Lynn Rosenberg Virus Mailing

Richard Moody remoody@midstatesd.net
Mon, 21 May 2001 01:18:43 -0500


I got this from the antivirus site Ron N mentions below.  Good tip.

"A copy is saved into the WINDOWS directory as INETD.EXE and an entry
is entered into the WIN.INI file to run INETD.EXE at startup. "

So what I did was look at WIN.INI and found a command right at the
beginning that said "Load INETD.EXE".  I changed the name to
INETD.OXE.  This may have caused the virus not to load.  To get rid
of it from my HD I have to boot up in DOS.  I will try that tomorrow.
I know I am infected with this virus and if posts to this list from me
contain an attachment, DO NOT OPEN or DO NOT CLICK ON THE
ATTACHMENT.    ---ric

----- Original Message -----
From: Ron Nossaman <RNossaman@KSCABLE.com>
To: <pianotech@ptg.org>
Sent: Sunday, May 20, 2001 6:01 PM
Subject: Re: Lynn Rosenberg Virus Mailing


| You may be in trouble. EVERYBODY go to:
| http://vil.nai.com/vil/virusChar.asp?virus_k=99069
| and read:
|
| This mass mailing worm attempts to send itself using Microsoft
| Outlook by replying to unread email messages. It also drops a
| remote access trojan (detected as Backdoor-NK.svr with the 4134
| DATs; detected heuristically as New Backdoor prior to the 4134 DAT
| release).
|
| When run, the worm displays a message box entitled, "Install error"
| which reads, "File data corrupt: probably due to a bad data
| transmission or bad disk access." A copy is saved into the WINDOWS
| directory as INETD.EXE and an entry is entered into the WIN.INI file
| to run INETD.EXE at startup. KERN32.EXE (a backdoor trojan), and
| HKSDLL.DLL (a keylogger DLL) are written to the WINDOWS SYSTEM
| directory, and a registry entry is created to load the trojan upon
| system startup.
|
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32.exe
|
| Note: Under WinNT/2K, an additional registry key value is entered
| instead of a WIN.INI entry:
|
| HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE
|
| Once running, the trojan attempts to mail the victim's IP Address to
| the author. Once this information is obtained, the author can connect
| to the infected system via the Internet and steal personal information
| such as usernames, and passwords. In addition, the trojan also
| contains a keylogger program which is capable of capturing other vital
| information such as credit card and bank account numbers and
| passwords.
|
| The next time Windows is loaded, the worm attempts to email itself by
| replying to unread messages in Microsoft Outlook folders. The worm
| will be attached to these messages using one of the following
| filenames (note that some of these filenames are also associated with
| other threats, such as W95/MTX.gen@M):
|
|
| As you can see, the error messages you saw are part of the trojan
| installation. Check the Windows directory for INETD.EXE. A diskscan
| for errors and a defrag won't disinfect the system. You need a good
| antivirus system, and fast.
|
| Ron N
|
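An offline check for the startup hooks named in the write-up quoted above (the WIN.INI load=/run= lines, the CurrentVersion\RunOnce value, and the NT-style Windows NT\CurrentVersion\Windows\Run value). This is an added example, not code from the list, from Ron N, or from the antivirus site: it parses a saved copy of WIN.INI and a regedit export rather than touching a live machine, and the two sample inputs, the file names it looks for, and the choice to place the HKEY_USERS key under .DEFAULT are all constructed assumptions.

```python
"""Look for the persistence entries the virus write-up lists. Added
example; the WIN.INI text and .reg export below are constructed samples,
not captures from an infected system."""
import re

# File names taken from the write-up (assumed complete for this check).
DROPPED_FILES = {"inetd.exe", "kern32.exe", "hksdll.dll"}

# Constructed WIN.INI: the worm's run= entry plus ordinary settings.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\INETD.EXE
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Constructed regedit export. .reg files double every backslash inside
# quoted data. The HKEY_USERS key is placed under .DEFAULT here only for
# illustration; on a real machine it sits under a per-user SID (assumption).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"kernel32"="kern32.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="%WinDir%\\INETD.EXE"
"""


def parse_ini(text):
    """Return {section: {key: value}} for a WIN.INI-style file; keys and
    section names are lower-cased, ';' comment lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a regedit export,
    handling only the "name"="data" string values that Run/RunOnce use
    and folding the doubled backslashes back to single ones."""
    keys, current = {}, None
    quoted = r'"((?:[^"\\]|\\.)*)"'
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(quoted + r"\s*=\s*" + quoted, line)
            if m:
                name = m.group(1).replace("\\\\", "\\")
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name] = data
    return keys


def mentions_dropped_file(value):
    """True if a startup value names one of the dropped files. Matching is
    on the basename so INETD.EXE, C:\WINDOWS\INETD.EXE and %WinDir%\INETD.EXE
    all count; quotes and trailing arguments are ignored."""
    for token in value.replace('"', "").split():
        basename = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in DROPPED_FILES:
            return True
    return False


def find_persistence(win_ini_text, reg_export_text):
    """Return (location, value) pairs for every startup hook that points
    at one of the dropped files."""
    hits = []
    win = parse_ini(win_ini_text).get("windows", {})
    for key in ("load", "run"):          # both WIN.INI startup lines
        if mentions_dropped_file(win.get(key, "")):
            hits.append((f"WIN.INI [windows] {key}=", win[key]))
    for key_path, values in parse_reg_export(reg_export_text).items():
        tail = key_path.rsplit("\\", 1)[-1].lower()
        # Run and RunOnce under CurrentVersion, plus the Windows NT
        # ...\CurrentVersion\Windows key whose Run value replaces WIN.INI.
        if tail not in ("run", "runonce", "windows"):
            continue
        for name, data in values.items():
            if mentions_dropped_file(data):
                hits.append((f"{key_path}\\{name}", data))
    return hits


if __name__ == "__main__":
    for location, value in find_persistence(SAMPLE_WIN_INI, SAMPLE_REG_EXPORT):
        print(f"{location} -> {value}")
```

Run against real files, feed it the WIN.INI from the Windows directory and the output of exporting the Run, RunOnce and Windows NT\CurrentVersion\Windows keys with regedit; a hit is the entry to remove or neutralize before the files themselves are deleted, since the write-up notes a disk scan and defrag will not do it.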




This PTG archive page provided courtesy of Moy Piano Service, LLC