QUAKER-ROOTS-L Archives



From:
Subject: Re: [Q-R] attachments
Date: Thu, 3 May 2001 09:46:12 EDT


In a message dated 5/3/01 8:29:05 AM Eastern Daylight Time, writes:

<< They've come with a
reference to my original message on the September conference. We haven't
opened them. >>

Connie and All,

I realize that Cheska wants the conversation cut off, but it IS a topic on
several other lists I am on because of the way it presents itself. IF you
post to Quaker-Roots and your message sits in a Quaker-Roots subscriber's inbox
unopened and they have the virus, it will send you a message that does say
RE, then the subject of your post to the list, and usually at least a part of
your original message.

In other words, the attachment will come after the original message has gone
through RootsWeb's filters and on to the subscribers. Like the other similar
viruses around, it uses OUTLOOK EXPRESS. So if you have AOL like I do, your
inbox won't be used.

This way of presentation is very different from Snow White HaHa and the
others.

I am attaching some information that came on another list to help all of you.
IF THERE ARE SUBSCRIBERS TO THIS LIST THAT HAVE THE VIRUS AND HAVE UNOPENED
MAIL FROM Q-R, YOU WILL BE SENT THE ATTACHMENT IF YOU POST TO THE LIST.

Best Regards and Good Luck cleaning it out (see below).

Janet (Baugh) Hunter -- More

This is Symantec's website for it (plus there is more after this):

http://www.sarc.com/avcenter/venc/data/pf/

Subj: Re: [NCBERTIE] Additional Virus-Attachment info
Date: 4/24/01 7:25:42 PM Eastern Daylight Time
From: (Paul Smith)
To:

Hi Everyone --

Virginia suggested that I send the following info re.
getting rid of the TROJ_BADTRANS.A virus to the list.

**IMPORTANT** Note the next to the last paragraph below. I
don't know if the path to the author has been closed but I
have changed my login information for my financial sites -
checkbook & investment.

Do a 'Start' 'Search' 'For Files or Folders' for, and then
delete, each of the following files:

INETD.EXE
KERN32.EXE
HKSDLL.DLL

Depending on your Operating System, locate the appropriate,
following registry entry and delete it:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce\kernel32=kern32.exe
Note: Under WinNT/2K, an additional registry key value is
entered instead of a WIN.INI entry:

HKEY_USERS\Software\Microsoft\Windows NT\
CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE

That's it - you're clean.


Following from
http://vil.mcafee.com/dispVirus.asp?virus_k=99069
Virus Characteristics
This mass mailing worm attempts to send itself using
Microsoft Outlook by replying to unread email messages. It
also drops a remote access trojan (detected as
Backdoor-NK.svr with the 4134 DATs; detected heuristically
as New Backdoor prior to the 4134 DAT release).

When run, the worm displays a message box entitled, "Install
error" which reads, "File data corrupt: probably due to a
bad data transmission or bad disk access." A copy is saved
into the WINDOWS directory as INETD.EXE and an entry is
entered into the WIN.INI file to run INETD.EXE at startup.
KERN32.EXE (a backdoor trojan), and HKSDLL.DLL (a valid
keylogger DLL) are written to the WINDOWS SYSTEM directory,
and a registry entry is created to load the trojan upon
system startup.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce\kernel32=kern32.exe

Note: Under WinNT/2K, an additional registry key value is
entered instead of a WIN.INI entry:

HKEY_USERS\Software\Microsoft\Windows NT\
CurrentVersion\Windows\RUN=%WinDir%\INETD.EXE

Once running, the trojan attempts to mail the victim's IP
Address to the author. Once this information is obtained,
the author can connect to the infected system via the
Internet and steal personal information such as usernames,
and passwords. In addition, the trojan also contains a
keylogger program which is capable of capturing other vital
information such as credit card and bank account numbers and
passwords.

The next time Windows is loaded, the worm attempts to email
itself by replying to unread messages in Microsoft Outlook
folders. The worm will be attached to these messages using
one of the following filenames (note that some of these
filenames are also associated with other threats, such as
W95/MTX.gen@M):
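The quoted McAfee write-up names three persistence points for this worm: the run= line in WIN.INI, the kernel32 value under RunOnce, and the Run value under Windows NT\CurrentVersion\Windows. As an added example, not part of this message or of either quoted advisory, the Python below parses a WIN.INI file and a REGEDIT export, lists every program those locations start, and flags the ones whose file name is INETD.EXE, KERN32.EXE or HKSDLL.DLL. The sample WIN.INI and .reg text are constructed for the demonstration; the HKEY_USERS\.DEFAULT hive path in the sample is an assumption, since the quoted key path omits the per-user component.

```python
"""Report autorun entries that start the BadTrans dropper files.

Checks the two places the quoted write-up says the worm persists:
WIN.INI [windows] run=/load= and the Run / RunOnce registry keys
(plus the Run/Load values under Windows NT\\CurrentVersion\\Windows).
"""
import re
from typing import List, Tuple

# File names the quoted McAfee description attributes to BadTrans (lower-cased).
BADTRANS_FILES = frozenset({"inetd.exe", "kern32.exe", "hksdll.dll"})

# Autorun keys matched as case-insensitive suffixes so HKLM, HKCU and
# HKEY_USERS\<user> variants are all caught.
AUTORUN_KEY_SUFFIXES = (
    r"\currentversion\run",
    r"\currentversion\runonce",
    r"\windows nt\currentversion\windows",
)

# Constructed sample inputs (not from the page): a WIN.INI [windows] section
# and a REGEDIT export as they might look on an infected machine.
SAMPLE_WIN_INI = "\r\n".join([
    "[windows]",
    "load=",
    "run=C:\\WINDOWS\\INETD.EXE",
    "NullPort=None",
    "",
    "[Desktop]",
    "Wallpaper=(None)",
])

SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]",
    r'"kernel32"="kern32.exe"',
    "",
    # Hive path is an assumption; the quoted advisory gives no per-user part.
    r"[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows]",
    r'"Run"="C:\\WINDOWS\\INETD.EXE"',
    r'"Load"=""',
])

# One "name"="string" line of a .reg export; @ is the (Default) value.
_REG_VALUE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def executable_name(command: str) -> str:
    """Lower-cased file name of the program a command line starts.

    Handles quoted paths ("C:\\Program Files\\x.exe" /arg) and bare paths
    followed by arguments. %WinDir%-style variables are left unexpanded
    because only the file name is compared.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        path = parts[0] if parts else ""
    return re.split(r"[\\/]", path)[-1].lower()


def win_ini_autoruns(text: str) -> List[Tuple[str, str]]:
    """(location, command) for each program the [windows] run=/load= lines start."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ("load", "run") and value:
            # Several programs may be listed, separated by commas or spaces.
            for cmd in re.split(r"[,\s]+", value):
                if cmd:
                    found.append((f"WIN.INI [windows] {key.lower()}=", cmd))
    return found


def reg_export_autoruns(text: str) -> List[Tuple[str, str]]:
    """(location, command) for string values under the known autorun keys."""
    found, key, is_autorun = [], "", False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            is_autorun = key.lower().endswith(AUTORUN_KEY_SUFFIXES)
            continue
        m = _REG_VALUE.match(line) if is_autorun else None
        if not m:
            continue  # blank lines, dword/hex values, continuation lines
        name = m.group(1) or "(Default)"
        command = _unescape(m.group(2))
        # Under ...\Windows NT\CurrentVersion\Windows only Run and Load start programs.
        if key.lower().endswith(AUTORUN_KEY_SUFFIXES[2]) and name.lower() not in ("run", "load"):
            continue
        if command:
            found.append((f"{key}\\{name}", command))
    return found


def badtrans_findings(win_ini: str, reg_export: str) -> List[Tuple[str, str]]:
    """Autorun entries whose program file name is one of the BadTrans files."""
    entries = win_ini_autoruns(win_ini) + reg_export_autoruns(reg_export)
    return [(loc, cmd) for loc, cmd in entries if executable_name(cmd) in BADTRANS_FILES]


if __name__ == "__main__":
    for loc, cmd in win_ini_autoruns(SAMPLE_WIN_INI) + reg_export_autoruns(SAMPLE_REG):
        print(f"autorun  {loc} -> {cmd}")
    for loc, cmd in badtrans_findings(SAMPLE_WIN_INI, SAMPLE_REG):
        print(f"BADTRANS {loc} -> {cmd}")
```

To run it against a real machine, feed it the contents of %WinDir%\WIN.INI and a `regedit /e` export of the Run, RunOnce and Windows NT\CurrentVersion\Windows keys. A clean autorun list only shows the loader is gone; as Paul's message notes, the keylogger may already have shipped captured passwords, so changing credentials used on the machine is still warranted.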