Results 1 to 8 of 8

Thread: March 7 alerts

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    682

    Exclamation March 7 alerts

    W32.Simile
    Discovered on: March 6, 2002
    Last Updated on: March 7, 2002 at 09:03:23 AM PST


    W32.Simile is a very complex virus that uses entry-point obscuring, metamorphism, and polymorphic decryption. It infects files in folders on all fixed and remote drives that are mapped at the time that the virus is executed. The virus contains no destructive payload, but infected files may display messages on certain dates.

    http://sarc.com/avcenter/venc/data/w32.simile.html



    Win32.Fbound
    Alias: WORM_CRYPTZ.A , W32/Fbound.a@MM , Win32/ZCrypt.Worm
    Category: Win32
    Type: Worm
    CHARACTERISTICS
    Fbound is a worm spreading via the e-mail system.
    The worm arrives in a message with the Subject line:
    “Important”
    The message body is blank and the attached file is called:
    “check.exe”
    When the attachment is executed the worm obfuscates the screen:


    http://www3.ca.com/virus/virus.asp?ID=11469


    W32/MyLife@MM
    Virus Information
    Discovery Date: 03/07/2002
    Origin: Unknown
    Length: 30,720 bytes (UPX packed)
    Type: Virus
    SubType: E-mail

    Virus Characteristics
    This mass-mailing worm written in Visual Basic 6 uses Microsoft Outlook to send itself to all addresses in the Outlook Address book. It arrives in an email containing the following information:

    Subject: my life ohhhhhhhhhhhhh
    Attachment: MY LIFE.SCR

    The attachment is a UPX packed PE file. When executed on the local machine, the following image is displayed whilst the worm copies itself to the System folder, and uses Outlook to propagate itself to all address found in the Outlook Address book:

    http://vil.nai.com/vil/content/v_99381.htm
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    108
    thx for news on the virus...i wish ppl would get a new hobby & stop making viruses & worms

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    i wish ppl would get a new hobby & stop making viruses & worms
    along those lines

    http://www.vnunet.com/News/1129861

    "Online virus generator will return
    By James Middleton [07-03-2002]
    'I never did no harm to nobody,' claims kid coder
    The creator of the now infamous online virus generator, shut down earlier this week after vnunet.com's exposé, has vowed to bring the site back.
    The 15 year-old Romanian coder, who only identifies himself as Smecher Piratul, which translates as 'sly pirate', told vnunet.com that "the site will be resurrected for sure somewhere else".

    His homepage, which housed the Instant Macro Virus Maker was closed down earlier this week by its free hosting provider, Freeservers.com. "



    at least W32.Similie looks like it took some brains to contruct....
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  4. #4
    AO Soccer Mom debwalin's Avatar
    Join Date
    Mar 2002
    Posts
    2,185

    Angry Let me tell you a little something about this virus!!!!!

    Yesterday afternoon I was a relatively attractive 28 year old woman. Tonight, I have gray hair, I drool, I have this strange tic in the side of my face.....lol.
    This one is a booger, and I had no help with it when I was trying to get rid of it yesterday evening....apparently my av software (McAfee) could identify it, but when I went to NUMEROUS websites and download MANY different fixes for different strands of this virus....none of them worked!!
    I finally gave up, reformatted the hard drive, and reinstalled my OS....I imagine there was probably an easier way....but I DAMN SURE COULDN'T FIND IT!!!!
    Please forgive me all of the caps, I am normally a very calm, cool, collected, friendly, happy person. But again....that was yesterday!
    Outside of a dog, a book is man's best friend. Inside of a dog it's too dark to read.

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    hehe deb...we've all been there...and oooo do we feel for ya....curious as to which virus tho..i posted 3 alerts...

    i'm interested because i have an informal back of my brain poll going on as to which av soft is better...my experience has been that NAV is at least the best when it comes to publishing virus findings...i get more alerts from sarc than anywhere else...as for scan and detect...well...i've used both NAV and mcaffee..and found NAV better...
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  6. #6
    AO Soccer Mom debwalin's Avatar
    Join Date
    Mar 2002
    Posts
    2,185

    Wink I won't ever be using McAfee again....

    It was the W32/nimda.enc....at least that's what McAfee said it was....but I'm pretty dang sure I downloaded the repair tool for one that said it fixed that....I don't know for certain. BUT I DO KNOW.....used Norton for 3 years, no viruses, no problems. I used McAfee for a week, and boom....there it was. But I am curious....I know absolutely without a doubt I didn't open any email attachments....how the heck did it get there? I am the only user on this computer, and like I said, I didn't open any attachments, so is it possible that I got it just by opening and reading an email? Please forgive the ignorance....I'm not too clear on how all these viruses (or Worms, as McAfee identified it) work. I thought as long as I was running av software and didn't open any attachments, I was okay. I also run a firewall, which if I understand correctly doesn't exactly help with viruses, it just keeps unauthorized people from accessing my computer remotely (I think!).
    If you have the time, I'd love a little clearing-up....And just to add to your back of the brain poll...I will faithfully and forever use Norton!
    Outside of a dog, a book is man's best friend. Inside of a dog it's too dark to read.

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    nimda is a pretty smart worm...it spreads in many different ways...it uses exploits in IIS (m$ webserver) and IE

    it infects a webserver by sending a malformed url which in effect gives it control over the server, allowing it to set up a html file on that server which will infect certain visitors to that website. these visitors can be prompted to download a file which has the malicous attachment.

    now comes the fun part...the attachment uses a mime exploit in IE which fools IE into thinking it is a .wav file but is an exe file....IE will run the attachment without even a warning message...any email client which uses the IE rendering engine is susceptible...this includes outlook and eudora...so just by visiting an infected website, you can be infected if you are using an unpatched version of IE.

    the other way nimda spreads is by direct email...it uses its own smtp engine to mail itself out to people in email address books...

    so if you received an infected email...

    I am the only user on this computer, and like I said, I didn't open any attachments, so is it possible that I got it just by opening and reading an email
    so yes...it is not only possible...but very likely that this is how you were infected.

    the other things is that nimda.e was a new and improved version...which employed some techniques to hide itself from av software...so it is quite possible that mcaffee missed it...

    you probably did the right thing in reformatting...nimda can allow complete remote control of your system...and even if you do remove all traces of it...there is no way to know what else has been done...

    so there's a couple things you can do...first of all make sure you have the right repair tool...not sure a mcafee's tool but NAV had specific tools for the different verisons of nimda a and e being the most prevelant...the A tools wouldn't remove the E worm...so that might have been your prob...i'd also try a couple of vendors tools...they're free anyways...just to be sure...

    but....the number one thing you can do...is never...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever...ever use Outlook for email...now to be fair...the exploit was in IE and not outlook in this case...but...well
    Searched the web for outlook exploit. Results 1 - 10 of about 93,500.
    simply put...if you had been using a different client...you might not have been infected in the way you were...i'd suggest eudora ...there's a free version...which works great...is not completely full of holes...

    Searched the web for eudora exploit. Results 1 - 10 of about 7,750
    it's not perect...but it's not outlook...

    to really protect yourself...use a client which doesn't rely on IE rendering...

    to protect yourself in the future...make sure your browser and email client is completely update with their patches...and your AV software and definitions are up to date...and most importantly..stay informed..which you've got a good start on by hanging out here.


    if you want to read up on nimda...

    http://www.sarc.com/avcenter/venc/da...imda.a@mm.html
    http://securityresponse.symantec.com...imda.e@mm.html
    http://www.microsoft.com/technet/tre...n/ms00-078.asp
    http://www.microsoft.com/technet/tre...n/MS01-020.asp
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  8. #8
    AO Soccer Mom debwalin's Avatar
    Join Date
    Mar 2002
    Posts
    2,185

    Thumbs up Wow, Thanks!

    Well, when I reformatted, I did NOT set my email up to go through Outlook this time...picked that up pretty quick here! I downloaded NAV, and ran updates for a couple of hours, just kept running it til it said there were no more...and I re-installed Zone Alarm. So, hopefully no more cooties.
    As for the tools to get rid of it, I downloaded both A and E, and ran them (which took a bit of time, let me tell you) and both of them said they were not needed on my computer, as I was not infected with that virus. I tried the version from McAfee AVERT, as well, and had it down to one file that I couldn't get rid of, got aggravated and turned the computer off for a while. When I came back, it was completely re-infected (McAfee got cleaned all the same files I had cleaned before) so I went to the Microsoft site, and they had Command Prompt lines that were supposed to get rid of the one file I couldn't get rid of, and I'm not sure, but I think I heard the damn thing laughing at me when I tried that. I posted a thread on here asking for help, and got references to all the things I had tried, and then KorpDeath (I think) told me about it opening a back door to my computer so people could get in, and in my inexperience, I didn't have any idea how I would know about it, or how to fix it, so I reformatted and re-installed....lol.
    Thank you again for all of the answers to my questions. I do feel better knowing it's possible that I could have gotten it just by reading my email (well....sort of!) I really do appreciate all them time you took to answer all those questions!!
    Outside of a dog, a book is man's best friend. Inside of a dog it's too dark to read.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •