| Thread ID: 25326 | 2002-10-01 09:26:00 | Help! Mysterious emails | Shortstop (632) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 85009 | 2002-10-01 09:26:00 | I have had 2 mysterious emails, about 3 hours apart. The first, from a sender unknown to me, had no address; a message about stories for someone called Barbara and a large attachment. The second was from a person known to me; addressed to "undisclosed recipients" and contained part of a FW message that was Fwed to me in July. It also had a large attachment. I should have looked at the attachments more closely but I think the files were .wls. I've deleted both emails - have I got a problem? |
Shortstop (632) | ||
| 85010 | 2002-10-01 09:50:00 | Hi, I don't know what .wls extension belongs to but there is a nasty virus going around at the moment. Nortons and AVG have released new updates so download them and run your antiviral software to make sure nothing is on the loose. With OE, it is best not to have the preview pane open, as some viruses can open and run by just viewing the email with the preview pane. |
Jen C (20) | ||
| 85011 | 2002-10-01 10:00:00 | Hi Shortstop I was just about to post a similar query (see new post about to appear above) as I have received two strange emails out of the blue today too. Only one of my two had an attachment but ZoneAlarm quarantined it as suspicious because it was a filename.doc.xxx which suggests a virus. Right click the message in your inbox and click options, then see if they come from the same Ihug server as mine. I also have nothing in the "To" field. Cheers Billy 8-{) Quite mysterious |
Billy T (70) | ||
| 85012 | 2002-10-01 10:10:00 | Could be the new Bugbear virus. Here is the alert from MyE-Trust ************************ Virus Alert Notification Win32.Bugbear Alias: WORM_NATOSTA.A, Worm/Tanatos Category: Win32 Type: Worm CHARACTERISTICS Win32.Bugbear is an e-mail worm written in MSVC. The worm arrives attached to an e-mail. It appears to get the attachment name from files on the infected system. Therefore, the attachment name is unpredictable. The telltale sign is the double extension. The second extension can be pif, exe or scr. The file size is 50,688 bytes (UPX packed). The message appears to be an existing message taken from the infected system, then replied to or re-sent with the worm attached. To ensure the executable component of the worm will be run when Windows restarts, the worm drops a copy of itself to the current user's startup folder with a random filename starting with the letter C, for example "CGK.EXE". A second copy is dropped to the system directory, with a filename starting with letter F, for example "FCMY.EXE". The following registry key is then created and points to this copy: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" The name of the key value starts with letter T followed by two randomly generated letters, for example "TSE". Three files are dropped into the system directory by the worm with random names which will each have a .DLL extension. Two of them are data files, the other is a key logging trojan. In addition, two other data files with random names and .DAT extensions are dropped to the Windows directory.
The worm regularly searches and terminates the following Antivirus/Firewall processes if they are found in memory: It also enumerates network shares and listens on TCP port 36794. Analysis by Hamish O'Dea |
Davesdad (923) | ||
| 85013 | 2002-10-01 10:13:00 | I had a strange one too. It came into my Hotmail acc. It was from Support USA & had an attachment with a double ext & it was addressed to Ken Love & it contained what looked like passwords. I did not open the attachment. Some queer stuff is going on or maybe I have just been lucky up till now, who knows. Pauline. |
Pauline (641) | ||
| 85014 | 2002-10-01 10:24:00 | Yes, me too. Was Bugbear, but I updated my definitions this morning. | godfather (25) | ||
| 85015 | 2002-10-01 10:25:00 | Hmmm My second odd email did not have any attachment, and the first was quarantined by ZA and remains unopened. That maybe differentiates my problem from the new virus, and I've done a manual check and there are no new exe's on my C: drive (that is, assuming that the virus installs the exe with a reasonably current date, like after 2000). Curiouser and curiouser ?:| Cheers Billy 8-{) |
Billy T (70) | ||
| 85016 | 2002-10-01 10:30:00 | Further to my first post, I then launched NAV which fluttered feebly; said Auto Protect wasn't enabled; wouldn't enable it; wouldn't run a Virus scan and kept disappearing. So back to trusty System Restore; NAV back in control; updated Definitions and hopefully Bugbear's been swatted. Cheers |
Shortstop (632) | ||
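
The traits listed in the Bugbear alert quoted in post 85012 can be turned into a triage check for attachments and RunOnce entries. This is an added example, not part of the thread or the alert: the function names and the sample filenames, paths and registry entries are constructed, while the extensions, file size and naming patterns come from the alert.

```python
import re
from pathlib import PureWindowsPath

# Traits taken from the alert quoted in the thread.
SECOND_EXTS = {"pif", "exe", "scr"}   # second extension of the attachment
PACKED_SIZE = 50_688                  # bytes (UPX packed)
# Value name: T plus two random letters, e.g. "TSE" (letters A-Z is an assumption).
RUNONCE_NAME = re.compile(r"T[A-Z]{2}", re.I)

def attachment_flags(filename, size=None):
    """Return which of the alert's attachment traits a file matches."""
    parts = PureWindowsPath(filename).name.lower().split(".")
    flags = []
    # name.first.second, where second is pif, exe or scr
    if len(parts) >= 3 and parts[-2] and parts[-1] in SECOND_EXTS:
        flags.append("double-extension")
    if size == PACKED_SIZE:
        flags.append("size-50688")
    return flags

def runonce_hits(runonce, system_dir):
    """Return RunOnce value names that fit the alert: T + two letters,
    pointing at an F*.EXE located directly in the system directory.
    Requiring both keeps ordinary F*.EXE system tools from matching."""
    sysdir = PureWindowsPath(system_dir)
    hits = []
    for value_name, data in runonce.items():
        target = PureWindowsPath(data.strip('"'))
        if (RUNONCE_NAME.fullmatch(value_name)
                and target.parent == sysdir          # case-insensitive compare
                and target.name.upper().startswith("F")
                and target.suffix.upper() == ".EXE"):
            hits.append(value_name)
    return hits

# Constructed sample data, not taken from any real system.
SAMPLE_ATTACHMENTS = [("stories.doc.pif", 50688), ("report.final.doc", 120000),
                      ("setup.exe", 50688)]
SAMPLE_RUNONCE = {
    "TSE": r"C:\WINDOWS\SYSTEM\FCMY.EXE",
    "TNT": r"C:\Program Files\App\fix.exe",
    "Updater": r"C:\WINDOWS\SYSTEM\FOO.EXE",
}

if __name__ == "__main__":
    for name, size in SAMPLE_ATTACHMENTS:
        print(name, attachment_flags(name, size))
    print(runonce_hits(SAMPLE_RUNONCE, r"C:\Windows\System"))
```

A match is a reason to scan with updated definitions, not proof of infection, since the name patterns on their own are loose.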