Fw: "NEW VIRUS INFORMATION."

I received this from our internet service provider and thought some of you
wouldn't mind getting this even though it is not structural engineering
related.  I will never understand why anyone would want to spend their time
making viruses - maybe it is the virus protection software manufacturers
that do it.
Ken
-----Original Message-----
From: Enter.Net Administrator <sysadm(--nospam--at)enter.net>
Date: Wednesday, December 01, 1999 10:06 AM
Subject: ATTENTION ENTER.NET USERS "NEW VIRUS INFORMATION."


>Greetings,
>
>The following information is about a new virus that just came out
>called "Mini-Zip."  Please read the following information about the
>virus. There is also a link to download and remove the virus from
>your system if you are infected.
>
>If you get an e-mail with the following information in the body:
>
>"I received your email and I shall send you a reply ASAP.
>Till then, take a look at the attached zipped docs. "
>
>DO NOT OPEN THE ATTACHMENT (zipped_files.exe) OR YOU WILL ACTIVATE
>THE VIRUS ON YOUR SYSTEM!
>
>The virus is a 32bit worm that travels by sending email messages to
>users.  It drops the file explore.exe and modifies either the WIN.INI
>(Win9x) or modifies the registry (WinNT).
>
>The worm is attached with the filename "zipped_files.exe" as the attachment,
>with a file size of 120,495 bytes. The file has a Winzip icon which is
>designed to fool unsuspecting users to run it as a self-extracting file. If
>the attachment is run, the user will see a fake error message, as follows:
>
>"Cannot open file: it does not appear to be a valid archive. If this file is
>part of a ZIP format backup set, insert the last disk of the backup set and
>try again. Please press F1 for help."
>
>Systems with full access shares on a network could experience the worm
>creating a copy of itself in two folder locations, and two file names. A
>file named "EXPLORE.EXE" will be copied to Windows\System folder and a file
>"_SETUP.EXE" is copied to the Windows folder. On these systems, if the OS is
>Windows 9x, the WIN.INI is modified with:
>
>[windows]
>run=c:\windows\explore.exe  (or)  _setup.exe
>The value will switch between _setup.exe and explore.exe per reboot. On the
>startup of Windows, it will load this file thereby infecting the system.
>This worm will only try to infect such systems once, whereas systems which are
>mapped drives are constantly attempted to re-infect.
>
>On Windows NT systems, the registry is modified with the following key
>addition:
>
>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
>run = explore.exe  (or)  _setup.exe
>The value will switch between _setup.exe and explore.exe per reboot.
>
>This worm does not self-check and prevent itself from loading more than once
>so it could have more than one task running. On Windows 9x and Windows NT, it
>is listed as a task by the file name running, such as "Explore" or "_Setup"
>or "Zipped_Files".
>
>REMOVAL:
>
>Windows 95/98
>
>1. Run the System Configuration Editor
>2. Select the Start menu from your desktop and Run SYSEDIT.EXE
>3. Select the C:\WINDOWS\WIN.INI window.
>4. In the line run =, remove listings that match either of these
>   run=C:\WINDOWS\SYSTEM\EXPLORE.EXE
>   run=C:\WINDOWS\_SETUP.EXE
>5. Select File > Save, then Exit.
>6. Select the Start menu and Shutdown -
>7. Choose Restart the computer in MS-DOS mode and click YES (This action
>   purges EXPLORE.EXE from system memory.)
>8. Once your PC is in DOS, type EXIT to return to Windows. (This action
>   reloads Windows without EXPLORE.EXE in memory.)
>9. In Windows, remove the file, EXPLORE.EXE, from your system
>10. Click Start > Find > Files or Folders
>11. In the Find: All Files dialog box, type EXPLORE.EXE in the Name field
>12. Click Find Now
>13. Delete EXPLORE.EXE
>14. Repeat step 10 through 13 for both _SETUP.EXE and ZIPPED_FILES.EXE
>
>WinNT
>
>In Windows NT, this worm will run as a process by one of the following
>names - "explore", "zipped_f;", or "_setup;" in WinNT Task Manager. You can
>experience high CPU utilization when the process is running. End process
>names which match, noting that "explorer;" is the default Windows shell and
>is a valid task!
>
>Run the WinNT Registry Editor - Click Start > Run > Open REGEDIT (not
>REGEDT32).
>Locate the hive
>[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows].
>Highlight the following key "run=C:\WINNT\System32\Explore.exe" and remove
>by pressing the Delete button.
>3. Edit WIN.INI and remove either of these lines if they exist
>run=c:\winnt\system32\explore.exe
>run=c:\winnt\_setup.exe
>Restart Windows NT - Click Start > Shutdown. Select Restart and click OK.
>(Your system will now reboot.)
>Remove the file, EXPLORE.EXE, from your system
>Click Start > Find > Files or Folders
>In the Find: All Files dialog box, type EXPLORE.EXE in the (Named) field
>Click Find Now - delete EXPLORE.EXE
>Repeat Step 6 through 9 for _SETUP.EXE and ZIPPED_FILES.EXE.
>
>You can also get a fix from the following link:
>
>http://www.nai.com/asp_set/anti_virus/avert/tools.asp
>
>Just download Killezip.exe and save it to your disk
>
>Overview:
>KILLEZIP.EXE is a utility to remove instances of the W32/ExploreZip.worm and
>W32/ExploreZip.worm.pak virus. Its function is to terminate the process
>running, delete the associated files, repair the registry and fix the
>WIN.INI entries. A description of this worm is available from the Virus Info
>Library page at http://vil.nai.com.
>
>
>
>Regards,
>
>Enter.Net, Inc.
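The WIN.INI check and cleanup that the forwarded advisory walks through by hand can be scripted. The following is an added example, not part of the original message or of any vendor tool: it looks only at `run=` inside the `[windows]` section, matches on the three file names the advisory gives, and leaves look-alike names such as `EXPLORER.EXE` untouched. The function name, the sample file contents and `CLOCK.EXE` are constructed for illustration.

```python
import ntpath
import re

# File names the advisory attributes to the worm (matched case-insensitively).
WORM_NAMES = {"explore.exe", "_setup.exe", "zipped_files.exe"}

# Constructed sample: an infected Windows 9x WIN.INI that also starts a
# harmless program, plus a run= key in another section that must be ignored.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\SYSTEM\\EXPLORE.EXE C:\\TOOLS\\CLOCK.EXE\n"
    "\n"
    "[Desktop]\n"
    "run=_setup.exe\n"
)


def scan_win_ini(ini_text):
    """Return (hits, cleaned_text) for run= entries in the [windows] section."""
    hits, out, section = [], [], None
    for line in ini_text.splitlines():
        stripped = line.strip()
        header = re.fullmatch(r"\[(.+)\]", stripped)
        if header:
            section = header.group(1).strip().lower()
        key, sep, value = stripped.partition("=")
        if section == "windows" and sep and key.strip().lower() == "run":
            # run= can list several programs; split on spaces or commas
            # (assumes 8.3-style paths without embedded spaces).
            keep = []
            for target in re.split(r"[,\s]+", value.strip()):
                if ntpath.basename(target).lower() in WORM_NAMES:
                    hits.append(target)
                elif target:
                    keep.append(target)
            line = "run=" + " ".join(keep)
        out.append(line)
    return hits, "\n".join(out) + "\n"


if __name__ == "__main__":
    found, cleaned = scan_win_ini(SAMPLE_WIN_INI)
    print("suspicious run= targets:", found)
    print(cleaned)
```

Matching on the base name rather than a substring is what keeps the legitimate shell, `EXPLORER.EXE`, from being flagged, the same distinction the advisory draws for Task Manager.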