
Re: virus attack

  • Gary C Moore
    Message 1 of 1 , Oct 8, 2001
      ----- Original Message -----
      From: Mike MacArthur <wilmac@...>
      To: Gary C Moore <gottlos75@...>
      Cc: Eric Oliver <Eric061450@...>
      Sent: Monday, October 08, 2001 1:20 AM

      Subject: virus attack
      MIKE MACARTHUR:

      > I was hoping you would have got back to me. There is some confusion in
      > the ranks, based on whether you knowingly forwarded a virus or not. That
      > a virus was forwarded under your name is confirmed, but you might not
      > have known about it.

      GARY C MOORE:
      I spent most of the day re-re-re-installing an anti-virus system all day long
      that I left to my daughter to finish after I went to bed. Maybe she has
      already sent you a message about this. She is the computer expert, not I.
      She said she had been neglecting the anti-virus system for a while, that
      this happened to her more than a week ago but did not think it was a virus
      at the time, which was exactly what I thought until you first wrote me. We
      have (supposedly: I thought I had just installed one 3 months ago, but
      apparently it didn't work or was installed wrong or should have been checked
      more thoroughly, all of which are things I need to learn more about)
      installed another anti-virus protector. She received some instructions on
      how to get rid of it, which I have pasted below. I am very sorry about this. I
      am going to leave the various lists I belong to anyway. This has been very
      depressing. But I am going to send this letter out to everybody before I do.

      Gary C. Moore


      >
      > I am willing to believe you did not, and that you have lost control of
      > your station to some degree. Perhaps the whole thing is being run by a
      > sophisticated virus on your own machine. If your McAfee says you have a
      > rogue file and you cannot see it, don't be surprised. That's the point
      > about viruses - they hide. The trouble is that if others are running
      > your mails without your knowledge, or a virus has taken over your
      > mailer, your address remains a danger to others.
      >
      > Did you take in my advice to take out a new ISP account with a new
      > alias? That is the only way you can be sure of regaining control unless
      > it's a virus you have on board. In that case you need to do a scan and
      > clean at once. From what you tell me you should do that anyway. Are your
      > definitions up to date? If not, update them first.
      >
      > The list owner biffed you before he saw the full development of this
      > thing I'm afraid, but I have asked him to reinstate you. Even so I will
      > be filtering anything that comes under your name until you change your
      > addy or get back to us that you have found the virus (if that's what's
      > driving things) and eliminated it.
      >
      > I know it's a damned nuisance, and makes for a lot of extra housework on
      > your part, particularly if it's coming from outside your box, and
      > rejoining groups etcetera, but it really is the only way to get out from
      > under this thing in that case. Please get back to me about this. What
      > steps have you taken at your end? Please do not ignore this. It is
      > important to you and everyone else you communicate with.
      >
      > mac
      >

      ----- Original Message -----
      From: Jennifer Moore
      To: Gary C Moore
      Sent: Monday, October 08, 2001 1:45 AM
      Subject: Re: VIRUS ALERT



      ----- Original Message -----
      From: Gary C Moore
      To: Gary C Moore
      Sent: Sunday, October 07, 2001 6:25 PM


      I got this virus. Hopefully your computer detected it. Here is the info I
      found about it.

      The virus is called W32/Badtrans@mm and it's one of those that just goes
      through your address book list and mails pretty much everyone who's on it.
      Due to the decreased number of reports, the threat level for this worm has
      been downgraded from 4 to 3. It is a MAPI worm that replies to all unread
      messages in your email message folders and drops a backdoor Trojan.

      Also Known As: W32/Badtrans-A, W32/Badtrans@MM, BadTrans, IWorm_Badtrans,
      I-Worm.Badtrans, TROJ_BADTRANS.A, Pws-AV Trojan
      Type: Worm
      Infection Length: 13312
      Virus Definitions: April 11, 2001
      Threat Assessment:

      Wild: High
      Damage: Medium
      Distribution: High

      Wild:
      Number of infections: 50 - 999
      Number of sites: More than 10
      Geographical distribution: High
      Threat containment: Easy
      Removal: Easy
      Damage:

      Payload:
      Large scale e-mailing: It replies to all unread messages in the message
      folders within the default MAPI email program.
      Compromises security settings: It drops a backdoor Trojan.
      Technical description:

      When the worm is executed, it drops the backdoor Trojan Hkk32.exe into the
      \Windows folder and executes it. It then copies itself into the \Windows
      folder as inetd.exe, adds a run= line to the Win.ini file, and displays the
      following message:


      The next time that the computer is restarted, the worm waits for five
      minutes and then uses MAPI to find all unread email messages and reply to
      all of them. The worm attaches itself to the message using one of the
      following file names:

      Pics.ZIP.scr
      images.pif
      README.TXT.pif
      New_Napster_Site.DOC.scr
      news_doc.scr
      hamster.ZIP.scr
      YOU_are_FAT!.TXT.pif
      searchURL.scr
      SETUP.pif
      Card.pif
      Me_nude.AVI.pif
      Sorry_about_yesterday.DOC.pif
      s3msong.MP3.pif
      docs.scr
      Humor.TXT.pif
      fun.pif

      Removal instructions:

      Because W32.Badtrans.13312@mm affects different operating systems in
      different ways, how you remove this worm depends on your operating system.
      Follow the instructions in the order given.

      To remove the worm:
      1. Run LiveUpdate to make sure that you have the most recent virus
      definitions.
      2. Start Norton AntiVirus (NAV), and run a full system scan, making sure
      that NAV is set to scan all files.
      3. Delete any files detected as W32.Badtrans.13312@mm. What you do next
      depends on whether NAV was able to delete the files that it detected as
      infected with W32.Badtrans.13312@mm.

      If NAV was able to delete all the files that it detected as infected, do one
      of the following:
      If you are running Windows 95/98/Me, skip to the section To edit the Win.ini
      file.
      If you are running Windows NT/2000 and NAV was able to delete all the
      infected files, you are finished.
      If NAV was not able to delete all files that it detected as infected, go on
      to the next section and see the instructions for your operating system.

      To remove files that cannot be deleted by NAV:
      Follow the instructions for your operating system only if NAV could not
      delete files that it detected as infected with W32.Badtrans.13312@mm.

      Windows 95/98/Me
      1. Restart the computer in Safe Mode. For instructions on how to restart in
      Safe Mode, see the document How to restart Windows 9x or Windows Me in Safe
      Mode.
      2. Run the scan again, and delete any files detected as
      W32.Badtrans.13312@mm.
      3. When the scan is finished, skip to the section To edit the Win.ini file.
      Windows NT/2000
      1. Press Ctrl+Alt+Delete one time.
      2. Click Task Manager.
      3. Click the Processes tab.
      4. Click the "Image Name" column header two times to sort the processes
      alphabetically.
      5. Scroll through the list and look for inetd.exe. If you find the file,
      click it and then click End Process.
      6. Scroll through the list and look for Kern32.exe. If you find the file,
      click it and then click End Process.
      7. Close the Task Manager.
      8. Right-click the My Computer icon on the Windows desktop, and click
      Explore.
      9. Do one of the following:
      If you are running Windows NT, click the View menu and click Options.
      If you are running Windows 2000, click the Tools menu and click Folder
      Options.
      10. Click the View tab.
      11. Do one of the following:
      If you are running Windows NT, click "Show all files," uncheck "Hide file
      extensions for known file types," and then click OK.
      If you are running Windows 2000, click "Show hidden files and folders" and
      uncheck "Hide file extensions for known file types."
      12. In the left pane of Windows Explorer, right-click drive C and then click
      Find (Windows NT) or Search (Windows 2000).
      13. In the "Named" or "Search for..." box, type--or copy and
      paste--the following file names:

      inetd.exe kern32.exe hkk32.exe hksdll.dll

      14. Click Find Now or Search Now.
      15. When the search is finished, write down the names and locations of the
      files that are displayed.
      16. Click the Edit menu, and click Select All.
      17. Hold down the Shift key, and press the Delete key. Continue to hold
      down the Shift key until you are prompted to confirm the deletion. Click
      Yes. (Holding the Shift key while pressing the Delete key bypasses the
      Recycle Bin.)
      18. Close Windows Explorer.
      19. Go on to the section To edit the registry.

      To edit the registry:

      CAUTION: We strongly recommend that you back up the system registry before
      making any changes. Incorrect changes to the registry could result in
      permanent data loss or corrupted files. Please make sure you modify only the
      keys specified. Please see the document How to back up the Windows registry
      before proceeding. This document is available from the Symantec
      Fax-on-Demand system. In the U.S. and Canada, call (541) 984-2490, select
      option 2, and then request document 927002.
      1. Click Start, and click Run. The Run dialog box appears.
      2. Type regedit and then click OK. The Registry Editor opens.
      3. Navigate to the key

      HKEY_LOCAL_MACHINE\Software\Microsoft\
      Windows\CurrentVersion\RunOnce

      4. In the right pane, delete the value

      Kernel32 KERN32.EXE

      5. Navigate to the key

      HKEY_CURRENT_USER\Software\Microsoft\
      Windows NT\CurrentVersion\Windows

      6. In the right pane, delete the value

      run <path>\Inetd.exe

      7. Exit the Registry Editor.
      8. Restart the computer.
      9. Run the scan again, and delete any files detected as
      W32.Badtrans.13312@mm. This completes the removal procedure for users of
      Windows NT/2000.

      To edit the Win.ini file:
      If you are running Windows 95/98/Me, you must also do the following:
      1. Click Start, and click Run.
      2. Type the following and then click OK:

      edit c:\windows\win.ini

      NOTE: If you installed Windows in a different location, make the appropriate
      substitution.

      3. In the [windows] section, locate the run= line. It will look similar to
      the following:

      run=c:\windows\inetd.exe

      4. Remove the text to the right of the = sign, so that the line now reads

      run=

      5. Save your changes, and exit the MS-DOS Editor.


      Write-up by: Peter Ferrie
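Added example, not part of this message or of the Symantec write-up it forwards: two defender-side checks in Python drawn from the description above, one for the disguised attachment names the worm uses and one for the win.ini run= line its removal steps clear. The attachment names and the run= line come from the write-up; the sample win.ini is constructed and the executable/decoy extension sets are an assumption.

```python
import re

# Attachment names listed in the write-up: a document-looking extension
# (.ZIP, .DOC, .TXT, ...) hides the real, executable one (.scr, .pif).
ATTACHMENT_NAMES = ["Pics.ZIP.scr", "images.pif", "README.TXT.pif",
                    "New_Napster_Site.DOC.scr", "s3msong.MP3.pif", "fun.pif"]

# Extension sets are an assumption for this example, not from the write-up.
EXECUTABLE_EXTS = {"scr", "pif", "exe", "com", "bat", "vbs"}
DECOY_EXTS = {"zip", "doc", "txt", "avi", "mp3", "jpg", "gif"}

def classify_attachment(name):
    """'double-extension' if a decoy extension masks an executable one,
    'executable' if the last extension is executable, otherwise 'ok'."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        if len(parts) == 3 and parts[-2] in DECOY_EXTS:
            return "double-extension"
        return "executable"
    return "ok"

# Constructed win.ini fragment matching step 3 of "To edit the Win.ini file".
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\windows\inetd.exe
NullPort=None

[fonts]
"""

def clean_win_ini_run(text, indicator="inetd.exe"):
    """Empty the [windows] run= line when it points at the dropped worm file,
    as step 4 of the write-up instructs. Returns (new_text, removed_values)
    so legitimate entries that shared the line can be restored by hand."""
    out, removed, in_windows = [], [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_windows = stripped.lower() == "[windows]"
        elif in_windows:
            m = re.match(r"(?i)^(run)\s*=\s*(.*)$", stripped)
            if m and indicator in m.group(2).lower():
                removed.append(m.group(2))
                line = f"{m.group(1)}="   # keep the key, drop the value
        out.append(line)
    return "\n".join(out) + "\n", removed

if __name__ == "__main__":
    for n in ATTACHMENT_NAMES:
        print(f"{n:28} {classify_attachment(n)}")
    print("removed run= value(s):", clean_win_ini_run(SAMPLE_WIN_INI)[1])
```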