[ic] VIRUS WARNING !!!!

Greg Gaskill g.gaskill@aboron.com
Fri, 20 Apr 2001 18:59:15 -0400


> -----Original Message-----
> From: interchange-users-admin@lists.akopia.com
> [mailto:interchange-users-admin@lists.akopia.com]On Behalf Of
> jojo@blackpoint.de
> Sent: Friday, April 20, 2001 2:53 PM
> To: interchange-users@lists.akopia.com
> Subject: Re: [ic] VIRUS WARNING !!!!
>
>
> I can confirm that. I've gotten an email from Suzanne Thompson
> directly to me with a pif file too.
>


I got the .pif file too, but it's either corrupt or Win2000
can't read it.  Since I'm the curious type, I tried to look
at what program it wanted to run, but ended up dumping a core
trying to read it with a pif-editor.



> Joachim
>
> On 20 Apr, joachim.richter wrote:
> > Hi List,
> >
> > I have just received two emails from the following person,
> answering a question I put on the list this morning
> >
> > Return-Path: <3dranger@mpinet.net>
> > Received: from localhost (root@localhost [127.0.0.1])	by
> brainstorm1.usvid (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with ESMTP
> id SAA31473	for <joachim.richter@localhost>; Fri, 20 Apr 2001
> 18:29:56 +0200
> > Received: from 212.43.90.100	by localhost with POP3
> (fetchmail-5.3.0)	for joachim.richter@localhost
> (single-drop); Fri, 20 Apr 2001 18:29:56 +0200 (MEST)
> > Received: from fl-mta02.durocom.com (fl-mta02.durocom.com
> [216.53.195.243])	by thundertaste.bpaserver.net (8.9.3/8.9.3)
> with ESMTP id RAA40208	for
> <joachim.richter@usvideocenter.de>; Fri, 20 Apr 2001 17:13:47 +0200 (CEST)
> > Received: from computer ([216.53.218.107]) by
> fl-mta02.durocom.com with SMTP id
> <20010420144137.PERJ1198.fl-mta02@computer> for
> <joachim.richter@usvideocenter.de>; Fri, 20 Apr 2001 10:41:37 -0400
> > Message-ID: <00c801c0c9a9$0ffa6ce0$6bda35d8@computer>
> >
> > From: "Suzanne Thompson" <3dranger@mpinet.net>
> >
> > To: <joachim.richter@usvideocenter.de>
> > Subject: Re: Fwd: Re: [ic] URL DISPLAY
> > MIME-Version: 1.0
> > Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_00C5_01C0C987.85818600"
> > X-Mailer: Microsoft Outlook Express 5.50.4522.1200
> > X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
> > Date: Fri, 20 Apr 2001 10:41:44 -0400
> > X-UIDL: 2cd42d92cc596ff6a9524ff64bccf340
> >
> >
> > The attachment was the new Virus I-Worm.Badtrans
> >
> >
> > This worm can be detected using AVX Professional
> ftp://ftp.avx.com/avxdesktop/setupavxpro.exe
> >
> > Manually removing an infection from your computer can put your
> data at risk for damage that may or may not be recoverable.
> Central Command strongly recommends that you back up all of your
> data prior to attempting to remove an infection or repair any
> damage caused by an infection.
> >
> >
> > Details:
> > ----------
> >
> > Name: I-Worm.Badtrans
> > Alias: W32.Badtrans.13312@mm
> > Detection added : April 12, 2001
> > Spread Method : Via E-Mail (A copy of the worm will be sent as
> a reply message to all unread emails in the user's Inbox folder)
> >
> >
> > Description:
> > ------------
> >
> > Worm part:
> > -------------
> >
> > When the attachment is executed the worm drops the trojan
> "hkk32.exe" into the Windows folder and executes itself. A copy
> of the worm is created under the file name inetd.exe in the Windows
> folder. The following line is added to "win.ini" in the [windows]
> section: run=c:\windows\inetd.exe.
> >
> > Trojan part:
> > --------------
> >
> > The hkk32.exe is a trojan called: Trojan.PSW.Hooker. This
> trojan drops a file called hksdll.dll, used later as a hook
> component to intercept pressed keys. A copy of the worm called
> kern32.exe is created in the Windows folder and the original file
> hkk32.exe is deleted.
> >
> > It also adds the following key to the registry in order to be
> executed every time Windows loads:
> >
> > HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
> > kernel32 = c:\windows\system\kern32.exe
> >
> > It sends information from infected computers to the email
> address: ld8dl1@mailandnews.com
> >
> >
> >
> > regards Joe
> >
> > US Video Center Medien GmbH
> > Heimsheimer Str 22
> > 70499 Stuttgart
> >
> > Tel 0711 880252 0
> > Fax 0711 880252 22
> > Email joachim.richter@usvideocenter.de
> >
> >
> > _______________________________________________
> > Interchange-users mailing list
> > Interchange-users@lists.akopia.com
> > http://lists.akopia.com/mailman/listinfo/interchange-users
>
> --
> -------------<FreeBsd>--------------------------------------------------
> Hans-Joachim Leidinger          black point arts Internet Solutions GmbH
> email: jojo@blackpoint.de       FAX  : +49 0209-398265
> http://www.bpaserver.net
>
>
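As an added illustration that is not part of this thread or the quoted advisory: a small Python check, written from a defender's stance, that parses a win.ini text and a set of RunOnce values and flags the persistence artefacts the forwarded I-Worm.Badtrans description lists (inetd.exe, hkk32.exe, kern32.exe, hksdll.dll). The file names and registry key come from the advisory above; the sample inputs are constructed here, not captured from an infected machine.

```python
import re
from typing import Dict, List

# Indicators taken from the I-Worm.Badtrans description quoted in the thread.
WORM_FILES = {"inetd.exe", "hkk32.exe", "kern32.exe", "hksdll.dll"}
RUNONCE_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"


def parse_win_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal win.ini parser: section -> {key: value}; names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes removed."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def find_badtrans_indicators(win_ini_text: str, runonce_values: Dict[str, str]) -> List[str]:
    """Return one finding per autostart entry that launches a known worm file."""
    findings: List[str] = []
    windows = parse_win_ini(win_ini_text).get("windows", {})
    for key in ("run", "load"):                   # run= may list several programs, comma-separated
        for prog in windows.get(key, "").split(","):
            if prog.strip() and basename(prog) in WORM_FILES:
                findings.append(f"win.ini [windows] {key}= launches {basename(prog)}")
    for name, value in runonce_values.items():    # values read from the RunOnce key
        if basename(value) in WORM_FILES:
            findings.append(f"{RUNONCE_KEY}\\{name} -> {basename(value)}")
    return findings


# Constructed sample input mirroring the advisory's artefacts (not a real capture).
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\windows\inetd.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_RUNONCE = {"kernel32": r"c:\windows\system\kern32.exe",
                  "Setup": r"c:\windows\setup.exe"}  # second entry is a benign decoy

if __name__ == "__main__":
    for finding in find_badtrans_indicators(SAMPLE_WIN_INI, SAMPLE_RUNONCE):
        print(finding)
```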