ronwil Posted February 1, 2004

By the way, I have removed my website details from my profile as it contains my e-mail address. This last week I have been assailed by the current virus and on more than one occasion it has come through alongside apparent visitors to this forum in the USA. One such was from South Carolina, with a reliable looking website, purporting to contain a screensaver. I had to delete it because Norton located the virus in the other mail. Better safe than sorry. Since then, last Wednesday, there have been others which have been blocked. I have removed my e-mail address book from Outlook Express for the time being. There is some useful information on MSN UK Homepage-Microsoft Internet Explorer.

Ron [UK]

Michel Posted February 1, 2004

And me also, I receive, in a day (and every day for a month now), 30 emails with "spam"! I'm going to delete my current email address and burn a new address.

d67 Posted February 1, 2004

Same for me. About 30 spam e-mails a day for a week now!

Patrick, Strasbourg, France

Igor Posted February 1, 2004

Our public address support@wnsoft.com received 1500 emails with the Sobig virus every day during the past August.

Michel,

These are emails from users who have written to you at some point and are now infected by the MyDoom/Novarg virus. If you start a new email box, you will give your new address to everyone again, and in the next epidemic you will receive viruses again.

It is probably better to have patience during this period. Changing an email address is inevitable when the email box receives a lot of spam (but we can't replace support@wnsoft.com, which receives 100-200 spam emails every day).

Ken Cox Posted February 1, 2004

The following is a quote from Trend Micro weekly newsletter

ken

2. Gloom and Doom - WORM_MYDOOM.A (Medium Risk)

WORM_MYDOOM.A is a mass-mailing worm that is currently circulating in-the-wild, and affects computers running Windows 95, 98, ME, NT, 2000, and XP. This worm selects from a pre-determined list of email subjects, message bodies, and attachment file names that it uses for the email messages it sends. It spoofs the sender name of its messages, so that the messages appear to have been sent by different users instead of the actual users of infected machines. WORM_MYDOOM.A also propagates through the Kazaa peer-to-peer file-sharing network.

WORM_MYDOOM.A performs a denial of service (DoS) attack against the Web site www.sco.com. It attacks the site if the infected computer system date is February 1, 2004 or later. It ceases attacking the site and running most of its routines on February 12, 2004. It also runs a backdoor component, which it drops as the file SHIMGAPI.DLL. This backdoor component allows remote users to access and manipulate infected systems. Note that it allows remote access even after February 12, 2004.

Upon execution, this worm drops two files:

- SHIMGAPI.DLL - a backdoor DLL component of this worm
- TASKMON.EXE - a copy of this worm (Note: A legitimate Windows utility with the same file name can be found in the Windows folder on some systems)

It also adds a registry entry that allows it to automatically execute at every Windows startup. If the registry entry already exists, the worm overwrites the entry. It also adds a registry entry that allows its backdoor DLL file component to automatically execute at startup. This registry entry injects SHIMGAPI.DLL into EXPLORER.EXE during startup.

This worm uses Simple Mail Transfer Protocol (SMTP) to send email and to propagate.
It gathers recipient email addresses using the following three methods:

- the Windows Address Book
- by searching for email addresses and domain names from files with specific file extensions, located in the Temporary Internet Files folder (please read the Technical Details section of the virus description for more detailed information on the specific file extensions)
- by constructing additional email addresses by prepending specific strings from obtained domain names (please read the Technical Details section of the virus description for more detailed information on the specific strings)

It sends email with the following details:

From: (any of the following)
- Spoofed email address taken from list of harvested and generated addresses
- Random characters
- Blank

Subject: (any of the following)
- <blank>
- <random characters>
- Error
- Status
- Server Report
- Mail Transaction Failed
- Mail Delivery System
- hello
- hi
- test

Message Body: (any of the following)
- <blank>
- <garbage data>
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
- test

Attachment: (The attachment may arrive as a .ZIP file. If it does not, then the attachment name is taken from any of several specific combinations of filenames and extension names. Please read the Technical Details section of the virus description for more detailed information on the specific filenames and extensions.)

This worm also has the capability to spread via Kazaa, a peer-to-peer file sharing application, by dropping a copy of itself in the Kazaa shared folder.

In addition, the worm performs a Denial of Service (DoS) attack on the Web site www.sco.com. The DoS attack is triggered if the system date is greater than, or equal to, February 1, 2004. During the DoS attack, the worm creates 63 threads that continuously request the main page of www.sco.com.
The DoS attack continues until February 12, 2004. On this date, the worm stops most of its routines, except for its backdoor functionalities. This backdoor component, which is dropped as the file SHIMGAPI.DLL, allows remote users to manipulate infected machines into downloading and executing arbitrary files.

If you would like to scan your computer for WORM_MYDOOM.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_MYDOOM.A is detected and cleaned by Trend Micro pattern file #745 and above.
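
An added example, not part of Ken Cox's post or the Trend Micro newsletter: a mail triage check built from the fixed Subject and Message Body values quoted above, flagging a message only when subject, body and an attachment all match. The function names, sample addresses and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Fixed subjects and bodies listed in the quoted description. Random-character
# subjects and garbage-data bodies are not covered by this exact-match check.
SUBJECTS = {"", "error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi", "test"}
BODIES = {"", "test",
          "the message contains unicode characters and has been sent as a binary attachment.",
          "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
          "mail transaction failed. partial message is available."}

def triage(raw: bytes) -> dict:
    """Report which traits of the described worm mail a raw message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = " ".join((msg["Subject"] or "").lower().split())
    part = msg.get_body(preferencelist=("plain",))
    body = " ".join(part.get_content().lower().split()) if part else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    reasons = []
    if subject in SUBJECTS:
        reasons.append("subject")
    if body in BODIES:
        reasons.append("body")
    if names:
        reasons.append("attachment")
    # Subjects such as "hi" are common in ordinary mail, so require all three.
    return {"suspicious": len(reasons) == 3, "reasons": reasons, "attachments": names}

def sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Build a constructed test message (not a captured worm mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return bytes(m)

WORM_LIKE = sample("Mail Transaction Failed",
                   "Mail transaction failed. Partial message is available.", "sample.zip")
GREETING = sample("hi", "See you at the club meeting on Friday.")
ORDINARY = sample("Slideshow feedback", "The new template works well.", "notes.txt")

if __name__ == "__main__":
    for name, raw in (("worm-like", WORM_LIKE), ("greeting", GREETING), ("ordinary", ORDINARY)):
        print(name, triage(raw))
```

Because the From address is spoofed, the check deliberately ignores the sender and relies only on the message traits.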

Guest guru Posted February 1, 2004

Hi all!

I wish to add that there is a free and fast McAfee stand-alone utility which is able to detect and remove Mydoom and all its known variants. You can download it ("Stinger.exe", 723,463 bytes) from http://vil.nai.com/vil/stinger/

Another interesting tool: if you have your e-mail address on a website, you can hide it from spam robots, spiders and hunters by a simple Java encryption software (Hixus.com, $9.95, €8,57).

ronwil Posted February 4, 2004

The latest thing I am getting on this is advice that certain of my e-mails have been blocked because they contained the virus. The point however is that I did not send the e-mails and I do not know the addressees. I have discarded the advice messages like a hot potato, just in case they too are not genuine.

Ron [UK]

Ken Cox Posted February 4, 2004

see
http://www.microsoft.com/security/antiviru...m.asp#howtotell
How to Tell If a Computer Is Infected with Mydoom.A or Mydoom.B

ken

ronwil Posted February 4, 2004

Ken

I have been using these checks since Microsoft added their advice on MSN last week and I have received a clean bill of health.

Ron [UK]

LumenLux Posted February 4, 2004

I have noticed that during the last 2 or 3 days, the messages in this forum take longer to load and appear. Does anyone know if this is the result of web traffic due to the virus, or could it be that the new server Igor switched to is being troubled? I have not observed such a slowdown on other sites.

Guest guru Posted February 4, 2004

Dear Ron, I'm sure all of us believe you are perfectly "clean".

But I wish to repeat (to all) the advice I gave some days ago, because I think it can be very useful for most PTE forum members, about the little Hixus Javascript: if you have your e-mail address on a website, you can hide it from spam robots, spiders and hunters by a simple Java encryption software (Hixus.com, $9.95, €8,57)