Free Republic
Worm and Virus Wars- the August Edition
various FR links & posts | 08-23-03 | The Heavy Equipment Guy

Posted on 08/23/2003 4:55:11 PM PDT by backhoe

 
http://www.freerepublic.com/focus/f-news/969301/posts
Beware of Hacker and Cracker Attacks!
Vanity ^ | 8/23/2002 | Myself
 
Go HERE and let ShieldsUp do a scan of your ports. It will determine if you are "in stealth mode" or vulnerable.


TOPICS: Extended News; News/Current Events
KEYWORDS: techindex; worm
To: All
http://www.freerepublic.com/focus/f-news/1067771/posts
Latest worm ( MyDoom ) has professional twist (Computer experts blame spammers)
AJC.com ^ | 1/28/04 | Bill Husted

Chronic W32.Swen Virus Attack - Anyone Else Getting It?
The Vanity Virus Times | 10/22/03 | Michael

51 posted on 01/30/2004 2:09:40 AM PST by backhoe (Virus authors should be flogged in public...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: All
http://www.freerepublic.com/focus/f-news/1068428/posts
New Backdoor Worm Randex hitting
http://www.sarc.com/avcenter/venc/data/w32.randex.fc.html#removalinstructions ^ | 1-30-04 | self
52 posted on 01/30/2004 10:55:08 AM PST by backhoe
[ Post Reply | Private Reply | To 1 | View Replies]

To: All

http://www.freerepublic.com/focus/f-news/1066136/posts
Latest e-mail worm spreading fast
Associated Press via Sun Media ^ | January 27, 2004 | Matthew Fordahl
53 posted on 01/31/2004 1:54:27 AM PST by backhoe (Just an old Keyboard Cowboy, ridin' the TrackBall into the Sunset...)
[ Post Reply | Private Reply | To 52 | View Replies]

To: All
http://www.freerepublic.com/focus/f-news/1090364/posts
Virus Writers Wage Worm War
PC World ^ | Wednesday, March 03, 2004 | Paul Roberts

http://www.freerepublic.com/focus/news/1090024/posts?page=7#7
Virus writers trade insults as e-mail users suffer Some 20 variants spreading ....
MSNBC ^ | Updated: 3:31 p.m. ET March 03, 2004 | Bob Sullivan - Technology correspondent

http://www.freerepublic.com/focus/f-news/1089894/posts
Virus Alert - E-mail account disabling warning
Symantec ^ | March 3, 2004 | Nick Danger

54 posted on 03/04/2004 12:00:22 AM PST by backhoe (Just an old Keyboard Cowboy, ridin' the TrackBall into the Sunset...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: All
To: Snowy; All
Has anyone else had problems with a mass emailing? My company yesterday had a bunch of emails (1000+ in 45 minutes, which is tons for us), bounce off our firewall. It was a level two virus, according to Symantec. Today, my husband's company had the same problem, but in a very short time, they had about 250,000 emails marked as spam hit their firewall. It can't be just us, can it?

This may not relate directly, but my normal spam/virus count is one or two a day- the last 2 days it has been dozens.

Some jackass keeps sending xxxjenniferthewildgirl.jpg.pif with virus attachments.

I will list below the most useful email I've gotten so far:


To recipients of emails with the subject line:  {Spam?} Re: {Spam?} RE: {Spam?} {Virus?} {Spam?} Check this out kid!!!

Okay, since all of you are sending ME stuff, I will send back to you some answers and cures.  So far I have received more than four dozen of your emails complaining about me and the others of you sending a virus.

Here is my analysis of what is happening and what you, each of you, can do about it.

First of all, do not send anything to cis-announce or cis-outgoing or any variation thereof.  Those might be their entire mailing list!  So let's not perpetuate this thing.  I am sending this email to all parties, including the firms named herein, and including an office in Homeland Security which is one of the senders to me!

It is possible that this particular virus is adding the word {Spam?} to its outgoing mail because I received from CIS their regular mailing with their regular subject line, but that word in brackets had been added at the beginning of the subject line.

Obviously, we are under attack from a virus, a Hungarian virus called Worm.Zafi.B.  Right now, this particular virus is the most "widespread email worm at the moment" and you can read the whole story which came out just about an hour ago: 
http://www.theage.com.au/articles/2004/06/15/1087244900422.html?oneclick=true. This is truly an international virus, as described here in the Virus Encyclopedia:  http://www.viruslist.com/eng/viruslist.html?id=1666973. Down toward the bottom you will find the text of the emails YOU got, along with the description of the attachment that was deleted (hopefully).  Note that I have received the original email with the attachment removed and replaced with text telling me what the virus is!  Here is that text:
This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "jennifer the wild girl xxx07.jpg.pif"
was believed to be infected by a virus and has been replaced by this warning
message.
If you wish to receive a copy of the *infected* attachment, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.
At Sat Jun 12 17:19:29 2004 the virus scanner said:
   ClamAV: jennifer the wild girl xxx07.jpg.pif contains Worm.Zafi.B
   MailScanner: Shortcuts to MS-Dos programs are very dangerous in email (jennifer the wild girl xxx07.jpg.pif)
Note to Help Desk: Look on the MailScanner in /var/spool/MailScanner/quarantine/20040612 (message i5CLDxhq003158).
--
Postmaster
Mailscanner thanks transtec Computers for their support
Someone's computer is infected, and typically a virus will get into one person's computer, look around for email addresses, then send itself out to a whole bunch of the addresses it finds.

You cannot tell who really has the infected computer because the virus "spoofs" the sender's name, making it look like it is coming from someone else, NOT the person whose computer is infected.  It will just pick at random one of those addresses that it found and use that as the "sender" and send itself to the other email addresses.  That is called "spoofing" which is quite commonly done by viruses.

An example:  Sharon's computer gets a virus which then sends itself to everyone in her address book but it looks like all those emails came from James!  Poor James doesn't even know this is happening until he starts getting those "bounced" emails saying that he is sending a virus.  He is innocent, does not have a virus, because all that is coming from Sharon's computer!  And Sharon has absolutely no clue that her computer is infected and doing all this.

Only by looking at the header of one of those spoofed emails very carefully can you get a hint of where it might be really coming from.  The following are two places where you can get a removal tool if you think you might be infected.

This is from http://vil.nai.com/vil/content/Print126242.htm
-- Update June 14th, 2004 03:01 PST --
The risk assessment of this threat has been raised to Medium due to increased prevalence.

If you think that you may be infected with this threat, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.  This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.
And this from http://www.f-secure.com/v-descs/zafi_b.shtml
F-Secure provides the special disinfection utility to eliminate Zafi.B worm infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.zip
Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-zafi.txt
I myself started getting these emails from "James Moore" on Saturday.  I have received several by now.  The header from one of the earlier ones is pasted below.  (It is NOT infected as it is a copy and paste rather than any kind of forwarding, which could perpetuate the virus.)

I have bolded some interesting lines.   The "return path" appears to be CIS.ORG.

A couple of other possibilities are these:  Numbers USA and The Social Contract are both clients of whetstonelogic.com, which appears in the header.  Note that wslogic.com is another name for whetstonelogic which specializes in "political intelligence tools".  Take a look at the header below.

You will see byromlaw.com which belongs to a law firm in Florida.  Did the emails originate there?  Or did they just go through their servers?  We don't know.  But in any case I am sending all of these organizations a copy of this email.  Any one or all of them might be infected and unknowingly sending out the virus to everyone else.

All of these organizations should check for viruses.  And so should you, the individuals that have received those emails from the "alleged" James Moore.

Here is the plan of action.  I am the webmaster for Terry Anderson and last fall I designed a page when we had another virus outbreak.  I called it "Got Virus?" and put up there the results of my research of what you can do to protect yourself and some free virus scans you can go to find out if you are infected.  Just finding those scan sites took a great deal of time, so all the work is already done -- all you have to do is run them on your own computers.  Everyone that receives this particular email should go to the following webpage and do your scans right away, and then at least once a week thereafter.  Bookmark the page and come back every week.  And update your Norton every day!  Including the special page that is updated more often than the "Live Update":  http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html. I just ran all four scans and my computer is clean.

Also, make sure you have Norton Anti-virus and Zone Alarm (a free firewall).  The links are on the "Got Virus?" page.  There again, the link for Zone Alarm was hard to find on their website, so I saved you all that time by putting it there.

To summarize, it is imperative that all of these check for viruses and make sure that

        1.      CIS.org
        2.      Numbers USA
        3.      The Social Contract
        4.      Byrom, Miller & Coleman
        5.      Everyone else receiving this email

                        should immediately:

        A.      Get anti-virus if you don't have it.
        B.      Get Zone Alarm if you don't have it.
        C.      Set your "Scheduled Tasks" to update every day,
                        both Live Update and
                        http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html.
        D.      Run all the scans on http://www.theterryandersonshow.com/Viruses.html
        E.      Run #D at least once a week.

These things need to be done immediately because this virus is proliferating rapidly!  While I wrote I received two dozen more of the spoofed emails!

Good luck!  If you have questions, please don't hesitate to contact me.  We are all in this together, regarding immigration as well as these virii.

Carol
webmaster4terry@dslextreme.com

10 posted on 06/15/2004 4:04:38 PM EDT by backhoe

55 posted on 06/15/2004 5:20:56 PM PDT by backhoe (Sleep tight, Ronnie... you reminded me of my Dad so much...)
[ Post Reply | Private Reply | To 1 | View Replies]
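Carol's two practical points above, that only the Received: headers (not the From: line) hint at which machine is really infected, and that a "photo.jpg.pif" attachment is an executable in disguise, as a small Python triage script. This is an added example, not code from the thread or from MailScanner; the message, hostnames, addresses and ids are constructed placeholders.

```python
import email
import email.utils
import os
import re
from email import policy
# Constructed sample (placeholder hosts, addresses and ids) modelled on the
# spoofed "James Moore" mails in the post: the From: is a harvested address,
# while the first hop is a DSL host whose path never mentions that domain.
RAW_MAIL = b"""Return-Path: <james.moore@lawfirm.example>
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
    by mailstore.recipient.example with ESMTP id AAAA0001; Sat, 12 Jun 2004 17:19:29 -0400
Received: from [203.0.113.45] (dsl-203-0-113-45.isp.example [203.0.113.45])
    by mx.recipient.example with SMTP id AAAA0002; Sat, 12 Jun 2004 17:19:20 -0400
From: "James Moore" <james.moore@lawfirm.example>
Subject: {Spam?} Check this out kid!!!
Content-Type: multipart/mixed; boundary="XXBOUNDARYXX"

--XXBOUNDARYXX
Content-Type: text/plain

See the attached picture.
--XXBOUNDARYXX
Content-Type: application/octet-stream; name="jennifer the wild girl xxx07.jpg.pif"
Content-Disposition: attachment; filename="jennifer the wild girl xxx07.jpg.pif"
Content-Transfer-Encoding: base64

TVo=
--XXBOUNDARYXX--
"""

EXECUTABLE_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXT = {".jpg", ".jpeg", ".gif", ".txt", ".doc", ".pdf"}
RECEIVED_RE = re.compile(r"\s*from\s+(\S+)(?:\s+\(([^)]*)\))?")

def received_hops(msg):
    """Sending hosts along the delivery path, oldest first. Every relay
    prepends its own Received: line, so the last one is the injecting host."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.match(str(value))
        if m:
            hops.append((m.group(1), m.group(2) or ""))
    hops.reverse()
    return hops

def from_domain(msg):
    _, addr = email.utils.parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()

def from_is_suspect(msg):
    """True when the From: domain occurs nowhere in the relay chain: the
    visible sender is then no evidence of whose machine is infected."""
    domain = from_domain(msg)
    return bool(domain) and not any(
        domain in host.lower() or domain in comment.lower()
        for host, comment in received_hops(msg))

def risky_attachments(msg):
    # (filename, has_decoy_extension) for attachments with an executable extension
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, ext = os.path.splitext(name)
        if ext in EXECUTABLE_EXT:
            found.append((name, os.path.splitext(stem)[1] in DECOY_EXT))
    return found

def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = received_hops(msg)
    return {"origin": hops[0][0] if hops else None,
            "from_domain": from_domain(msg),
            "from_suspect": from_is_suspect(msg),
            "attachments": risky_attachments(msg)}
```

On the sample the origin is the DSL host, not anything at lawfirm.example, which is exactly why bouncing complaints to the From: address reaches an innocent party.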

To: All
 More here:

 So, are you saying that the real fix is to install Linux and Mozilla? I would agree that this would be a much better solution to staying with microsoft windows.

That's where I'm headed... Firefox already on both home machines, and 3 MandrakeLinux CD's that I burned yesterday sit before me waiting to be installed.

I wasted days trying to get rid of a new hijacker and I'm tired of doing Microsoft's cleanups for them.

BTW, here's the best forum I found so far:

SWI Forums

56 posted on 06/30/2004 1:08:33 PM PDT by backhoe
[ Post Reply | Private Reply | To 55 | View Replies]

To: All
PestPatrol Shares Spyware Lessons ( Company will offer database of known... free.)
Here's the best "concise collection of links" I have found so far:

How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall

ComputerWeekly: Security Statistics show Surprising Finds
Microsoft Blames Hackers, Not Zero-Day Vulnerability, For Web Attack
Removing Spyware
Avoiding and preventing Virus infection
Getting Rid of/Blocking Spyware - Share Your Tips ( 1 2 )

-Educate yourself here:
MSN Spyware?
Opera is Spyware!?
NewsMax installs Spyware
Tenacious Spyware Problem (Vanity)
computer questions: ethernet, spyware, viruses
Programs: 'Spyware' Can Shatter Privacy, Trust
Dell Policy Forbids Spyware Removal Support
Drudge Site Ripe with Computer Slowing Spyware
Patriotism? No, just more pop-ups (Spyware alert!)
'Spyware' would be tricky to outlaw, group says
Spyware cures may cause more harm than good
Got to Drudge website: get hit with spyware
Message To Spyware: Get Off Our Private Property
'Pop-up' firm seeks to block spyware act
Spyware slowing computer - ad aware fixed it (not a commercial)
Heads Up! Someone is posting xupitor spyware link; Don't open it!
Antispyware vendors come under fire (spyware alert from American Cnet News)
Unlikely German Leads the War Against Spyware -- Spybot Search & Destroy Created by Anarchist
See you later, anti-Gators? (Gator forces sites NOT to call it spyware)
Tech?: Did I get spyware from Google or somewhere else that affects my Google results?

57 posted on 07/02/2004 11:07:47 AM PDT by backhoe
[ Post Reply | Private Reply | To 56 | View Replies]

To: All

This found a file everything else had missed:


Visit http://www.ducky.atribune.org and download About:Buster. Save it to your desktop.

Has to restart in Safe Mode & use Explorer to get rid of the file, which had already cloned itself.


58 posted on 07/02/2004 1:18:05 PM PDT by backhoe
[ Post Reply | Private Reply | To 1 | View Replies]

To: All
 Freepers how do I get rid of this spyware crap that is on my computer?

59 posted on 07/03/2004 11:11:35 AM PDT by backhoe
[ Post Reply | Private Reply | To 1 | View Replies]

To: backhoe

bump


60 posted on 07/03/2004 11:20:04 AM PDT by VOA
[ Post Reply | Private Reply | To 1 | View Replies]

To: backhoe

bump


61 posted on 07/03/2004 11:20:16 AM PDT by Captain Beyond (The Hammer of the gods! (Just a cool line from a Led Zep song))
[ Post Reply | Private Reply | To 1 | View Replies]

To: Captain Beyond; VOA

Thanks for the bumps- judging by all the traffic at the SWI forum, there's a really bad outbreak of this garbage.


62 posted on 07/03/2004 11:26:29 AM PDT by backhoe
[ Post Reply | Private Reply | To 61 | View Replies]

To: backhoe

My computer had a bad dose of spyware about 6 months ago...took a couple days
to clean it up.
Now I try to stay ahead of the curve about new threats.


63 posted on 07/03/2004 11:31:04 AM PDT by VOA
[ Post Reply | Private Reply | To 62 | View Replies]

To: VOA
Now I try to stay ahead of the curve about new threats.

What surprised me was that despite all the software installed, I also have a hardware firewall in the modem, and some crap got past that. Never had a problem since switching to DSL until the wife-unit started downloading a bunch of games for her !#$%^! pocket PC. This also started a minor tidal wave of spam... used to get one or two a week, now it's several a day. I could skin her, sometimes...

64 posted on 07/03/2004 11:37:46 AM PDT by backhoe
[ Post Reply | Private Reply | To 63 | View Replies]

To: backhoe
Anytime I can do something to make the ego-maniacal virus wussies to feel inadequate about themselves is an utmost priority. They can’t hack what they can’t see.
65 posted on 07/03/2004 11:48:42 AM PDT by Captain Beyond (The Hammer of the gods! (Just a cool line from a Led Zep song))
[ Post Reply | Private Reply | To 62 | View Replies]

To: backhoe
This also started a minor tidal wave of spam... used to get one or two a week, now it's several a day.

Speaking of which...
I listened to the KABC radio Computer/Technology Show today. One of the hosts
maintains computers at a biz for his day job. He says that he has set "SpySweeper" by
webroot.com to run during his lunch hours.
He says that most days it picks up at least 3-4 nasties that have been picked up in the
course of a normal workday.

"The price of freedom is eternal vigilance"...sounds rational, not extremist,
doesn't it!? Even when just talking computers.
66 posted on 07/03/2004 11:49:38 AM PDT by VOA
[ Post Reply | Private Reply | To 64 | View Replies]

To: VOA
"The price of freedom is eternal vigilance"...sounds rational, not extremist, doesn't it!? Even when just talking computers.

Indeed, and it brings to mind another saying about the need to water the roots of the Liberty Tree with a little blood from time to time... I think these clowns who write and propagate this trash should be publicly flogged in the town square... and then fined heavily for downtime.

67 posted on 07/03/2004 11:52:57 AM PDT by backhoe
[ Post Reply | Private Reply | To 66 | View Replies]

To: Captain Beyond
Anytime I can do something to make the ego-maniacal virus wussies to feel inadequate about themselves is an utmost priority. They can’t hack what they can’t see.

Good for you- this sort of stuff is so childish, quite aside from the actual damage it can cause.

68 posted on 07/03/2004 11:57:23 AM PDT by backhoe
[ Post Reply | Private Reply | To 65 | View Replies]

To: backhoe

I would add Spyware Blaster to the primary defense list. It blocks the installation of spyware. It even prevents your kids from seeing the come-ons.


69 posted on 07/03/2004 11:58:54 AM PDT by js1138 (In a minute there is time, for decisions and revisions which a minute will reverse. J Forbes Kerry)
[ Post Reply | Private Reply | To 1 | View Replies]

To: js1138
I would add Spyware Blaster to the primary defense list. It blocks the installation of spyware.

Absolutely- I have it on both home machines.

70 posted on 07/03/2004 12:01:16 PM PDT by backhoe (Just an old Keyboard Cowboy, ridin' the Trackball into the Sunset...)
[ Post Reply | Private Reply | To 69 | View Replies]

To: All
Download HijackThis and run the log past the guys at Spyware Info Forum. Some very sharp techies hang out there who know exactly how to purge your machine of the full array of spyware pests on the net.
109 posted on 07/03/2004 3:12:14 PM EDT by beckett

71 posted on 07/03/2004 12:19:47 PM PDT by backhoe (Just an old Keyboard Cowboy, ridin' the Trackball into the Sunset...)
[ Post Reply | Private Reply | To 70 | View Replies]

To: All
One other tip/trick:

Make a copy ( clone ) of your drive once it's clean- this is the fastest way to recover from disaster.

Get a spare drive ( new, used, eBay, wherever ) big enough to hold all your files, get installation software from the drivemaker's website, jumper the spare to slave, and copy the darn thing. Do it every so often, depending on how much your data changes. You'll be glad you did someday.

72 posted on 07/03/2004 5:14:26 PM PDT by backhoe (Just an old Keyboard Cowboy, ridin' the Trackball into the Sunset...)
[ Post Reply | Private Reply | To 71 | View Replies]

To: backhoe

Heavy equipment guy knows everything from backhoes to disk drives place marker


73 posted on 07/03/2004 5:16:23 PM PDT by cyborg
[ Post Reply | Private Reply | To 72 | View Replies]

To: cyborg

Hi, cyborg... just preparing to drop offline for the evening. I've always been a JOAT ( Jack of all trades ) and a few times even mastered some. But wife & dog are giving me reproachful looks, so I must vanish into the ether...


74 posted on 07/03/2004 5:28:16 PM PDT by backhoe (Just an old Keyboard Cowboy, ridin' the Trackball into the Sunset...)
[ Post Reply | Private Reply | To 73 | View Replies]

To: backhoe

LOL thank you for your awesome links


75 posted on 07/03/2004 5:29:06 PM PDT by cyborg
[ Post Reply | Private Reply | To 74 | View Replies]

To: cyborg; All
...and now I've "unvanished"-- !@%$! dog just got me up to go rat hunting... here's -more-

 
Microsoft Plugs IE; Warns All Browsers At Risk (Test Your Browser Here)

76 posted on 07/03/2004 11:01:24 PM PDT by backhoe (1990's? Decade of Frauds. 2000's? Decade of Lunatics...)
[ Post Reply | Private Reply | To 75 | View Replies]

To: All

There are new, nastier browser hijackers flooding the web- the best help is here, but be warned, you have to do most yourself and learn to use some new tools. The old anti-virus software does not work on this new series of bugs:
http://forums.spywareinfo.com/index.php?s=d3c1a671159df31c9420ae4d671f1cd2&showforum=18


77 posted on 07/05/2004 12:01:17 PM PDT by backhoe
[ Post Reply | Private Reply | To 1 | View Replies]

To: gitmo; backhoe
ShieldsUp said I failed the ping test.

Yea, me too. I'm running Zone Alarm Pro, and I know there are settings to be able to take care of this, but I've never looked into them.

I'll be back later to read. Thanks for the info!

78 posted on 07/05/2004 12:23:55 PM PDT by dbwz (CAN THE BAN!)
[ Post Reply | Private Reply | To 23 | View Replies]

To: dbwz

Thanks for looking- this new hijacker is a nasty customer. I wish they could catch the SOBs who write and propagate this garbage.


79 posted on 07/05/2004 12:32:19 PM PDT by backhoe
[ Post Reply | Private Reply | To 78 | View Replies]

To: All

Notepad infected? Look here:

You can download Notepad from here:
http://www.spywareinfo.com/~merijn/winfiles.html#notepad

Be aware that in Win2K NP has to be in 2 locations- root, and system32- to function.

This site also has other useful downloads and much info.


80 posted on 07/06/2004 2:34:54 AM PDT by backhoe
[ Post Reply | Private Reply | To 1 | View Replies]

To: backhoe

bump


81 posted on 07/06/2004 3:45:07 AM PDT by Chief_Joe (From where the sun now sits, I will fight on -FOREVER!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: backhoe

Bump !


82 posted on 07/09/2004 7:46:01 AM PDT by jokar (On line data base http://www.trackingthethreat.com/db/index.htm)
[ Post Reply | Private Reply | To 59 | View Replies]

To: backhoe

Bump !!


83 posted on 07/09/2004 7:50:09 AM PDT by jokar (On line data base http://www.trackingthethreat.com/db/index.htm)
[ Post Reply | Private Reply | To 77 | View Replies]

To: jokar
More-

Hijacked! New Browser Exploits Plague Web

84 posted on 07/09/2004 8:16:13 AM PDT by backhoe (-30-)
[ Post Reply | Private Reply | To 83 | View Replies]

