Return to index: [Subject] [Thread] [Date] [Author]

Re: Virus Alert - TROJ_PLAGE2000.A

[Subject Prev][Subject Next][Thread Prev][Thread Next]
Dear SEAINT members:

Please read Dennis Wish's message carefully. This is a known virus. To read more about it and to learn how to remove it, please visit this address:

It appears to be coming from someone who may be subscribed to this list server. The only way that person's computer can get your email is when you make a post to this list or send him/her an email directly. As of yet, I have not seen it appear in any of the list server messages. Yet, as I said, you can still get it directly from the infected machine.

Hope this helps.


At 07:45 PM 2/13/00 -0800, you wrote:
A few hours ago I reported a replicating virus that I received through my
email last night around 1:25AM while I slept. The file arrives in the inbox
and replicates itself at a rate of 1 reply every second. If you automate
your email you are vulnerable. As I said, I received it as an attachment to
one of the emails received from the Listservice (I will notify the sender
separately in case the returned email I received which started the problem
was not from this individual but originated elsewhere).

I may have launched the virus without knowing as I tried to open one of the
attachments from someone I knew this morning. I ran a virus check on the
attachment as I always do, but this is a new strain which was not part of
the virus definition software. I found out about the virus after upgrading
the virus definition program (which I should have done five days ago).

The virus comes attached to e-mail's with different names - a different name
with each returned mail message.
Here is the result of the Virus program. Following are instructions for how
to remove it:

Virus found:  TROJ_PLAGE2000.A
Requested action:  Remove virus.
Result: Failed.  Virus removal failed for unspecified reasons.

As you will note, the virus failed to remove automatically. Here is how to
get rid of it.

The file name is INETD.EXE and is located in your Windows directory
(C:\Windows, C:\Win9x or whatever you call the directory where Windows is
located - generally c:\Windows). You can do a file find to locate the file.

The file appears to be a self-expanding archive file or application (EXE)
file. It actually launches two actions:

A) It modifies the Win.ini file to run automatically each time Windows
Starts. Therefore, you need to open your Win.ini file by clicking on the
following steps:
Enter "Win.ini" without the quotes and hit enter.

When Win.ini launches, look at the first five or ten lines. There is a line
preceded by the word:
Run =

If this line contains "Run = INETD.EXE" delete everything after the "=" sign
and save the Win.ini file. This will prevent it from autoloading.

2) Because the program is running during your windows session it probably
won't allow  you to delete the file until it is unloaded. Therefore, you can
do this one of two ways:

A) Reboot your machine and when you get back into Windows, locate the file
INETD.EXE using the Start/Find/Find File or Folder function.
        a) when it locates the file INETD.EXE, delete it.

B) Exit Windows to MS-DOS. Change to the C:\Windows directory (or wherever
you have Windows stored) and type:
DEL INETD.EXE <ENTER>     note: <enter> means to hit the Enter key.

This will delete the file. Upon rebooting, if you get an error message that
it can not find the file INETD.EXE - don't worry. It means you either forgot
to remove the occurrence from the Win.ini file or forgot to save the file
after you removed the Run statement.

I apologize if this caused any inconvenience to any of you whom I may have
sent email with an attachment. I checked my outgoing mails and found only
one that was sent privately - I think.
The virus appears to be intended to flood the Internet with useless emails
and try to shutdown your services by overloading the system. The file
INETD.EXE duplicates messages arriving through your email service and
automatically replicates the Returned Mail files containing the attachments.
As you continue to send, the growth of the email to the server (after others
receive and fall for this virus) appears to be a logarithmic scale.

Again, I am sorry for any inconvenience caused.

Dennis S. Wish, PE
Structural Engineering Consultant
(208) 361-5447 E-Fax