Off-topic: Info on the virus being sent to this list.

From: Kutulu
Subject: Off-topic: Info on the virus being sent to this list.
Date: Thu, 4 Jan 2001 19:30:26 -0500

Several people seem to have been infected by the virus that has been sent to
this list every day for the past 3 weeks or so.  In case you may be one of
them, here is what this virus does (at least, this is part of it), and how
to tell if you've been infected.

The virus infects 32-bit Windows systems, so any other users can stop
reading here.

When run, the program and/or screen saver will create a file in your
Windows\System directory.  At the next reboot, this file is renamed
WSOCK32.DLL, the 32-bit TCP/IP stack library for Windows.  The original,
existing copy of WSOCK32.DLL is gone forever; you will have to extract a new
copy from an original OS CD, or find someone who's not infected and get
their copy.

The replacement WSOCK32.DLL contains code to send an email with an attached
file (I am unsure how it determines where to send the mail, but it probably
involved the address book, which the original virus 'installer' searches for
when reproducing itself).  It doesn't appear to take any steps to hide its
origins, so for example, "Received: from adsl-80-132-16.msy.bellsouth.net
([] helo=mikes-computer)" should be a valid SMTP header, and if
that's you, you are infected!

The correct file size/date for the latest, clean copy of WSOCK32.DLL is:

WSOCK32  DLL        40,960  07-08-99 11:36a WSOCK32.DLL

The replacement file created by this virus is:

WSOCK32.DLL         65,554  07-08-99 11:36a WSOCK32.DLL

The replacement file appears to be nearly identical to the original file,
with the virus code appended to it.

Monitoring file, registry, and TCP access while running the original
attachment seems to indicate that the program does nothing when initially
run, so if you have run one of these things and NOT rebooted yet, edit the
WININIT.INI file (Start -> Run -> WININIT) and take WSOCK32.DLL out of the
[Rename] section, and delete whatever file was set up to replace
WSOCK32.DLL.  (On my system it was GLIHINGK; your mileage may vary...)
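The two checks above (a pending [Rename] entry in WININIT.INI, and a WSOCK32.DLL that is the clean file with code appended) as an added example, not code from the original post; the WININIT.INI below is constructed, and the assumption is the standard `dest=src` line format of that file's [rename] section:

```python
"""Defender-side checks for the WSOCK32.DLL replacement described above:
1. flag any WININIT.INI [rename] entry whose destination is WSOCK32.DLL
   (the replacement fires at next reboot, so this catches it beforehand);
2. classify a WSOCK32.DLL image against a known-clean copy, since the
   infected file is reported to be the clean file with code appended."""
from pathlib import PureWindowsPath

CLEAN_WSOCK32_SIZE = 40_960      # clean DLL size quoted in the post
INFECTED_WSOCK32_SIZE = 65_554   # replacement size quoted in the post


def parse_rename_section(ini_text):
    """Return (destination, source) pairs from the [rename] section.
    Each line is 'dest=src'; Windows renames src to dest at boot, and a
    dest of NUL means delete.  Hand-rolled instead of configparser because
    repeated 'NUL=' keys are legal in this file."""
    pairs, in_rename = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            pairs.append((dest, src))
    return pairs


def pending_wsock32_replacements(ini_text):
    """Rename entries that would overwrite WSOCK32.DLL at the next reboot."""
    return [(d, s) for d, s in parse_rename_section(ini_text)
            if PureWindowsPath(d).name.lower() == "wsock32.dll"]


def classify_wsock32(suspect, clean):
    """'clean' if identical to the known-good bytes, 'appended' if the
    clean file is an exact prefix of a longer file, else 'modified'."""
    if suspect == clean:
        return "clean"
    if len(suspect) > len(clean) and suspect.startswith(clean):
        return "appended"
    return "modified"


# Constructed sample WININIT.INI (not a real capture); GLIHINGK is the
# dropped-file name reported in the post.
SAMPLE_WININIT = """[rename]
NUL=C:\\WINDOWS\\TEMP\\~setup.tmp
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\GLIHINGK
"""
```

Running `classify_wsock32` on the on-disk DLL against a copy extracted from the OS CD, and checking its size against `CLEAN_WSOCK32_SIZE`, covers the post-reboot case.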

Trend Micro's online antivirus scanner (www.antivirus.com/housecall)
didn't detect any virus in the DLL, and it was able to run even with McAfee
Antivirus resident in memory.  I haven't been able to set up a completely
stand-alone system to watch the actual virus in action, so I don't know what
else it may do upon loading the DLL.

Hope this helps some of you find/fix this problem.
