[ic] VIRUS WARNING !!!!

Joe Myers - Ott Dental Supply Company jmyers@ott-dental-supplies.com
Fri, 20 Apr 2001 22:57:38 -0400


I traced the IP that the mail was sent from and it was sent through a German
ISP.  Here is the info if you are interested:

212.43.90.100


% Rights restricted by copyright. See
http://www.ripe.net/ripencc/pub-services/db/copyright.html


inetnum:     212.43.64.0 - 212.43.95.255
netname:     DE-TAT-980729
descr:       PROVIDER
descr:       TAT GmbH
country:     DE
admin-c:     WT176
tech-c:      CD185-RIPE
tech-c:      AH1698-RIPE
status:      ALLOCATED PA
mnt-by:      RIPE-NCC-HM-MNT
changed:     hostmaster@ripe.net 19980729
changed:     hostmaster@ripe.net 19981005
source:      RIPE


route:       212.43.64.0/19
descr:       Tat Gmbh
origin:      AS8899
mnt-by:      AS8899-MNT
changed:     horvath@tat.de 19990806
source:      RIPE


person:      Wolfgang Thoma
address:     TATNeT GmbH
address:     Industriestrasse 15
address:     D-64807 Dieburg
address:     Germany
phone:       +49 6071 2020
fax-no:      +49 6071 202402
nic-hdl:     WT176
mnt-by:      DENIC-P
changed:     dittmann@tat.de 19990826
source:      RIPE


person:      Christa Dittmann
address:     TATNeT GmbH
address:     Industriestrasse 15
address:     64807 Dieburg
address:     GERMANY
phone:       +49 6071 202400
fax-no:      +49 6071 202402
e-mail:      dittmann@tat.de
nic-hdl:     CD185-RIPE
notify:      dittmann@tat.de
mnt-by:      DENIC-P
changed:     dittmann@tat.de 19990826
changed:     auto-direct@denic.de 20001113
source:      RIPE


person:      Arpad Horvath
address:     TAT GmbH
address:     Industriestrasse 15
address:     D-64807 Dieburg
phone:       +49 6071 202400
fax-no:      +49 6071 202402
e-mail:      horvath@tat.de
nic-hdl:     AH1698-RIPE
notify:      horvath@tat.de
changed:     horvath@tat.de 19980717
source:      RIPE


-----Original Message-----
From: interchange-users-admin@lists.akopia.com
[mailto:interchange-users-admin@lists.akopia.com]On Behalf Of Audio
Wizard
Sent: Friday, April 20, 2001 7:02 PM
To: interchange-users@lists.akopia.com
Subject: Re: [ic] VIRUS WARNING !!!!


Recently our system was infected with the mtx95 virus which sent many emails
out to customers without our knowledge.  Finally a customer informed us we
had sent an infected file attachment to them.  These attachments were
"attractively" named, "check this out" "free xxx pics" "help urgent reply"
and so on.

The mtx virus even kept our Norton from automatically updating virus
definitions, furthering the problem, which is why we didn't catch it.

Just my experience, I'm glad no one "blamed" us in our situation.



----- Original Message -----
From: "Greg Gaskill" <g.gaskill@aboron.com>
To: <interchange-users@lists.akopia.com>
Sent: Friday, April 20, 2001 3:59 PM
Subject: RE: [ic] VIRUS WARNING !!!!


>
>
> > -----Original Message-----
> > From: interchange-users-admin@lists.akopia.com
> > [mailto:interchange-users-admin@lists.akopia.com]On Behalf Of
> > jojo@blackpoint.de
> > Sent: Friday, April 20, 2001 2:53 PM
> > To: interchange-users@lists.akopia.com
> > Subject: Re: [ic] VIRUS WARNING !!!!
> >
> >
> > I can confirm that. I've gotten an email from Suzanne Thompson
> > directly to me with a pif file too.
> >
>
>
> I got the .pif file too, but it's either corrupt or Win2000
> can't read it.  Since I'm the curious type, I tried to look
> at what program it wanted to run, but ended up dumping a core
> trying to read it with a pif-editor.
>
>
>
> > Joachim
> >
> > On 20 Apr, joachim.richter wrote:
> > > Hi List,
> > >
> > > I have just received two emails from the following person,
> > answering a question I put on the list this morning
> > >
> > > Return-Path: <3dranger@mpinet.net>
> > > Received: from localhost (root@localhost [127.0.0.1]) by
> > brainstorm1.usvid (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with ESMTP
> > id SAA31473 for <joachim.richter@localhost>; Fri, 20 Apr 2001
> > 18:29:56 +0200
> > > Received: from 212.43.90.100 by localhost with POP3
> > (fetchmail-5.3.0) for joachim.richter@localhost
> > (single-drop); Fri, 20 Apr 2001 18:29:56 +0200 (MEST)
> > > Received: from fl-mta02.durocom.com (fl-mta02.durocom.com
> > [216.53.195.243]) by thundertaste.bpaserver.net (8.9.3/8.9.3)
> > with ESMTP id RAA40208 for
> > <joachim.richter@usvideocenter.de>; Fri, 20 Apr 2001 17:13:47 +0200 (CEST)
> > > Received: from computer ([216.53.218.107]) by
> > fl-mta02.durocom.com with SMTP id
> > <20010420144137.PERJ1198.fl-mta02@computer> for
> > <joachim.richter@usvideocenter.de>; Fri, 20 Apr 2001 10:41:37 -0400
> > > Message-ID: <00c801c0c9a9$0ffa6ce0$6bda35d8@computer>
> > >
> > > From: "Suzanne Thompson" <3dranger@mpinet.net>
> > >
> > > To: <joachim.richter@usvideocenter.de>
> > > Subject: Re: Fwd: Re: [ic] URL DISPLAY
> > > MIME-Version: 1.0
> > > Content-Type: multipart/mixed;
> > boundary="----=_NextPart_000_00C5_01C0C987.85818600"
> > > X-Mailer: Microsoft Outlook Express 5.50.4522.1200
> > > X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
> > > Date: Fri, 20 Apr 2001 10:41:44 -0400
> > > X-UIDL: 2cd42d92cc596ff6a9524ff64bccf340
> > >
> > >
> > > The attachment was the new Virus I-Worm.Badtrans
> > >
> > >
> > > This worm can be detected using AVX Professional
> > ftp://ftp.avx.com/avxdesktop/setupavxpro.exe
> > >
> > > Manually removing an infection from your computer can put your
> > data at risk for damage that may or may not be recoverable.
> > Central Command strongly recommends that you backup all of your
> > data prior to attempting to remove an infection or repair any
> > damage caused by an infection.
> > >
> > >
> > > Details:
> > > ----------
> > >
> > > Name: I-Worm.Badtrans
> > > Alias: W32.Badtrans.13312@mm
> > > Detection added : April 12, 2001
> > > Spread Method : Via E-Mail (A copy of the worm will be sent as
> > a reply message to all unread emails in the users Inbox folder)
> > >
> > >
> > > Description:
> > > ------------
> > >
> > > Worm part:
> > > -------------
> > >
> > > When the attachment is executed the worm drops the trojan
> > "hkk32.exe" into the Windows folder and executes itself. A copy
> > of the worm is created under the file name inetd.exe in the Windows
> > folder. The following line is added to "win.ini" in [windows]
> > section: run=c:\windows\inetd.exe.
> > >
> > > Trojan part:
> > > --------------
> > >
> > > The hkk32.exe is a trojan called: Trojan.PSW.Hooker. This
> > trojan drops a file called hksdll.dll used later as hook
> > component to intercept pressed keys. A copy of the worm called
> > kern32.exe is created in Windows folder and the original file
> > hkk32.exe is deleted.
> > >
> > > It also adds the following key to the registry in order to be
> > executed every time windows loads:
> > >
> > > HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
> > > kernel32 = c:\windows\system\kern32.exe
> > >
> > > It sends information from infected computers to the email
> > address: ld8dl1@mailandnews.com
> > >
> > >
> > >
> > > regards Joe
> > >
> > > US Video Center Medien GmbH
> > > Heimsheimer Str 22
> > > 70499 Stuttgart
> > >
> > > Tel 0711 880252 0
> > > Fax 0711 880252 22
> > > Email joachim.richter@usvideocenter.de
> > >
> > >
> > > _______________________________________________
> > > Interchange-users mailing list
> > > Interchange-users@lists.akopia.com
> > > http://lists.akopia.com/mailman/listinfo/interchange-users
> >
> > --
> > -------------<FreeBsd>--------------------------------------------------
> > Hans-Joachim Leidinger          black point arts Internet Solutions GmbH
> > email: jojo@blackpoint.de       FAX  : +49 0209-398265
> > http://www.bpaserver.net
> >
> >
> >
>
>


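The Received chain quoted in this thread can be read programmatically. This added example (not part of the thread or any poster's code) re-joins the four folded Received headers into one string each, parses them bottom-up as the sender-to-recipient path, and reports the earliest host-to-host SMTP handoff; the hop grammar is a simplified assumption that fits these sendmail/fetchmail lines, not a full RFC 822 parser.

```python
import re

# Constructed sample: the four Received headers quoted in the thread, with
# header folding undone so each hop is a single string. Top of list = last hop.
RECEIVED_HEADERS = [
    "from localhost (root@localhost [127.0.0.1]) by brainstorm1.usvid "
    "(8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) with ESMTP id SAA31473 "
    "for <joachim.richter@localhost>; Fri, 20 Apr 2001 18:29:56 +0200",
    "from 212.43.90.100 by localhost with POP3 (fetchmail-5.3.0) "
    "for joachim.richter@localhost (single-drop); Fri, 20 Apr 2001 18:29:56 +0200 (MEST)",
    "from fl-mta02.durocom.com (fl-mta02.durocom.com [216.53.195.243]) "
    "by thundertaste.bpaserver.net (8.9.3/8.9.3) with ESMTP id RAA40208 "
    "for <joachim.richter@usvideocenter.de>; Fri, 20 Apr 2001 17:13:47 +0200 (CEST)",
    "from computer ([216.53.218.107]) by fl-mta02.durocom.com with SMTP id "
    "<20010420144137.PERJ1198.fl-mta02@computer> for "
    "<joachim.richter@usvideocenter.de>; Fri, 20 Apr 2001 10:41:37 -0400",
]

# Simplified hop grammar (an assumption that fits sendmail/fetchmail output,
# not a full RFC 822 parser): "from X (comment) by Y ... with PROTO".
HOP_RE = re.compile(
    r"^from\s+(?P<from>\S+)(?:\s+\((?P<helo>[^)]*)\))?\s+by\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<proto>\S+))?")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def parse_hop(header):
    """Pull the claimed sender, the IP the receiving host recorded, the
    receiving host and the transfer protocol out of one Received header."""
    m = HOP_RE.match(header)
    if not m:
        return None
    seen = IP_RE.search(m.group("helo") or "") or IP_RE.search(m.group("from"))
    return {"from": m.group("from"), "ip": seen.group(1) if seen else None,
            "by": m.group("by"), "proto": (m.group("proto") or "?").upper()}

def trace(headers):
    """Hops in delivery order, oldest first: each relay prepends its own
    Received header, so the bottom header is the one nearest the sender."""
    return [h for h in (parse_hop(x) for x in reversed(headers)) if h]

def origin_hop(headers):
    """The earliest host-to-host SMTP handoff. POP3 hops (fetchmail pulling
    from a mailbox) and loopback hops are local delivery, not the sender."""
    for hop in trace(headers):
        if hop["proto"] in ("SMTP", "ESMTP") and hop["ip"] != "127.0.0.1":
            return hop
    return None
```

Calling `trace(RECEIVED_HEADERS)` lists the four hops sender-first, and `origin_hop(RECEIVED_HEADERS)` picks the first SMTP hop out of them.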