swft


Needs a life
Full throttle!
Posts: One MEEEEEELLION
posted September 18, 2002 08:42 PM        
Email virus from Hans

Opened a mail from hans@debotech.com.

It was an email virus. If any of you have received mail from me in the past 48 hours, don't open it, delete it. The virus went through my address book and sent out replicants of itself to everyone in the address book. I've gotten replies back from people, with copies of the virus attached. Since then, I've formatted the drive and installed McAfee Virus Scan and Firewall. But the worm did get out of the bottle...

redelk


Moderator
Please... speak to the hand.
Posts: 3212
posted September 18, 2002 09:42 PM        Edited By: redelk on 18 Sep 2002 22:46
I got W32.Datom.Worm at work. I'm guessing it was sometime between last Thursday and last Sunday, while I was out of town. I'm not blaming anyone, nor am I really angry about it since nothing was lost (but my time and patience a few times). Believe it or not, since I do a lot of work with state and local agencies, I get e-mailed viruses (unintentionally) from them every week. Sometimes several times a week.

I was unaware of any problems until I rebooted the computer. While rebooting, during the start up of Windows 2000 Professional, I got the dreaded "Black Screen" stating something might be wrong with my boot drive (which is part of a mirror array). I told Windows to continue and after it completed its start up, the virus was executed.

My McAfee caught it right away, but there were a few slight problems. I guess because of its "official" looking nature and having been called to by the registry, my virus software could not initially "clean" or delete the replicating file (MSVXD32.DLL). It would only allow me to "quarantine" it. Another problem was that it was replicating at such a rate, every time I quarantined it, another one would pop right back up.

Only after a four hour "fight" between me quarantining it and it replicating itself, did it finally give up. That's when I went to the quarantine log and started deleting the files that were in there. Then it started all over again. In frustration, I turned the computer off and figured that I'd deal with it the following day.

Fortunately, in my race to delete the quarantined files, I deleted the MSVXD.EXE and MSVXD16.DLL files. I was so paranoid over the fact that it might be a "critical Windows operational file" I was deleting. Its file name just sounded so "official".

I'm assuming that since I got rid of the EXE file, that's what kept me from starting the battle all over again when I rebooted on Monday. That's when I finished deleting the replicated MSVXD32.DLL files in the quarantine log. There were literally more than a 100 copies of that file. After that, I removed it from my registry. I was just lucky that I caught it before it had a chance to get to my artist's computer via our "two computer network" or send itself out using my address book.

This is McAfee's description of what I got...

Virus Characteristics:

This worm arrives as one .exe and two .dll files and are copied to the %Windir% folder:

MSVXD32.DLL
MSVXD16.DLL
MSVXD.EXE

Two techniques are used to ensure that it is run on subsequent system startups. The worm looks for the Start Menu startup directory and tries to create a link to itself called "VxD Manager". The following registry entry is also created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run ="MSVXD" %WinDir%\MSVXD.EXE 1632

The version information in the files' properties is used to camouflage its true intentions:

Description: Windows VxD integrity check
Copyright: Copyright (C) Microsoft Corp. 1995
Company Name: Microsoft Corporation
Product Name: Microsoft® VxD

This worm does not have a damaging payload, it only spreads via shared drives.
(NOTE: Whatever. I'd assume any replicating worm virus would be "damaging")

Indications Of Infection:

Presence of the file %WinDir%\MSVXD.EXE
Presence of the file %WinDir%\MSVXD32.DLL
Presence of the file %WinDir%\MSVXD16.DLL
Disables Zone Alarm by terminating its processes
(I have no clue what that last one means)

Method Of Infection:

This worm spreads through open shares

Removal Instructions:

Use specified engine and DAT files for detection and removal. Delete files found to contain this detection. As this threat seeks open shares, turn off full share to your system. If you have to use shares, use password protection to avoid being a future target.

Aliases:

W32.Datom.Worm (NAV), Win32.Datom (CAI), Worm.Win32.Datom (AVP)
____________
There are only three sports: bullfighting, motor racing, and mountaineering; all the rest are merely games.
-Ernest Hemingway
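
Added example (not part of redelk's post or McAfee's write-up): a read-only Python check for the indicators quoted above, namely the three files in %WinDir%, the Run entry pointing at MSVXD.EXE, and the "VxD Manager" startup link. The function names, the `startup_dir` parameter and the sample data in `demo()` are assumptions made for illustration; the script only reports and deletes nothing.

```python
import os
import tempfile

# Indicators from the McAfee description quoted in the post above.
DATOM_FILES = {"msvxd.exe", "msvxd16.dll", "msvxd32.dll"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP_LINK = "vxd manager"

def read_run_values():
    """Return {name: command} from the HKLM Run key (empty off Windows)."""
    try:
        import winreg
    except ImportError:
        return {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        rows = [winreg.EnumValue(key, i) for i in range(winreg.QueryInfoKey(key)[1])]
    return {name: str(data) for name, data, _type in rows}

def find_indicators(windir, run_values, startup_dir):
    """Read-only check; returns (kind, detail) for each indicator present."""
    hits = []
    # Windows file names are case-insensitive, so compare lower-cased.
    for name in sorted(os.listdir(windir)):
        if name.lower() in DATOM_FILES:
            hits.append(("file", os.path.join(windir, name)))
    # Match on the command, not only on the value name "MSVXD".
    for name, command in sorted(run_values.items()):
        if "msvxd.exe" in command.lower():
            hits.append(("run-key", f"{name} = {command}"))
    if os.path.isdir(startup_dir):
        for name in sorted(os.listdir(startup_dir)):
            if os.path.splitext(name)[0].lower() == STARTUP_LINK:
                hits.append(("startup-link", os.path.join(startup_dir, name)))
    return hits

def demo():
    """Constructed sample: a fake %WinDir% and Startup folder in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        windir = os.path.join(root, "WINNT")
        startup = os.path.join(root, "Startup")
        for d in (windir, startup):
            os.makedirs(d)
        for n in ("MSVXD.EXE", "Msvxd32.dll", "notepad.exe"):
            open(os.path.join(windir, n), "w").close()
        open(os.path.join(startup, "VxD Manager.lnk"), "w").close()
        run = {"MSVXD": windir + r"\MSVXD.EXE 1632", "Example": "example.exe"}
        return [kind for kind, _ in find_indicators(windir, run, startup)]
```

On a real machine the call would be `find_indicators(os.environ["WINDIR"], read_run_values(), startup_dir)` with the Start Menu startup folder supplied by the caller. As redelk found, the DLL copies came back until MSVXD.EXE was gone, so a hit on the Run entry or the EXE is the one to act on first.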

frEEk


Administrator
ummm... yeah
Posts: 9660
posted September 19, 2002 12:04 AM        
what a perfect opportunity to remind everyone to buy anti-virus software! it's generally quite cheap & it's huge protection! i got mcafee, norton is widely used too. this is a place where u dont wanna be cheap people! if u get email or download a program, u'r susceptible. its generally quite easy to protect urselves!
DaveInDaytona


Pro
Posts: 1696
posted September 19, 2002 07:46 AM        
quote:
Disables Zone Alarm by terminating its processes
(I have no clue what that last one means)



Firewall software.
____________
DaytonaSportbikes Forum

beansbaxter


Needs a life
Posts: 5911
posted November 16, 2002 01:47 AM        
I have tried emailing Hans twice over the last couple weeks, with no response. Anyone know of another way to contact him?
beansbaxter


Needs a life
Posts: 5911
posted November 16, 2002 02:06 AM        
Doesn't Hans still sell all that carbon fiber stuff for the 12?
EastBayDave


Needs a job
Posts: 2245
posted November 16, 2002 07:24 AM        
Norton/Symantec Anti-Virus guys; it works. Checks everything incoming & outgoing. Tells me a mail has a virus without opening it, so I can delete/quarantine it before it gets me...

Cool...
____________
Enjoy the ride!
02' ZRX1200
00' ZX12R sold

swft


Needs a life
Full throttle!
Posts: One MEEEEEELLION
posted November 16, 2002 01:01 PM        
No shit...I have Norton on one machine, and McAfee on the other.
beansbaxter


Needs a life
Posts: 5911
posted November 18, 2002 11:53 AM        
Anyone gotten a hold of Hans in the last month??....still haven't heard from him.
DaveInDaytona


Pro
Posts: 1696
posted November 18, 2002 08:02 PM        
Call him. 704-902-4443
____________
DaytonaSportbikes Forum

beansbaxter


Needs a life
Posts: 5911
posted November 18, 2002 08:49 PM        
Thank you.