|
Is this a virus?
I noticed my internet connection was acting slow and then my friend wrote me an email stating that he received an email from me that his campus' tech team stopped from going through saying:
Dear Email Recipient: This message was changed by the Notre Dame central email system administered by the OIT in the following way: The attachment to this email message named "new__price.zip" was deleted because it was identified as a dangerous file: Found the W32/Bagle.aq!zip (ED) virus !!! The attachment was automatically deleted to protect your computer from becoming damaged by the dangerous file. If you were expecting this attachment, please contact the owner to get a clean version of the file. If you have questions or concerns, please contact the.... What can I do about this virus? I'm running XP SP1 and have norton antivirus with most recent updates. I did a full scan, didn't find anything. Any ideas? Thanks so much. |
To add to this, I can go to this site, but not yahoo. This is another confusing part about it, I haven't heard or encountered something like this before.
|
McAfee released a new DAT file yesterday (4384). That's what I use, so I can't really comment about Norton.
It sounds like a virus to me. Mr Mephisto |
If you go to Norton's or McAfee's site, you can get a cleaning tool. It surely can't hurt to download and run it - even if you don't have Bagle.
Here is the link for McAffee's tool: http://vil.nai.com/vil/stinger From the web site: Mail Propagation The virus which is downloaded contains the propagation code. The details are as follows: From : (address is spoofed) Subject : (blank) Body Text: new price There is indication in the file that it may also try to password-protect some ZIP files, in which case it will add one of the following to the message body: The password is Password: The password will then be contained in an embedded image file. Attachment: (may be one of the following) price.zip price2.zip price_new.zip price_08.zip 08_price.zip newprice.zip new_price.zip new__price.zip The ZIP file contains PRICE.EXE and PRICE.HTML, as described above. If the ZIP file is opened with Windows Explorer (rather than a stand-alone ZIP handler such as WinZip or PKzip) the HTML file will be visible along with a folder which contains the EXE file. When the HTML file is run on a vulnerable system, it will run the EXE file. When the EXE file is run (either manually or automatically by the HTML file), it will copy itself to the Windows System directory as WINDIRECT.EXE. For example: C:\WINNT\SYSTEM32\WINdirect.exe It also drops a DLL file in this directory: _dll.exe The DLL file is injected into the Explorer.exe process, so its actions will appear to have originated from Explorer.exe. The following Registry keys are added to hook system startup: HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe Once the virus executable is downloaded and run by the downloader trojan, the virus copies itself into the Windows System directory as WINDLL.EXE . For example: C:\WINNT\SYSTEM32\windll.exe It also creates other files in this directory to perform its functions: C:\WINNT\SYSTEM32\windll.exeopen C:\WINNT\SYSTEM32\windll.exeopenopen The following Registry key is added to hook system startup: HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run "erthgdr" = "C:\WINNT\SYSTEM32\windll.exe" Additionally, the following Registry keys are added: HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Ru1n A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine: 'D'r'o'p'p'e'd'S'k'y'N'e't' _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_ [SkyNet.cz]SystemsMutex AdmSkynetJklS003 ____--->>>>U<<<<--____ _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_ The worm opens port 80 (TCP) and a random UDP port on the victim machine. Top of Page Symptoms Port 80 (TCP) open on the victim machine Outgoing messages matching the described characteristics Files/Registry keys as described |
http://housecall.trendmicro.com
This is TrendMicro's online virus scan and remover. It is free and works much better than anything Symantec or McAfee could ever hope for. |
Quote:
The virus randomly picked your email addy from the address list and made you the from person and then sent itself to everyone else in the adderss book. |
| All times are GMT -8. The time now is 06:13 AM. |
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
Search Engine Optimization by vBSEO 3.6.0 PL2
© 2002-2012 Tilted Forum Project