• Introducing Dark Mode! Switch by clicking on the lightbulb icon next to Search or by clicking on Default style at the bottom left of the page!

virus alert

CHo

VIP Member
It's Sunday morning.

I read Christina's email regarding improving performance on AS/400. Naturally, I replied back to her and jdelist. Someone email me an attachment. Being early Sunday morning, I was not fully awake yet. If I had been, then I would have noticed the name of the attachment (it had the word naked in it.). I clicked on the attachment. BANG! Virus scan software went to work. I don't know if the PC is okay eventhough I ran virus scan on all files on my local hard drives. The virus scan came up with nothing.

We are on Novell Groupwise email software. It should not prograte to my address book. (hopefully not)



C Ho
Intermediate Programmer/Analyst
Xe SP 15.1 AS/400 V4R3 coexistant
CO on SQL 7.0
 

CHo

VIP Member
The email address of the person is umesh@jbcpl.com. He sent another virus email to me, but this time I deleted it.

C Ho
Intermediate Programmer/Analyst
Xe SP 15.1 AS/400 V4R3 coexistant
CO on SQL 7.0
 

Zoltan_Gyimesi

Legendary Poster
Hi Chaterine,

Thanks for the alert!
Unfortunately it was a bit late and I have also openned the attachment and our AntiVirus software started to work and quarantined.
I switched-off my computer in the moment when I detected the message of our AntiVirus software. I hope, I haven't got the infection.

Description of the infected mails:
==================================
1.) All was a reply on my posts sent to the List(s), addressed me privately (not to the JDEList address).
2.) They begin with:
'Zoltan_Gyimesi' wrote:
====
followed with some lines (approx. 9-10) of my original post
and end with:
> Take a look to the attachment.
3.) All contained an attachment with a DIFFERENT name but the size of all is 17 KB.
4.) The names of the attachment that I have received were:
news_doc.scr
hamster.ZIP.scr
New_Napster_Site.DOC.scr
hamster.ZIP.scr
4.) The sender was always:
Umesh Pujari [umesh@jbcpl.com]
5.) I have received all of them on Sunday at 7:02 AM in our local time (FYI: we are in the GMT+1 time zone)

TAKE CARE OF IT & BE CAREFUL

Zoltán


B7332 SP11, ESU 4116422, Intel NT4, SQL 7 SP1
(working with B7321, B7331, XE too)
 

CHo

VIP Member
The attachment that I received today was readme.txt.pif. I've received a different attachment yesterday.

All of the attachments that Zoltan and I have received are W32/Badtrans@MM which is a MEDIUM RISK mass mailing worm that drops a remote access Trojan. For more information on the virus and how to clean it go to www.mcafee.com.

I seem to be okay because I deleted one of the files, INETD.EXE, when the virus alert came on which the trojan needs.

Zoltan, hopefully you don't have any credit card and bank account information stored on the PC. :)

Hi Chaterine,

Thanks for the alert!
Unfortunately it was a bit late and I have also openned the attachment and our AntiVirus software started to work and quarantined.
I switched-off my computer in the moment when I detected the message of our AntiVirus software. I hope, I haven't got the infection.

Description of the infected mails:
==================================
1.) All was a reply on my posts sent to the List(s), addressed me privately (not to the JDEList address).
2.) They begin with:
'Zoltan_Gyimesi' wrote:
====
followed with some lines (approx. 9-10) of my original post
and end with:
> Take a look to the attachment.
3.) All contained an attachment with a DIFFERENT name but the size of all is 17 KB.
4.) The names of the attachment that I have received were:
news_doc.scr
hamster.ZIP.scr
New_Napster_Site.DOC.scr
hamster.ZIP.scr
4.) The sender was always:
Umesh Pujari [umesh@jbcpl.com]
5.) I have received all of them on Sunday at 7:02 AM in our local time (FYI: we are in the GMT+1 time zone)

TAKE CARE OF IT & BE CAREFUL

Zoltßn


B7332 SP11, ESU 4116422, Intel NT4, SQL 7 SP1
(working with B7321, B7331, XE too)
--------------------------
Visit the forum to view this thread at:
http://198.144.193.139/cgi-bin/wwwthreads/showflat.pl?Cat=&Board=OW&Number=13505


C Ho
Intermediate Programmer/Analyst
Xe SP 15.1 AS/400 V4R3 coexistant
CO on SQL 7.0
 

scottw

Well Known Member
there are other files as well, kern32.exe, hksdll.dll. These files need to
be deleted from the command prompt, if Win2000 go to safe mode, command
prompt cd\C:\WINNT\System32\ dir on kern* and hk*, and delete the two files.

Scott B. Whipple
LDSI
Technical Consultant
5300 DTC Parkway Blvd. Suite 430
Englewood, CO. 8011
303-740-5500 Work
303-884-1405 Cell
 

CHo

VIP Member
Re: RE: virus alert

The virus also creates entries in the registry that is not mentioned on McAfee's web site. Search on the file names.

I was hit by this as well. We also had to correct the WIN.INI file on my
PC. The second line should have read RUN= , but it was followed by
something involving the INETD file. We changed the line back to RUN= ,
as well as removing all of the files mentioned.

Teri Greene


there are other files as well, kern32.exe, hksdll.dll. These files
need to
be deleted from the command prompt, if Win2000 go to safe mode,
command
prompt cd\C:\WINNT\System32\ dir on kern* and hk*, and delete the two
files.

Scott B. Whipple
LDSI
Technical Consultant
5300 DTC Parkway Blvd. Suite 430
Englewood, CO. 8011
303-740-5500 Work
303-884-1405 Cell




--------------------------


C Ho
Intermediate Programmer/Analyst
Xe SP 15.1 AS/400 V4R3 coexistant
CO on SQL 7.0
 
Top