Re:

The machines we love to hate

Moderator: Wiz Feinberg

Brad Bechtel
Moderator
Posts: 8473
Joined: 4 Aug 1998 11:00 pm
Location: San Francisco, CA

Post by Brad Bechtel »

Windows users:
You've probably received an email from somebody in the last few days with the subject Re: (as if replying to a blank subject), with two or more attachments. One of those attachments will be something like New File.MP3.pif. When you open the email it asks if you want to open the attachment as well.
Never open an attachment from anyone unless you know what it is.
This particular attachment is a Program Information File (PIF) which is actually a type of virus/worm. When opened, it will automatically infect your computer and send copies of itself to other people in your address book.
Get some antivirus software and use it. Make sure you've run the Windows Update to download the latest security patches.
I'm posting this here because I've received too many such emails in the last few days from people on this forum.

[This message was edited by Brad Bechtel on 26 November 2001 at 11:20 AM.]
b0b
Posts: 29084
Joined: 4 Aug 1998 11:00 pm
Location: Cloverdale, CA, USA

Post by b0b »

This one seems to be spreading like wildfire among Forum members. I've received about a dozen copies of it so far today.

The attachment has a variety of names, and the worm adds ".pif" or ".scr" to the end of it to trick the email client into running it. I have Outlook configured to not run attachments, so I haven't been infected.

The worm changes the reply address of the email by prepending a '_' to it. This thwarts attempts to reply to it. I've been sending replies to infected users to warn them by removing the '_'.

------------------
-b0b- quasar@b0b.com
-System Administrator
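The three traits b0b and Brad describe (a bare "Re:" subject, an attachment whose real extension is .pif or .scr hidden behind a data-file extension such as .MP3, and a reply address with "_" prepended to the mailbox) are easy to check for mechanically at the mail gateway or in a mailbox scanner. The script below is an added example written for this thread, not code from any of the posters or from an antivirus vendor; it uses only the Python standard library, and the two messages it parses are constructed samples, not real captures.

```python
"""Flag e-mail messages that carry the traits described in this thread.

Added example (not from the original posts). It checks three traits the
posters report: a subject that is a bare "Re:", an attachment whose name
ends in an executable extension behind a decoy data extension, and a
Reply-To/From address whose mailbox has been prefixed with "_".
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Extensions Windows will execute regardless of what precedes them in the name.
EXECUTABLE_SUFFIXES = (".pif", ".scr", ".exe", ".com", ".bat", ".vbs")
# Data-file extensions the worm is described as hiding behind (constructed list).
DECOY_SUFFIXES = (".mp3", ".doc", ".txt", ".jpg", ".zip", ".wav")


def suspicious_attachment(name: str) -> bool:
    """True for names like 'New File.MP3.pif': a decoy extension followed by an executable one."""
    lower = name.lower()
    if not lower.endswith(EXECUTABLE_SUFFIXES):
        return False
    stem = lower.rsplit(".", 1)[0]          # strip the executable suffix
    return stem.endswith(DECOY_SUFFIXES)    # what remains still looks like a data file


def underscored_sender(addr: str) -> bool:
    """True when the mailbox part of an address begins with '_' (the reply-address trick)."""
    _, mailbox = parseaddr(addr)
    return mailbox.startswith("_")


def scan_message(msg: Message) -> list:
    """Return the list of indicator labels found in one parsed message."""
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() == "re:":
        hits.append("subject is a bare 'Re:'")
    for header in ("Reply-To", "From"):
        value = msg.get(header)
        if value and underscored_sender(value):
            hits.append(f"{header} mailbox starts with '_'")
    for part in msg.walk():                 # visits every MIME part, nested or not
        filename = part.get_filename()
        if filename and suspicious_attachment(filename):
            hits.append(f"double-extension attachment: {filename}")
    return hits


def scan_raw(raw: str) -> list:
    """Parse an RFC 822 message from text and scan it."""
    return scan_message(message_from_string(raw))


# Constructed sample messages (not real captures).
WORM_LIKE = """From: "Some Steeler" <_someone@example.net>
Reply-To: _someone@example.net
To: you@example.org
Subject: Re:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

--XYZ
Content-Type: application/octet-stream; name="New File.MP3.pif"
Content-Disposition: attachment; filename="New File.MP3.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

BENIGN = """From: friend@example.net
To: you@example.org
Subject: Re: gig on Saturday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain

See you there.
--ABC
Content-Type: audio/mpeg; name="setlist.mp3"
Content-Disposition: attachment; filename="setlist.mp3"
Content-Transfer-Encoding: base64

SUQzAwAAAAAA
--ABC--
"""

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(label, "->", scan_raw(raw) or ["no indicators"])
```

The double-extension check is the one that matters most: an attachment called setup.exe is at least honest about being a program, while something.mp3.pif is trying to look like music. Matching on the subject alone would also catch every legitimate reply to an empty subject, so treat the subject and the underscore as corroborating signals rather than grounds for blocking by themselves.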
Jack Stoner
Posts: 22136
Joined: 3 Dec 1999 1:01 am
Location: Kansas City, MO

Post by Jack Stoner »

I've got two different "virus" messages, after b0b alerted me. Both to my hotmail account, but fortunately I was alerted and hotmail uses McAfee to scan all attachments so it was caught.

I too have the security patches for Outlook 2000 and it won't let me open certain types of attachments plus I run Norton Antivirus on my PC so between the two anything like that should be caught.
Brad Bechtel
Moderator
Posts: 8473
Joined: 4 Aug 1998 11:00 pm
Location: San Francisco, CA

Post by Brad Bechtel »

Here's a link where you can find out more about this annoying worm and how to fix it.

[This message was edited by Brad Bechtel on 26 November 2001 at 02:39 PM.]
Al Marcus
Posts: 9440
Joined: 12 May 1999 12:01 am
Location: Cedar Springs,MI USA (deceased)

Post by Al Marcus »

I have a virus which is emailing out of my address book with my email address. I have McAfee virus scan but it didn't work this time. I better find out what is the best protection I can get. Any suggestions??...al
Skip Cole
Posts: 2474
Joined: 5 Jun 1999 12:01 am
Location: North Mississippi

Post by Skip Cole »

Al, guess I'll be ditching my McAfee virus stuff too. It didn't detect the viruses; one from you and one from another steeler. Same message-attachment. I will, most of the time, delete any attachments; this time I bit on them, duh.

Thanks, Brad and the rest, for the links and info.
God bless you all-------

------------------
"Steel is the real deal"


CrowBear Schmitt
Posts: 11624
Joined: 8 Apr 2000 12:01 am
Location: Ariege, - PairO'knees, - France

Post by CrowBear Schmitt »

I got hit by this virus or worm yesterday.
b@mm is its name and it's got an mp3 attached.
Now I'm in trouble....
Thanks b0b for the warning. It came too late.
David Wright
Posts: 5346
Joined: 4 Aug 1998 11:00 pm
Location: Pilot Point ,Tx USA.

Post by David Wright »

Hi,
I got it today. Get rid of McAfee; my Norton picked it up for me. No harm done....

Get the Norton, it really works well..

------------------
My Web Page: http://david_wright1.tripod.com/
Sierra S-12 9&7
Peavey-2000-PX-300

Ricky Davis
Posts: 11444
Joined: 4 Aug 1998 11:00 pm
Location: Bertram, Texas USA

Post by Ricky Davis »

Jeff Agnew
Posts: 741
Joined: 18 Sep 1998 12:01 am
Location: Dallas, TX

Post by Jeff Agnew »

Brad said:
"This particular attachment is a Program Information File (PIF) which is actually a type of virus/worm."
In the interest of accuracy, PIF files are not themselves viruses or worms but are Windows system files. Most recent viruses/worms hide as a system file. For example, the Badtrans worm disguises itself as either a .PIF or .SCR file.

Side note: Brad, I think we met years ago at a UCON. Are you still with MM?
Rick Aiello
Posts: 4877
Joined: 11 Sep 2000 12:01 am
Location: Berryville, VA USA

Post by Rick Aiello »

Apparently this worm can infect your system even if you DON'T open the attachment. http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_BADTRANS.B

Just tryin' to help

Bill Ferguson
Posts: 5853
Joined: 4 Aug 1998 11:00 pm
Location: Milton, FL USA

Post by Bill Ferguson »

I opened the attachment, but when I went to open the download, it disappeared.

This was a couple of days ago, and I have not noticed any problems.

Is it lurking somewhere on my machine waiting to strike?

Bill
Jack Stoner
Posts: 22136
Joined: 3 Dec 1999 1:01 am
Location: Kansas City, MO

Post by Jack Stoner »

Jeff Newman has it. I got the virus e-mail from him today. This one is striking pretty "good".

Rob van Duuren
Posts: 160
Joined: 17 Jul 2000 12:01 am
Location: The Netherlands

Post by Rob van Duuren »

I too got a couple of *.*.pif att's. Of course I was foolish enough to try and open them. Now, I checked my 'address book', but I have no names stored in there. Does that mean the virus is harmless in my system? Rob.
Bob Bowden
Posts: 267
Joined: 29 May 2001 12:01 am
Location: Vancouver, BC, Canada * R.I.P.

Post by Bob Bowden »

This might be purely coincidence or it might not be, no idea yet. I have been using Eudora for many years as my email client. Over the last couple days, I have received the "Re:" messages from a number of people but for some reason all the emails arrived without any attachment. Just a blank email and no virus.
Jeff Agnew
Posts: 741
Joined: 18 Sep 1998 12:01 am
Location: Dallas, TX

Post by Jeff Agnew »

Rob said:
"Does that mean the virus is harmless in my system?"
No. You should remove this trojan from your system. It contains its own e-mail engine and has the potential to relay personal information and act as a back door to allow a cracker into your system.

If you've opened or previewed this e-mail it has done damage. The attachment was not blank. It has already made alterations to your system - you just didn't see them occur. In particular, it does two bad things:
1. In some instances it makes the following change to your Windows registry:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32 = kernel32.exe

2. It deposits a keystroke recorder, kdll.dll, into your system and sends stolen info (such as your passwords, credit card info, etc.) to an e-mail address of the trojan writer's choosing.

If you don't have an anti-virus or anti-trojan utility, search your system for the above items and manually delete them.

If you're unfamiliar with making changes to your Windoze registry, make a backup copy first before editing. You can seriously damage your computer's configuration by making mistakes in the registry.
Jim Smith
Posts: 7949
Joined: 4 Aug 1998 11:00 pm
Location: Midlothian, TX, USA

Post by Jim Smith »

One of the infected emails I got was from Sierra, now today I get a legitimate email from them advertising some Christmas specials.

I have never received an email from them before yesterday, could they be the source of the virus?!?
Michael Garnett
Posts: 972
Joined: 21 Feb 2001 1:01 am
Location: Seattle, WA

Post by Michael Garnett »

Jim- I doubt it. Most times they've just got you on a random e-mail list. They pass addresses around between them. Unsolicited e-mail is another can of worms entirely. Once you get on a list, the only way to get off of it is to shut down that email address and open up another. I probably get 5 to 10 pieces of mail I don't read every day. You might want to read up on this, if you don't already know about it.
http://home.hyperlink.net.au/~chart/spam.htm

I've tried and tried to get off lists, contact the authorities at MSN, Hotmail, Yahoo, and everyone else, but they can't do anything about it either.

Chances are, the Sierra e-mail is just because they've got you on a mailing list somewhere. Perhaps they got the virus in their computer, and you got it as a result of being on that list. That's all I'd say happened.

Garnett
Rob van Duuren
Posts: 160
Joined: 17 Jul 2000 12:01 am
Location: The Netherlands

Post by Rob van Duuren »

Jeff Agnew, thanks for your help. I removed the *.dll; I couldn't locate runoncekernel32.
I did however find 'Kernel32.exe' in windows/system, and it was written to disk the moment I first tried to read my e-mail attachment. For now I renamed it. Is it safe to remove it completely? Rob.
Jeff Agnew
Posts: 741
Joined: 18 Sep 1998 12:01 am
Location: Dallas, TX

Post by Jeff Agnew »

Rob said:
"I couldn't locate runoncekernel32. I did however find "Kernel32.exe"... Is it safe to remove it completely?"
Yes, if you look at the registry key, the actual file name is to the right of the equal sign: "Kernel32.exe". You should go ahead and remove it.

There are several variants of this worm, however, and there may still be some remnants left behind. To be certain it is completely removed from your system, you should use a good anti-virus or anti-trojan program.

Also, don't forget to delete the registry entry if you haven't done so.
Joe Delaronde
Posts: 1037
Joined: 4 Aug 1998 11:00 pm
Location: Selkirk, Manitoba, Canada

Post by Joe Delaronde »

Jeff
Can the KDLL.DLL file be found using the "search" function in the "start/find" menu? Will it search the registry?
I tried this and it never found anything.
I opened an email attachment which was supposedly empty. I'm using Norton and haven't had any warnings yet.
Joe
Jeff Agnew
Posts: 741
Joined: 18 Sep 1998 12:01 am
Location: Dallas, TX

Post by Jeff Agnew »

Joe said:
"Can the KDLL.DLL file be found using the "search" function in the "start/find" menu? Will it search the registry?"
Yes, you can find the DLL, if it exists, using the normal search function. But it won't search the registry. To do that, you'll need to launch RegEdit (Start/Run/regedit) and then use the "Edit/Find" menu item. However...

----------
Standard Disclaimer: Before you make any changes to the registry, make a backup copy and rename it "registry.old". That way, if you screw up the registry you can delete it, rename the backup copy, and reboot.
----------

Even better, get a copy of RegHance or Registry Editor Plus, which make backups and offer safety features designed to keep you from totally destroying your system. They also offer quite a bit more functionality than MS's RegEdit.
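Jeff's two earlier posts name the traces to look for (the RunOnce value Kernel32 = kernel32.exe, and the files kdll.dll and kernel32.exe), and the exchange with Joe shows the safe workflow: export the registry first, then search. The script below, an added example written for this thread and not code from any poster or vendor, ties the two together by reading a RegEdit export (the .reg file that File/Export produces) and walking a directory tree for the two file names. It only reports what it finds and deletes nothing; the export text and the directory it builds are constructed stand-ins, and it never touches a live registry, so it runs on any system. Note that kernel32.dll is a legitimate Windows file and is deliberately not on the list.

```python
"""Report Badtrans.B traces in a Registry Editor export and a directory tree.

Added example (not from the original posts). Reads a .reg export such as
RegEdit's File/Export writes, looks for the RunOnce value "Kernel32" that
launches kernel32.exe, and walks a directory for kdll.dll and kernel32.exe.
It reports only; cleanup stays a separate, deliberate step after a backup.
"""
import os
import re
import tempfile

RUNONCE_SUFFIX = r"\software\microsoft\windows\currentversion\runonce"
SUSPECT_FILES = {"kdll.dll", "kernel32.exe"}   # kernel32.dll is legitimate and is NOT listed

# "[HKEY_...\Key]" lines start a new key; '"Name"="data"' or '@="data"' lines are values.
_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_LINE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<value>.*)$')


def parse_reg_export(text: str) -> list:
    """Return (key, value_name, value_data) triples from a .reg export.

    Handles both the "REGEDIT4" (Win9x) and "Windows Registry Editor Version
    5.00" (Win2000+) headers by simply ignoring lines that are neither keys
    nor values. Only REG_SZ strings are unquoted; other types are kept raw.
    """
    entries = []
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = _VALUE_LINE.match(line)
        if m and current_key is not None:
            name = "(Default)" if m.group("default") else m.group("name")
            data = m.group("value").strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")   # unquote and unescape REG_SZ
            entries.append((current_key, name, data))
    return entries


def find_runonce_kernel32(text: str) -> list:
    """Entries under ...\\CurrentVersion\\RunOnce named Kernel32 that launch kernel32.exe."""
    hits = []
    for key, name, data in parse_reg_export(text):
        basename = re.split(r"[\\/]", data.lower())[-1]   # last path component, any separator
        if (key.lower().endswith(RUNONCE_SUFFIX)
                and name.lower() == "kernel32"
                and basename == "kernel32.exe"):
            hits.append((key, name, data))
    return hits


def find_suspect_files(root: str) -> list:
    """Paths under root whose file name matches one of the worm's file names."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() in SUSPECT_FILES:
                found.append(os.path.join(dirpath, fn))
    return sorted(found)


# Constructed .reg exports (not taken from any real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Kernel32"="kernel32.exe"
'''

CLEAN_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\WINDOWS\\setup.exe /finish"
'''


def demo_directory() -> str:
    """Build a throwaway tree standing in for C:\\WINDOWS\\SYSTEM (constructed, placeholder files)."""
    root = tempfile.mkdtemp(prefix="badtrans_demo_")
    system = os.path.join(root, "SYSTEM")
    os.makedirs(system)
    for name in ("kernel32.dll", "kernel32.exe", "kdll.dll", "user.exe"):
        with open(os.path.join(system, name), "wb") as fh:
            fh.write(b"placeholder")
    return root


def demo_scan() -> dict:
    """Run both checks against the constructed inputs and return the findings."""
    root = demo_directory()
    return {
        "registry": find_runonce_kernel32(SAMPLE_EXPORT),
        "files": [os.path.basename(p) for p in find_suspect_files(root)],
    }


if __name__ == "__main__":
    for kind, hits in demo_scan().items():
        print(kind, "->", hits or "nothing found")
```

Matching on the value name, the key path and the launched file name together is what keeps the check from flagging an unrelated RunOnce entry, and matching the file name exactly (rather than anything starting with "kernel32") is what keeps the real kernel32.dll out of the report.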
Joe Delaronde
Posts: 1037
Joined: 4 Aug 1998 11:00 pm
Location: Selkirk, Manitoba, Canada

Post by Joe Delaronde »

Jeff
It worked.
In the Registry window I exported the old registry file and named it "nov30". It was stored in the "My documents" folder. I then deleted the Kdll.dll file from the registry and re-booted.
Searched for the virus file and it was gone.
My computer is running good.
Now I should delete the old file???? and make a new backup of the new registry???
Joe
John Gretzinger
Posts: 427
Joined: 20 Aug 1999 12:01 am
Location: Canoga Park, CA

Post by John Gretzinger »

I've been running PC-cillin from Trend Micro for a bit now and am very pleased with the results. I have it set up to automatically check for new updates every time I start the system. Over the last four days I've gotten three updates to the virus definition file and one to the scan engine. This level of automated protection has caught three hits of BadTrans and two others on my girlfriend's machine (we have three computers networked in the bedroom) in the past couple of days. This is now the standard antivirus software for my clients.

I am very pleased.

Panda is another program that offers automated updates, but I have not played with it yet.

jdg

------------------
MSA D-10 w/Nashville 400
'63 Gibson Hummingbird
16/15c Hammered Dulcimer

Jeff Agnew
Posts: 741
Joined: 18 Sep 1998 12:01 am
Location: Dallas, TX

Post by Jeff Agnew »

Joe said:
"Now I should delete the old file???? and make a new backup of the new registry???"
Good idea on both counts. And you really should have one of the advanced registry editing programs on hand just in case you ever need to make further changes.

Glad you got your system cleaned out.