Just to reiterate, you need an up-to-date anti-virus system which checks e-mails as they are received; this should then flag up and quarantine any suspect incomings.
|
Yes, we use InoculateIT, very good and takes care of the majority of viruses out there.
|
A new mass mailing virus has just been found. If you do not want to catch and send the virus to all your motoring friends (motoring link!), here are the details to be aware of:
START of Virus Info:
Discovered on: June 24, 2002
W32.MyPower.B@mm is a variant of the W32.MyPower@mm worm. It is a mass-mailing worm that sends itself to all contacts that it finds in the Microsoft Windows Address Book. The subject of the email is randomly chosen from the following four possibilities:
New, Patch for, Crack For, The Best
microsoft, Borland, ZDnet
Tucows, Windows, Program
Animated, Protection, Saver, Fixed, Saving, Games, 3DFx Studio
The attachment is also randomly chosen from a predetermined list of 8 possibilities, ending in either a .exe or .scr extension.
Message: The message is one of the following:
Hey this is the program you been ask for, save it to disk and run this program, give me feed back ASAP OK...!
Dear Customer
Thanks for your attentions to our programs, we glad you like it this is the other program you been asking about, save it to Disk and run it
Hi..friends.., check out this screen saver, it's very cute.. ;) just save to disk or run it from your current location..!
This file is needed by your antivirus program, save it to your disk, and run this patch your Antivirus security Patch will be updated soon..!
Dear Visitor,
Thanks for submiting to our site, this is the file you ask for..:) after you run this program you can access our site with no Password required..!
To : Microsoft Windows User
Dear Users, after we analize the problems you have been asking,with this file you can fix the problem in your MS-Windows, save this file to disk, and extract it in current Folder, and you will be prompt for installation folder.., and follow program instructions.
END of virus INFO.
So if you see any of the above in any e-mails you receive, do not open the e-mail or its attachment, but delete the e-mail using the Shift+Delete keys.
Update your virus software to prevent infection.
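As an added example (not part of the original post, and not vendor code), this is one way a mail gateway or mailbox script could test a message against the characteristics listed above. It assumes the subject is built from one entry per line, joined by whitespace in the order shown; the sample message, its addresses and the attachment name `cute_saver.scr` are constructed.

```python
import re
from email import message_from_string

# Word lists copied from the advisory above: one entry is taken from each line.
SUBJECT_PARTS = [
    ["New", "Patch for", "Crack For", "The Best"],
    ["microsoft", "Borland", "ZDnet"],
    ["Tucows", "Windows", "Program"],
    ["Animated", "Protection", "Saver", "Fixed", "Saving", "Games", "3DFx Studio"],
]
RISKY_EXT = (".exe", ".scr")

def _alt(words):
    # One alternation group; inner spaces ("Patch for") match any whitespace run.
    return "(?:" + "|".join(r"\s+".join(map(re.escape, w.split())) for w in words) + ")"

# Assumption: the four picks are joined by whitespace, in the order listed.
SUBJECT_RE = re.compile(
    r"^\s*" + r"\s+".join(_alt(ws) for ws in SUBJECT_PARTS) + r"\s*$", re.IGNORECASE)

def triage(raw_message):
    """Return the reasons a message matches the advisory (empty list = no match)."""
    msg = message_from_string(raw_message)
    reasons = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        reasons.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        # Windows ignores trailing dots and spaces, so strip them before testing.
        if name and name.lower().rstrip(". ").endswith(RISKY_EXT):
            reasons.append("attachment:" + name)
    return reasons

# Constructed sample message (attachment name and addresses are made up).
SAMPLE = "\n".join([
    "From: friend@example.com",
    "Subject: The Best Borland Program Saver",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain",
    "",
    "check out this screen saver",
    "--b1",
    'Content-Disposition: attachment; filename="cute_saver.scr"',
    "Content-Type: application/octet-stream",
    "",
    "AAAA",
    "--b1--",
])
```

The attachment-extension test is the more durable of the two signals, since it does not depend on the exact subject wording.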
|
Useful info. This one is genuine...
|
|
I am fairly sure that I had the
"Hi..friends.., check out this screen saver, it's very cute.. ;) just save to disk or run it from your current location..!"
version arrive at home yesterday, which I deleted.
I have AAAAA at the beginning of the address book and ZZZZZ at the end, so it shouldn't have been passed on (I hope).
More worryingly, it was not stopped by Norton Antivirus, which is on my computer and the virus list was updated last Friday.
I have also just looked on the McAfee antivirus site and W32.MyPower is not listed there either, so the antivirus people may not all have cottoned onto this one yet!
|
To check if you have been infected, here is some further info.:
Technical Details
When W32.MyPower.B@mm runs, it does the following:
It displays the following fake message: Cannot find setup files, some files is missing.....
It then copies itself as the following files:
A:\Setup.exe
C:\%System%\I386.exe
C:\%System%\3DFX.scr
C:\%System%\Setup98_Microsoft_patch120679.exe
C:\%System%\Borland_Install32_Beta080279.exe
C:\%System%\Install32_Beta12061979_Fixed.exe
C:\%System%\Install_Wizard.exe
C:\%System%\3DFxText_FULL281058_DEMO.exe
C:\%System%\Fx3d_FULL_291182_DEMO.exe
C:\%System%\Nude_Patch_10110001_BETA.exe
C:\%System%\Animations_PATCH_SETUP.scr
C:\My Documents\Setup98_Microsoft_patch120679.exe
C:\My Documents\Borland_Install32_Beta080279.exe
C:\My Documents\Install32_Beta12061979_Fixed.exe
C:\My Documents\Install_Wizard.exe
C:\My Documents\3DFxText_FULL281058_DEMO.exe
C:\My Documents\Fx3d_FULL_291182_DEMO.exe
C:\My Documents\Nude_Patch_10110001_BETA.exe
C:\My Documents\Animations_PATCH_SETUP.scr
NOTES: %System% is a variable. The worm locates the \System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
It adds the value
I386 C:\%System%\I386.exe
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
The worm also adds the following section in the C:\Windows\Win.ini file:
[EMAIL]
MAILED=TRUE
The worm then sends itself to all contacts in Windows Address Book. The email message has the following characteristics:
Subject: The subject line is randomly chosen using a word from each of the following lines:
New, Patch for, Crack For, The Best
microsoft, Borland, ZDnet
Tucows, Windows, Program
Animated, Protection, Saver, Fixed, Saving, Games, 3DFx Studio
After the worm sends the email message, it inserts these additional lines into C:\Windows\Win.ini:
WORM NAME= I-Worm.Iwing
MY STATUS= IS HERE..!
MY LINKS= http:/ /www.indovirus.net
The worm then deletes the following previously dropped files:
C:\%System%\Borland_Install32_Beta080279.exe
C:\%System%\Install32_Beta12061979_Fixed.exe
C:\%System%\Install_Wizard.exe
C:\%System%\3DFxText_FULL281058_DEMO.exe
C:\%System%\Fx3d_FULL_291182_DEMO.exe
C:\%System%\Nude_Patch_10110001_BETA.exe
C:\%System%\Animations_PATCH_SETUP.scr
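The infection check described in this post can be scripted. The following is an added example (not part of the original post or of any vendor tool) that takes a file listing, the values of the Run key and the text of Win.ini, and reports which of the listed indicators are present. The function names and sample inputs are constructed. Because the worm deletes most of its copies in the System folder after mailing, the Run value and the Win.ini entries are checked as well as the file names.

```python
import ntpath  # Windows path rules, so this also runs on a non-Windows analysis box

# Indicators copied from the technical details in the post above.
# A:\Setup.exe is left out: the bare name is too common to be a useful signal.
DROPPED_NAMES = {n.lower() for n in (
    "I386.exe", "3DFX.scr", "Setup98_Microsoft_patch120679.exe",
    "Borland_Install32_Beta080279.exe", "Install32_Beta12061979_Fixed.exe",
    "Install_Wizard.exe", "3DFxText_FULL281058_DEMO.exe",
    "Fx3d_FULL_291182_DEMO.exe", "Nude_Patch_10110001_BETA.exe",
    "Animations_PATCH_SETUP.scr")}

def parse_ini(text):
    """Tolerant Win.ini reader yielding (SECTION, KEY, value)."""
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
        elif "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            yield section, key.strip().upper(), value.strip()

def check_host(paths, run_values, win_ini_text):
    """Return (kind, detail) findings for the three indicator types."""
    findings = []
    for p in paths:
        if ntpath.basename(p).strip().lower() in DROPPED_NAMES:
            findings.append(("file", p))
    for name, data in run_values.items():
        target = ntpath.basename(data.strip('" ')).lower()
        if name.upper() == "I386" and target == "i386.exe":
            findings.append(("run-key", data))
    for section, key, value in parse_ini(win_ini_text):
        if (section, key, value.upper()) == ("EMAIL", "MAILED", "TRUE"):
            findings.append(("win.ini", "[EMAIL] MAILED=TRUE"))
        elif key == "WORM NAME" and value.lower() == "i-worm.iwing":
            findings.append(("win.ini", "WORM NAME= I-Worm.Iwing"))
    return findings

# Constructed sample inputs (not taken from a real machine).
SAMPLE_PATHS = [r"C:\Windows\System\I386.exe",
                r"C:\My Documents\Install_Wizard.exe",
                r"C:\Windows\System\kernel32.dll"]
SAMPLE_RUN = {"I386": r"C:\Windows\System\I386.exe", "SystemTray": "SysTray.Exe"}
SAMPLE_INI = "[windows]\nrun=\n[EMAIL]\nMAILED=TRUE\nWORM NAME= I-Worm.Iwing\n"

if __name__ == "__main__":
    for kind, detail in check_host(SAMPLE_PATHS, SAMPLE_RUN, SAMPLE_INI):
        print(kind, detail)
```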
|
|
Brian
Norton AV update of 26 June covers this one, so get on to liveupdate.
What always amazes me is that these guys can have the ability to understand the intimate details of computer systems and so write these viruses, but are unable to write the hoax messages which accompany them in correct English. The benefit is, I suppose, that this is often a clue to the malicious nature of the e-mail.
Regards
John S
|
Thanks for that, John
When you boot up it usually tells you if there is an update of virus definitions available; trouble is that last night I was not the one who turned the computer on, so I don't know what came up.
I will make sure that I do a live update tonight then a complete scan to clear out any nasties.
|
|
John S: These virus writers are often based in Eastern Europe or the Far East. They do not need good English to learn programming skills.
Another warning for today. The warning below about the hoax is real, but the "virus-warning" it tells you about relates to a Hoax. The "Hoax Virus" will not be covered by anti-virus software but is described on
hoaxbusters.ciac.org/HBHoaxIndex.html.
The real warning is as follows:
Start warning: "
If you get an E-Mail with the subject VIRUS INSTRUCTIONS - PLEASE READ !!,
with a procedure to clean it that asks you to delete a file with a teddy bear icon with the name jdbgmgr.exe, DO NOT DO THIS.
This file is a normal Windows file and deleting it will cause problems.
" End warning.
|
|
Very often Asian-origin. Your verbatim quote sounds very much like Korean or Chinese "English" to my ear.
|
|
'Liveupdates' are normally done on Wednesdays - 'Intelligent Updates' are more frequent, but require manual operation. More on this at: securityresponse.symantec.com/avcenter/venc/data/w...l