NCMONTGO-L Archives
From: "Cathy Cranford-Ailstock" <>
Subject: [NCMONTGO] Important Please Read Worm Warning, Real Just happened
Date: Sun, 15 Apr 2001 13:04:15 -0400
Hi folks,
Please read this folks, I am trying to protect you, not bother you. I know
that this is not supposed to be posted to these lists but sometimes
warnings on these lists have kept me aware and bug free. I am sorry to
disturb you with this warning, but I feel the need to warn you all.
My mother is on some mailing lists that are in the UK. On the average of
once a day, she has been sent viruses, worms, etc that are coming through
somehow. Of course, I always save attachments to my hard drive then scan
with the antivirus. Only last night, that did not work. Let me explain
what happened.
She wrote to the list asking for help on a certain subject. Immediately
someone responded in a reply to her message. The ONLY words on this reply
to my mom's message (which also held the words of my mom's message) was
this:
"Please see attachment." This sentence rested right under my mother's
message for help. My mother called me into the room to check out the
attachment and to let her know if it was safe to open or not. I saved what
was called (without the quotations) "readme.txt.pif"
As soon as I saved it to my hard drive, it changed the attachment to a
"MS-DOS ReadMe" file. I tried to scan this file with my antivirus scanner,
but the option was missing. Another thing to warn you about, this has an
icon in the beginning that looks much like an HTML page, like if I sent you
my website's address in an attachment. So I figured that it was ok to
open. I double clicked to open and it told me that the file was corrupted.
Remember this as this is important. "File Corrupted." You will need this
as it is the one that shows you which worm you are infected with. If you
go to Norton's and type in "readme" you will get 5 or 6 worms to come up
and you have to go thru each one to find which one has hit you.
ALSO, this is how we knew we were infected. As soon as I had double
clicked that MS-DOS Readme file, her mail's outbox came up, and stayed up.
Mail started to appear at a rapid rate (161) in less than a blink of an eye
in her outbox, each had an attachment hooked to it. These names and
addresses were NOT from her address book, but her INBOX instead. This worm
grabs addresses from all points of your mail program. So if you have 2000
emails in your inbox, you will send out 2000 emails with attachments. IF
you click on those attachments (I was able to stop the sending process,
don't ask how, I don't know, I was freaking out at the time) you will see
that each message has a different attachment. Most worms send out the
same attachment, not this one. Some were screensavers, (hamster), some
were attachments named, "nude photo of me" etc. There were about 8
attachments in all, replicated over and over in about 161 emails, that I
somehow kept from going out. A few may have escaped though.
When you open that initial attachment, the one called "ReadMe", it will wait
until you reboot your machine, after you reboot, it has about 5 minutes and
it infects all that it is going to infect and changes files on your hard
drive to allow Trojans to enter your machine. The firewall I have
installed on her machine, immediately picked up that data was being sent
from her machine and an .exe file (those are self exploding files) was
opening and working her computer. Trojans are baddies. They take data,
such as checkbook accounts, passwords, etc. and send the data to the person
who made the bug. It also looks for other vulnerable machines that are
networked to that machine, such as my machine is networked into hers. My
firewall kept me from being infected. Thank God.
Now, here is my warning and please, please heed it. Do not open any
attachment from anyone, even if it is sent by myself, unless, I write to
tell you that I am sending an attachment and what the attachment's name is,
and only open if you are expecting me to send. Even then, save it to your
hard drive first. Scan it. If you do not have the option that you
normally have to scan with your virus checker, DON'T open. Don't be silly
like I was. We had to dump several files in order to dump this off her
machine and it took several additional runs of scanning her entire machine
with her virus checker to make sure all was gone. NOW here is the real
KICKER:
When you are infected, it will not show up when you scan with your virus
checker. Ours is updated each week and it did not pick it up. However,
when my brother went to Norton's and updated her protection files, and then
promptly scanned again, it did pick up the worm. So if you are or think
you are infected, update your protection first. Then scan again. The REAL
Name of this bug/worm is:
W32.BADtrans.13312@mm
and I do not have a clue as to why that is highlighted so don't click on it
to find out. Maybe it is the "at" symbol, that caused it to just
highlight, but don't click on it, just in case. haha, talk about becoming
paranoid. I am that for sure at this point.
Anyhow, please, please remember, I think this is a new worm, and it is a
biggie, as far as what it does. It comes on a reply message, hooked to
your original message that you sent out. All that will be said, is "please
see attachment" and if you were like my mom, and had just asked for help,
you would assume that someone is helping you and directing you some place.
WRONG.
To get rid of it, dump all files that are infected. Don't worry about it,
dump them. Don't repair them. Dump them. You do not need them. Promise
you. But make sure before you do, that you are infected with this certain
one.
Update now. Update often. Update twice a week. Can't hurt. Once a week
was not good enough for us. And watch these lists. They are good grounds
to pass on these worms. And worms do not need help to spread like viruses
do.
Good Luck and Happy Easter, everyone. May the Heavens shine on you today.
Cathy Cranford-Ailstock
http://homepages.rootsweb.com/~cranford/cathy1.html
Listowner for Montgomery County, NC
Listowner for The A*I*L*S*T*O*C*K, B*R*U*T*O*N,
C*R*A*N*F*O*R*D, F*O*X*H*A*L*L, H*A*T*H*C*O*C*K,
J*U*R*Y & O*Z*I*E*R Lists
***
To see one's self more clearly
One needs to seek the past.
C.C. Ailstock
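
The attachment in this message was named "readme.txt.pif", and Windows Explorer does not display the .pif extension, which is why the saved file looked like a plain "ReadMe". The following is an added example, not part of the original e-mail: a mail-filter check that flags attachment names ending in an executable extension, with or without a decoy document extension in front. The extension lists and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Extensions Windows executes directly (assumed list for this example).
# Explorer does not display ".pif", so "readme.txt.pif" shows as "readme.txt".
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "lnk"}
# Extensions a reader expects to be passive documents or media (assumed list).
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "htm", "html", "pdf", "zip"}

def classify_filename(name):
    """Return 'disguised', 'executable' or 'ok' for one attachment name."""
    # Windows drops trailing dots and spaces, so normalise them away first.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "disguised"
    return "executable"

def risky_attachments(raw_message):
    """List (filename, verdict) for every MIME part with a risky name."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and classify_filename(name) != "ok":
            findings.append((name, classify_filename(name)))
    return findings

# Constructed sample message (not the real worm mail; the payload is a placeholder).
SAMPLE = """\
From: someone@example.org
Subject: Re: help wanted
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attachment.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="readme.txt.pif"

placeholder
--b1--
"""

if __name__ == "__main__":
    print(risky_attachments(SAMPLE))
```

A gateway or mail client rule built on this check would quarantine the message before the attachment is ever saved, which does not depend on antivirus definitions being current.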