[ic] VIRUS WARNING !!!!

David Wilson david@wwns.com
Fri, 20 Apr 2001 15:05:39 -0500 (CDT)


OK Guys,

This is not on topic.  I think the best thing to do is to send her a
note and let her know that she has this problem.  Most of these viruses 
are automatically sent to every email address the program can find on a 
system.  I would guess that she probably had no idea that it is on her 
system, or is sending these out.

Especially if you are running a Microsoft email reader you will have to
deal with this.  It is not uncommon for me to see one of these a day, 
sometimes more.  I don't run Outlook for most of my mail and don't have
that problem.

I would recommend that if more notes are sent to the list about this 
virus problem that Mike start eliminating those addresses from the list.
If it was not for the large number of people using Windows based email
I would say when you see a MIME header in a message, kill the message
before it makes it to the list recipients.

My .02

Dave

joachim.richter wrote...
> 
> Hi List,
> 
> I have just received two emails from the following person, answering a question I put on the list this morning
> 
> Return-Path: <3dranger@mpinet.net>
> Received: from localhost (root@localhost [127.0.0.1])	by brainstorm1.usvid (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with ESMTP id SAA31473	for <joachim.richter@localhost>; Fri, 20 Apr 2001 18:29:56 +0200
> Received: from 212.43.90.100	by localhost with POP3 (fetchmail-5.3.0)	for joachim.richter@localhost (single-drop); Fri, 20 Apr 2001 18:29:56 +0200 (MEST)
> Received: from fl-mta02.durocom.com (fl-mta02.durocom.com [216.53.195.243])	by thundertaste.bpaserver.net (8.9.3/8.9.3) with ESMTP id RAA40208	for <joachim.richter@usvideocenter.de>; Fri, 20 Apr 2001 17:13:47 +0200 (CEST)
> Received: from computer ([216.53.218.107]) by fl-mta02.durocom.com with SMTP id <20010420144137.PERJ1198.fl-mta02@computer> for <joachim.richter@usvideocenter.de>; Fri, 20 Apr 2001 10:41:37 -0400
> Message-ID: <00c801c0c9a9$0ffa6ce0$6bda35d8@computer>
> 
> From: "Suzanne Thompson" <3dranger@mpinet.net>
> 
> To: <joachim.richter@usvideocenter.de>
> Subject: Re: Fwd: Re: [ic] URL DISPLAY  
> MIME-Version: 1.0
> Content-Type: multipart/mixed;	boundary="----=_NextPart_000_00C5_01C0C987.85818600"
> X-Mailer: Microsoft Outlook Express 5.50.4522.1200
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
> Date: Fri, 20 Apr 2001 10:41:44 -0400
> X-UIDL: 2cd42d92cc596ff6a9524ff64bccf340
> 
> 
> The attachment was the new Virus I-Worm.Badtrans
> 
> 
> This worm can be detected using AVX Professional ftp://ftp.avx.com/avxdesktop/setupavxpro.exe 
> 
> Manually removing an infection from your computer can put your data at risk for damage that may or may not be recoverable. Central Command strongly recommends that you backup all of your data prior to attempting to remove an infection or repair any damage caused by an infection.
> 
> 
> Details:
> ----------
> 
> Name: I-Worm.Badtrans
> Alias: W32.Badtrans.13312@mm
> Detection added : April 12, 2001
> Spread Method : Via E-Mail (A copy of the worm will be sent as a reply message to all unread emails in the user's Inbox folder)
> 
> 
> Description:
> ------------
> 
> Worm part:
> -------------
> 
> When the attachment is executed the worm drops the trojan "hkk32.exe" into the Windows folder and executes itself. A copy of the worm is created under the file name inetd.exe in Windows folder. The following line is added to "win.ini" in [windows] section: run=c:\windows\inetd.exe.
> 
> Trojan part:
> --------------
> 
> The hkk32.exe is a trojan called: Trojan.PSW.Hooker. This trojan drops a file called hksdll.dll used later as hook component to intercept pressed keys. A copy of the worm called kern32.exe is created in Windows folder and the original file hkk32.exe is deleted.
> 
> It also adds the following key to registry in order to be executed every time Windows loads:
> 
> HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 
> kernel32 = c:\windows\system\kern32.exe
> 
> It sends information from infected computers to the email address: ld8dl1@mailandnews.com
> 
> 
> 
> regards Joe
>  .
> .
>  .
> .
> 
> US Video Center Medien GmbH
> Heimsheimer Str 22
> 70499 Stuttgart
> 
> Tel 0711 880252 0
> Fax 0711 880252 22
> Email joachim.richter@usvideocenter.de
> 
> 
> _______________________________________________
> Interchange-users mailing list
> Interchange-users@lists.akopia.com
> http://lists.akopia.com/mailman/listinfo/interchange-users
> 


-- 
David R. Wilson  WB4LHO
World Wide Network Services
Nashville, Tennessee USA
david@wwns.com
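
A check for the two autostart traces named in the quoted advisory (the `run=` line in the `[windows]` section of win.ini and the `RunOnce` value), as an added example that is not part of the original messages. The file names come from the advisory; the function names, the dictionary form of the RunOnce values and the sample input are assumptions constructed for illustration.

```python
import ntpath

# File names taken from the quoted advisory; everything else is constructed.
WORM_FILES = {"inetd.exe", "kern32.exe", "hkk32.exe", "hksdll.dll"}

def win_ini_autoruns(text):
    """Return programs listed on run=/load= lines of the [windows] section."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in ("run", "load"):
            # win.ini allows several programs separated by spaces or commas
            found += value.replace(",", " ").split()
    return found

def flag_badtrans(win_ini_text, runonce_values):
    """runonce_values: dict of value name -> command read from the RunOnce key."""
    hits = []
    for path in win_ini_autoruns(win_ini_text):
        if ntpath.basename(path).lower() in WORM_FILES:
            hits.append(("win.ini", path))
    for name, cmd in runonce_values.items():
        exe = cmd.strip().strip('"')
        if ntpath.basename(exe).lower() in WORM_FILES:
            hits.append(("RunOnce\\" + name, cmd))
    return hits

# Constructed sample input mirroring the advisory's description.
SAMPLE_WIN_INI = """\
[fonts]
run=c:\\windows\\inetd.exe
[Windows]
load=
RUN = c:\\windows\\inetd.exe, c:\\tools\\clock.exe
"""
SAMPLE_RUNONCE = {"kernel32": "c:\\windows\\system\\kern32.exe",
                  "updater": "c:\\program files\\app\\update.exe"}

if __name__ == "__main__":
    for where, what in flag_badtrans(SAMPLE_WIN_INI, SAMPLE_RUNONCE):
        print(where, "->", what)
```

Matching is by file name only, so a hit is a lead to verify rather than proof of infection.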