08-09-2004, 05:40 PM | #1 (permalink) |
Crazy
Location: Near Chicago, IL
|
Is this a virus?
I noticed my internet connection was acting slow and then my friend wrote me an email stating that he received an email from me that his campus' tech team stopped from going through saying:
Dear Email Recipient: This message was changed by the Notre Dame central email system administered by the OIT in the following way: The attachment to this email message named "new__price.zip" was deleted because it was identified as a dangerous file: Found the W32/Bagle.aq!zip (ED) virus !!! The attachment was automatically deleted to protect your computer from becoming damaged by the dangerous file. If you were expecting this attachment, please contact the owner to get a clean version of the file. If you have questions or concerns, please contact the.... What can I do about this virus? I'm running XP SP1 and have norton antivirus with most recent updates. I did a full scan, didn't find anything. Any ideas? Thanks so much.
__________________
If I fall in love, will you forgive me? If I lose my way, will you choose me? If I change my mind, will you change me? -Smashing Pumpkins |
08-09-2004, 06:02 PM | #2 (permalink) |
Crazy
Location: Near Chicago, IL
|
To add to this, I can go to this site, but not yahoo. This is another confusing part about it, I haven't heard or encountered something like this before.
__________________
If I fall in love, will you forgive me? If I lose my way, will you choose me? If I change my mind, will you change me? -Smashing Pumpkins |
08-10-2004, 09:46 PM | #4 (permalink) |
Insane
Location: Just West of Hell
|
If you go to Norton's or McAfee's site, you can get a cleaning tool. It surely can't hurt to download and run it - even if you don't have Bagle.
Here is the link for McAffee's tool: http://vil.nai.com/vil/stinger From the web site: Mail Propagation The virus which is downloaded contains the propagation code. The details are as follows: From : (address is spoofed) Subject : (blank) Body Text: new price There is indication in the file that it may also try to password-protect some ZIP files, in which case it will add one of the following to the message body: The password is Password: The password will then be contained in an embedded image file. Attachment: (may be one of the following) price.zip price2.zip price_new.zip price_08.zip 08_price.zip newprice.zip new_price.zip new__price.zip The ZIP file contains PRICE.EXE and PRICE.HTML, as described above. If the ZIP file is opened with Windows Explorer (rather than a stand-alone ZIP handler such as WinZip or PKzip) the HTML file will be visible along with a folder which contains the EXE file. When the HTML file is run on a vulnerable system, it will run the EXE file. When the EXE file is run (either manually or automatically by the HTML file), it will copy itself to the Windows System directory as WINDIRECT.EXE. For example: C:\WINNT\SYSTEM32\WINdirect.exe It also drops a DLL file in this directory: _dll.exe The DLL file is injected into the Explorer.exe process, so its actions will appear to have originated from Explorer.exe. The following Registry keys are added to hook system startup: HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe Once the virus executable is downloaded and run by the downloader trojan, the virus copies itself into the Windows System directory as WINDLL.EXE . For example: C:\WINNT\SYSTEM32\windll.exe It also creates other files in this directory to perform its functions: C:\WINNT\SYSTEM32\windll.exeopen C:\WINNT\SYSTEM32\windll.exeopenopen The following Registry key is added to hook system startup: HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Run "erthgdr" = "C:\WINNT\SYSTEM32\windll.exe" Additionally, the following Registry keys are added: HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Ru1n A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine: 'D'r'o'p'p'e'd'S'k'y'N'e't' _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_ [SkyNet.cz]SystemsMutex AdmSkynetJklS003 ____--->>>>U<<<<--____ _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_ The worm opens port 80 (TCP) and a random UDP port on the victim machine. Top of Page Symptoms Port 80 (TCP) open on the victim machine Outgoing messages matching the described characteristics Files/Registry keys as described
__________________
Pimps and Ho's - it's this generation's cowboys and indians |
08-12-2004, 06:22 AM | #5 (permalink) |
Professional Loafer
Location: texas
|
http://housecall.trendmicro.com
This is TrendMicro's online virus scan and remover. It is free and works much better than anything Symantec or McAfee could ever hope for.
__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane." |
08-12-2004, 08:12 AM | #6 (permalink) | |
"Officer, I was in fear for my life"
Location: Oklahoma City
|
Quote:
The virus randomly picked your email addy from the address list and made you the from person and then sent itself to everyone else in the adderss book. |
|
Tags |
virus |
|
|