Is this a virus?

[Woody182]

I noticed my internet connection was acting slow and then my friend wrote me an email stating that he received an email from me that his campus' tech team stopped from going through saying:

Dear Email Recipient:

This message was changed by the Notre Dame central email system administered by the OIT in the following way:

The attachment to this email message named "new__price.zip" was deleted because it was identified as a dangerous file:
Found the W32/Bagle.aq!zip (ED) virus !!!
The attachment was automatically deleted to protect your computer from becoming damaged by the dangerous file. If you were expecting this attachment, please contact the owner to get a clean version of the file. If you have questions or concerns, please contact the....


What can I do about this virus? I'm running XP SP1 and have norton antivirus with most recent updates. I did a full scan, didn't find anything. Any ideas?
Thanks so much.

[Woody182]

To add to this, I can go to this site, but not yahoo. This is another confusing part about it, I haven't heard or encountered something like this before.

[Mephisto2]

McAfee released a new DAT file yesterday (4384). That's what I use, so I can't really comment about Norton.

It sounds like a virus to me.


Mr Mephisto

[beejay]

If you go to Norton's or McAfee's site, you can get a cleaning tool. It surely can't hurt to download and run it - even if you don't have Bagle.

Here is the link for McAffee's tool: http://vil.nai.com/vil/stinger

From the web site:

Mail Propagation

The virus which is downloaded contains the propagation code. The details are as follows:

From : (address is spoofed)
Subject : (blank)

Body Text:

new price
There is indication in the file that it may also try to password-protect some ZIP files, in which case it will add one of the following to the message body:

The password is
Password:
The password will then be contained in an embedded image file.

Attachment: (may be one of the following)

price.zip
price2.zip
price_new.zip
price_08.zip
08_price.zip
newprice.zip
new_price.zip
new__price.zip
The ZIP file contains PRICE.EXE and PRICE.HTML, as described above.

If the ZIP file is opened with Windows Explorer (rather than a stand-alone ZIP handler such as WinZip or PKzip) the HTML file will be visible along with a folder which contains the EXE file. When the HTML file is run on a vulnerable system, it will run the EXE file.

When the EXE file is run (either manually or automatically by the HTML file), it will copy itself to the Windows System directory as WINDIRECT.EXE. For example:

C:\WINNT\SYSTEM32\WINdirect.exe
It also drops a DLL file in this directory:

_dll.exe
The DLL file is injected into the Explorer.exe process, so its actions will appear to have originated from Explorer.exe.

The following Registry keys are added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe
Once the virus executable is downloaded and run by the downloader trojan, the virus copies itself into the Windows System directory as WINDLL.EXE . For example:

C:\WINNT\SYSTEM32\windll.exe
It also creates other files in this directory to perform its functions:

C:\WINNT\SYSTEM32\windll.exeopen
C:\WINNT\SYSTEM32\windll.exeopenopen
The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "erthgdr" = "C:\WINNT\SYSTEM32\windll.exe"
Additionally, the following Registry keys are added:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Ru1n

A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:

'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
____--->>>>U<<<<--____
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
The worm opens port 80 (TCP) and a random UDP port on the victim machine.

Top of Page

Symptoms
Port 80 (TCP) open on the victim machine
Outgoing messages matching the described characteristics
Files/Registry keys as described

[bendsley]

http://housecall.trendmicro.com

This is TrendMicro's online virus scan and remover. It is free and works much better than anything Symantec or McAfee could ever hope for.

[hrdwareguy]

Quote:

Originally posted by beejay
From the web site:

Mail Propagation

The virus which is downloaded contains the propagation code. The details are as follows:

From : (address is spoofed)
Subject : (blank)

And there you have it. The From email is spoofed. Someone that has both your email address and your friends email address in their address book is the guilty party that has the virus.

The virus randomly picked your email addy from the address list and made you the from person and then sent itself to everyone else in the adderss book.