Virus

[The Mic]

I got 2 viruses from [email protected]

i clicked on this link http//members.lycos.co.uk/hmh2004/nissaninfiniti505.bat (i know i shouldnt have)good thing my NAV deleted them. anyone else get this in their mail??

[IvoryJ30t]

im checking. i wonder if this is related.

may be an opportunity to nail the *******.

a bat file is a batch of commands. did you see what the commands were? [probably deletes folder/files from %systemroot%]

[IveBeenBad]

yeh a .bat file basically tells DOS to run the commands listed in the file. Its actually pretty neat. I used it to whip up a small .exe to copy files to a server.

[IvoryJ30t]

i downloaded the file, and its not a batch file. [it has a .bat extension, but it is not correct]

its part binary, part ascii.

wierd. i figure at most, it would crash the computer.

what did you AV program identify it as?

i think the arabic lettering on the site is supect.

[The Mic]

C:\Documents and Settings\none-1\Application Data\Mozilla\Firefox\Profiles\default.aku\Cache\1B0C6B37d01

thats where my NAV picked it up. it identified it as a Bloodhound.W32.EP virus

[jdmfreak]

Damn! All this computer talk is giving me a headache.

[IveBeenBad]

Damn! All this computer talk is giving me a headache.

Well first you take the Motherboard and introduce her to the Fatherboard and then they make a Daughterboard...

[IvoryJ30t]

thats wierd. at most, that file would have crashed the computer.

NAV with definitions dated 8/20/04 did not detect anything unusual with the batch file.

NAV is working properly, as verified by the EICAR test string [ i keep the test string handy because im paranoid. hardware and software firewall...]

[jmattick]

While it's been a long time since I posted, I also recieved this...

It isn't the correct file extension, I think it is supposed to be .exe instead of .bat

It has something to do with networking, because in the beginning of the file, it is supposed to open ports to allow connections, somewhat like the blaster worm, that went around a few months ago. I ran a few online scans, and it didn't detect it as anything.

I have a feeling this is someones poor excuse at coding.

EDIT: I decided, to change the file extension from .bat to .exe. This time, I think I found out what the person who wrote the virus was trying to do. It changed the icon from that of an .exe to a image file icon associated with Photoshop.

I re-scanned it, found nothing. I'm half tempted to run the file, just to see what happens, but I won't, cause I don't have a test machine here.

[The Mic]

The compressed file BlackBox.class within C:\Documents and Settings\none-1\Local Settings\Temp\jar_cache4473.tmp is infected with the Trojan.ByteVerify virus.

The compressed file Dummy.class within C:\Documents and Settings\none-1\Local Settings\Temp\jar_cache49509.tmp is infected with the Trojan.ByteVerify virus.

The compressed file Dummy.class within C:\Documents and Settings\none-1\Local Settings\Temp\jar_cache4473.tmp is infected with the Trojan.ByteVerify virus.

The file C:\WINDOWS\SYSTEM32\svc.exe is infected with the Backdoor.Madfind virus.

The compressed file VerifierBug.class within C:\Documents and Settings\none-1\Local Settings\Temp\jar_cache4473.tmp is infected with the Trojan.ByteVerify virus.

All automatically deleted after a full system scan.

[IvoryJ30t]

i was thinking it might have been mis-extensioned, but i cant figure what might be correct.

way too much ascii text to be executable.

[jdmfreak]

Well first you take the Motherboard and introduce her to the Fatherboard and then they make a Daughterboard...

Oooooooooohhhhh......Now I get it.:thinker

[(jd)]

I hate viruses... waste of time:)

[PhaneSoul]

i also got this e-mail......

[The Mic]

LOL this is what teh email consisted of:

From : [email protected] <mailto:[email protected]>Sent : Saturday, August 21, 2004 5:32 AMTo : [email protected]Subject : hi all

it msn club new

General Chat

http//members.lycos.co.uk/hmh2004/nissaninfiniti505.bat

welcome

[jmattick]

I recieved the same thing.

Here's what I did. I submitted the file to Trend Micro.

Case Number: 0820048342

That should allow them to figure things out from here.

Edit: After checking out the Full Headers of the message. I have this info from the IP.

Anyone else who reads the headers will also notice that they spoofed the headers from teksolvers.com. Now, visit teksolvers.com; you'll notice it takes a bit of time to load, and then it loads a page. Now, wait 5 mins, then press enter on the address bar, reloading the webpage. You'll see a completely different webpage. It's is using a redirect script on the domain name's server.

But... You'll notice, from the hacked thread, that teksolvers take care of NICO's server, etc.

My guess is this is the same person, and they have gotten access to Tekserver's mail server & webserver.

[(jd)]

Damn I just deleted it

[AZhitman]

Good work guys!

I'm forwarding this info to them.

[silkk]

i got 2 emails and checked the forums to make sure before clicking it

oh and i deleted msn. and and! "it msn club new"

[Cold_Zero]

I feel left out, I didnt get it.bud

[ilovedrifting]

I got it, deleted just a second ago

[ilovedrifting]

it prolly came from those bastards who hacked us

[[Zero-S]]

I didn't get it, cox filtered it automatically

[w1ngzer0]

Well first you take the Motherboard and introduce her to the Fatherboard and then they make a Daughterboard...

so true dude so true.

[NICOmom]

I got the email late last night and forwarded it to teksolvers. Hopefully they are as savy as you guys and were able to put a stop to this stuff. You guys are so cool!

[[Zero-S]]

See that! Mom praised us!

[IvoryJ30t]

I feel left out, I didnt get it.bud

i didnt get it either.

[jdmfreak]

^Ditto