VIRUS
-
- Moderator
- Posts: 4510
- Joined: Thu Feb 07, 2002 11:00 pm
VIRUS
Dear Ardi
Some bastard (I use the word advisedly!) has launched another virus. The FBI
has just warned about it according to the BBC report I heard.
Download the ZoneAlarm prog I told you to look at. It is VERY effective!!
Gbnt
Soroush
-
- Posts: 88
- Joined: Wed Apr 08, 2020 3:48 pm
Re: VIRUS
Dr.Taji,
Your computer is sending out a malicious virus, I just got one. Please
clean up your computer immediately, this is a bad one and luckily my
Norton Utilities quarantined it upon opening. The title of the email
that came from you was
Re: [Minutus] Psilocybe Caerulescens
which was the last post I sent to the list. So obviously the virus is
automatically sending itself out to everyone that has reached your email
box.
Please take care of this, as you can infect your entire address book and
then some...
Yours
Sara
PLEASE DO NOT RESPOND to this email until you clean out your computer.
I am now blocking all emails coming from you until you announce on
Minutus that the problem has been cleared out.
Dr. Waqar Taji wrote:
-
- Posts: 5602
- Joined: Tue Oct 30, 2001 11:00 pm
Re: VIRUS
Sara,
what does this virus do?
tanya
-
- Posts: 88
- Joined: Wed Apr 08, 2020 3:48 pm
Re: VIRUS
tanya marquette wrote:
BadTrans is a worm spreading with e-mail messages from Win32 systems.
The worm sends email messages with infected attached files, as well as
installs a spying trojan component to steal information from infected
systems. The worm was discovered in-the-wild on April 12 2001.
The worm itself is a Win32 executable file (PE EXE file). It was found
in-the-wild in a compressed form, and is about 13Kb long. When
decompressed, the worm's file length increases to about 40Kb.
The worm has a multi-component structure. It consists of two different
components that are dropped on a hard disk as three different files and
are run as stand-alone programs (email Worm and Trojan). The worm
routine is the main component, it keeps trojan program body in its code
and installs it into a system while infecting a new machine.
The worm component operates similar to I-Worm.ZippedFiles (aka
ExploreZip) worm: by using Windows MAPI functions it gets access to
Inbox and "answers" all unread messages. This routine has a bug and may
cause transport overload (see below).
The trojan component itself is a variant of already known
passwords-stealing trojan (see Trojan.PSW.Hooker). It sends information
from infected computers to the email address:
ld8dl1@mailandnews.com
When an infected file is run (when a user clicks on attached file and
activates it) the worm code gets control. First of all it drops
(installs) its components to the system. The worm copies itself to
Windows directory with INETD.EXE name and drops the trojan component to
Windows directory with HKK32.EXE name. The trojan component is executed
then, it moves itself to Windows system directory with KERN32.EXE name,
drops an additional library (key logger) with HKSDLL.DLL name.
The worm then registers itself (the INETD.EXE file) in auto-run sections
in the system. Under Win9x it writes "run=" command to [windows] section
to WIN.INI file, for example:
    [windows]
    load=
    run=C:\WINDOWS\INETD.EXE
Under WinNT/2000 the following registry key is created:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    RUN = C:\WINDOWS\INETD.EXE
The trojan registers itself in the Registry in RunOnce key:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    kernel32 = kern32.exe
Because this is "run once" key, the trojan on each start rewrites it,
and keeps Windows loading trojan file on each restart.
To hide its activity when installation into a new machine is complete
the worm displays the fake message and exits:
Install error
File data corrupt:
probably due to bad data transmission or bad disk access.
The worm does not send any messages out of infected machine at first
start, it does that on next Windows restarts instead. The spreading
routine is activated on next Windows restart when the worm copy is
activated from INETD.EXE file (this file is run automatically because it
is referred from "run" key in WIN.INI file or system registry).
The worm registers itself as hidden (service) process, and sleeps for
about 5 minutes before activating its spreading routine.
While spreading the worm gets access to Windows MAPI functions, opens
and reads all unread messages, "answers" on them with infected messages.
The worm does not terminate, and is active till Windows restart, and
sends infected message each time a new message arrives.
The infected message has text and attached file. Attached file name is
randomly selected from the following variants:
Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif
The Subject field in worm messages is the same as in
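Added example, not part of the original post or of the quoted description: a small Python triage helper that checks WIN.INI text for the autorun entry described above and classifies attachment names by the double-extension pattern seen in the list. The function names, the wider executable-extension set and the sample inputs are assumptions constructed for illustration.

```python
import ntpath

# File names the description above gives for the dropped components.
DROPPED = {"inetd.exe", "hkk32.exe", "kern32.exe", "hksdll.dll"}
# The listed attachments all end in .pif or .scr; the other entries are an assumption.
EXECUTABLE_EXT = {".pif", ".scr", ".exe", ".com", ".bat"}
# Decoy extensions that precede the real one in the attachment list above.
DECOY_EXT = {".zip", ".txt", ".doc", ".avi", ".mp3"}


def autorun_entries(win_ini_text):
    """Return (key, value) for non-empty load=/run= lines in the [windows] section."""
    section, found = None, []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("load", "run") and value:
                found.append((key.lower(), value))
    return found


def flag_autoruns(win_ini_text):
    """Autorun programs whose file name matches a dropped component."""
    hits = []
    for key, value in autorun_entries(win_ini_text):
        # Entries may list several programs; paths containing spaces are not handled.
        for program in value.replace(",", " ").split():
            if ntpath.basename(program).lower() in DROPPED:
                hits.append((key, program))
    return hits


def classify_attachment(name):
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    stem, ext = ntpath.splitext(name.lower())
    if ext not in EXECUTABLE_EXT:
        return "ok"
    return "double-extension" if ntpath.splitext(stem)[1] in DECOY_EXT else "executable"


# Constructed sample input, modelled on the WIN.INI fragment quoted above.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\INETD.EXE\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_ATTACHMENTS = ["README.TXT.pif", "SETUP.pif", "minutes.doc", "hamster.ZIP.scr"]

if __name__ == "__main__":
    print(flag_autoruns(SAMPLE_WIN_INI))
    print([(n, classify_attachment(n)) for n in SAMPLE_ATTACHMENTS])
```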
-
- Posts: 5602
- Joined: Tue Oct 30, 2001 11:00 pm
Re: VIRUS
How do you deal with this virus? I did not open the message from Taji this morning--there was one. But when I hit the delete button, a window opened momentarily and something got copied onto my computer. Now I can't get the e-mail to open correctly. I did take the suggestion and add the !000000 address to my address book prior to deleting the Taji message.
tanya
-
- Posts: 88
- Joined: Wed Apr 08, 2020 3:48 pm
Re: VIRUS
Tanya,
You will need an Anti Virus software, which is a good idea anyway.
Norton Utilities is what I like, but McAfee is also a good one and
there are many others.
Why don't you go to the sites quoted and search a bit, maybe you find a
solution?
Sara
-
- Posts: 88
- Joined: Wed Apr 08, 2020 3:48 pm
Re: VIRUS
Tanya,
here is somewhere to start:
http://www.virusbtn.com/
good luck
S
Sara Klein Ridgley PhD wrote:
-
- Posts: 15
- Joined: Wed Apr 01, 2020 10:00 pm
Re: VIRUS
Well, it is time to let everyone know that the virus problem has been sorted out.
with regards,
waqar