OKMCCURT-L Archives



From: "Peggy" <>
Subject: Re: [OKMCCURT] Virus!!!!
Date: Wed, 16 May 2001 21:02:04 -0500
References: <200105160451.f4G4phV09612@cgi.rootsweb.com> <20010516162927.CVPE26368.mtiwmhc26.worldnet.att.net@home> <00c601c0de27$3de543e0$4898413f@computer>


I got it too. But not from the person you named in a previous email. The one
I got it from, I tried to email back to warn him he had a virus, and the
email returned to me. Guess he changed his email address. This virus was
sneaky. I didn't open the thing, I knew what it was. I deleted it, and
deleted the trash. I thought I had got it all. But when I got home tonight,
when I started the computer up, it activated. We had to go through a lot to
get it off. It was trying to send out emails when I stopped it. I will paste
my husband's email below to help in case one of you doesn't know how to get
rid of this thing.
Peggy Hamlett

I am sending you this notice that I discovered a VIRUS upon opening my email
this afternoon. Thankfully it appears this one started out by selecting junk
mail from the trash, stripped HTML formatting from it, then sent it back to
the entity that sent it and also sent it to me. Cute but not something I
want automatically accomplished, thank you very much. Anyway, I downloaded
the latest definitions created yesterday for Norton as the initial scan
using last week's definitions showed nothing. The newest definitions revealed
the virus as being in the file INETD.EXE and identified the virus as
w32Badtrans.1332@mm Virus. In other words the virus appeared within the past
week so hopefully none of you have it. This is a heads up.

Above describes how it acted on our system. On the emails it creates it
recreates itself in an attachment. The names of the attachment differ. On
the five it created and sent before we caught it today the names of the
attachments were card.pif, card.pif, hamster.zip.scr, README.TXT.pif,
SETUP.pif ... As you can see the most common thread is the ".pif"
extension. ".pif" is usually used on Windows systems to indicate a product
information file. These files are run to create a set of system variables
and create an environment for a particular program to run. The icons on your
desktop are this type of file, they include a shortcut method of reaching
the actual program's location on your hard disk and may provide any necessary
additional data in the run command initiated when you double click the
desktop icon. The "scr" extension is reserved for screen saver programs. All of
the files the virus creates as attachments are 13.3KB in size regardless of
the name or "." extension. Another name it creates which is the one we
received as a reply to a genealogy inquiry is "MeWord.avi.pif" and
"Me_Nude.avi.pif". It too was 13.3KB in length. The virus checker did not
catch that because it is too new.
catch that because it is too new.

Anyway, the GOOD NEWS: the thing is easily removed. If you notice that your
out box is suddenly showing up as having messages to send when you have not
created any and are not sending any then stop the internet connection by
logging off. I'm uncertain that the "INETD.EXE" is the file name created by
the virus in every instance but it is the name used by the program on our
system. To remove it I took the following steps.
From the "Start" Menu, I opened "run" and entered "msconfig" then clicked
"OK".
This brings up the "System Configuration Utility".
There are six tabs at the top of the utility, "General", "Config.sys",
"Autoexec.bat", "System.ini", "Win.ini", and "Startup". The tab to select is
"Startup".
This brings up a list of program options to be started "run" each time the
system initializes. Not all of the items may be checked and the list varies
from computer to computer depending on the hardware configuration. I
admonish you to not begin checking and unchecking boxes as this may enable
or disable programs and functions you may not desire. What I looked for was
something new in the list but if you have not done this before you will not
have a reference for that. I found the "INETD.EXE" program file had been
added and simply removed the check mark in the box on the left to disable it
from being loaded next time I turned on the system. If the virus behaves in
the same manner it did on my system and creates a file named "INETD.EXE" it
will add itself to the startup list by creating a "run =
C:/WINDOWS/INETD.EXE" entry. Uncheck that option in msconfig then click
apply at the bottom of the "System Configuration Utility" window. When you
close System Configuration it will prompt you to restart your computer. You
should do this. When the system completes rebooting you can then open
Windows Explorer to the Windows directory or wherever the path statement in
the list indicates it is, locate the INETD.EXE file and delete it. That
completes removing the virus from your system. You can remove it from the
trash and be certain it is GONE.

We received it yesterday. We closed down the system this morning and on
rebooting this afternoon the virus began operating. In other words the virus
does not begin affecting your system until the next time you turn the system
on. That then allows the entry it makes in your startup list to take
effect.

Hope nobody else receives the thing but if you do, you now have some clues
as to what it is, how it behaves, and best of all how to get rid of it.
Getting rid of it easily is the best part.

Hope this is useful.

----- Original Message -----
From: "David Reid" <>
To: <>
Sent: Wednesday, May 16, 2001 11:42 AM
Subject: Re: [OKMCCURT] Virus!!!!


Thanks,
I received it again this morning. The message was sent directly to my
address not the list.
David
--------------------------------------
----- Original Message -----
From: Gene Philips <>
To: <>
Sent: Wednesday, May 16, 2001 10:47 AM
Subject: Re: [OKMCCURT] Virus!!!!


> At 07:59 AM 05/16/2001 -0500, you wrote:
> >I wrote Tawasha Hubbard about this problem April 7th and have not received a
> >reply. The name on the one I received was "Cunningham". I assume it to be
> >from that person but they may not be aware of it. Might just be passing it
> >along without knowing it.
> >David
>
> has been infected with the virus since at
> least April 30, the first time I got it. I thought she had probably got it
> cleared up. I wrote to her directly last Saturday and didn't get the virus
> back.
>
> Gene Phillips
>
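
An added example, not part of the original emails: a Python check for the two indicators the forwarded message describes, attachments whose final extension is one Windows executes (often behind a decoy such as ".TXT") and an unfamiliar program on a "run =" startup line. The extension set beyond .pif and .scr, the allow-list, the sample message, and the assumption that the "run =" line is read from WIN.INI text are constructed for illustration.

```python
import ntpath
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs on double-click: the two named in the message plus
# common ones (this set is an assumption; adjust to local policy).
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat"}
# Startup programs the owner expects to see (constructed allow-list).
KNOWN_STARTUP = {"c:\\tools\\known.exe"}

def risky_attachments(raw: bytes) -> list[tuple[str, bool]]:
    """Return (filename, has_decoy_ext) for attachments Windows would execute."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        stem, ext = ntpath.splitext(name.lower())
        if ext in EXECUTABLE_EXTS:
            # README.TXT.pif: the stem still carries ".txt", a decoy extension
            hits.append((name, ntpath.splitext(stem)[1] != ""))
    return hits

def unexpected_run_entries(win_ini: str) -> list[str]:
    """Return programs on run=/load= lines that are not in KNOWN_STARTUP."""
    found = []
    for line in win_ini.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in ("run", "load"):
            # Entries are space- or comma-separated; paths with spaces are
            # not handled by this simple split.
            for prog in value.replace(",", " ").split():
                if prog.replace("/", "\\").lower() not in KNOWN_STARTUP:
                    found.append(prog)
    return found

def build_sample_mail() -> bytes:
    """Constructed message using attachment names quoted in the thread."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("constructed body")
    for name in ("card.pif", "README.TXT.pif", "hamster.zip.scr", "notes.txt"):
        m.add_attachment(b"\0" * 16, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()

SAMPLE_WIN_INI = "[windows]\nload=\nrun = C:/WINDOWS/INETD.EXE\nrun=C:\\tools\\known.exe\n"

if __name__ == "__main__":
    print(risky_attachments(build_sample_mail()))
    print(unexpected_run_entries(SAMPLE_WIN_INI))
```
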


