At 01:31 PM 05/20/2001 -0400, you wrote:

> I was fooled by this posting but after reading what has probably happened, I
> don't blame Lynn. I get posts with attachments all the time which I delete
> without reading but because this was piano related and not from the Pianotech
> List, I opened them. Whatever was in the attachments could not be read. The
> error message said that they were "corrupt files". They were sent to the
> Download folder in my AOL file.
>
> The text in both messages was also what others have reported: long ago posts
> which prompted me to "see the attachment". Then, I read Kevin Ramsey's
> warning. I quickly went to that folder and deleted those files. I also ran
> a thorough scan of my hard drive for errors and found that I had none. After
> shutting down today, I will run the defragmenter.
>
> Does anyone have any other suggestions about how to look for any damage that
> may have been done? So far, I have seen no adverse effects. The only
> address in my address book that would concern List members is the "Pianotech"
> address itself. But I have other important names in that book too such as
> University professors because I am an active voice student at the University
> of Wisconsin. I sure wouldn't want them to get something from my account
> that would mess up their computers. So far, my "Sent Mail" list only shows
> mail I have deliberately and purposefully sent.
>
> Bill Bremmer RPT
> Madison, Wisconsin

Bill,

You may be in trouble. EVERYBODY go to:

http://vil.nai.com/vil/virusChar.asp?virus_k=99069

and read:

This mass mailing worm attempts to send itself using Microsoft Outlook by replying to unread email messages. It also drops a remote access trojan (detected as Backdoor-NK.svr with the 4134 DATs; detected heuristically as New Backdoor prior to the 4134 DAT release).

When run, the worm displays a message box entitled "Install error" which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a backdoor trojan) and HKSDLL.DLL (a keylogger DLL) are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the trojan upon system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe

Note: Under WinNT/2K, an additional registry key value is entered instead of a WIN.INI entry:

HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE

Once running, the trojan attempts to mail the victim's IP address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames and passwords. In addition, the trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.

The next time Windows is loaded, the worm attempts to email itself by replying to unread messages in Microsoft Outlook folders. The worm will be attached to these messages using one of the following filenames (note that some of these filenames are also associated with other threats, such as W95/MTX.gen@M):

As you can see, the error messages you saw are part of the trojan installation. Check the Windows directory for INETD.EXE. A diskscan for errors and a defrag won't disinfect the system. You need a good antivirus system, and fast.

Ron N
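The write-up Ron quotes names a specific set of persistence artifacts: INETD.EXE started from WIN.INI on Win9x or from the HKEY_USERS ...\Windows\RUN value on NT/2K, KERN32.EXE loaded by the RunOnce\kernel32 value, and HKSDLL.DLL in the System directory. The script below is an added example (not the list's code and not McAfee's) that checks text copies of those artifacts for exactly the indicators named above. It assumes a WIN.INI body, a registry export in the usual .reg text format, and plain directory listings as input; the samples embedded in it are constructed for illustration, and the SID in the HKEY_USERS path is a placeholder since the write-up omits it.

```python
"""
Offline check for the persistence artifacts named in the McAfee write-up
quoted above. Added example, not the list's or McAfee's code. Inputs are
constructed text (a WIN.INI body, a .reg-style registry export, directory
listings) so it runs anywhere without touching a live registry.
"""
import re

# File names the write-up says the worm drops; Windows names are
# case-insensitive, so matching is done on the upper-cased name.
DROPPED_FILES = {"INETD.EXE", "KERN32.EXE", "HKSDLL.DLL"}


def check_win_ini(win_ini_text):
    """Return run=/load= lines in [windows] that reference INETD.EXE.

    The write-up only says 'an entry'; checking both run= and load= (the two
    [windows] keys that autostart programs) is an assumption of this example.
    """
    hits, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        key, _, value = line.partition("=")
        if section == "windows" and key.strip().lower() in ("run", "load") \
                and "inetd.exe" in value.lower():
            hits.append(line)
    return hits


def check_reg_export(reg_text):
    """Scan .reg export text for the two registry values the write-up names.

    Keys are matched by suffix so the HKEY_USERS value is found under whatever
    SID it sits in. Returns (key, value name, data) tuples.
    """
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"?([^"=]+)"?=(.*)$', line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2).strip().strip('"')
        k = key.lower()
        if k.endswith(r"\currentversion\runonce") and name.lower() == "kernel32" \
                and "kern32.exe" in data.lower():
            hits.append((key, name, data))
        if k.endswith(r"\windows nt\currentversion\windows") and name.lower() == "run" \
                and "inetd.exe" in data.lower():
            hits.append((key, name, data))
    return hits


def check_listing(names):
    """Names from a WINDOWS or WINDOWS\\SYSTEM listing that match dropped files."""
    return sorted(n for n in names if n.upper() in DROPPED_FILES)


def scan(win_ini_text, reg_text, listing):
    """Run all three checks; 'infected' is True if any indicator is present.

    A clean result only means these artifacts are absent; it is not proof the
    machine is clean, and removal still needs an antivirus product.
    """
    findings = {
        "win_ini": check_win_ini(win_ini_text),
        "registry": check_reg_export(reg_text),
        "files": check_listing(listing),
    }
    findings["infected"] = any(findings[k] for k in ("win_ini", "registry", "files"))
    return findings


# --- constructed samples (not captured from a real machine) ---
INFECTED_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\INETD.EXE
[Desktop]
Wallpaper=(None)
"""

CLEAN_WIN_INI = r"""[windows]
load=
run=
"""

# SID is a placeholder; .reg files double backslashes inside string data.
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"kernel32"="kern32.exe"

[HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"RUN"="C:\\WINNT\\INETD.EXE"
"""

INFECTED_LISTING = ["notepad.exe", "inetd.exe", "win.ini", "KERN32.EXE", "hksdll.dll"]

if __name__ == "__main__":
    print("infected:", scan(INFECTED_WIN_INI, INFECTED_REG, INFECTED_LISTING))
    print("clean:", scan(CLEAN_WIN_INI, "", ["notepad.exe"]))
```

To use it on a real machine, feed it the actual WIN.INI text, an export of the two registry keys, and listings of the WINDOWS and WINDOWS\SYSTEM directories. The write-up itself notes that some of these file names are shared with other threats, so a hit identifies an artifact to hand to the antivirus product rather than a confirmed variant, and a miss does not clear the machine.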
This PTG archive page provided courtesy of Moy Piano Service, LLC