> > > > I do suggest if you actually had the virus operate from your
> > > > machine - you change your passwords to sensitive stuff.  The author
> > > > may not want your - but you never can tell.
> > > >
> > > > If people need it - I will repost the info on how to remove it
> > > > without a virus removal program.
> > > >
> > > > Tom Grady ... resident virus ... uhm  remover ...
> > > >
> > > >
> > > >
> > > >
> > > > At Friday 04:58 PM 4/27/01, you wrote:
> > > > >I wonder if Karl is even aware that he is participating
> > > > >in the spread of this virus?
> > > > >erny
> > > > >----- Original Message -----
> > > > >From: "Drummond Howard" <drummondhoward at hotmail_com>
> > > > >To: <killietalk at aka_org>
> > > > >Sent: Friday, April 27, 2001 5:50 AM
> > > > >Subject: Re: Viruses
> > > > >
> > > > >
> > > > > > I also received it twice today.  Hotmail didn't see it, good
> > > > > > thing I have Norton on my computer....  Although it apparently
> > > > > > only affects Outlook....
> > > > > >
> > > > > > Drummond
> > > > > >
> > > > > >
> > > > > > >From: Jeremy Adams <killifish at home_com>
> > > > > > >Reply-To: killietalk at aka_org
> > > > > > >To: "killietalk at aka_org" <killietalk at aka_org>
> > > > > > >Subject: Viruses
> > > > > > >Date: Thu, 26 Apr 2001 16:41:16 -0700
> > > > > > >
> > > > > > >Today I have received 3 viruses from 3 different list members.
> > > > > > >Luckily none of them affect my Mac, but windows users may want to
> > > > > > >beware
> > > > > > >
> > > > > > >Obviously not blaming here, but I received viruses from:
> > > > > > >
> > > > > > >"Karl Doering" <kilikarl at bignet_net> Sent:  hamster.ZIP.scr
> > > > > > >"Ernest E. May" <emay1 at wi_rr.com>  Sent:  Me_nude.AVI.pif
> > > > > > >"-----Cypher-----" <cypher at cromas_net> Sent:  s3msong.MP3.pif
> > > > > > >
> > > > > > >All of these were addressed specifically to me, not to the list.
> > > > > > >
> > > > > > >The accompanying text looks as follows, and then there is an
> > > > > > >attachment for the Virus
> > > > > > >
> > > > > > >
> > > > > > > > Subject:
> > > > > > > >                     Re: Re: Electronic BNL
> > > > > > > >         Date:
> > > > > > > >                     Thu, 26 Apr 2001 07:39:03 -0400
> > > > > > > >       From:
> > > > > > > >                     "Karl Doering"
> > > > > > > >             To:
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > 'Jeremy Adams' wrote:
> > > > > > > > ====
> > > > > > > > - > It is indeed not the general trend and I dare say few of
> > > > > > > > - > us are willing OR anxious
> > > > > > > > - > to be stuck with a BNL that is only on the computer screen.
> > > > > > > > - >
> > > > > > > > - > To try to save money by removing a service sounds more
> > > > > > > > - > like Wallstreet and less
> > > > > > > > - > like a club of hobbyists.
> > > > > > > > - >
> > > > > > > > - I don't think this has been suggested? I think what has
> > > > > > > > - been suggested is to give people the choice of paper or
> > > > > > > > - electronic. The people who do it electronically would save
> > > > > > > > - the AKA money. Th ...'
> > > > > > > >
> > > > > > > >
> > > > > > > > > Take a look to the attachment.
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >Jeremy
> > > > > > >
> > > > > > >--
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >~~~~~~~~~~~~~My Life Story~~~~~~~~~~~~~~~~
> > > > > > >Jeremy Adams - Corvallis, Oregon  USA
> > > > > > >Killifish-Frogs-Toads-Aquatic Plants-Fish Ponds
> > > > > > >Bombina orientalis web page:
> > > > > > ><http://members.home.net/killifish/bombina.html>
> > > > > > >Loyal Macintosh user since 1988
> > > > > > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > > > >
> > > > > > >
> > > > > > >---------------
> > > > > > >See http://www.aka.org/AKA/subkillietalk.html to unsubscribe
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
> >
>
>
>

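The indications of infection quoted from the McAfee write-up in the thread above (the WIN.INI run= entry, the RunOnce and Windows NT RUN registry values, and the attachment filenames) checked as a small script. This is an added example, not code from the list or from McAfee: it runs over constructed WIN.INI text, registry (key, name, data) triples and attachment names rather than a live machine, and the double-extension pattern generalises the listed names to any stem with the same lure shape.

```python
import re

# Attachment names the write-up lists for the worm (lower-cased for matching).
BADTRANS_NAMES = {n.lower() for n in [
    "Card.pif", "docs.scr", "fun.pif", "hamster.ZIP.scr", "Humor.TXT.pif",
    "images.pif", "New_Napster_Site.DOC.scr", "news_doc.scr", "Me_nude.AVI.pif",
    "Pics.ZIP.scr", "README.TXT.pif", "s3msong.MP3.pif", "searchURL.scr",
    "SETUP.pif", "Sorry_about_yesterday.DOC.pif", "YOU_are_FAT!.TXT.pif"]}
DOUBLE_EXT = re.compile(r"\.(txt|doc|zip|avi|mp3)\.(pif|scr)$", re.I)  # same lure shape, any stem

def win_ini_findings(text):
    """Flag a run= line in the [windows] section of WIN.INI that loads INETD.EXE."""
    section, hits = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() == "run" \
                and "inetd.exe" in value.lower():
            hits.append("WIN.INI run=" + value.strip())
    return hits

def registry_findings(entries):
    """entries: (key, value_name, data) triples, e.g. parsed from a .reg export."""
    hits = []
    for key, name, data in entries:
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith(r"\currentversion\runonce") and n == "kernel32" and d.endswith("kern32.exe"):
            hits.append("RunOnce kernel32=" + data)     # Win9x/ME trojan loader
        if k.endswith(r"\windows nt\currentversion\windows") and n == "run" and "inetd.exe" in d:
            hits.append("NT/2K Windows\\RUN=" + data)   # NT/2K stand-in for the WIN.INI entry
    return hits

def attachment_findings(names):
    """Known BadTrans filenames, or the double-extension .pif/.scr lure pattern."""
    return [n for n in names if n.lower() in BADTRANS_NAMES or DOUBLE_EXT.search(n)]

def scan(win_ini_text, reg_entries, attachment_names):
    return (win_ini_findings(win_ini_text) + registry_findings(reg_entries)
            + attachment_findings(attachment_names))

# Constructed sample input (not captured from a real machine).
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\INETD.EXE\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_REG = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "kernel32", "kern32.exe"),
    (r"HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows", "RUN", r"%WinDir%\INETD.EXE"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SomeTool", "tool.exe")]  # benign entry
SAMPLE_ATTACHMENTS = ["Me_nude.AVI.pif", "report.doc", "photo.JPG.scr", "Invoice.DOC.scr"]
```

Calling scan(SAMPLE_WIN_INI, SAMPLE_REG, SAMPLE_ATTACHMENTS) returns the five findings; a clean machine and ordinary attachments give an empty list.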

