The Mudcat Café TM
https://mudcat.org/thread.cfm?threadid=28055
9 messages

A Virus named Bruce

25 Nov 00 - 03:04 PM (#346661)
Subject: A Virus named Bruce
From: Abby Sale

Ah... 12 years on the 'net and my very first "Tell everyone you know."

I got virused today by a feller named Bruce.

I am not knowledgeable on this but I'll just give you the best I got.

It came as 5 e-mails from Bruce ???crief?? and addressed to me and several others - each item differently. The subject line in each was the same as different executable e-mails I've received recently (FL_Ballot.exe, etc.). Remarkably, each had some 546 lines in the message.

Since this looked odd but had friendly Subjects, I saved to disk instead of launching direct from my Reader. I ran McAfee VirusScan with definitions file 4.0.4099 (Nov 12, 2000) (and full heuristics), which showed them clean.

I manually launched one (FW_.exe, etc) & got zapped.

I use Win95-B and it put a command somewhere in my registry that almost any Windows program call _must_ be preceded by using winsvrc.exe, which it can't find. A Windows-looking dialog asks its location. Of course it doesn't exist. I tried to fool it by creating an empty file _called_ winsvrc.exe in the root directory, but then the virus simply claims that _none_ of my programs are Windows 95 programs and cannot be run. The desktop opened more or less normally & Windows Explorer (which had been open) worked ok, but I could not run any significant or system program.

I'm a good backer-upper and wished to restore User.dat (user.da0 is also corrupted by this wiseguy), System.dat, System.ini and Win.ini (just to be sure - I don't know that I need them all). But back-up is a Windows-based program and won't work.

Finally, since I (cheerfully patting myself on the back with both hands and both feet) use Backup Version 6 from Win 3.95 (because it will _include_ selected files, not just _exclude_ them) I was able to drop to DOS and restore the 4 files.

I suffered no loss at all except about two hours of confusion.

Strongly recommend: Look out for e-mail of 546 or so lines. Back up the 4 system files in such a way they can be restored in DOS, e.g. Win 3.x Back-up, or perhaps create a Safe folder (directory) & just copy them from \Windows to this. You'll need some DOS program that will deal with deleting and copying files that are marked Read-only, System, and Hidden (Norton Commander or FA.exe to change the characteristics, e.g.). Windows Explorer may work if you can get _it_ to work.

Have a nice day.


25 Nov 00 - 05:11 PM (#346705)
Subject: RE: A Virus named Bruce
From: Jon Freeman

Abby, I'm pleased to hear that you managed to get it sorted. I'm not trying to be a smart arse here, as I could get caught myself... but it does underline the point that has been made about not opening attachments unless you know why you have received them, rather than relying solely on the AV software, however good and up to date that software may be.

Incidentally, its action sounds similar to Navidad, which was reported here a few weeks ago. Here are a few details from Computer Associates (the makers of the free AV software I use):

...The worm also attempts to install itself onto the system, and this is where the bug lies.

The worm makes a copy of itself, as "Winsvrc.vxd", in the Windows System directory. It then creates two registry keys which point to a different filename, "Winsvrc.exe":

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Win32BaseServiceMOD = "C:\WINDOWS\SYSTEM\Winsvrc.exe"

HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default) = "C:\WINDOWS\SYSTEM\Winsvrc.exe "%1" %"

Jon


25 Nov 00 - 05:35 PM (#346715)
Subject: RE: A Virus named Bruce
From: Jon Freeman

I should have added that the second registry entry is the one that makes it search for the non-existent Winsvrc.exe to run programs.

Jon
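The two registry keys quoted from Computer Associates above, and Jon's follow-up that the exefile handler is the one that breaks program launching, describe a check a defender can run by hand. The script below is an added example, not from this thread, from Computer Associates or from McAfee: it parses the text format that `regedit /e` writes (REGEDIT4 on Windows 9x), flags an `exefile\shell\open\command` default that no longer reads `"%1" %*`, lists Run entries whose program is not on disk, and emits a .reg fragment that restores the stock handler. The export text and the `FILES_ON_DISK` listing are constructed sample data; the exact value strings are taken from the quoted write-up.

```python
"""Check a Windows 9x registry export for a hijacked .exe file association.

Added example, not code from the thread or the vendors it quotes. It works
on the text produced by `regedit /e` so it never touches a live registry.
"""
import ntpath
import re

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# Stock handler for .exe files: launch the file itself, pass its arguments on.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample export (REGEDIT4 format). The handler has been repointed
# and a Run entry added, exactly as the quoted write-up describes.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\Winsvrc.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\Winsvrc.exe \"%1\" %*"
'''

# Constructed directory listing: only the .vxd copy exists, never the .exe.
FILES_ON_DISK = {r"C:\WINDOWS\SYSTEM\SysTray.Exe",
                 r"C:\WINDOWS\SYSTEM\Winsvrc.vxd"}

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def _decode_value(raw):
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    return raw  # dword:/hex: values are kept verbatim; not needed here


def parse_reg(text):
    """Return {key path: {value name: value}} for a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode_value(m.group(2))
    return keys


def exefile_hijacked(keys):
    """True if the .exe handler runs something other than the file itself."""
    command = keys.get(EXEFILE_KEY, {}).get("(Default)")
    if command is None:
        return None  # key not present in this export
    return command.strip() != EXPECTED_EXEFILE_COMMAND


def _program_path(command):
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_entries(keys, files_on_disk):
    """Run entries whose program is absent from files_on_disk.

    Comparison is by case-insensitive basename: Win9x paths are
    case-insensitive and bare names in Run are resolved via PATH.
    """
    present = {ntpath.basename(p).lower() for p in files_on_disk}
    return [name for name, command in keys.get(RUN_KEY, {}).items()
            if ntpath.basename(_program_path(command)).lower() not in present]


def repair_reg():
    """A REGEDIT4 fragment that restores the stock .exe handler."""
    return "REGEDIT4\n\n[" + EXEFILE_KEY + "]\n" + '@="\\"%1\\" %*"\n'


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("exefile handler hijacked:", exefile_hijacked(parsed))
    print("Run entries pointing at missing files:",
          suspicious_run_entries(parsed, FILES_ON_DISK))
    print(repair_reg())
```

Because regedit is itself an .exe, the hijacked handler blocks the GUI tool too; on Windows 9x the same regedit can be run from real-mode DOS (as the original poster's DOS restore of user.dat and system.dat implies) to import a fragment like the one `repair_reg()` produces, after which the Run entry and the dropped Winsvrc.vxd can be removed.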


26 Nov 00 - 11:36 AM (#346884)
Subject: RE: A Virus named Bruce
From: Jeri

Abby, it may have been that e-mail, or it may have been some other one and it just showed up when you tried to run the .exe file. That may be why the attachment looked OK to the anti-virus program. There's a possibility you may have the virus on your system someplace and should scan the whole thing. Of course, I'm paranoid when it comes to viruses, and I don't necessarily know what I'm talking about.

Sounds like the virus installs itself and tries to run whenever you try to open an exe file. Since it screwed up the name of its own winsvrc.exe file (it's installed as winsvrc.vbs) it can't find the file.

There is information on Navidad, and how to get rid of it here at F-Secure.


26 Nov 00 - 03:30 PM (#346927)
Subject: RE: A Virus named Bruce
From: wildlone

There are so many viruses/viri around, you just have to get into the habit of updating regularly. For anyone without virus protection, here is the website of the anti-virus I use. It is a free download: "Anti Virus Grisoft".


27 Nov 00 - 04:51 AM (#346986)
Subject: RE: A Virus named Bruce
From: Quincy

Yes Wildlone.......AVG is an excellent free anti-virus product.

I've bought well-known anti-virus programmes in the past and they haven't even been able to detect their own test virus!!

best wishes, Yvonne


27 Nov 00 - 11:39 AM (#347023)
Subject: RE: A Virus named Bruce
From: Grab

Best advice is not to ever run an executable from anyone you don't know. Whilst a virus is (relatively) harmless, an executable that made your modem dial up a phone in Afghanistan would be a bit disastrous money-wise!

Grab.


27 Nov 00 - 05:07 PM (#347262)
Subject: RE: A Virus named Bruce
From: Abby Sale

Thank you All. Yes, Jon - your info is good & helped me scour out a couple of bits I might have missed. The McAfee people confirm it was W32/Navidad@M. They also chide me that while the October dat file missed it, I should have upgraded in November - every month, that is. November would have dealt with it.


27 Nov 00 - 05:28 PM (#347278)
Subject: RE: A Virus named Bruce
From: Bernard

YOU HAVE JUST BEEN SENT A MANUAL VIRUS

How it works:

The manual virus works on an honour system.
So, please firstly e-mail this to everyone in your mailing list, then randomly delete a few of your own computer files.

Thank you.

Okay, I know it's very old, but there are people around who haven't seen it!

BTW - there are many 'Virus Hoaxes' around - which cause servers to get clogged up because hundreds of copies of the emails suddenly start doing the rounds.

Never hit 'forward' until you've checked it out for accuracy, and maybe the hoaxes will die the death they richly deserve!

Eeeeh! I love a good soap box!! Especially when I'm up here on my high horse!!