VIRUS WARNING

Thread starter: TC
I received an e-mail from one of the lads on the Board yesterday.......lol.....nothing unusual there.......BUT......my virus checker detected a virus in it. The mail had no text in it, but it did have an attachment of about 70k.

Turns out it was a virus....."WORM_MATABUTU".

May have been an isolated case, but just be careful about what you're opening.......you never know !!!
 
A bit more information for you........

NOTE: The attachment I received was in the .zip form........


6/28: Mota May Arrive As Attachment
June 28, 2004
W32/Mota.worm may arrive as an e-mail file attachment, the attachment being either a .scr, .pif or .zip file. When the attachment is executed (manually), it runs silently; no GUI message boxes are displayed.

It copies itself to the Windows directory (normally C:\WINNT) using variable filenames and also drops a .dll file.

E.g. on a Windows 2000 system:

c:\WINNT\btwain.dll (39.936)
c:\WINNT\btwain.exe (27.136)
c:\WINNT\rbtwain.dll (39.936)
c:\WINNT\rbtwain.exe (27.136)

Other filenames include:

moricons.dll
bmoricons.exe
iwinsock.dll
iwinsock.exe
qsnmpapi.dll
wsnmpapi.exe
xbmoricons.dll
xhidci.exe

To launch itself at system startup it creates a registry entry under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
with variable value names, for example "winupd",
and variable data that calls a regular system .exe to load the malicious .dll, for example RUNDLL32.EXE c:\winnt\rbtwain.dll,_mainRD, where rbtwain.dll is the malicious file.

Text inside the worm included [mobutu.a] 05-2004.
 
Well, it has to be said that the virus came from me.
Well, I should have put it better than that: it came from my computer.
I am waiting for the final result from my son on where it came from originally. I hope he can get this info for me as I am gutted that a mate got a crap e-mail like that. If I do find out who sent it, watch out, cos my mate will get you.

Jim.
 
A while back, Tony, I received an email from nesa@site . . . . . .
and there was an attachment which was identified as a virus. ;)
 
Jim, I'm sure it didn't come from anyone we know lol. It looks pretty much similar to one that was doing the rounds a while back, Yaha or something it was called. Once you open it unintentionally it latches on to your address book and sends itself without you knowing. I had the misfortune to get that one :( You can normally go to Symantec's web site and download the removal tools. Forewarned is forearmed, as they say.
 
Well, it gets stranger. The said e-mail might have had my name on it, but it did NOT originate from my PC. After extensive searching there is no trace of it anywhere. Going to have to change a few things, methinks.

Jim.
 
Most viruses/spam might tell you where they came from, but seldom originate from that address.

It's called spoofing: the server that sends out spam, or the code in the virus, changes the email headers to give misinformation as to the origin, making them nigh on impossible to track down.

If you view the source of the email in your mail application you should see something like:

From [email protected] Fri Jan 14 19:50:46 2005
Return-Path: <[email protected]>
Received: from aamta01-winn.mailhost.ntl.com ([212.250.162.8])
by mta09-winn.mailhost.ntl.com with ESMTP
id <20050114194557.HLXN22154.mta09-winn.mailhost.ntl.com@aamta01-winn.mailhost.ntl.com>
for <[email protected]>; Fri, 14 Jan 2005 19:45:57 +0000
Received: from grupoimpresa.com ([217.172.70.98])
by aamta01-winn.mailhost.ntl.com with ESMTP
id <20050114194557.XUXB15415.aamta01-winn.mailhost.ntl.com@grupoimpresa.com>
for <[email protected]>; Fri, 14 Jan 2005 19:45:57 +0000
Received: from 217.172.70.182 (broadred70182.broadred.net [217.172.70.182])
by grupoimpresa.com (Postfix) with SMTP id 073DBA67CBF;
Fri, 14 Jan 2005 20:22:53 +0100 (CET)
Message-ID: <[email protected]>

The Message-ID at the bottom and the Return-Path at the top are your clues, although the Return-Path can be spoofed as well, so you need to look at the paths in the Received bit as well.

Have a look and let me know what you can see, and I'll have a bit of a hack, er, I mean investigate, for you if you want.
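To make the "read the Received lines from the bottom up" advice concrete, here is a small added example (not part of the original thread) that unfolds the header block posted above and walks the relay chain oldest-first, so the IP the first relay recorded, the best clue to the real sender, comes out on top. The header text is reconstructed from the post with the redacted addresses left as the "[email protected]" placeholders.

```python
import re

# Constructed sample: the headers quoted in the thread, re-folded with RFC 822
# continuation indentation; addresses stay as the placeholders the page shows.
SAMPLE_HEADERS = """\
Return-Path: <[email protected]>
Received: from aamta01-winn.mailhost.ntl.com ([212.250.162.8])
 by mta09-winn.mailhost.ntl.com with ESMTP
 id <20050114194557.HLXN22154.mta09-winn.mailhost.ntl.com@aamta01-winn.mailhost.ntl.com>
 for <[email protected]>; Fri, 14 Jan 2005 19:45:57 +0000
Received: from grupoimpresa.com ([217.172.70.98])
 by aamta01-winn.mailhost.ntl.com with ESMTP
 id <20050114194557.XUXB15415.aamta01-winn.mailhost.ntl.com@grupoimpresa.com>
 for <[email protected]>; Fri, 14 Jan 2005 19:45:57 +0000
Received: from 217.172.70.182 (broadred70182.broadred.net [217.172.70.182])
 by grupoimpresa.com (Postfix) with SMTP id 073DBA67CBF;
 Fri, 14 Jan 2005 20:22:53 +0100 (CET)
Message-ID: <[email protected]>
"""

def unfold(raw):
    """Join continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

# "from <claimed host> (<what the receiver actually saw>) ... by <receiving host>"
HOP_RE = re.compile(r"^Received:\s*from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_chain(raw):
    """Hops oldest-first as (claimed sender, IP the receiver logged, receiving host).
    Each relay prepends its own Received line, so the bottom one is the earliest."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if m:
            ip = IP_RE.search(m.group(2) or "")
            hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    return list(reversed(hops))

def origin(raw):
    """IP logged by the first relay: the sender chooses From/Return-Path, but not
    what the first honest relay records about the connecting address."""
    chain = received_chain(raw)
    return chain[0][1] if chain else None
```

Any Received line below the first relay you trust could itself have been forged by the sender, so the chain is only as reliable as the earliest hop you can vouch for.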
 
As a rule I never give my email address out, and I certainly wouldn't leave it on a "profile" on an open forum; there's a perfectly reliable "personal message" service on here where you could PM someone your email address. This is probably nowt to do with TC/Jim's virus, just a bit of advice.
 
If you do want to post your email addy on a web page/forum, the way to do it is to falsify it in some way so anyone with half a brain can use it, yet all the spam bots, which run around the net automatically hoovering up email addresses, can't use it:

[email protected]

Just remove the obvious bit.
 