
Registered · 1,000 Posts · Discussion Starter · #1
I just tried to download the full version of dilard 2.1 from dilard.com. During the download there was a pop-under window; I thought Milori had resorted to advertising to offset the expenses of his site. It was an email of some sort. I downloaded it and BOY WAS I SORRY. It was the [email protected] virus.


See this page for more info
http://www.symantec.com/avcenter/[email protected]



In summary, I quote:

"Users visiting compromised Web servers will be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment.

Also, the worm will create open network shares on the infected computer, allowing access to the system. During this process the worm creates the guest account with Administrator privileges."



Please Milori, confirm or deny this. I hope I have f***ed up somewhere else and it is not your site. Do you run Norton Antivirus?



Registered · 4,525 Posts
Stefan,


I contacted the web host, and they did verify that a virus attacked their servers. Interestingly, BOTH of my hosts got nailed today (milori.com in Austin, TX and dilard.com in Durham, NC).


As far as I know, both sites were down just about the entire day today. How did you get through to get this download?

Registered · 1,000 Posts · Discussion Starter · #4
I managed to clean out my hard drive, but now when I boot I get the dialog "cannot find load.exe".


I guess it's a remnant of the infection that tries to start the load.exe application. But what is it that tries to call it? I found a line in the win.ini file that is "load=", but I don't think that's it. Milori, any idea?

Registered · 4,525 Posts
Hi Stefan,


I don't know much about this virus except that it has been circulating the Internet rapidly and nailed my web hosts today. None of my machines here have been affected by it (I don't host those sites from here).


Definitely perform a complete virus scan as soon as you can and quarantine that sucker! I have made the same recommendation (in not as nice a way) to the hosts themselves. I can't see how this sort of thing happens to professional web hosting companies, but it does.

Registered · 4,525 Posts
Hi Chris,


I've never been to Austin. I was in Houston last year and enjoyed my trip, though. The Internet is an amazing place where you don't care where your suppliers are, as physical distance has little meaning.


For what it's worth, the Austin based web host sent this out to their clients a few minutes ago:

MCI WORLDCOM UUNET is under DOS (Denial of Service) attack. Any IPs beginning with 63 have been affected.


We have done a force to Time Warner Telecom, our backup backbone. You will experience intermittent disruptive connectivity. We are working with MCI UUnet and Time Warner Tech Support and will keep you posted.

Registered · 2,027 Posts
This is a big one. Our entire office was shut down yesterday, and I don't know if we'll be able to get back up today. We had all the IIS patches in place, but it was able to get in through email.


I am running Windows XP Pro, and it's supposed to have had all the security patches applied, but it still got in because the virus on another infected machine "pushed" the files to me through an open file share.


Everybody knows, or should by now, not to open unknown attachments in email. This one is particularly bad, because you don't have to open the attachment, or even the email itself! In Outlook Express, simply clicking on the email message will launch the Windows Media Player, and then you're screwed.


I had to completely nuke my C: drive and reinstall XP. However, Norton Anti-virus found another 70 infected files on my D: drive, which I had not formatted. Many of these were hidden copies of the system file riched20.dll.


I did not have virus checking on this machine before. I do now. The patches are coming in fast and furious. There was a new one released just this morning, sometime between 1:00am and 6:30am when I logged on again.


This is a big one, folks.

Registered · 1,355 Posts
I have a simple solution to all these email viruses. I use Web-based mail, and of course I don't open attachments from people I don't know. Is web-based mail safer? I guess it is when I keep hearing how Outlook is affected. I have never even run the Outlook program on my computer.

Registered · 873 Posts
Yet another . . . . don't use Outlook.


I hate Notes, but it is infinitely more secure.


Kelly

Registered · 387 Posts
There are really few excuses for an organization to get caught with their pants down on this... F-Secure is only one antivirus company that offers a centrally administered antivirus solution that pushes antivirus updates to all registered clients. And of course, patching IIS is something everyone should have done by now.


We've had some attacks at my place of work too. In the cases where a user got infected attachments the antivirus software filtered it out; our antivirus updates are automatic and happen many times per day, so once a cure exists our clients have it within minutes.



------------------

/Kimmo

Registered · 41 Posts
If I'm using Windows 9x/ME can I contract the virus with email attachments only when using Outlook? Or can it also be contracted with Netscape or AOL email software?


Tony

Registered · 1,000 Posts · Discussion Starter · #15
BizarroTerl

Thanks. I figured out that the Nimda virus patches the sys.ini file so that immediately after Explorer is loaded, it runs 'load.exe'. Deleted that and all is fine.


Another bothersome thing about this virus is that it generates THOUSANDS of email messages, copies of itself peppering your hard drive. Norton Antivirus doesn't touch these because it thinks they are regular emails. You have to do a search for Outlook Express email messages and delete them ALL.
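An added example (not from anyone in this thread) of the kind of check the two posts above call for: parse the legacy startup hooks and report anything launched alongside the shell. It assumes the hook lives in the [boot] shell= line of system.ini and the load=/run= lines of win.ini; the file contents are constructed samples, not copied from an infected machine.

```python
from typing import Dict, List

# Constructed sample files: a system.ini whose [boot] shell= line has gained an
# extra program, as described in this thread, and a win.ini with empty load=/run=.
SYSTEM_INI = """[boot]
shell=explorer.exe load.exe
drivers=mmsystem.dll
"""
WIN_INI = """[windows]
load=
run=
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section: {key: value}}, sections and keys lowercased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_startup_hooks(system_ini: str, win_ini: str) -> List[str]:
    """Report programs these legacy hooks would launch besides the shell itself."""
    findings: List[str] = []
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "explorer.exe")
    # Any token after the shell's own name that is not a switch is an extra program.
    for token in shell.split()[1:]:
        if not token.startswith("-") and not token.startswith("/"):
            findings.append(f"system.ini [boot] shell= also launches: {token}")
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("load", "run"):
        if windows.get(key):  # an empty load= or run= is the normal, clean state
            findings.append(f"win.ini [windows] {key}= launches: {windows[key]}")
    return findings


if __name__ == "__main__":
    for finding in check_startup_hooks(SYSTEM_INI, WIN_INI):
        print(finding)
```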

Registered · 1,836 Posts
Strange. In the systems I administer we use Unix on the servers and don't use Outlook for the email client. We just don't seem to ever be a target of these viruses. We definitely do use a virus scanner on the desktops though.


Karos - Try startup cop. It's an excellent utility to see and control what starts on your PC. You can disable and later remove unwanted startup programs. You can download it at Startup Cop

Registered · 387 Posts
Hmm, my version of Norton Antivirus certainly searches for .EML files as well as the rest of the suspicious file types. Not sure why yours wouldn't?


------------------

/Kimmo

Registered · 68 Posts
G'day guys. I am the NetAdmin for our company with about 200 PC users. I went through heartache in the early days when I discovered all my users are totally irresponsible and clueless when it comes to email attachments (when I say "all", I actually mean about 98%). I was forced to take matters into my own hands and so I did. Now every potentially dangerous filetype gets blocked, including all the viruses that were headed for my ignorant lot.

At the end of the day, it is irrelevant what email client you use because ultimately, they prey on the naive (spell-check) users double-clicking on an attachment! My lot don't understand the difference between "Kournikova.jpg" and "Kournikova.jpg.pif". If you have "hide known file-types" ticked in your Explorer options, you are basically asking to be infected.

Also note that most of the free novelty progs around the internet like "Comet Cursors", "Audiogalaxy" etc. are not viruses, they are worse! They are Spyware! And a lot of you are infected! Do a search on spyware in your favourite search engine and read all about it.

cheers.


------------------

Tertiary adjunct to Unimatrix Zero-One
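An added example, not from the poster above, of the attachment filter he describes: it works out which extension Windows actually honours, what Explorer would display with "hide extensions for known file types" on, and whether the file should be blocked. The extension lists and the attachment names are constructed for this example; .eml is included because this thread describes it as the file type that carried the worm.

```python
from typing import Dict, List, Tuple

# Extensions Windows runs as a program or script on double-click, plus .eml as the
# carrier format discussed in this thread. An assumed list, not an exhaustive one.
BLOCKED_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".eml"}
# Harmless-looking extensions typically used as the visible half of a double extension.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".txt", ".doc", ".pdf", ".htm", ".html"}

# Constructed sample attachment names, not taken from a real mailbox.
SAMPLE_ATTACHMENTS = ["Kournikova.jpg.pif", "Kournikova.jpg", "readme.txt", "setup.exe", "readme.eml"]


def classify_attachment(filename: str) -> Dict[str, object]:
    """Describe how Explorer would show a name and whether a filter should block it."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    exts = ["." + p for p in base.lower().split(".")[1:]]  # every extension, in order
    real = exts[-1] if exts else ""
    # With "hide extensions for known file types" on, only the part before the last
    # extension is displayed, so a.jpg.pif appears as a.jpg.
    shown = base[: len(base) - len(real)] if real else base
    return {
        "filename": base,
        "real_extension": real,
        "shown_as": shown,
        "double_extension": len(exts) >= 2 and exts[-2] in DECOY_EXTS and real in BLOCKED_EXTS,
        "block": real in BLOCKED_EXTS,
    }


def filter_attachments(names: List[str]) -> Tuple[List[str], List[str]]:
    """Split names into (allowed, blocked) the way a mail gateway filter would."""
    allowed: List[str] = []
    blocked: List[str] = []
    for name in names:
        (blocked if classify_attachment(name)["block"] else allowed).append(name)
    return allowed, blocked


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        info = classify_attachment(name)
        print(f'{name:20} shown as "{info["shown_as"]}"  block={info["block"]}  double={info["double_extension"]}')
```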