Warning ! Virus Activity from Forum Members

Sim

Administrator
From: Sim' Hampel


I have just received several emails from people on the forum which contained email viruses.

Apparently several other people have too.

I haven't investigated further, but I would imagine (guess only) that this is the result of people using Microsoft Outlook becoming infected with an email virus which then causes an email to be sent to everyone in their address books.

PLEASE, PLEASE, PLEASE do yourself and everyone else a favour... get yourself a good antivirus program which automatically scans your emails as you download them.

I use and highly recommend Symantec's Norton Antivirus product. The 2000, 2001 and new 2002 versions all support email scanning. This product is available at most computer stores (including Harvey Norman and Harris Technology). Norton AntiVirus 2002 V8 for Win98/ME/NT/2000/XP is the current version and costs between $85 and $100. More information can be found at http://www.symantec.com
I am not affiliated with Symantec in any way.

Get it. Install it. Make sure you configure the email protection.

For the curious among you, the emails I (and others) received have attachments named:

New_Napster_Site.MP3.pif
Me_nude.MP3.scr
Sorry_about_yesterday.MP3.pif

THESE ARE NOT MP3 FILES. The extension that Windows uses is the part after the final dot... so ".pif" and ".scr". These are executable scripts on Windows platforms, so when you double click on them to supposedly open the attachment, you are actually executing the virus program (a trojan horse), causing your computer to become infected.

The attachments contained the W32.Badtrans.B@mm worm which, although it does not do much damage to your local machine, does have a keystroke logger in it which can potentially detect things like your passwords and credit card details.

With this type of information, someone could access your online banking information (assuming it had a log of your session) and transfer money from your account to someone else's.

More information about this worm can be found at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html

In my opinion, anyone who uses email programs without suitable email virus scanning is being incredibly foolish and irresponsible. This is especially true for Microsoft Outlook, which is extremely vulnerable to email viruses, worms and trojans.

If anyone wants to discuss these issues further or needs some technical help, please feel free to email me.
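
The double-extension check described in the post above, as an added example (not part of the original post and not how any product named in this thread works): it reads a mail's attachment names and flags those whose final extension is executable. The function names, the extension sets beyond ".pif" and ".scr", and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# ".pif" and ".scr" are the types named in the post; the other entries are an
# assumed, non-exhaustive set of types Windows also runs on double click.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".lnk"}
# Assumed set of harmless-looking types used as the decoy before the real one.
DECOY_EXTS = {".mp3", ".jpg", ".gif", ".txt", ".doc", ".pdf", ".zip"}

def effective_extension(filename):
    """Extension Windows acts on: everything from the final dot onward."""
    name = filename.strip().rstrip(". ")  # Windows drops trailing dots/spaces
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def classify(filename):
    """Return 'ok', 'executable' or 'disguised-executable' for a file name."""
    name = filename.strip().rstrip(". ")
    ext = effective_extension(name)
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    decoy = effective_extension(name[: -len(ext)])
    return "disguised-executable" if decoy in DECOY_EXTS else "executable"

def scan_message(raw_bytes):
    """List (filename, verdict) for every MIME part that should be quarantined."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and classify(name) != "ok":
            findings.append((name, classify(name)))
    return findings

def sample_message():
    """Constructed test mail: placeholder bytes under the names from the post."""
    m = EmailMessage()
    m["From"], m["To"] = "member@example.com", "you@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("Take a look at the attachment.")
    for fname in ("New_Napster_Site.MP3.pif", "holiday.jpg", "Me_nude.MP3.scr"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(sample_message()):
        print(f"QUARANTINE {name}: {verdict}")
```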

 
Reply: 1
From: Sue J


Sim,
I can recommend Symantec as well. I do not have any association with them. I installed their program about 6 months ago & it is amazing how many viruses it has picked up via my email. I never realised how often it could happen.
Nothing worse than a virus messing up your system or worse being able to access personal information from your PC.
Great info Sim...I hope everyone listens.
Regards

SueJ
 
Reply: 2
From: Robert Forward


Hi everyone

I too have been receiving quite a number of virus emails from people in the last few days. You can also help yourself out by installing a firewall. This one has had a good write up and has a single use free download, so check it out at http://www.zonealarm.com/

To add to the above here is a good website to read up on about the type of viruses that are going around. Read here at this site http://grc.com/default.htm

This link is for a .PDF file which is similar to a "Word" document though you can't retype it. This is a very good read on how viruses are spread and why. http://media.grc.com/files/grcdos.pdf

Cheers
Robert

The Sydney "Freestylers" Group Leader.

PS: "Be Not Afraid Of Growing Slowly, Be Afraid Of Only Standing Still."
 
Reply: 2.1
From: Sim' Hampel


Thanks Rob, I was about to write a followup that said exactly what you did. Saved me the trouble ;-)

 
Reply: 3
From: Yuch .


Hi forum,

The worm could also be W32.Sircam.Worm@mm, which does similar things to your PC as W32.Badtrans.B@mm worm. (My PC just got infected with W32.Sircam.Worm@mm - took me half a day to clean it up.....)

W32.Sircam.Worm@mm contains its own SMTP engine, and propagates in a manner similar to the W32.Magistr.Worm.
Due to what appears to be a bug, W32.Sircam.Worm@mm does not replicate under Windows NT or 2000.

W32.Badtrans.B@mm is a MAPI worm that emails itself out using different file names. It also creates the file \Windows\System\Kdll.dll. It uses functions from this file to log keystrokes.

For the cure, go visit:

For W32.Badtrans.B@mm

http://securityresponse.symantec.com/avcenter/venc/data/w32.badtrans.b@mm.html

For W32.sircam.worm@mm

http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html


Regards
yuchun
~ The secret to success is to start from scratch and keep on scratching. ~
 

WebBoard

Guest
Reply: 3.1.1
From: Donna Larcos


If anyone has been sending me the
"Snow White" virus please stop it
immediately before I wring your bloody
neck (and hers as well!!!) Fortunately, I
have a firewall and a son in the computer
industry but every so often something
pops up. We all got Snow White recently
on our Macs at work as well.
 
Reply: 3.1.1.1
From: Sim' Hampel


I get that regularly (not from any local source)... I have my email program set to automatically delete it when it downloads (once I calm the antivirus software down that is).

 
Reply: 4
From: Cathy Baxter


Sim

Thanks for your advice - but what if you do that already - I have NAV - whatever the version available in September 2001 was, I get live updates weekly - but have increased that since this latest one started. It is supposed to scan incoming and outgoing email - but I am still receiving them and only appears to scan outgoing mail - not successfully though because I have had advice that I have sent infected email.

The file they (Symantec) advise to delete on the info from their website does not exist in my registry.

I asked for specific information from them and all they do is refer me back to this original document. I checked out their forum and there were many others who had similar problems to me but no answer on how to fix them.

I also have ZoneAlarm firewall which seems to have done nothing to prevent any of this.

I'm at my wit's end.

What to do?

Cathy
 
Reply: 4.1
From: Jas


Try this

http://www.zdnet.com/zdnn/stories/comment/0,5859,2827352,00.html

Jas

> -----Original Message-----
> From: propertyforum Listmanager
> [mailto:listmanager@bne003w.webcentral.com.au]
> Sent: Friday, 30 November 2001 7:54 PM
> To: Recipients of 'propertyforum' suppressed
> Subject: Warning ! Virus Activity from Forum Members
>
> From: "Cathy Baxter" <cmbaxter@tpg.com.au>
>
> Sim
>
> Thanks for your advice - but what if you do that already - I have NAV -
> whatever the version available in September 2001 was, I get live updates
> weekly - but have increased that since this latest one started. It is
> supposed to scan incoming and outgoing email - but I am still receiving
> them and only appears to scan outgoing mail - not successfully though
> because I have had advice that I have sent infected email.
>
> The file they (Symantec) advise to delete on the info from their website
> does not exist in my registry.
>
> I asked for specific information from them and all they do is refer me
> back to this original document. I checked out their forum and there were
> many others who had similar problems to me but no answer on how to fix
> them.
>
> I also have ZoneAlarm firewall which seems to have done nothing to prevent
> any of this.
>
> I'm at my wit's end.
>
> What to do?
>
> Cathy
 
Reply: 4.2
From: Sim' Hampel


On 11/30/01 6:54:00 PM, Cathy Baxter wrote:

>It is supposed to
>scan incoming and outgoing
>email - but I am still
>receiving them and only
>appears to scan outgoing mail
>- not successfully though
>because I have had advice that
>I have sent infected email.

Without having seen your setup, I cannot comment. The only thing I would suggest is to make sure you have correctly configured the incoming email scanning. This is not activated by default, you must turn it on yourself.

>I also have ZoneAlarm firewall
>which seems to have done
>nothing to prevent any of
>this.

Unfortunately ZoneAlarm will not help with the types of worms that are going around at the moment. They come in via email (POP), and spread via email (SMTP), which means that you cannot block them without blocking your other email as well.

Can I suggest that you consider ZoneAlarm Pro ? It contains some extra functionality that the free version of ZoneAlarm does not contain. The one that may help in this case is the "Advanced MailSafe-email attachment protection", which "Recognizes and quarantines over 37 suspect attachment types" and allows you to "Rely on ZoneAlarm Pro to discover and protect you from potentially dangerous email attachments".

>I'm at my wit's end.
>
>What to do?

Some other advice...

1. One of the simplest solutions is don't use Outlook. Most of the worms and viruses that cause the largest amount of grief directly exploit vulnerabilities in Outlook. Try some other email program. Personally I use an old POP mail client called PMMail (http://www.pmmail2000.com/). It's a very powerful mail client and I've used it for years. However it's getting a bit old now and it's not as user friendly as Outlook and some of the other email programs out there.

An example of how effective a simple choice like this is, is in our own corporate mail environment at IBM. Unlike a lot of corporate clients who use Outlook as their mail client, we use Lotus Notes (an IBM product funnily enough). Now simply because it is not subject to the same vulnerabilities that Outlook is means that we have not suffered the same fate in regards to worms and viruses internally as many other companies have. These problems have literally crippled some corporate email systems, leading to enormous amounts of lost time and even money. This is not just an "IBM is great" thing... other non-Outlook mail clients will have exactly the same benefit in not suffering from the Outlook vulnerabilities.

I will note that some of the worms that are out there at the moment are not only a danger to Outlook users. If I was to double click on one of the attachments I have received in infected emails recently, my system would have become infected (if I didn't have antivirus software protecting my system). The problem with Outlook is that it is particularly vulnerable due to its automatic execution of certain types of files and attachments when they are viewed.

2. The other advice I would give you is to keep your system updated with the latest patches from Microsoft. Use the Windows Update feature and make sure you download the critical security updates they recommend. These updates are often released to address known vulnerabilities in Outlook and Internet Explorer once an exploit has been exposed.

3. If you are having no joy with Norton Antivirus, maybe you should try a different program. I have had an antivirus program called Nod32 recommended to me (http://www.nod32.com/). I have not used this myself, so cannot comment on how well it works. The information on their website looks impressive. I will be trying this software myself on another computer soon.

Hope this helps.

 
Reply: 4.3
From: Jane B


A QUICK FIX

One suggestion is that you add a bogus address to the start and end of your e-mail
address book to stop a virus from sending itself out to all of your
contacts.

All you have to do is add a new contact to your address book with no
e-mail address. This will cause an error to occur if a virus attempts to
send itself to the entire list.

To put an address at the start of your address book input;

!0000 (exclamation zero zero zero zero)

as both the first and last name and leave the e-mail addresses field empty.

To put an address at the end of your address book input;

zzzz

as both the first and last name and leave the e-mail addresses field empty.

When you view your address book you should see these contacts appear
at the start and the end of the list without e-mail addresses.

Not only will this prevent a virus from sending itself to your contacts but you
will become aware of its presence when a message window pops up with an
error stating that 'One or more recipients don't have a valid e-mail address'.

--------------------------------------------------------------------------------

THE BEST FIX

Do the above as well as anti-virus software with online updating.

Journeywoman
 
Reply: 4.3.1
From: Felicity W.


The only problem with this "fix" is that most of these worms don't actually start at the beginning of your address book and work their way through, they choose addresses at random....
Keep smiling
Felicity :cool:
 
Reply: 4.3.1.1
From: Sim' Hampel


And some have their own internal SMTP engines for sending mail directly (not via Outlook)

In short... this suggested fix is not going to protect you particularly well.

 