Topic: e-mail virus targeting Forimites?

Eric Stumpf
From: Newbury, NH 03255
Posted 11 Nov 2000 4:49 am

I just received two e-mail messages that could have potentially contained a virus of some sort; wisely, I did not open these messages without looking into the matter and I'm glad I made the effort to do so. The messages contained no text but did have attachments and were titled "DEJEBU" and "FUMUDI". The person who sent these had an e-mail address that contained the name of one of our Forumites but the address itself did not check out as being the address I knew this familiar Forumite uses. After contacting this Forumite, I learned that he DID NOT send the message. So, please be careful when it comes time to open your e-mail. Someone out there might try and target other people who use this Forum so beware.

Eric Stumpf
From: Newbury, NH 03255
Posted 11 Nov 2000 4:54 am

Yes, I do know how to spell "Forumites" and in the future will drink more coffee before posting a topic.

Jason Odd
From: Stawell, Victoria, Australia
Posted 11 Nov 2000 7:33 am

Eric, I downloaded a virus a while back when I got an email from a friend, but it ended up someone was tapping into his email address. Sometimes when you get a virus it will automatically send to everyone in the address book, but in this case the 'supposed' sender's PC was clear and his biggest hassle was that he took the time to check it and that other people thought he had given them a virus (until he explained what happened).

Also the virus email I got had other email addresses listed, but when I checked it out, I was the only one who was in his actual address book.

Scary huh?

Jack Stoner
From: Kansas City, MO
Posted 11 Nov 2000 1:10 pm

I recently got this info from forumite Bob Cole who has a computer consulting business:

I have just had a couple of clients get infected by a nasty email Virus/Worm that is going around. This thing manifests itself by sending out an attachment to an email without a From name and with the subject from the previous. It uses 31 different attachment names. They are listed below in the writeup. This thing is brand new, first detected in Europe in late Sept. Only the very latest Virus detectors will detect it. If you have a Virus Scanner be sure to have the LATEST ID or Dat files for it as this will get past anything older than Sept. 2000.

If any of you get an Email Attachment such as listed below DELETE IT. If you double click it to open it, it's too late. The removal is a fairly complicated procedure. On the system I just finished disinfecting there were 57 infected Windows Related Files.

At the end of this message are some tips on how to avoid getting infected by one of these Email Worms.
For what it's worth my Virus scanner with a 3 month old Dat file did not catch it. For me the .pif extension tipped me off.

Win32/MTX - virus

Win32/MTX is one of the most complex recent computer infiltrations. It combines a virus, worm, backdoor ftp server, a script for MIRC and PIRCH IRC clients. MATRix, an international virus group, was identified as the author of this malicious infiltration. The worm installs itself into the system replacing wsock.dll - an important system file. To do this, the worm first creates an infected copy of the file with a different name: wsock32.mtx. Using the system registry, the activation of the new file is triggered upon the next system start-up. The worm then takes over control of the sent mail. Any message sent is accompanied by another infected one. The infected message has the same Subject field, an empty body, and an infected attachment. The name of the attachment is selected out of the following 31 candidates:

README.TXT.pif
I_wanna_see_YOU.TXT.pif
MATRiX_Screen_Saver.SCR
LOVE_LETTER_FOR_YOU.TXT.pif
NEW_playboy_Screen_saver.SCR
BILL_GATES_PIECE.JPG.pif
TIAZINHA.JPG.pif
FEITICEIRA_NUA.JPG.pif
Geocities_Free_sites.TXT.pif
NEW_NAPSTER_site.TXT.pif
METALLICA_SONG.MP3.pif
ANTI_CIH.EXE
INTERNET_SECURITY_FORUM.DOC.pif
FREE_yahoo-email.DOC.pif
READER_DIGEST_LETTER.TXT.pif
WIN_$100_NOW.DOC.pif
IS_LINUX_GOOD_ENOUGH!.TXT.pif
QI_TEST.EXE
AVP_Updates.EXE
SEICHO-NO-IE.EXE
YOU_are_FAT!.TXT.pif
FREE_xxx_sites.TXT.pif
I_am_sorry.DOC.pif
I_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
Protect_your_credit.HTML.pif
JIMI_HMNDRIX.MP3.pif
HANSON.SCR
****ING_WITH_DOGS.SCR
MATRiX_2_is_OUT.SCR
zipped_files.EXE
BLINK_182.MP3.pif

An interesting, but wilful, fact is that the infiltration increases its survival chances by prohibiting access to certain web pages containing strings of characters that are, in fact, part of the names of some anti-virus developers! Another, somewhat "along the same line", active-defence feature of this infiltration is blocking the possibility of sending e-mail to some anti-virus developers/sites from an infected machine. The body of the worm contains the following text:

Software provided by [MATRiX] VX team: Ultras, Mort, Nbk, Tgr, Del_Armg0, Anaktos Greetz: All VX guy on #virus channel and Vecna Visit us: www.coderz.net/matrix

The Backdoor component of this infiltration installs an ftp server (MTX_.EXE file), which supports "downloading" and installation of files and/or plug-ins from certain internet sites. The string, found inside the Backdoor, is very similar to the one presented above. Finally, the virus component of the infiltration applies the Entry Point Obscuring technology: in contrast to a "classical" virus, in this case, the execution address is not redirected to its own code, but (at a proper location) it places a jump command. This "trick" is aimed at making its detection by an anti-virus program more difficult. The virus component contains the following text:

SABIA ViRuS Software provided by [MATRiX] VX TeAm: Ultras, Mort, Nbk, Tgr, Del_Armg0, Anaktos Greetz: All VX guy in #virus and Vecna for help us Visit us at: http://www.coderz.net/matrix

The virus code itself is encrypted. After it is executed, it installs itself into the system and attacks the Portable Executable (PE) files with extensions EXE, DLL, SCR and OCX in the current directory, the temporary directory and the one where the Windows installation is located. The plug-in for IRC clients (MIRC and PIRCH) provides a spreading environment when certain keywords (e.g. worm, virus, file, exe) are used. Four variants of this infiltration were identified so far and the spread of the epidemic continues.

Virus Detection and Prevention Tips

Do not open any files attached to an email from an unknown, suspicious or untrustworthy source.

Do not open any files attached to an email unless you know what it is, even if it appears to come from a dear friend or someone you know. Some viruses can replicate themselves and spread through email. Better be safe than sorry and confirm that they really sent it.

Do not open any files attached to an email if the subject line is questionable or unexpected.

Delete chain emails and junk email. Do not forward or reply to any of them. These types of email are considered spam, which is unsolicited, intrusive mail that clogs up the network.

Do not download any files from strangers.

Exercise caution when downloading files from the Internet. Ensure that the source is a legitimate and reputable one. Verify that an anti-virus program checks the files on the download site. If you're uncertain, don't download the file at all or download the file to a floppy and test it with your own anti-virus software.

Update your anti-virus software regularly. Over 200 viruses are discovered each month, so you'll want to be protected.

Back up your files on a regular basis. If a virus destroys your files, at least you can replace them with your back-up copy.

When in doubt, always err on the side of caution and do not open, download, or execute any files or email attachments.

Read more about it at http://www.symantec.com/avcenter/venc/data/w95.mtx.html


Stoney Stonecipher
From: Knoxville, TN (deceased)
Posted 11 Nov 2000 7:12 pm
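Added example, not code from the original thread or from any vendor writeup: a Python script that applies the indicators from the writeup above to a raw e-mail message using the standard library's email parser. It flags an empty body with an attachment, an executable extension (.pif, .scr and .exe from the MTX list, plus the .vbs and .hta mentioned in other posts of this thread), the double-extension disguise such as .TXT.pif, and the attachment names listed in the writeup. The two sample messages and their addresses are constructed for the demonstration.

```python
"""Flag e-mail attachments that carry the Win32/MTX indicators described above.

Added example, not code from the original thread or from any vendor writeup.
It checks the indicators the writeup gives (an empty message body, an
executable attachment hidden behind a second extension such as ".TXT.pif",
and the worm's fixed set of attachment names) and also flags the .vbs and
.hta extensions reported in other posts.  The sample messages at the bottom
are constructed for the demonstration; their addresses are placeholders.
"""
import email
from email import policy

# The attachment names listed in the writeup, minus the one censored on the page.
MTX_ATTACHMENT_NAMES = {
    "README.TXT.pif", "I_wanna_see_YOU.TXT.pif", "MATRiX_Screen_Saver.SCR",
    "LOVE_LETTER_FOR_YOU.TXT.pif", "NEW_playboy_Screen_saver.SCR",
    "BILL_GATES_PIECE.JPG.pif", "TIAZINHA.JPG.pif", "FEITICEIRA_NUA.JPG.pif",
    "Geocities_Free_sites.TXT.pif", "NEW_NAPSTER_site.TXT.pif",
    "METALLICA_SONG.MP3.pif", "ANTI_CIH.EXE", "INTERNET_SECURITY_FORUM.DOC.pif",
    "FREE_yahoo-email.DOC.pif", "READER_DIGEST_LETTER.TXT.pif",
    "WIN_$100_NOW.DOC.pif", "IS_LINUX_GOOD_ENOUGH!.TXT.pif", "QI_TEST.EXE",
    "AVP_Updates.EXE", "SEICHO-NO-IE.EXE", "YOU_are_FAT!.TXT.pif",
    "FREE_xxx_sites.TXT.pif", "I_am_sorry.DOC.pif", "I_nude.AVI.pif",
    "Sorry_about_yesterday.DOC.pif", "Protect_your_credit.HTML.pif",
    "JIMI_HMNDRIX.MP3.pif", "HANSON.SCR", "MATRiX_2_is_OUT.SCR",
    "zipped_files.EXE", "BLINK_182.MP3.pif",
}
_MTX_NAMES_LOWER = {name.lower() for name in MTX_ATTACHMENT_NAMES}

# Extensions Windows runs as programs: .pif/.scr/.exe appear in the MTX list,
# .vbs and .hta are the ones reported in the other posts of this thread.
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".vbs", ".hta"}

# Harmless-looking "inner" extensions the worm puts in front of the real one.
DECOY_EXTENSIONS = {".txt", ".jpg", ".doc", ".mp3", ".avi", ".html"}


def classify_attachment(filename):
    """Return the list of reasons an attachment name is suspicious (empty if none)."""
    reasons = []
    lower = filename.strip().lower()
    pieces = lower.split(".")
    ext = "." + pieces[-1] if len(pieces) > 1 else ""
    if lower in _MTX_NAMES_LOWER:
        reasons.append("known Win32/MTX attachment name")
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + ext)
        # "README.TXT.pif" splits into ["readme", "txt", "pif"]: the middle
        # piece is the decoy a user sees when Windows hides the real extension.
        if len(pieces) >= 3 and "." + pieces[-2] in DECOY_EXTENSIONS:
            reasons.append("double extension disguised as ." + pieces[-2])
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message (bytes) and return human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed attachment>"
        attachments.append(name)
        for reason in classify_attachment(name):
            findings.append(name + ": " + reason)
    # MTX sends no message text at all, so an empty body next to an attachment
    # is itself an indicator worth reporting.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    if attachments and not text:
        findings.append("empty body with attachment(s): " + ", ".join(attachments))
    return findings


# Constructed sample: the shape of message the writeup describes.
SAMPLE_MTX_MESSAGE = b"""\
From: forumite@example.invalid
To: eric@example.invalid
Subject: DEJEBU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="mtx-demo"

--mtx-demo
Content-Type: text/plain; charset="us-ascii"

--mtx-demo
Content-Type: application/octet-stream; name="README.TXT.pif"
Content-Disposition: attachment; filename="README.TXT.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--mtx-demo--
"""

# Constructed sample: an ordinary message with a picture attached.
SAMPLE_BENIGN_MESSAGE = b"""\
From: friend@example.invalid
To: eric@example.invalid
Subject: holiday photo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="benign-demo"

--benign-demo
Content-Type: text/plain; charset="us-ascii"

Here is the photo from last week.
--benign-demo
Content-Type: image/jpeg; name="holiday.jpg"
Content-Disposition: attachment; filename="holiday.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--benign-demo--
"""

if __name__ == "__main__":
    for label, raw in (("MTX-style", SAMPLE_MTX_MESSAGE), ("benign", SAMPLE_BENIGN_MESSAGE)):
        print(label + ":", scan_message(raw) or ["no findings"])
```

The same scan_message function can be pointed at any saved .eml file read in binary mode. It inspects only the declared attachment filename, which is exactly what a mail client shows the user, so it serves as a triage aid alongside a scanner with current Dat files rather than in place of one.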

I just found out I had a virus in my computer. I have no idea where it came from. It deleted all of my jpg files. It came from an attachment that had vbs on it. If you get any files that have .vbs on them, don't open them, just delete them.

Jack Stoner
From: Kansas City, MO
Posted 12 Nov 2000 4:53 am

The great majority of "worm" type viruses are "Active X" files attached to e-mail messages. If you don't have the "latest and greatest", update your e-mail program to the latest version/security patch. Fortunately I have Outlook 2000 with the latest security patches; I received e-mail from two friends and the e-mails from both of them had the Active X attachments, and Outlook gave me a warning and then would not open/execute the Active X attachment. Neither of the people that sent me the e-mails knew they had been infected.

I temporarily changed my Outlook e-mail security level so I could figure out what was happening. When I opened one of the infected messages there was no additional information displayed on the e-mail, but it installed the KAK worm virus on my PC. It installed the file kak.hta in my windows\start menu\programs folder and every time Windows is restarted that program will run. The virus was detected by my McAfee VirusScan program, which I ran right after opening the test Active X attachment, and I removed it before any harm could be done.

Johan Jansen
From: Europe
Posted 12 Nov 2000 6:33 am

I'm back, with a lot of help from my neighbour. It happened, something I never expected with all the whistles and bells from the modern scanners:
I received a virus that destroyed both hard disks in my PC, $$^%^&* !!!
This virus, I don't know the name, works itself up to the boot files and the registry on your disks. When you get a warning from your scanner, it's too late!
When you reboot your computer, it gets worse!
Your scanner will see your boot data as a virus and attack it, also the registry. It cost me a lot of money; I lost a lot of important addresses, files etc. that don't fit on a floppy. So now for sure I'm going to install a CD writer, and back up every week.
Be careful! The virus scanner says you got the Trojan virus, but it is not the same one!!
Watch out, I really don't know how it came into my PC, because I never open strange mails!
JJ


Jon Light
From: Saugerties, NY
Posted 12 Nov 2000 9:16 am

I got real spooked after Stoney's post because suddenly this morning I couldn't open any .jpgs. Even the forum icons were dead. But I delved into it a little and found that I could still open stuff with my graphics programs; the files were intact. The problem was with my browser (IE 5.5, also my default jpg and gif viewer). I reloaded IE 5.1 from the CD and all is ok.
Johan, that really blows! And not having a clue where it came from must really spook you every time you touch anything on the computer!
I realize that the only reason I'm relatively ok is only just luck.
I'm going to start wearing condoms on my fingers whenever I'm at this keyboard from now on. Safe computing!