Topic: Re:
Brad Bechtel Moderator From: San Francisco, CA
posted 26 November 2001 11:19 AM
Windows users: You've probably received an email from somebody in the last few days with the subject Re: (as if replying to a blank subject), with two or more attachments. One of those attachments will be something like New File.MP3.pif. When you open the email it asks if you want to open the attachment as well.
Never open an attachment from anyone unless you know what it is. This particular attachment is a Program Information File (PIF) which is actually a type of virus/worm. When opened, it will automatically infect your computer and send copies of itself to other people in your address book. Get some antivirus software and use it. Make sure you've run the Windows Update to download the latest security patches. I'm posting this here because I've received too many such emails in the last few days from people on this forum.
[This message was edited by Brad Bechtel on 26 November 2001 at 11:20 AM.]
b0b Sysop From: Cloverdale, California, USA
posted 26 November 2001 11:55 AM
This one seems to be spreading like wildfire among Forum members. I've received about a dozen copies of it so far today. The attachment has a variety of names, and the worm adds ".pif" or ".scr" to the end of it to trick the email client into running it. I have Outlook configured to not run attachments, so I haven't been infected. The worm changes the reply address of the email by prepending a '_' to it. This thwarts attempts to reply to it. I've been sending replies to infected users to warn them by removing the '_'.
------------------
-b0b- quasar@b0b.com -System Administrator
Jack Stoner Sysop From: Inverness, Florida
posted 26 November 2001 02:23 PM
I've got two different "virus" messages, after b0b alerted me. Both to my hotmail account but fortunately I was alerted and hotmail uses McAfee to scan all attachments so it was caught. I too have the security patches for Outlook 2000 and it won't let me open certain types of attachments plus I run Norton Antivirus on my PC so between the two anything like that should be caught.
Brad Bechtel Moderator From: San Francisco, CA
posted 26 November 2001 02:38 PM
Here's a link where you can find out more about this annoying worm and how to fix it.
[This message was edited by Brad Bechtel on 26 November 2001 at 02:39 PM.]
Al Marcus Member From: Cedar Springs,MI USA
posted 26 November 2001 09:58 PM
I have a virus which is Emailing out of my address book with my Email address. I have McAfee virus scan but it didn't work this time. I better find out what is the best protection I can get. Any Suggestions??...al
Skip Cole Member From: North Mississippi
posted 26 November 2001 11:05 PM
Al, guess i'll be ditching my McAfee Virus Stuff too. It didn't detect the viruses; one from you and one from another steeler. Same message-attachment. I will, most of the time, delete any attachments, this time i bit on them, duh. Thanks, Brad and the rest, for the links and info. God bless you all-------
------------------
"Steel is the real deal"
CrowBear Schmitt Member From: Ariege, - PairO'knees, - France
posted 26 November 2001 11:13 PM
i got hit by this virus or worm yesterday. b@mm is its name and it's got an mp3 attached. Now i'm in trouble.... thanks b0b for the warning. it came too late.
David Wright Member From: Modesto .Ca USA.
posted 27 November 2001 01:11 AM
Hi, I got it today, get rid of McAfee, My Norton picked it up for me, No harm done.... Get the Norton it really works well..
------------------
My Web Page Sierra S-12 9&7 Peavey-2000-PX-300
Ricky Davis Moderator From: Spring, Texas USA
posted 27 November 2001 03:06 AM
Click here to have the software that will remove all viruses and worms!! Ricky
Jeff Agnew Member From: Dallas, TX
posted 27 November 2001 09:19 AM
Brad said: quote: This particular attachment is a Program Information File (PIF) which is actually a type of virus/worm.
In the interest of accuracy, PIF files are not themselves viruses or worms but are Windows system files. Most recent viruses/worms hide as a system file. For example, the Badtrans worm disguises itself as either a .PIF or .SCR file.
Side note: Brad, I think we met years ago at a UCON. Are you still with MM?
Rick Aiello Member From: Berryville, VA USA
posted 27 November 2001 10:40 AM
Apparently this worm can infect your system even if you DON'T open the attachment.
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_BADTRANS.B
Just tryin' to help
Bill Ferguson Member From: Norcross, GA USA
posted 27 November 2001 10:57 AM
I opened the attachment but when I went to open the download, it disappeared. This was a couple of days ago, and I have not noticed any problems. Is it lurching somewhere on my machine waiting to strike? Bill
Jack Stoner Sysop From: Inverness, Florida
posted 27 November 2001 04:32 PM
Jeff Newman has it. I got the virus e-mail from him today. This one is striking pretty "good".
Rob van Duuren Member From: The Netherlands
posted 27 November 2001 06:14 PM
I too got a couple of *.*.pif att's. Of course i was foolish enough to try and open them. Now, I checked my 'address book', but i have no names stored in there. Does that mean the virus is harmless in my system? Rob.
Bob Bowden Member From: Vancouver, BC, Canada
posted 27 November 2001 11:06 PM
This might be purely coincidence or it might not be, no idea yet. I have been using Eudora for many years as my email client. Over the last couple days, I have received the "Re:" messages from a number of people but for some reason all the emails arrived without any attachment. Just a blank email and no virus.
Jeff Agnew Member From: Dallas, TX
posted 28 November 2001 08:40 AM
Rob said: quote: Does that mean the virus is harmless in my system?
No. You should remove this trojan from your system. It contains its own e-mail engine and has the potential to relay personal information and act as a back door to allow a cracker into your system. If you've opened or previewed this e-mail it has done damage. The attachment was not blank. It has already made alterations to your system - you just didn't see them occur. In particular, it does two bad things:
- In some instances it makes the following change to your Windows registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceKernel32 = kernel32.exe
- It deposits a keystroke recorder, kdll.dll, into your system and sends stolen info (such as your passwords, credit card info, etc.) to an e-mail address of the trojan writer's choosing.
If you don't have an anti-virus or anti-trojan utility, search your system for the above items and manually delete them. If you're unfamiliar with making changes to your Windoze registry, make a backup copy first before editing. You can seriously damage your computer's configuration by making mistakes in the registry.
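Added example, not part of the original thread: a small Python check for the two indicators Jeff lists, run against a registry export saved from RegEdit and a list of file paths. It assumes the run-together registry line means a value named Kernel32 under the RunOnce key; the function names and sample data are constructed for illustration.

```python
import re
from ntpath import basename  # Windows path rules, whatever OS runs the check

# File names from the post above. The genuine Windows library is kernel32.dll.
BAD_FILES = {"kernel32.exe", "kdll.dll"}
# Assumption: the post's run-together line is the RunOnce key; Run is checked too.
AUTORUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg exports escape backslashes and quotes with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (key, value name, data) for autorun values that start a listed file."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # section header: the registry key
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None or not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        parts = data.split()
        # Compare only the program's file name, ignoring folder and arguments
        if parts and basename(parts[0]).lower() in BAD_FILES:
            hits.append((key, name, data))
    return hits

def scan_file_list(paths):
    """Return the paths whose file name matches one of the worm's files."""
    return [p for p in paths if basename(p).lower() in BAD_FILES]

# Constructed sample input, not taken from any real machine
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Kernel32"="kernel32.exe"
'''
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\KERNEL32.DLL",
                r"C:\WINDOWS\SYSTEM\Kernel32.exe",
                r"C:\WINDOWS\SYSTEM\kdll.dll"]

if __name__ == "__main__":
    for key, name, data in scan_reg_export(SAMPLE_EXPORT):
        print(f"autorun entry: [{key}] {name} = {data}")
    for path in scan_file_list(SAMPLE_FILES):
        print(f"suspicious file: {path}")
```

A clean result only means these two names were not found; as the thread notes, there are several variants, so an up-to-date scanner is still the reliable check.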
Jim Smith Member From: Plano, TX, USA
posted 28 November 2001 02:14 PM
One of the infected emails I got was from Sierra, now today I get a legitimate email from them advertising some Christmas specials. I have never received an email from them before yesterday, could they be the source of the virus?!?
Michael Garnett Member From: Fort Worth, TX
posted 29 November 2001 03:03 AM
Jim- I doubt it. Most times they've just got you on a random e-mail list. They pass addresses around between them. Unsolicited e-mail is another can of worms entirely. Once you get on a list, the only way to get off of it is to shut down that email address and open up another. I probably get 5 to 10 pieces of mail I don't read every day. You might want to read up on this, if you don't already know about it. http://home.hyperlink.net.au/~chart/spam.htm
I've tried and tried to get off lists, contact the authorities at MSN, Hotmail, Yahoo, and everyone else, but they can't do anything about it either. Chances are, the Sierra e-mail is just because they've got you on a mailing list somewhere. Perhaps they got the virus in their computer, and you got it as a result of being on that list. That's all I'd say happened.
Garnett
Rob van Duuren Member From: The Netherlands
posted 29 November 2001 04:42 PM
Jeff Agnew, thanks for your help. I removed the *.dll, I couldn't locate runoncekernel32. I did however find 'Kernel32.exe' in windows/system, and it was written to disk the moment i first tried to read my e-mail attachment. For now i renamed it. Is it safe to remove it completely? Rob.
Jeff Agnew Member From: Dallas, TX
posted 29 November 2001 07:08 PM
Rob said: quote: I couldn't locate runoncekernel32. I did however find "Kernel32.exe"... Is it safe to remove it completely?
Yes, if you look at the registry key, the actual file name is to the right of the equal sign: "Kernel32.exe". You should go ahead and remove it. There are several variants of this worm, however, and there may still be some remnants left behind. To be certain it is completely removed from your system, you should use a good anti-virus or anti-trojan program. Also, don't forget to delete the registry entry if you haven't done so.
Joe Delaronde Member From: Selkirk, Manitoba, Canada
posted 29 November 2001 11:45 PM
Jeff, Can the KDLL.DLL file be found using the "search" function in the "start/find" menu? Will it search the registry? I tried this and it never found anything. I opened an email attachment which was supposedly empty. I'm using Norton and haven't had any warnings yet. Joe
Jeff Agnew Member From: Dallas, TX
posted 30 November 2001 09:40 AM
Joe said: quote: Can the KDLL.DLL file be found using the "search" function in the "start/find" menu? Will it search the registry?
Yes, you can find the DLL, if it exists, using the normal search function. But it won't search the registry. To do that, you'll need to launch RegEdit (Start/Run/regedit) and then use the "Edit/Find" menu item. However...
Standard Disclaimer
Before you make any changes to the registry, make a backup copy and rename it "registry.old". That way, if you screw up the registry you can delete it, rename the backup copy, and reboot.
Even better, get a copy of RegHance or Registry Editor Plus, which make backups and offer safety features designed to keep you from totally destroying your system. They also offer quite a bit more functionality than MS's RegEdit.
Joe Delaronde Member From: Selkirk, Manitoba, Canada
posted 30 November 2001 10:11 AM
Jeff, It worked. In the Registry window I exported the old registry file and named it "nov30". It was stored in the "My documents" folder. I then deleted the Kdll.dll file from the registry and re-booted. Searched for the virus file and it was gone. My computer is running good. Now I should delete the old file???? and make a new backup of the new registry??? Joe
John Gretzinger Member From: Northridge, CA
posted 30 November 2001 12:25 PM
I've been running PC-cillin from Trend Micro for a bit now and am very pleased with the results. I have it set up to automatically check for new updates every time I start the system. Over the last four days I've gotten three updates to the virus definition file and one to the scan engine. This level of automated protection has caught three hits of BadTrans and two others on my girlfriend's machine (we have three computers networked in the bedroom) in the past couple of days. This is now the standard antivirus software for my clients. I am very pleased. Panda is another program that offers automated updates, but I have not played with it yet. jdg
------------------
MSA D-10 w/Nashville 400 '63 Gibson Hummingbird 16/15c Hammered Dulcimer
Jeff Agnew Member From: Dallas, TX
posted 01 December 2001 12:45 PM
Joe said: quote: Now I should delete the old file???? and make a new backup of the new registry???
Good idea on both counts. And you really should have one of the advanced registry editing programs on hand just in case you ever need to make further changes. Glad you got your system cleaned out.