#61085 - 11/28/01 08:19 PM Re: URGENT!!! VIRUS WARNING!!
Wolf Offline
Member

Registered: 01/25/01
Posts: 1235
Loc: Rockford, IL/Milton, WI, USA
Tara,

You may be right. A virus directed at the punsters out here. Someone who just can't take a joke is trying to get even with us. But we'll win, because we can tell more bad jokes than they can make up bad viruses... wink

I think I eliminated the beast from my computer, since my McAfee virus package protected me enough that it wouldn't let it nest itself into vital areas.

I've always wondered what people who are capable of designing a program as complex as a virus are doing, wasting their time. It seems that anyone with that much ability would put it to work for their own good, making money, honestly. The only thing they can get from a virus like this is a nice term in prison, where they can become "Nancy" for some hairy ape doing life... eek Hardly a prospect I'd wish on anyone, but in their case, I might be willing to make an exception. wink

Well, it was an exciting day. Let's hope we don't see any more like it.

Wolf

Top
#61086 - 11/29/01 01:45 PM Re: URGENT!!! VIRUS WARNING!!
Jaime Offline
Member

Registered: 08/19/00
Posts: 147
Does anyone know what exactly the virus can do? What kind of files it corrupts?

Top
#61087 - 11/29/01 06:19 PM Re: URGENT!!! VIRUS WARNING!!
DavidB Offline
Member

Registered: 09/25/00
Posts: 63
Loc: Adelaide, SA, Australia
Hi Jaime

For you and any others out there that are interested, the following is exactly what the "Badtrans-B" virus does. It may seem a little long but this is a very complex and malicious virus. However, if you have an up-to-date anti-virus program then you should be OK. If not, follow the path in my previous posting to get the information regarding removal of the virus.

Anyway here's the full description:-


W32/Badtrans-B is an email-aware worm which uses MAPI to spread. The worm forwards itself to addresses found on the infected computer as an email message with no message text.

The worm finds addresses to send itself to by searching the address book. Additionally it searches the internet cache and "My Documents" folders for webpages, looking for further email addresses to which to send itself.

If the worm is replying to mail found on the infected machine, it will use the infected user's address in the From: field of the email, otherwise it will use one of the following addresses in the From: field:


The email uses a known exploit in certain versions of Outlook Express 5 in order to launch the attached file automatically. Microsoft has released a patch which reportedly addresses this vulnerability. (See previous post for a link to Microsoft's site for the patch.)

The worm generates a subject line by reading email on the infected machine and "replying" to it. For instance,

Re: <subject found by reading mail on infected machine>

For email addresses found via webpages in the internet cache or the "My Documents" folder, the subject line is simply "Re:" with no further text.

The worm attempts to create a name for the attached infected file by randomly generating it from three separate parts. The first part is taken from the list:

CARD
DOCS
FUN
HAMSTER
NEWS_DOC
HUMOR
IMAGES
info
ME_NUDE
New_Napster_Site
PICS
README
S3MSONG
SEARCHURL
SETUP
Sorry_about_yesterday
stuff
YOU_ARE_FAT!

The second from the list:

.DOC.
.MP3.
.ZIP.

(a bug inside the worm means that it never selects the ".ZIP." option)

and the last from:

pif
scr

For this reason the attached file can be called a large number of different names, including:

card.DOC.pif
docs.DOC.pif
fun.MP3.pif
HAMSTER.DOC.PIF
Humor.MP3.scr
IMAGES.DOC.pif
Me_nude.MP3.scr
New_Napster_Site.MP3.pif
Pics.DOC.scr
README.MP3.scr
S3MSONG.DOC.scr
SEARCHURL.MP3.pif
SETUP.DOC.scr
Sorry_about_yesterday.MP3.pif
Sorry_about_yesterday.MP3.scr
stuff.MP3.pif
YOU_ARE_FAT!.DOC.pif
YOU_are_FAT!.MP3.scr

If the attached file is run it may copy itself to the Windows or Windows system directory with the filename kernel32.exe and change the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce so that the worm runs the next time Windows is started. Note that the registry key will refer to the original attachment if the worm has not created a copy in the Windows or Windows system directories.

The worm also drops a file named kdll.dll, which is the Troj/PWS-AV password-stealing Trojan horse.

W32/Badtrans-B uses the Trojan Troj/PWS-AV to log a user's keystrokes in a file named cp_25389.nls in the Windows system directory. The log of keystrokes may be encrypted.

W32/Badtrans-B will attempt to send the log to one of the following email addresses:


So now you have it. Unfortunately there is no short way of describing what it does. Please link to the site in my previous post regarding removal of the virus, as it's not as simple as just deleting files.

Hope this helps.

David

smile
_________________________
“Travel light and with an open mind and a smile”

Top
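A mail-filter check for the attachment-naming scheme described in the post above, written as an added example (not part of the thread or of any vendor's code): it parses a message and flags parts whose real extension is pif or scr behind a decoy extension. The function names and the sample message are constructed for illustration.

```python
import email
import re
from email import policy

# Name parts quoted in the description above; compared in lower case because
# the observed attachment names vary in case (HAMSTER.DOC.PIF, Humor.MP3.scr).
FIRST = {"card", "docs", "fun", "hamster", "news_doc", "humor", "images",
         "info", "me_nude", "new_napster_site", "pics", "readme", "s3msong",
         "searchurl", "setup", "sorry_about_yesterday", "stuff", "you_are_fat!"}
DECOY = {"doc", "mp3", "zip"}  # ".ZIP." is listed even though it is never picked
FINAL = {"pif", "scr"}         # the real extension, which Windows executes
NAME_RE = re.compile(r"^(?P<first>.+)\.(?P<decoy>[^.]+)\.(?P<final>[^.]+)$")

def classify_attachment(filename):
    """Return 'badtrans-name', 'double-extension' or None for one filename."""
    m = NAME_RE.match(filename.strip().lower())
    if not m or m["final"] not in FINAL:
        return None
    if m["first"] in FIRST and m["decoy"] in DECOY:
        return "badtrans-name"
    return "double-extension"  # same disguise, name outside the listed scheme

def scan_message(raw_bytes):
    """Return [(filename, verdict)] for every flagged MIME part of a message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also reaches inline parts, not only attachments
        name = part.get_filename()  # falls back to the Content-Type name= parameter
        verdict = classify_attachment(name) if name else None
        if verdict:
            hits.append((name, verdict))
    return hits

# Constructed sample: empty body, bare "Re:" subject, one disguised attachment.
SAMPLE = (b"From: sender@example.com\r\nTo: user@example.com\r\n"
          b"Subject: Re:\r\nMIME-Version: 1.0\r\n"
          b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
          b"--b1\r\nContent-Type: text/plain\r\n\r\n\r\n"
          b'--b1\r\nContent-Type: application/octet-stream; name="Humor.MP3.scr"\r\n'
          b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n")

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE):
        print(f"{verdict}: {name}")
```

A name such as invoice.pdf.scr is reported as "double-extension" rather than ignored, since the disguise is the same even when the first part is not on the list.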
#61088 - 11/29/01 06:56 PM Re: URGENT!!! VIRUS WARNING!!
expressdance Offline
Member

Registered: 03/10/01
Posts: 65
Loc: Boston, Ma USA
Yes, my computer contracted this virus yesterday. Yesterday morning I received an e-mail from PALOISAC and since the end of the address was an .es instead of .com, I figured it may be someone I know from Spain on a different address. Apparently not. I opened the e-mail only to find it was empty, with two empty attachments. Don't worry Pim, I know this wasn't an intentional thing. After logging onto the MM website, I read the virus warning, and then looked up a way to get rid of it, which takes about 10 minutes. You can't just go in and delete it, because it will tell you that Windows needs it to run. Finally, I got my computer into safe mode and got rid of the bug! If anyone else has it and needs the deletion directions just let me know! That will teach me to open stuff from addresses I don't know!

P.S. Even though it seemed that the attachments didn't open, my computer still got the virus. So still, Pim and the rest who got it and it didn't seem to open, search for these files:

KERN32.EXE
KERNEL32.EXE
KDLL.DLL
HKSDLL.DLL
INETD.EXE

[ 11-29-2001: Message edited by: MadridMan ]

Top
#61089 - 11/29/01 07:27 PM Re: URGENT!!! VIRUS WARNING!!
Tia Offline
Member

Registered: 02/18/01
Posts: 170
That's exactly what happened to me, too.
I opened those two e-mails from Wolf and Pim (no hard feelings!) at my work and was very surprised since there was neither text nor attachment in them. I deleted them at once and when I had read the virus warning on the MMboard I called the support desk immediately. Thanks a bunch for all the information!

Tia (who hates hackers) mad

Top
#61090 - 11/30/01 05:41 AM Re: URGENT!!! VIRUS WARNING!!
Eddie Offline
Executive Member

Registered: 06/05/00
Posts: 1713
Loc: Phila., PA, USA
***********************
DO NOT OPEN any emails with "WTC Survivor" as the subject. It is a virus that will erase your whole "C" drive. It will come to you in the form of an E-Mail from a familiar person. If you receive an email called "WTC Survivor" do not open it. Delete it right away! This virus removes all dynamic link libraries ( .dll files) from your computer.
************************

I have recently received five (5) e-mails, apparently 5 copies of the same message (virus?) with the subject line blank. Each was 40k in size. The senders were supposed to be names I would recognize. I did what I considered to be the prudent course and deleted them. An e-mail that large doesn't really need an attachment for the 'worm' to do its dirty work. rolleyes

When I originally posted this message, there were three. It's up to five!

[ 11-30-2001: Message edited by: Eddie ]

Top
#61091 - 11/30/01 07:50 AM Re: URGENT!!! VIRUS WARNING!!
Antonio Offline


Executive Member

Registered: 05/07/00
Posts: 1176
Loc: Madrid (Spain)
From what Eddie said, it all seemed to be a hoax not a virus. Not surprisingly, I found the following information:

WTC survivor is not a virus but a hoax.

Hoaxinfo.com (http://www.hoaxinfo.com/) has information and links about hoaxes.

[ 11-30-2001: Message edited by: Antonio ]

[ 11-30-2001: Message edited by: MadridMan ]
_________________________
The best tips from your favourite hostal in Madrid.
Hostal Chelo at http://www.chelo.com

Top
#61092 - 11/30/01 08:43 AM Re: URGENT!!! VIRUS WARNING!!
zero262quick Offline
Member

Registered: 08/02/01
Posts: 63
Loc: Eastern Shore of Maryland
Everyone...

Here is a temporary fix for this virus.

Create a new contact in your address book called 000! (three zeroes and an exclamation point). This new contact will be the first in the address book. When the virus tries to send itself to everyone in your address book, it will try to send to 000! and will not be able to because it is an invalid format. It will then stop the process, and therefore not mail itself to anyone else.
I would also recommend obtaining the patch from Microsoft.

Forget virus software, no one needs it anyway. It is almost impossible to keep updated and it slows your system down considerably. Delete it. If you don't open unknown email attachments you shouldn't get any viruses.

Ben
pbchamp@intercom.net
_________________________
------------------------
I think there is a world market for maybe five computers.
- Thomas Watson (1874-1956), Chairman of IBM, 1943

"The more I meet new people, the more I like my dog."

Be happy while you're living, for you're a long time dead.
- Scottish Proverb

Top
#61093 - 11/30/01 09:18 AM Re: URGENT!!! VIRUS WARNING!!
Wolf Offline
Member

Registered: 01/25/01
Posts: 1235
Loc: Rockford, IL/Milton, WI, USA
Ben,

I understand that several governments have come up with a plan to ferret out all hackers. All people who are capable of creating a virus are going to be rounded up, and placed in big stadiums around the world. Then law enforcement agencies will use a crop duster to spray the stadium with a mixture of water, sodium pentothal (truth serum), and Viagra. Naturally the hackers that create viruses will automatically stand up.

Wolf (Who dislikes hackers as much as Tia!)

[ 11-30-2001: Message edited by: Wolf ]

Top
#61094 - 11/30/01 10:28 AM Re: URGENT!!! VIRUS WARNING!!
churrocaliente Offline
Member

Registered: 10/29/01
Posts: 159
Loc: Miami Beach, FL
Hello, I have been quietly lurking through this thread but not posting. There are two things I have always wondered about, so since we are on the topic:

1) Don't all viruses have some funky three-letter attachment name after the "." (like .pif, .vbs, .scr)? Is this the one sure way of knowing it's a virus and not a legit document?

2) Aren't most viruses designed to mess up Windows PC operating systems? (I have a Macintosh and my understanding is that Mac OS is generally immune.)

Oh and of course ... Wolf ... don't quite follow your logic ... what if the hacker is a woman? They don't make Viagra for ladies.

smile churrito
_________________________
Meridian: A Spain Travel Memoir

http://beachwriter.blogspot.com

Top