 sj |
||
|
||
Virus Alert Please Read
|
|
|
Subject: Virus Alert Please Read From: bill\sables Date: 19 Jul 01 - 04:14 PM I don't quite know what is happening but I have just has a number of emails returned which I never sent in the first place. These are from my Netcsape address. Included are Alice in Montana, Allan C, and Bert. I think someone has got into my address list soimehow and is sending these and they might contain a virus. Please don't therefore open any emails which seem to come from me with a netscape address Cheers Bill |
|
Subject: RE: Virus Alert Please Read From: bill\sables Date: 19 Jul 01 - 04:22 PM So far they only seem to have gone to people with names starting with A, B, and C. I will delete the entire address book to try to stop any others going out. Sorry about this. Cheers Bill |
|
Subject: RE: Virus Alert Please Read From: Jeri Date: 19 Jul 01 - 04:27 PM Bill, send me an e-mail. I can check what virus/worm you have and help you get rid of it. Click to e-mail me. Yes, I know what I'm doing. Plain text can't infect anything, and that's what I use. I also don't normally open attachements. Plus, if I get a message from you, I'll suspect it right off. If you don't want to do this, I'd recommend updating your virus protection software and running it. |
|
Subject: RE: Virus Alert Please Read From: bill\sables Date: 19 Jul 01 - 05:16 PM I recieved an email earlier today from Dick Greenhaus with an attachment. The message was as follows " I send this file in order to have your advice" When I opened the attachment it was a file about Spotlights on boats which I presumed was for one of Dick's nautical magazine articals. I then reciecved an email from Mike Cahill another mudcat member. I have phoned Mike and he said he didn't send it. I can only presume that the message from Dick contained a virus of some sort and it has taken over my netsccape account. So far it seems that my AOL account has not been affected I hope. All I can advise is for you not to open any attachment with the above message which seems to be sent from me. Thanks. Cheers Bill |
|
Subject: RE: Virus Alert Please Read From: Murray MacLeod Date: 19 Jul 01 - 05:34 PM Bill, I would investigate Sam Pirt if I were you. After all his web page does describe him as "irrestibly infectious" ! **BG** Seriously, I hope you get it cleared up, must be a real pain .... Murray |
|
Subject: RE: Virus Alert Please Read From: dick greenhaus Date: 19 Jul 01 - 05:42 PM Yes- I seem to have been smitten with a virus, which collects past E-mails and ships them out to random names from my address book. Bill described the text portion; there's also an attachment which has two consecutive filetypes (XX.zip.bat or something like that.) PLEASE DELETE ANY SUCH E-MAILS!! and please accept my apologies. dick |
|
Subject: RE: Virus Alert Please Read From: Jeri Date: 19 Jul 01 - 05:50 PM Bill, Dick and anyone else that got the "I send this file in order to have your advice" e-mail. You have something called "Sircam." Click here for the F-Secure virus description and help getting rid of it. |
|
Subject: RE: Virus Alert Please Read From: Jeri Date: 19 Jul 01 - 05:58 PM Basically, you'll need to download the thingie at the page above and run it. After that, you'll need to run an up-to-date anti-virus program. (This is a relatively new 'worm' and older programs probably won't recognise it.) F-Secure also have some free 'trial' anti-virus programs here. |
|
Subject: RE: Virus Alert Please Read From: bill\sables Date: 19 Jul 01 - 06:57 PM Thanks Jeri. Bill |
|
Subject: RE: Virus Alert Please Read From: Brakn Date: 19 Jul 01 - 07:13 PM I also got it. I can't open my mail "Outlook"....file missing...... Sirc32.exe: Will try your link Jeri |
|
Subject: RE: Virus Alert Please Read From: Jeri Date: 19 Jul 01 - 07:34 PM Please note - IMPORTANT:Don't delete the worm file 'sirc32.exe' before you run the program at the first link I posted. You will screw up your system.
According to the F-Secure site, what appears to happen is: The downloadable file at F-Secure should restore settings on your computer so Windows quits looking for the worm. After that, you can delete it. |
|
Subject: RE: Virus Alert Please Read From: bill\sables Date: 19 Jul 01 - 07:38 PM I just got another one with the same message from Allan C It seems we might all get it. Bill |
|
Subject: RE: Virus Alert Please Read From: Jeri Date: 19 Jul 01 - 07:52 PM I think you may be getting echoes. It went to everybody in Dick's address book. Allan C might have been in there, as well as Mike Cahill. Now Allan, Mike, and anyone else Dick sent it to could be unintentionally sending it to everyone in their address books. It's the attachment that's infectious. If you delete it without opening it, you shouldn't get infected.
|
|
Subject: RE: Virus Alert Please Read From: catspaw49 Date: 19 Jul 01 - 08:04 PM Received it this afternoon from dick g. Norton nailed it before I opened it. Spaw |
|
Subject: RE: Virus Alert Please Read From: Brakn Date: 19 Jul 01 - 08:17 PM By the time I got to Jeri's link I think I had already deleted the file. I couldn't get the downloadable file up and after trying for half an hour I rebooted and all seems to well. |
|
Subject: RE: Virus Alert Please Read From: Jeri Date: 19 Jul 01 - 08:19 PM Brakn, does the downloaded file work now? |
|
Subject: RE: Virus Alert Please Read From: Sorcha Date: 19 Jul 01 - 08:20 PM I haven't gotten it, but I downloaded and ran Jeri's file anyway. Will continue to check. |
|
Subject: RE: Virus Alert Please Read From: blt Date: 19 Jul 01 - 08:22 PM I got an email (from bill/sables) with an attachment which I stupidly opened--just a message about giving me some advice, and a bunch of song lyrics. I don't know if I've contracted a virus or not, my McAfee debugger, which I just updated, didn't detect any but I don't trust it. Can I run the program on the site you listed even if I don't have the virus? How can I tell that I have it? blt |
|
Subject: RE: Virus Alert Please Read From: McGrath of Harlow Date: 19 Jul 01 - 08:26 PM So basically if you don't open any attachments you're safe is it? |
|
Subject: RE: Virus Alert Please Read From: dick greenhaus Date: 19 Jul 01 - 08:29 PM Jeri- The link you provided carries the following warning: Warning! The system might become unusable if the worm's file is deleted without modifying the EXE file startup key first. After that the system can be safely disinfected with FSAV. If for some reason the worm's file can't be deleted from Windows (locked file), then you have to exit to pure DOS and delete the worm's file manually or use a DOS-based scanner (F-Prot for DOS for example). What means "modifying the EXE file startup key"? |
|
Subject: RE: Virus Alert Please Read From: MMario Date: 19 Jul 01 - 08:33 PM it's a registry hack - it could be manually fixed with regedit...but finding the correct location is the bugger. |
|
Subject: RE: Virus Alert Please Read From: Jeri Date: 19 Jul 01 - 08:35 PM You can run the program. I believe it just restores settings. If yours haven't changed it shouldn't do anything. This worm is quite new, and McAfee may not be that current. The F-Secure site appears to have added info on this one only yesterday.
After you run the downloadable program, look for the virus here: c:\recycled\SirC32.exe and delete that file (src32.exe) Also make sure you delete infected e-mail in in-boxes and out-boxes. I'm not really an expert on this, and I'm just 'winging' it. If anyone who knows better wants to jump in... |
|
Subject: RE: Virus Alert Please Read From: Joe Offer Date: 19 Jul 01 - 08:46 PM If you aren't expecting an attachment, don't open it. If you have any reason at all to question an attachment, e-mail the sender and ask about the nature of the attachment. If at all possible, avoid sending e-mail attachments. You can paste the text and sometimes the formatting of most documents into the text of e-mail messages, and they work just fine without the risk of carrying a virus. If you're on the Internet or if you share computer disks with anyone, keep your virus checker up-to-date. Have it set on "auto-protect" (or whatever your constant virus monitor is called). Also, scan your hard drive for viruses once a week. Most often, you get virsuses from people you know, people who don't even know they have a virus. This is true in life, as well as in computing... -Joe Offer- |
|
Subject: RE: Virus Alert Please Read From: Jeri Date: 19 Jul 01 - 08:48 PM McGrath, yes, you're safe from THIS virus. Dick, I tried to explain the startup thingie in this post.
"Modifying the EXE file startup key"?
|
|
Subject: RE: Virus Alert Please Read From: McGrath of Harlow Date: 19 Jul 01 - 08:51 PM "You can paste the text and sometimes the formatting of most documents into the text of e-mail messages, and they work just fine without the risk of carrying a virus."
I don't understand this stuff - but I hope there is something that stops people being able to post the code for viruses as part of the text of email messages... |
|
Subject: RE: Virus Alert Please Read From: Jeri Date: 19 Jul 01 - 08:56 PM McGrath, it's called a text-only browser. All those HTML-reading, script-enabling programs look good, but there are too many dangers. |
|
Subject: RE: Virus Alert Please Read From: Justa Picker Date: 19 Jul 01 - 08:57 PM Since 99.9% of these viruses appear to be written for Outlook, why would anyone want to continue using this e-mail program? It baffles me. Eudora doesn't get hit with these viruses. I also use Norton Anti-Virus (and get Live Updates bi-weekly). I set my incoming attachment directory in Eudora so that any and all attachments come into C:\Norton AntiVirus\Quarantine\Incoming. ANYTHING attached or downloaded that comes into my computer goes to that directory. I also use Zone Alarm Pro, and it has a very handy feature that automatically renames the extensions of any executable file (plus other file extensions I can manually add) so that there is no way I can accidentally open an executable attachment, should I have a moment of laxness. |
|
Subject: RE: Virus Alert Please Read From: Amergin Date: 19 Jul 01 - 09:10 PM Popel use OE, because it is there...they are ignorant of other email programs...and plus some ISPs do not support anything else... |
|
Subject: RE: Virus Alert Please Read From: catspaw49 Date: 19 Jul 01 - 09:18 PM Awhile back I got hit and was hitting folks with the kak worm. I couldn't understand until I worked with the Symantec Help group. They analyzed my stuff and it turned out to be a defective Disc. I downloaded a new program from their site free of charge and and have been a happy camper since. Symantec/Norton is generally pretty quick with the calls and the fixes (or quarrantines) and they were great to work with. I agree about Outlook, but I also killed the features and ise it in text only. I download definitions once a week and also have the auto-scan set up for every Friday. With the amount of crappola out there, it seems prudent and really takes very little time. I suppose I should go to another ptogram like Eudora, but............ Since the Norton has been up properly, I've had no problems and it's nailed quite a few incoming problems including internet site problems where it will close down the offending site. Great company. Spaw |
|
Subject: RE: Virus Alert Please Read From: blt Date: 19 Jul 01 - 09:20 PM Well, I did open the email and attachment, but as far as I can tell, I didn't get the virus. I followed the directions on the website and then tried to find the sir32exe file, but couldn't find anything. I also deleted the email and sent warning messages to people on my address list. If I can't find the virus using the file finder, can I trust it's not there? Would it hide in some devious way? blt |
|
Subject: RE: Virus Alert Please Read From: katlaughing Date: 19 Jul 01 - 09:21 PM So how does InnoculateIT compare to the programs you've pointed us, too, Jeri? So far the only email I've received from BillSables is from his aol addy telling us not to open anything from the other. Thanks, kat |
|
Subject: RE: Virus Alert Please Read From: katlaughing Date: 19 Jul 01 - 09:39 PM I am running InoculatIT right now. It seems to be doing a thorough job EXCEPT there are several different files which it says it cannot open and thefore has not scanned. Any advice? Thanks, kat |
|
Subject: RE: Virus Alert Please Read From: Brakn Date: 19 Jul 01 - 10:00 PM Jeri Still can't get the downloadable file. |
|
Subject: RE: Virus Alert Please Read From: Alice Date: 19 Jul 01 - 10:18 PM Another reason I love my Mac... the attachment wouldn't open. The email virus from Bill's email address was called "John Carey", and later in the day, the same type of email with attachment came to me from Allison, called "Chocolate". Apparently the name changes, although the same attachment is being passed on through the address books of mudcatters. Alice |
|
Subject: RE: Virus Alert Please Read From: Justa Picker Date: 19 Jul 01 - 10:20 PM Thanks to the "clone" for mending my html. |
|
Subject: RE: Virus Alert Please Read From: Jeri Date: 19 Jul 01 - 10:22 PM I haven't used the anti-virus on the F-Secure site, but it's free. InnoculateIT isn't available for download anymore, although they say they'll keep doing updates. It can't open files you have open, and there are always some logs and things open. I usually just ignore that message. (I don't know if I'm right to do that.) Brakn, I'm at a loss. If it were my computer, there are some things I'd try, but I wouldn't adivise others to do them. I don't mind taking a risk on my own system, but... There may be more info at other sites about the worm "sircam," or some other folks here may be able to help. I'll try looking tomorrow if nobody's posted a fix. |
|
Subject: RE: Virus Alert Please Read From: alison Date: 19 Jul 01 - 10:37 PM yep... yesterday I got it from dick, (but it wasn't his usual style of writing so I was doubtful... and Norton picked it up anyway), today I got it via bill sables and allison(again not their usual style of writing).... they had "John Carey", "Chocolat" (dick's one had no name on the file........... all were picked up by Norton....... looks like if you receive anything from a mudcatter over the next few days you should be very wary....... slainte alison |
|
Subject: RE: Virus Alert Please Read From: katlaughing Date: 19 Jul 01 - 10:37 PM Thanks, Jeri, that's what I've been doing, too, ignoring those ones.:-) I've also noticed that when I open InoculateIT, it tells me to upgrade, so I do and it takes about two seconds and tells me my files are up-to-date. It doesn't seem as though it is really doing anything. SYMANTEC has some information on this virus, too. kat |
|
Subject: RE: Virus Alert Please Read From: Uncle Jaque Date: 19 Jul 01 - 10:41 PM Here is the link to SYMANTEC (NORTON) Anti-Virus site concering this Worm; http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html They put it up on 07/14.
|
|
Subject: RE: Virus Alert Please Read From: alison Date: 19 Jul 01 - 10:44 PM the thing that worries me is that the one from dick was titled "add tune" as if someone knew it would be something to send to me.... is someone we know targetting us? slainte alison |
|
Subject: RE: Virus Alert Please Read From: katlaughing Date: 19 Jul 01 - 11:37 PM Good question, Alison. It would be one way for someone to get to a lot of us, wouldn't it? |
|
Subject: RE: Virus Alert Please Read From: Sorcha Date: 19 Jul 01 - 11:41 PM That thought occured to me also. Sort of a gut feeling you're right....... |
|
Subject: RE: Virus Alert Please Read From: Bob Bolton Date: 20 Jul 01 - 12:51 AM G'day Alison, The one I got from Dick had "OLSEN" as its heading and the attachment came in as OLSEN.ZIP.bat ... but I suspect that was what was mentioned way above - my ZoneAlarm may have changed the ~~~.exe to ~~~.bat. I had advised Dick that anything with two stops in it is highly suspicious ... and corporate firewalls have been advised to delete or disarm any such files. In regard to the "Add Tune" heading, I think the bug selects keywords or titles from past e-mails of the victim, so they look authentic (rather than this being some disgruntled GUEST attacking Mudcat with a custom virus) ... I think ... Regards, Bob Bolton (heading off to run that de-bug file ... just in case.) |
|
Subject: RE: Virus Alert Please Read From: BlueJay Date: 20 Jul 01 - 02:44 AM I haven't received the virus, (yet), on either my home computer or the computer at work, both of which are in various Mudcat address books. Thanks, Bill Sables for the e-mail warning, which I'm sure many of you received. And Allan C., I stand in awe of your efforts to stop the spread of this virus, to wit: your phone call warning of this virus and the link to the Mudcat. Jeff, (to whom you spoke at PooTwa's house), relayed the message immediately. We are not affected so far, but thanks to all of your efforts I can be on the lookout. Allan, your phone calls are above and beyond the call of duty, and very greatly appreciated. My apologies to GUEST for having participated in a non-music thread,thanks, BlueJay. ") no that's not it %} that's better, %O, my Ralph Steadman imitation. :) |
|
Subject: RE: Virus Alert Please Read From: AllisonA(Animaterra) Date: 20 Jul 01 - 07:00 AM Yup, I got it, I opened it, and spent last night trying to debug it, not having read this yet! I just ran the F-secure de-bugger and will check Outlook soon to see if there's been any effect. What worries me is that the attachment from Dick was a kids song- I didn't quite know why he would run it by me but it seemed perfectly innocent at the time, since spend so much of my time singing with kids. Jeri, once again you-da-woman! Thanks for the link- now I'm off to see if it worked! |
|
Subject: RE: Virus Alert Please Read From: AllisonA(Animaterra) Date: 20 Jul 01 - 07:19 AM I seem to be clean; after I updated Norton it cleaned it up. And I thought it was ok to open attachments from people you know and trust! Now I know better, after reading all the dire warnings from posters above. Thanks- and I'm heading to Norton to set up Autoscan! |
|
Subject: RE: Virus Alert Please Read From: bill\sables Date: 20 Jul 01 - 07:27 AM It seems the best way , if we are sending emails to each other with attachments, is to send an email first and tell the recipient to expect it comming and state a codeword in the title. I have decided, if I get anymore attachments, to contact the sender to verify if it was realy sent. Bill |
|
Subject: RE: Virus Alert Please Read From: Jeri Date: 20 Jul 01 - 07:47 AM For folks who deleted the worm/virus before making any other changes, the site kat gave the link to has detailed instructions on how to fix your system, which involves all of the following:
Deleting any attachments from infected e-mail. Again, check the site before doing any of this. Consider editing the registry key as doing brain surgery on your computer. If you mess with the wrong thing, your computer's screwed. Note that running the file from F-Secure (I posted the URL above) is a whole lot easier for non-technogeeks. It does the complicated stuff for you, and all you have to do is delete the worm files.
It appears as though the worm grabs a file already on the sender's computer to hide in, and titles the message to be the same as the attachment. It's not surprising Dick would have music files. If it has two file extensions as Bob Bolton mentioned, it's likely to be the worm. ('file.ext.ext' instead of the normal 'file.ext')
|
|
Subject: RE: Virus Alert Please Read From: catspaw49 Date: 20 Jul 01 - 07:55 AM I received two and perhaps as you said Jeri, there are some ghosts or whatever. What I wanted to mention though is that one was infected and the other was not and reading through all the "F" and Sym/Nor info, there is a reference several times to the 1 in 33 chance of being infected. Spaw |
|
Subject: RE: Virus Alert Please Read From: Sorcha Date: 20 Jul 01 - 01:32 PM Sorcha is still worm free, feel free to use my e mail. |
| Share Thread: |