scroker wrote:

> I have heard of the spam mail virus that Shannon had mentioned. I heard the
> same thing, that it retrieves a couple of your files and then they sell

The chances of receiving that virus, or any virus for that matter, are pretty slim. Most viruses are very harmless. Anything dangerous doesn't last long. I use the cat/tiger analogy:

CATS: There are plenty of cats running around New York City, and they don't harm much, don't do much, and don't really affect people. They just reproduce and cause minor annoyances. No one really cares enough about them to get rid of them.

TIGER: How long would people stand for a tiger running around Manhattan?

MORAL: Anything that is dangerous is contained quickly.

It works the same with viruses. Besides, few people would forward this 60k virus-laden attachment to all of their friends just for the heck of it. The majority of internet users connect via modem, and to upload a file that size is a 2-3 minute proposition.

For those interested in viruses, read the description of this particular one below. If you have questions or concerns, please email me personally, as we need to move this discussion off of the FLML list...

*****

Name: PICTURE.EXE

Please note the current public name for this Trojan is Picture.EXE. McAfee Labs has named the Trojan "URLSnoop" and this is how it is detected in their products.

Symptoms and Pathology

This Trojan has been propagating through an email Spam. The user is sent a message with an attachment, and the following process can take place, if the EXE is run.

The program MANAGER.EXE - NOT Picture.EXE - is the initial dropper. When run it drops NOTE.EXE (identical to PICTURE.EXE) into the Windows sub-directory and adds NOTE.EXE to the RUN line in WIN.INI so that NOTE.EXE is run at system startup.

When NOTE.EXE is run it checks for the existence of a file $2321.exe in the windows folder.
If it does not exist, the program then tries to create a temporary file on C:\ called file0001.chk. If this succeeds it builds a list of .TXT and HTML files on the drive. The program repeats this for all drives (C:, D:, E:, etc) until it reaches a drive on which it cannot create the temp file (usually the CD-ROM drive). The list of files is then written to the file called $2321.dat and encrypted by adding 5 to each ASCII character. The program then exits.

The next time NOTE.EXE is run (next system startup) the program reads the file list from $2321.dat and looks inside all the files listed. It then appears to create a list of URLs from the user's "C:\Windows\Temporary Internet Files" sub-directory and writes them to another file called $4135.dat, also in the windows folder. This file is also encrypted (by subtracting 5 from each ASCII character). The program then exits.

If the user has AOL client software installed on the system, the program will also look inside the "C:\AOL\IDB\MAIN.IDX" file containing the user's cached username and password, presumably to send to the program's author.

The next time MANAGER.EXE is run, it attempts to send the files $2321.dat and $4135.dat to an Email address in China.

Cure

Detection for the Trojan can be found in NAI products. McAfee Labs recommends you delete the Trojan to remove it from your system.

From: http://www.mcafee.com/products/antivirus/picture_exe.asp
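
A triage check built from the artifacts in the description above, as an added example that is not part of the original message or of McAfee's write-up. It looks in one Windows directory for NOTE.EXE, the WIN.INI run line and the two .dat files, then reverses the +5/-5 shift so a responder can read which files and URLs were collected. Function names, the sample data and the wrap-around at 256 are assumptions.

```python
import os
import tempfile

# Artifact names come from the write-up above; each delta undoes the stated shift
# ($2321.dat is written as char+5, $4135.dat as char-5).
DROPPED_EXE = "note.exe"
DATA_FILES = {"$2321.dat": -5, "$4135.dat": +5}

def unshift(data: bytes, delta: int) -> str:
    """Undo the per-character shift (wrap-around at 256 is an assumption)."""
    return bytes((b + delta) % 256 for b in data).decode("latin-1")

def run_line_entries(win_ini_text: str) -> list:
    """Programs listed on the run= line of the [windows] section of WIN.INI."""
    section = ""
    for line in map(str.strip, win_ini_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and line.lower().startswith("run="):
            return line[4:].replace(",", " ").split()
    return []

def triage(windows_dir: str) -> dict:
    """Look for the artifacts in one Windows directory and decode the lists."""
    names = {n.lower(): os.path.join(windows_dir, n) for n in os.listdir(windows_dir)}
    report = {"dropped_exe": DROPPED_EXE in names, "run_line_hit": False, "decoded": {}}
    if "win.ini" in names:
        with open(names["win.ini"], encoding="latin-1") as f:
            report["run_line_hit"] = any(e.lower().rsplit("\\", 1)[-1] == DROPPED_EXE
                                         for e in run_line_entries(f.read()))
    for name, delta in DATA_FILES.items():
        if name in names:
            with open(names[name], "rb") as f:
                report["decoded"][name] = unshift(f.read(), delta).splitlines()
    return report

def build_sample(path: str) -> None:
    """Write a constructed (not real) set of artifacts for the demo."""
    files = {"WIN.INI": b"[windows]\r\nload=\r\nrun=C:\\WINDOWS\\NOTE.EXE\r\n",
             "NOTE.EXE": b"",
             "$2321.dat": bytes((b + 5) % 256 for b in b"C:\\DOCS\\README.TXT\nC:\\WEB\\INDEX.HTML"),
             "$4135.dat": bytes((b - 5) % 256 for b in b"http://example.com/")}
    for name, content in files.items():
        with open(os.path.join(path, name), "wb") as f:
            f.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(triage(d))
```

On a real system, point triage() at a copy of the Windows directory taken from the affected machine rather than the generated sample.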