<CT> Re: calmira_tips Digest V3 #138

  • From: GLENNRPH@xxxxxxx
  • To: calmira_tips@xxxxxxxxxxxxx
  • Date: Thu, 10 Oct 2002 13:03:32 EDT

In a message dated 02-10-10 02:59:03 EDT, you write:

<< Reid,
 > Er, uh Glenn, Gaby, what are the symptoms of this particular worm? 
 I can only tell you how you can detect it manually: It generates an 
 EXE file (about 50k in size) with a random 4 letter name and copies it 
 to the system directory. There'll also be a registry key in 
 Version/RunOnce which launches this exe file. As for the symptoms, 
 look here: http://vil.nai.com/vil/content/v_99728.htm
 > loss.  I doubt I'm infected.  I'm using XP Pro SP-1.
 Does it run Calmira? ;-)
 Anyway, there must be somebody in this list who *is* infected >>

Reid, Gaby...
Other great sites for information on malware are www.symantec.com
and www.f-prot.com.  Full information on W32.Bugbear@mm (the
latest in a line of mass-mailer email trojans) is on the Symantec
Antivirus Research Center pages.  In addition to the effects Gaby
has detailed, Bugbear also grabs random text from messages in
an infected machine's Lookout email boxes, then uses one of the
stored email addresses in the address book to forge the "From"
headers.  The worm will re-write to the registry in the "run-once"
field almost each time, so that the worm will constantly attempt
to run when an infected machine is booted.  It has its own SMTP
server which it uses to send copies of itself to email addresses in
the infected machine's address book(s).  As mentioned, with WinXP,
Me and other 9X machines with any sort of "System Restore" capability,
the user must disable the system restore before the trojan can be
removed successfully.
As for infecting and running Calmira...no chance!  Not even a Win3X
machine with "Win32s" installed will run the worm, can't even run
the removal tools, since the processes they call are not compatible
with Win32s on Win3X...Win3X does not have enough system resources
available for another thing.  So, as I recommended before, if anyone on
the list also uses Win9X, you need to scan your computer with an 
up-to-date antivirus scanner.  You may also need to boot the computer
into "Safe Mode" for this and for any removal needed.
See you later!
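
The manual check described in the quoted reply (a RunOnce value that launches an EXE of about 50k with a 4-letter name in the system directory), written as an added example that is not part of the original message. The size tolerance, the function names and the sample data are assumptions; the inputs would come from an export of the RunOnce key and a listing of the system directory.

```python
import ntpath
import re

# Heuristics from the thread: a 4-letter .exe name, located in the system
# directory, roughly 50 KB in size, launched from a RunOnce value.
NAME_RE = re.compile(r"^[a-z]{4}\.exe$", re.IGNORECASE)
SIZE_RANGE = (40_000, 60_000)  # assumed tolerance around "about 50k"


def command_target(command):
    """Return the executable path from a RunOnce command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage(runonce, file_sizes, system_dir):
    """Flag RunOnce values matching all three heuristics.

    runonce:    {value name: command line} exported from the RunOnce key
    file_sizes: {full path: size in bytes} for files in the system directory
    Returns a list of (value name, target path, size) tuples.
    """
    sizes = {ntpath.normcase(ntpath.normpath(p)): s for p, s in file_sizes.items()}
    sysdir = ntpath.normcase(ntpath.normpath(system_dir))
    hits = []
    for value, command in runonce.items():
        target = ntpath.normpath(command_target(command))
        if not ntpath.dirname(target):  # bare file name: assume system dir
            target = ntpath.join(system_dir, target)
        folder, base = ntpath.split(ntpath.normcase(target))
        size = sizes.get(ntpath.normcase(target))
        if (folder == sysdir and NAME_RE.match(base) and size is not None
                and SIZE_RANGE[0] <= size <= SIZE_RANGE[1]):
            hits.append((value, target, size))
    return hits


# Constructed sample data, not taken from a real machine.
SAMPLE_RUNONCE = {
    "qzxv": r"C:\WINDOWS\SYSTEM\qzxv.exe",
    "Setup": r'"C:\Program Files\Vendor\setup.exe" /cleanup',
    "sync": r"C:\WINDOWS\SYSTEM\sync.exe",
}
SAMPLE_FILES = {r"C:\WINDOWS\SYSTEM\QZXV.EXE": 51_200,
                r"C:\WINDOWS\SYSTEM\SYNC.EXE": 12_288}

if __name__ == "__main__":
    print(triage(SAMPLE_RUNONCE, SAMPLE_FILES, r"C:\WINDOWS\SYSTEM"))
```

A hit is only a lead for the antivirus scan recommended above; legitimate programs can also have 4-letter names.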