Virus Alert



06-04-2002, 09:20 AM
Everyone please beware of the following:

I received an e-mail from randy@poolschool.com last night. It was titled 'Sos' and it had no text but it did have an attachment. I know that Randy G's address has a 'g' after 'Randy' so I sent him an e-mail and questioned it before opening.

He responded and said NO he did not send it.

It could be a virus.

So be careful if you get any e-mails from that address. It's not from Randy G.

Fran

Ken
06-04-2002, 09:41 AM
Fran, I have been getting these for two weeks and started a thread about them on May 24. They seem to send the body of the message out to people in your address book. Although it is not displayed as text it does execute instructions. I don't seem to be having any other problems. I deleted my address book and moved all sent and received messages to prevent the infection from going elsewhere. I've gotten them from about 4 CCBers and a few other addresses some of which I recognize and others I don't. I'm not sure it is a virus since I kept two of them and then got scanned and nothing came up infected. It may be a java code that is just sending out e-mails and doing no real harm.
KenCT

Jay M
06-04-2002, 10:14 AM
If you'll forward me a copy of one of these emails, I'll take a look and see what it does. Please change the subject line to "possible virus attached" and send it to compforce@hotmail.com

Jay M

06-04-2002, 10:40 AM
Yes, I had seen that thread. I found this one strange because it's missing one letter in Randy's address. Either it was done intentionally or someone just could have mis-written his address in their address book.

Fran

Jay M
06-04-2002, 10:58 AM
Fran,

The email you sent me is infected with the w32.klez.h@mm virus. If you have opened the email (which it looks like you did) I would go have a look at this link:

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H

For Randy, he should ABSOLUTELY go through the cleaning procedures to ensure that he gets rid of it as his system is DEFINITELY infected.

Jay M

SPetty
06-04-2002, 11:29 AM
Quote: Jay M:
> For Randy, he should ABSOLUTELY go through the cleaning procedures to ensure that he gets rid of it as his system is DEFINITELY infected.
>
> Jay M

Hi Jay,

Thanks, great info. Based on the info in the link you provided, it seems possible that Randy isn't even infected. The info said that the virus mailing can mask its sender, so that it looks like it was sent by someone else. It looks at the "from" field of received email and uses one of those names in the "from" field of the email that it generates and sends. That's dastardly!

06-04-2002, 12:14 PM
Thanks for the confirmation, Jay. Just did a Norton update and a complete scan. I'm clean. I guess you have to download the attachment for this virus to kick in.

Anyone who has Randy's address in their address book should check this out because they could be infected and not realize it.

Fran

Jay M
06-04-2002, 02:33 PM
You're welcome Fran.

Quote:
> It looks at the "from" field of received email and uses one of those names in the "from" field of the email that it generates and sends. That's dastardly!

You are absolutely correct, I wasn't paying attention to that part. Note that the person who is infected can be found from the headers of the email. I already deleted the copy I had, so can't tell now.

To the other person that forwarded me an email, which I also deleted, that email had the reg.c virus which is basically harmless, but is a pain to get rid of. I suggest just going to http://housecall.antivirus.com and letting their free scanner clean it, just check the box that says autoclean and throw a floppy into the A drive to scan. It'll find and clean the virus for you.

Jay M
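
Added example (not part of the original thread): a Python sketch of the header check described in the post above, comparing the displayed "From" with the envelope sender and walking the Received chain to the machine that handed the message to your own mail provider. The message, every address in it and the trusted domain recipient.example are constructed; it assumes only Received lines stamped by your own provider's servers can be believed, since anything below them can be forged by the sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: forged From, plus a fake Received line at the bottom.
SAMPLE = """\
Return-Path: <infected.user@isp.example>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP id A1; Tue, 4 Jun 2002 09:01:00 -0400
Received: from Kzqv (dialup-77.isp.example [198.51.100.77])
\tby mx.recipient.example with SMTP id B2; Tue, 4 Jun 2002 09:00:58 -0400
Received: from mail.club.example ([203.0.113.5])
\tby relay.club.example with SMTP id C3; Tue, 4 Jun 2002 08:59:00 -0400
From: friend <friend@club.example>
To: reader@recipient.example
Subject: Sos

"""

RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")

def parse_hops(msg):
    """Return the Received hops, newest first (the order they appear)."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(raw)
        if m:
            hops.append(dict(zip(("helo", "rdns", "ip", "by"), m.groups())))
    return hops

def analyse(raw, trusted_domain):
    """Compare From with Return-Path and find the last trustworthy hop."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    env_addr = parseaddr(msg.get("Return-Path", ""))[1].lower()
    entry = None
    for hop in parse_hops(msg):
        by = hop["by"].lower()
        if by != trusted_domain and not by.endswith("." + trusted_domain):
            break          # stamped by a server we do not control: stop here
        entry = hop        # deepest hop recorded by a trusted server so far
    return {
        "from": from_addr,
        "return_path": env_addr,
        "from_matches_envelope":
            from_addr.split("@")[-1] == env_addr.split("@")[-1],
        "origin_ip": entry["ip"] if entry else None,
        "origin_rdns": entry["rdns"] if entry else None,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE, "recipient.example"))
```

On the sample, the displayed sender is friend@club.example, but the connection your provider actually accepted came from a dial-up host at isp.example, which is the machine to clean.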

06-04-2002, 04:46 PM
I undeleted the e-mail and found this address in the header: hintzman@attbi.com

Anyone know who this is?

Fran

Ken
06-04-2002, 04:57 PM
Fran, I don't recall seeing that in any of the headers I have looked at. Mine are now coming from anitamon@earthlink.net. I have deleted them all but I did scans from housecall at least 4 times with and without the emails on my hard drive and came up clean each time. I'm sure there are some more waiting for me the next time I check for email so I will see if hintzman is there.

Someone also sent for a new password for my CCB account. BD told me to ignore that if it wasn't me. Maybe you are right about not registering. I might go anonymous; they seem to have more fun.
KenCT