I got this from the antivirus site Ron N mentions below. Good tip!!

"A copy is saved into the WINDOWS directory as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE at startup."

So what I did was look at WIN.INI and found a command right at the beginning that said "Load INETD.EXE". I changed the name to INETD.OXE. This may have caused the virus not to load. To get rid of it from my HD I have to boot up in DOS. I will try that tomorrow.

I know I am affected with this virus, and if posts to this list from me contain an attachment, DO NOT OPEN or DO NOT CLICK ON THE ATTACHMENT.

---ric

----- Original Message -----
From: Ron Nossaman <RNossaman@KSCABLE.com>
To: <pianotech@ptg.org>
Sent: Sunday, May 20, 2001 6:01 PM
Subject: Re: Lynn Rosenberg Virus Mailing

| You may be in trouble. EVERYBODY go to:
| http://vil.nai.com/vil/virusChar.asp?virus_k=99069
| and read:
|
| This mass mailing worm attempts to send itself using Microsoft Outlook by replying to unread email messages. It also drops a remote access trojan (detected as Backdoor-NK.svr with the 4134 DATs; detected heuristically as New Backdoor prior to the 4134 DAT release).
|
| When run, the worm displays a message box entitled, "Install error" which reads, "File data corrupt: probably due to a bad data transmission or bad disk access." A copy is saved into the WINDOWS directory as INETD.EXE and an entry is entered into the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a backdoor trojan), and HKSDLL.DLL (a keylogger DLL) are written to the WINDOWS SYSTEM directory, and a registry entry is created to load the trojan upon system startup.
|
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
| RunOnce\kernel32=kern32.exe
|
| Note: Under WinNT/2K, an additional registry key value is entered instead of a WIN.INI entry:
|
| HKEY_USERS\Software\Microsoft\Windows NT\
| CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE
|
| Once running, the trojan attempts to mail the victim's IP Address to the author. Once this information is obtained, the author can connect to the infected system via the Internet and steal personal information such as usernames, and passwords. In addition, the trojan also contains a keylogger program which is capable of capturing other vital information such as credit card and bank account numbers and passwords.
|
| The next time Windows is loaded, the worm attempts to email itself by replying to unread messages in Microsoft Outlook folders. The worm will be attached to these messages using one of the following filenames (note that some of these filenames are also associated with other threats, such as W95/MTX.gen@M):
|
|
| As you can see, the error messages you saw are part of the trojan installation.
| Check the Windows directory for INETD.EXE. A diskscan for errors and a defrag
| won't disinfect the system. You need a good antivirus system, and fast.
|
| Ron N
|
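The startup entry and dropped files named in the quoted advisory can be checked mechanically. The following Python sketch is an added example, not part of either message or of the advisory: it parses WIN.INI text for load=/run= entries in the [windows] section and matches directory listings against the three file names above. The function names and the sample WIN.INI are constructed, and it assumes startup programs are listed without spaces in their paths.

```python
import ntpath

# File names taken from the advisory quoted above.
WORM_STARTUP = {"inetd.exe"}                   # worm copy in the WINDOWS directory
DROPPED_SYSTEM = {"kern32.exe", "hksdll.dll"}  # backdoor and keylogger DLL

def startup_entries(win_ini_text):
    """Yield (key, program) for each load=/run= program in the [windows] section."""
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() in ("load", "run"):
                # several programs may be listed, separated by spaces or commas
                for prog in value.replace(",", " ").split():
                    yield key.strip().lower(), prog

def check_host(win_ini_text, windows_files, system_files):
    """Return findings for the WIN.INI entry and the files the advisory names."""
    findings = []
    for key, prog in startup_entries(win_ini_text):
        if ntpath.basename(prog).lower() in WORM_STARTUP:
            findings.append(f"WIN.INI {key}= starts {prog}")
    for name in windows_files:
        if name.lower() in WORM_STARTUP:
            findings.append(f"WINDOWS directory contains {name}")
    for name in system_files:
        if name.lower() in DROPPED_SYSTEM:
            findings.append(f"WINDOWS SYSTEM directory contains {name}")
    return findings

# Constructed sample input, not taken from a real machine.
SAMPLE_INI = """; constructed sample
[windows]
load=C:\\WINDOWS\\INETD.EXE
run=
NullPort=None

[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for finding in check_host(SAMPLE_INI, ["INETD.EXE"], ["KERN32.EXE", "HKSDLL.DLL"]):
        print(finding)
```

Editing the WIN.INI entry alone clears only the first finding; the file findings remain until the files themselves are removed.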
This PTG archive page provided courtesy of Moy Piano Service, LLC