PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG
Options: Use Forum View

Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: ADMIN: Subscriber with a virus
From:
List Moderator <[log in to unmask]>
Reply To:
PCBUILD - Personal Computer Hardware discussion List <[log in to unmask]>
Date:
Thu, 30 Mar 2000 01:13:31 -0800
Content-Type:
text/plain
Parts/Attachments:
text/plain (125 lines) 
<  Also if i am infected with this worm how would i know? Are there
<  set signs that i should be looking for? Thank you for any advice you can
give
<  me and i will be looking for you response


Mr. Laurence McKenna became infected with the W32.Plage.Worm virus which
started sending itself out to some of our subscribers. I am sure Mr.
McKenna feels pretty bad about this.  This file hides itself in a  in a
file called joke.exe and in this case was in an attachment called
NAE22.MME. It is our understanding that the virus only effects those people
who use Outlook or Outlook Express but there are many variations and I am
not 100 percent sure of this. Once executed the file infects  and starts
sending out replies to all the old posts it can find in your mail boxes.
This particular strain of the  virus will send out a reply with this at the end

<<<1st.net account auto-reply: ' I'll try to reply as soon as possible.
Take a look to the attachment and <<<send me your opinion

Bradley it looks like you are using AOL mail program so you should be OK as
far as sending out posts but you may still be infected in your registry.
Search your hard drive and make sure you have deleted the NAE22.MME file.
And hold down the shift key when you delete it so it doesn't go to the
recycle bin.
I have appended this with a brief version of what Symantec has to say about
this particular virus....but I suggest you go to this link for a more
detailed explanation....complete with pictures  showing exactly what the
virus will do.
http://www.symantec.com/region/uk/avcenter/venc/w32_plage_worm.html

If you execute the attachment a you are in trouble. If you receive a reply
ending like this do not execute the attachment. Delete it, empty your
recycle bin and delete the post. It wouldn't hurt to update your Anti Virus
programs virus definitions and do a full system virus scan. For those
subscribers without a anti virus program you can download a  30 day trial
version of Norton Anti Virus 6.0 which will clean up and protect your
system. This program will also protect your email and would have caught and
dealt with this virus before it caused any damage. Get it
at
http://www.symantecstore.com/Pages/TBYB/index.html#Norton_Antivirus_2000_6.0

 From Symantec Virus Research Center.....

W32.Plage.Worm
Detected as: W32.Plage.Worm
Aliases: I-Worm.W95.Plage.Worm, P2000, Plage2000
Infection Length: 102,400 bytes
Likelihood: Rare
Detected on: Jan 13, 2000
Characteristics: Worm

Description

W32.Plage.Worm is a memory resident worm discovered on Jan 13, 2000. The
worm replies on MAPI32 and propagates by replying to unread email with the
following message body.

I'll try to reply as soon as possible.
Take a look to the attachment and send
me your opinion!
 > Get your FREE P2000 now! <

The attachment has a file size of 102,400 bytes and will have one of the
following filenames: pics.exe, images.exe, joke.exe, PsPGame.exe,
news_doc.exe, hamster.exe, tamagotxi.exe, searchURL.exe, SETUP.EXE,
Card.EXE, billgt.exe, midsong.exe, s3msong.exe, docs.exe, humor.exe, or
fun.exe

When the attachment is executed it will display the following dialog box:
<PICTURE>

Next, it will display the following fake error message to fool the user in
to believing the file is corrupted:

<PICTURE>

The worm will copy itself into the Windows directory under the file name
INETD.EXE. Also, the worm will modify the WIN.INI file's run line to load
itself into memory as INETD.EXE under Windows 95/98 and will modify the
registry to load itself under Windows NT. Under Windows 95/98, the worm
task is not visible on the task bar since it runs as a service.

When the day of the week is Wednesday and the time is between 12:00AM and
2:00AM, the worm will prepare a dialog box with an animated bitmap and
text, and tries to display it.

Bitmap:
<PICTURE>
  Virus Signiture
Fight against the plage of inhumanity.
This is Plage 2000 coded by Bumblebee/29a._Plage 2000


Mark Rode
List Moderator <[log in to unmask]>

===============================================

Text:

Fight against the plage of inhumanity.
This is Plage 2000 coded by Bumblebee/29a._Plage 2000



:
>Dear subscriber,
>
>     Earier today i recieved and downloaded a file titled "card" from Mr.
>Lawrence. I scaned it will Mcafee's virus scanner before i opened it and when
>i tried to open it, it just said that it was "unable to open it the file
>might have been damaged". I deleted it after i recieved this notice from you.
>Is there anything else that i must do or am i now safe? I did a virus scan
>with the one that i have it is about 4 months old though and it did not find
>anything. Also if i am infected with this worm how would i know? Are there
>set signs that i should be looking for? Thank you for any advice you can give
>me and i will be looking for you response.
>
>Bradley Marden
>[log in to unmask]

            Do you want to signoff PCBUILD or just change to
                    Digest mode - visit our web site:
                    http://nospin.com/pc/pcbuild.html

ATOM RSS1 RSS2