PC Pals Forum

Technical Help & Discussion => Broadband, Networking, PC Security, Internet & ISPs => Topic started by: DJ on March 01, 2004, 12:11

Title: Re: My Details ??
Post by: DJ on March 01, 2004, 12:11
:hi:

I had 15 (yes 15) emails this morning from someone I don't know with the following heading:

Quote
Re: My Details


They also had the attachment my_details.pif but the firewall renamed this to my_details.pif.safe

I take it that it's a virus? Just wondering which one.

My AVG is bang up to date this morning - so I'll do a full virus scan to be sure I'm safe.

DJ
Title: Re: My Details ??
Post by: Sandra on March 01, 2004, 13:25
Hi DJ, it looks like it's the Sobig virus at it again  :(

See here :

http://www.austincc.edu/andreac/SobigFvirus
Title: Re: My Details ??
Post by: DJ on March 01, 2004, 13:46
Thanks.

I deleted them straight away - so hopefully it didn't have time to do any damage.

I did a full scan and it found an I-Worm/Netsky.D virus in D:\RECYCLED\DD1~1.SAF

It was unable to move or delete this file.

But looking in D:\Recycled there's nothing there? Is there a fix to get rid of this virus?

DJ
Title: Re: My Details ??
Post by: Clive on March 01, 2004, 14:11
It could also be W32/Netsky-D which came out today.  That could explain why your virus checker failed to pick it up DJ.


W32/Netsky-D

Aliases: W32/Netsky.c@MM

Type: Win32 worm

Sophos has received many reports of this worm from the wild.

Description
W32/Netsky-D is a worm that spreads via email.
W32/Netsky-D may arrive in an email with the following characteristics:
Subject line: chosen from -
Re: Approved
Re: Details
Re: Document
Re: Excel file
Re: Hello
Re: Here
Re: Here is the document
Re: Hi
Re: My details
Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your details
Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website

Message text: chosen from -
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.

Attached file: chosen from -
all_document.pif
application.pif
document.pif
document_4351.pif
document_excel.pif
document_full.pif
document_word.pif
message_details.pif
message_part2.pif
mp3music.pif
my_details.pif
your_archive.pif
your_bill.pif
your_details.pif
your_document.pif
your_file.pif
your_letter.pif
your_picture.pif
your_product.pif
your_text.pif
your_website.pif
yours.pif

When first run W32/Netsky-D creates the following registry entry, so that winlogon.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQNet = <WINDOWS>\winlogon.exe -stealth

Recovery
Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ICQNet = <WINDOWS>\winlogon.exe -stealth

and delete it if it exists.

Close the registry editor.
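
The Sophos description above lists the subject lines, body texts and .pif attachment names Netsky-D uses, which is enough to flag the lure at the mail gateway before anyone opens it. The following is an added example, not code from the forum or from Sophos: it parses a raw message and reports which of those traits it carries. The indicator sets hold a subset of the quoted lists, and the sample message is constructed to match DJ's "Re: My Details" emails.

```python
import email
from email import policy

# Subset of the Netsky-D lure strings quoted above (Sophos description);
# extend the sets with the rest of the lists to cover the complete advisory.
NETSKY_SUBJECTS = {
    "re: approved", "re: details", "re: document", "re: hello", "re: hi",
    "re: my details", "re: your details", "re: your document", "re: thanks!",
}
NETSKY_ATTACHMENTS = {
    "my_details.pif", "your_details.pif", "document.pif", "your_document.pif",
    "application.pif", "your_bill.pif", "your_picture.pif", "yours.pif",
}
NETSKY_BODIES = {
    "your file is attached.", "please read the attached file.",
    "see the attached file for details.", "your document is attached.",
}

def netsky_d_indicators(raw: bytes) -> list:
    """Return the Netsky-D lure traits found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip()
    if subject.lower() in NETSKY_SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name.lower() in NETSKY_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif name.lower().endswith(".pif"):
            # Any .pif is a Windows program shortcut, i.e. executable content
            hits.append(f"pif-attachment:{name}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() in NETSKY_BODIES:
        hits.append("body:lure-text")
    return hits

# Constructed sample, modelled on the 15 messages the original poster received
SAMPLE = b"""From: someone@example.invalid
Subject: Re: My Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

Your file is attached.
--bnd
Content-Type: application/octet-stream; name="my_details.pif"
Content-Disposition: attachment; filename="my_details.pif"
Content-Transfer-Encoding: base64

TVo=
--bnd--
"""
```

Calling `netsky_d_indicators(SAMPLE)` returns the subject, attachment and body hits; a message with no matching traits returns an empty list.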
 
Title: Re: My Details ??
Post by: DJ on March 01, 2004, 14:18
Thanks Clive,

That key did exist in the registry so I deleted it.  Did another full AVG scan and now there's no more viruses (or should that be viri??  :-\ )

Thanks again - I'm virus free - for now  ;)

DJ
Title: Re: My Details ??
Post by: Simon on March 01, 2004, 17:20
My Norton updated as soon as I logged on this afternoon, so I assume that must have been for Netsky-D.  More info, removal instructions (using Norton AV), and Registry Key info from here (http://tinyurl.com/29adw).
Title: Re: My Details ??
Post by: TR on March 01, 2004, 17:28
For the last 2 days AVG has updated twice a day, must be some rum goings on out there in virus land  :o
Title: Re: My Details ??
Post by: Clive on March 01, 2004, 19:40
You were very unlucky to get a dose of that before the antidote became available DJ.  But I suppose some people have to catch these viruses first so that the antivirus companies can work out a solution to protect the rest of us.   :thanks:
Title: Re: My Details ??
Post by: DJ on March 01, 2004, 19:44
Quote
But I suppose some people have to catch these viruses first so that the antivirus companies can work out a solution to protect the rest of us.   :thanks:


At least I was useful for once!  ;)

DJ
Title: Re: My Details ??
Post by: Dogsbody on March 01, 2004, 21:29
Hi peeps
For the 1st time ever my Norton has kicked in saying I've been viried (is that a word, maybe it should be if it isn't) with Netsky, don't know whether I've been lucky over the last few years but now know AV is worth the cash. By the way this is one of the best sites I visit (even though I don't contribute much, could be cos I don't know a lot ;D) but I will be watching and waiting for the day someone asks a question for which I know the answer  ::)
Title: Re: My Details ??
Post by: Simon on March 01, 2004, 22:18
There's plenty of other areas you could contribute to on the site, DB.  Many of us are by no means computer experts, but we still find something to say!   ;) ;D
Title: Re: My Details ??
Post by: Adept on March 02, 2004, 07:17
Yesterday was a bad day for NetSky. At work we received at least 100 of the little buggers. Luckily our anti-virus caught them all.

All from people who can't be bothered to update their patches and A/V program I bet ::)

Title: Re: My Details ??
Post by: Camstop on March 02, 2004, 07:54
I got it last night too but with Norton doing two auto-updates per day at the moment it was picked up for me to delete... 8)

And I just ran the fix tool from Symantec just in case. :thumb:
Title: Re: My Details ??
Post by: Michelle on March 02, 2004, 18:19
Okay I'm confused now ............  ::)


I've been updating and checking like mad cos I'm being sent loads of viruses! But I was sure I'd not opened a thing.

Now AVG said it found one but it didn't remove it, it's still on my drive? Why didn't it remove it?

I saw something about how to remove something recently, thought it was this thread .. but anyway I didn't understand it all. (sob)

Or would it be cos I had unread emails and it's there? oh no cos it wouldn't be on my drive then would it. (thicko_)

Oh, and I still have ME. I noticed something was different on the removal that someone gave.

I really must upgrade!!!

Please what do I do Guys ?  ???
Title: Re: My Details ??
Post by: Lona on March 02, 2004, 18:30
I think this might be what you are looking for Michelle. :D

http://enterprisesecurity.symantec.com/article.cfm?articleid=2420
Title: Re: My Details ??
Post by: Simon on March 02, 2004, 18:35
Here you go, Shell!  ;D ;D

Netsky-D Removal Tool (http://tinyurl.com/28ceo).
Title: Re: My Details ??
Post by: TR on March 02, 2004, 19:06
And another from the AVG stable >> http://www.grisoft.com/us/us_remtext.php?id=mydoom
Title: Re: My Details ??
Post by: Michelle on March 03, 2004, 12:49
;D Thanks guys I've downloaded those.

I'll run them now eeek !!!  :-*
Title: Re: My Details ??
Post by: Michelle on March 03, 2004, 17:24
It worked thanks you lot  :-*

It was the netsky one. grrrrrrr

Title: Re: My Details ??
Post by: Michelle on March 06, 2004, 14:57
I got another one but avg deleted it this time?

How does it get through everything? I thought you had to open a dodgy attachment?

And also what does it actually do to your computer, as I didn't notice anything, it was only avg picking it up on a check?

 ???
Title: Re: My Details ??
Post by: Simon on March 06, 2004, 18:30
Must be ME Shell!   :P ;D ;D
Title: Re: My Details ??
Post by: Michelle on March 07, 2004, 12:15
Thanks for your technical input simon!!  :P  ;D


And of course it wasn't YOU !!!  ;)
Title: Re: My Details ??
Post by: Clive on March 07, 2004, 12:28
Netsky spread so fast that many people caught it before the antivirus updates came out Michelle.  Like DJ, you may have been one of the unlucky ones.  The payload merely involved causing your computer to make a series of beeps for a couple of hours on March 2nd.  But of course it also harvested all the addresses on your computer and sent copies of itself to everyone.   :'(
Title: Re: My Details ??
Post by: Michelle on March 07, 2004, 12:35
oh !! Well I understand that with the first one, but not the second one?

Ah well, thanks for the info Clive.
Title: Re: My Details ??
Post by: Michelle on March 07, 2004, 20:49
AVG found another one on my puter today - ahhh

I-worm/klez.h ???

whats it all about alfie?

Title: Re: My Details ??
Post by: Adept on March 07, 2004, 21:32
Do you have AVG set up to scan your email Michelle? That's assuming that you use Outlook or Outlook Express which are the only email clients that AVG supports.

Another possibility is that these files are in a temporary folder and AVG has been set up not to scan this folder in its on-access rather than scheduled checking.

Whatever it is, I would boot in safe mode and run a full scan just in case :o
Title: Re: My Details ??
Post by: Clive on March 07, 2004, 21:37
Oh klez.h is a real nasty bit of work and I used to get up to a dozen a day when it was at its height back just over a year ago.  It only goes to show that it's still going around after all this time.  The big problem that you have is that your children use your computer which means that you are not in total control over what gets downloaded.  They could even bring an infected floppy disk home from school and unknowingly contaminate your machine.  The only thing you can do is to make sure that you keep ahead of the game with regular updates and patches.
Title: Re: My Details ??
Post by: Simon on March 07, 2004, 21:46
Quote
The big problem that you have is that your children use your computer which means that you are not in total control over what gets downloaded.  They could even bring an infected floppy disk home from school and unknowingly contaminate your machine.  The only thing you can do is to banish the kids from ever touching the computer again, under threat of forcing them to eat cold sprouts for breakfast for a week, and to sleep in the cupboard under the stairs.  Again.


You're all heart, Clive.   ;D ;D ;D
Title: Re: My Details ??
Post by: Michelle on March 08, 2004, 12:43
Firstly :lol: to Simon!!! And to Clive hmmm there's a thought!!

My email comes through Incredimail now, I think ZoneAlarm checks that?  Does it check for viruses? Now I'm not sure. But still I thought you had to open the attachments.

I was gonna put Mailwasher on again, but I've lost it lol where is that again Simon please? will that do it?

I did do a scan with restore off but not in safe mode, how do I start in that again? It's been years since I needed to do that.

Thanks guys for all your help and info  :-*
Title: Re: My Details ??
Post by: Sandra on March 08, 2004, 12:46
Press F8 repeatedly Michelle, as the PC is rebooting, just after the POST beep :)
Title: Re: My Details ??
Post by: Michelle on March 08, 2004, 12:50
oh yeah that's it lol thanks Sandra  :) I'll set it going now and it can run while I'm back at work.  ;D

I did it and it found I-worm/netsky B this time!

 :o :o
Title: Re: My Details ??
Post by: Michelle on March 08, 2004, 15:58
The last three were found in C:\Windows\Application Data - is that important?
Title: Re: My Details ??
Post by: Simon on March 08, 2004, 16:42
Depends which Application the Data is about, Michelle.   :-\  Can you quarantine them for now, until one of the techies shows up?

I think the problem might be that AVG doesn't support Incredimail, Michelle, therefore your incoming mail is not being checked for viruses.  The only solution is to use OE or Outlook, or get another anti-virus program which supports Incredimail.  Norton definitely does.   ;)

I also thought that you had to open the attachments to launch the virus.  Perhaps AVG is detecting that they are present on your system, but haven't actually been activated?  Dunno, just guessing.   :-\

I now use Pop Tray, which I find better than Mailwasher, as it's free and you can have as many accounts as you like.  I've put links to both below for you.   ;)

Pop Tray (http://www.poptray.org)
Mailwasher (http://www.mailwasher.net)
Title: Re: My Details ??
Post by: Michelle on March 08, 2004, 16:59
hmmmm it does say it has deleted them now, I will do another check just to be sure.

And thanks for the links I'll try Pop Tray then  :)  ;D
Title: Re: My Details ??
Post by: Adept on March 08, 2004, 18:32
Quote
I also thought that you had to open the attachments to launch the virus.  Perhaps AVG is detecting that they are present on your system, but haven't actually been activated?


If your IE security patches aren't up-to-date, you can get infected by an attachment simply by viewing the message.

I think you are right Simon, but it is worrying that the viruses have been found in C:\Windows\Application Data :o

Did you mean C:\Windows\Application Data\temp Michelle?

Title: Re: My Details ??
Post by: Michelle on March 08, 2004, 19:39
oh it could be Data\temp, Adept, I couldn't actually see the end of the file name on the record sheet. ::)

okay right, well I'll check everywhere for updates then anyway.

Ta  :)
Title: Re: My Details ??
Post by: Michelle on March 09, 2004, 16:31
that was a mistake........ not been able to connect since I wrote that message !!

lol  Windows updates confused me and I deleted COM3 which connects me to the internet lol - anyway it's all sorted now, but it is acting funny and something odd comes up on the first start-up screen now........ I'll keep you posted on another thread if I have probs - I know you can't wait lol

 :P  ;D  ;D  :D
Title: Re: My Details ??
Post by: Michelle on March 09, 2004, 18:29
oh it's me again, chatting on this thread all alone :lol:

Would I need poptray if I was to get Norton then?

 ::)  ;)
Title: Re: My Details ??
Post by: Simon on March 09, 2004, 19:17
Pop Tray allows you to preview your mail before you download it, Michelle (like Mailwasher), and will alert you of any attachments, which you can delete from the server, if suspicious.  It also has configurable spam detection.  It's not a virus scanner though, so Pop Tray and Norton both do different jobs.   :)
Title: Re: My Details ??
Post by: Michelle on March 09, 2004, 23:52
oh it's all so confusing ...... I am blonde you know :lol:

Title: Re: My Details ??
Post by: Michelle on March 10, 2004, 17:30
Got another one today !  I don't like having worms :lol:


Right downloading popthing now.

This one was in C:\Recycled\NProtect\0000 .........
is that the recycle bin? wonder how it got there?

Oh and the other ones were in
C:\Windows\Application Data\IM\Identities\blahblah

Which I assume is where attachments go, funny thing is there were some attachments in there that I've never seen? ......... I deleted everything in there now lol god knows what they were, but still ......
Title: Re: My Details ??
Post by: Simon on March 10, 2004, 17:58
C:\Windows\Application Data\IM\Identities\blahblah is Incredimail Michelle, and is probably your default profile.

C:\Recycled\NProtect\0000... does sound like Norton Recycle Bin, and it probably got in there when you deleted a file which was infected.  Norton Recycle Bin hangs onto files you have deleted from your Recycle Bin, in case you want to recover them.  You can empty NRB by right-clicking it and selecting Empty Norton Protected Files.  I think it deletes them automatically after a few days or weeks, whichever it is set to.

Title: Re: My Details ??
Post by: Michelle on March 10, 2004, 18:25
Okay thanks Simon, hmmmm wonder if I deleted something I needed there then lol  

Title: Re: My Details ??
Post by: Simon on March 10, 2004, 20:21
Well, if you've buggered up Incredimail, it will simply be a matter of re-installing it.  Dunno about the other thing though.   ;D
Title: Re: My Details ??
Post by: Michelle on March 11, 2004, 17:30
Well it all seems to be working fine, don't think I have this pop thing set up right though, when I click on it it opens up Incredimail? I set it to check emails and it doesn't seem to do anything.

:lol:

fingers crossed though no virus today so far anyway!  ;D
Title: Re: My Details ??
Post by: Michelle on March 11, 2004, 18:00
Oh looks like I need a plug-in   ::)

oooh but which ones? pop and hotmail?
Title: Re: My Details ??
Post by: Simon on March 11, 2004, 18:45
You need a plug-in for it to check your Hotmail account.  When you say it launched IM (Incredimail), that's what it's supposed to do, if that is your default e-mail client.  You probably need to go through the Options menus, and make sure it's ticked to check for new mail on start-up, and to check every so many minutes.  It should only launch IM when you tell it to by pressing the Run e-mail client button.

Hope that helps.   ;)
Title: Re: My Details ??
Post by: Michelle on March 11, 2004, 21:13
hmmmm yes it does that Simon, but it doesn't get any of my mail in that little box. Is that where I am supposed to check it? Yes I had it checking email but it didn't lol I had email in there but it didn't tell me I did.  ....... My NTL account doesn't like just POP3 I think it's popsomething lol oh I dunno do I - am I brunette ........ well officially yes!   >:( ;D :-\
Title: Re: My Details ??
Post by: Simon on March 11, 2004, 22:52
Sorry Michelle, but you've lost me completely!  :o
Quote
hmmmm yes it does that Simon, but it doesn't get any of my mail in that little box.


To which 'little box' are we referring?  You need to set up the accounts like you would any other e-mail client, with POP server details, user name, password, etc.  I can't understand why it wouldn't work if these are set up correctly.  Is your NTL account not POP3?  I think you said you used to use Mailwasher - how did you set it up with that?
Title: Re: My Details ??
Post by: Michelle on March 12, 2004, 12:45
Sorry Simon, :lol:  

It's not set up correctly - I will have another look at it today.

I never did install Mailwasher.  8)