At 01:31 PM 05/20/2001 -0400, you wrote:
>
> I was fooled by this posting but after reading what has probably happened, I
> don't blame Lynn. I get posts with attachments all the time which I delete
> without reading but because this was piano related and not from the Pianotech
> List, I opened them. Whatever was in the attachments could not be read. The
> error message said that they were "corrupt files". They were sent to the
> Download folder in my AOL file.
>
> The text in both messages was also what others have reported: long ago posts
> which prompted me to "see the attachment". Then, I read Kevin Ramsey's
> warning. I quickly went to that folder and deleted those files. I also ran
> a thorough scan of my hard drive for errors and found that I had none. After
> shutting down today, I will run the defragmenter.
>
> Does anyone have any other suggestions about how to look for any damage that
> may have been done? So far, I have seen no adverse effects. The only
> address in my address book that would concern List members is the "Pianotech"
> address itself. But I have other important names in that book too such as
> University professors because I am an active voice student at the University
> of Wisconsin. I sure wouldn't want them to get something from my account
> that would mess up their computers. So far, my "Sent Mail" list only shows
> mail I have deliberately and purposefully sent.
>
> Bill Bremmer RPT
> Madison, Wisconsin
Bill,
You may be in trouble. EVERYBODY go to:
http://vil.nai.com/vil/virusChar.asp?virus_k=99069
and read:
This mass mailing worm attempts to send itself using Microsoft Outlook by replying to unread email messages. It also drops a remote access trojan (detected as Backdoor-NK.svr with the 4134 DATs; detected heuristically as New Backdoor prior to the 4134 DAT release).

When run, the worm displays a message box entitled, "Install error" which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a backdoor trojan), and HKSDLL.DLL (a keylogger DLL) are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the trojan upon system startup.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe

Note: Under WinNT/2K, an additional registry key value is entered instead of a WIN.INI entry:

HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE

Once running, the trojan attempts to mail the victim's IP Address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames, and passwords. In addition, the trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.

The next time Windows is loaded, the worm attempts to email itself by replying to unread messages in Microsoft Outlook folders. The worm will be attached to these messages using one of the following filenames (note that some of these filenames are also associated with other threats, such as W95/MTX.gen@M):
As you can see, the error messages you saw are part of the trojan installation.
Check the Windows directory for INETD.EXE. A diskscan for errors and a defrag
won't disinfect the system. You need a good antivirus system, and fast.
Ron N
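The persistence artifacts the advisory lists (the WIN.INI run entry, the RunOnce value, the WinNT/2K "run" value, and the dropped INETD.EXE, KERN32.EXE and HKSDLL.DLL) can be checked against copies of those files taken from a suspect machine. The following is an added Python example, not code from the mailing list or from McAfee; it scans a WIN.INI text, a regedit export, and a Windows directory listing for exactly those indicators. The sample inputs are constructed, the HKEY_USERS SID is a placeholder, and matching the NT key by path suffix is an assumption made here because the advisory abbreviates that path.

```python
"""Offline triage for the Backdoor-NK persistence artifacts quoted above.

Added example (not McAfee's or the list's code). It inspects copies of
WIN.INI, a regedit export (.reg) and a directory listing rather than the
live system, so it can be run from a clean machine against files copied
off the suspect one.
"""
from typing import Dict, List

# File names the advisory says the worm drops (lower-cased for matching).
DROPPED_FILES = {"inetd.exe", "kern32.exe", "hksdll.dll"}

# Registry locations from the advisory. HKEY_USERS entries live under a
# per-user SID that the advisory omits, so that key is matched by suffix
# (an assumption made for this example).
RUNONCE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
NT_RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows NT\CurrentVersion\Windows"


def _mentions_dropped_file(value: str) -> bool:
    value = value.lower()
    return any(name in value for name in DROPPED_FILES)


def check_win_ini(text: str) -> List[str]:
    """Return load=/run= lines in the [windows] section that reference a dropped file."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in ("run", "load") and _mentions_dropped_file(value):
            findings.append(f"win.ini [windows] {line}")
    return findings


def check_reg_export(text: str) -> List[str]:
    """Scan a .reg export for the RunOnce and WinNT/2K 'run' values from the advisory."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"').lower()
        if key.lower() == RUNONCE_KEY.lower() and name == "kernel32" and "kern32.exe" in value.lower():
            findings.append(f"{key}\\{name} = {value}")
        elif key.lower().endswith(NT_RUN_KEY_SUFFIX.lower()) and name == "run" and "inetd.exe" in value.lower():
            findings.append(f"{key}\\{name} = {value}")
    return findings


def check_listing(names: List[str]) -> List[str]:
    """Return directory entries whose name matches a dropped file (case-insensitive)."""
    return sorted(n for n in names if n.lower() in DROPPED_FILES)


def triage(win_ini: str, reg_export: str, listing: List[str]) -> Dict[str, List[str]]:
    """Run all three checks and group the findings by artifact."""
    return {
        "win_ini": check_win_ini(win_ini),
        "registry": check_reg_export(reg_export),
        "files": check_listing(listing),
    }


# Constructed sample inputs modelled on the advisory; not captured from a real host.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\INETD.EXE\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\n"
    '"kernel32"="kern32.exe"\n\n'
    "[HKEY_USERS\\S-1-5-21-PLACEHOLDER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows]\n"
    '"run"="%WinDir%\\\\INETD.EXE"\n'
)
SAMPLE_LISTING = ["NOTEPAD.EXE", "WIN.INI", "INETD.EXE", "explorer.exe"]
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n"

if __name__ == "__main__":
    for area, hits in triage(SAMPLE_WIN_INI, SAMPLE_REG, SAMPLE_LISTING).items():
        print(area, hits or "clean")
```

A hit in any of the three areas means the machine should be treated as infected and cleaned with a current antivirus product, as Ron says; an empty result only means these particular artifacts were not found in the copies examined, not that the system is clean.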
This PTG archive page provided courtesy of Moy Piano Service, LLC