[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] Virus email

Subject: Re: [cobalt-users] Virus email
From: Jay Kraft <jkraft@xxxxxxxxxxxx>
Date: Thu Dec 14 08:27:01 2000
List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

I got infected with this worm on my windows machine. It creams a lot of
windows.exe files but running several passes with McAfee or Nortin will
clean all of them up except wsock32.dll which needs to be renamed, replaced
with a good copy and then the old copy has to be deleted.

I will tell you that the whole virus gave me a near-death experience.

Jay Kraft

At 09:13 AM 12/14/2000 -0500, you wrote:
>>
>>
>>Basically, it infects any Windows machine which executes it by copying
>>itself to a bunch of different system files, and patches WSOCK32.DLL to
>>allow itself to send itself via outgoing emails.
>>
>
>
>Who on this list uses windows? Since this is a virus and not a 
>spammer, is it possible to find out who is the originator so they can 
>be told that they have it?
>
>These are some more headers(ONLY FROM YESTERDAY!!!):
>
>lucia (200-191-142-253-as.acessonet.com.br [200.191.142.253])
>  0016756770 (slip-32-101-140-168.mo.us.prserv.net [32.101.140.168])
>b9802010 ([200.33.20.65])
>pavilion (defi-cas1-cs-26.dial.bright.net [216.201.30.28])
>redoct (morr-cas3-cs-57.dial.bright.net [209.143.36.211])
>b6g2y1 (ppp-3fa70952.pttv.losch.net [63.167.9.82])
>dennis (168.16.226.200.in-addr.arpa.ig.com.br [200.226.16.168] (may be
forged))
>pavilion (host-12-4-134-169.acsworld.net [12.4.134.169])
>billdaly (dialup117.c.watervalley.net [216.220.141.117])
>hppav (adsl-64-218-173-108.dsl.austtx.swbell.net [64.218.173.108])
>beto ([200.222.223.199])
>rolando-s (cablelink42-153.intercable.net [207.248.42.153])
>cr13859-a (cr13859-a.hnsn1.on.wave.home.com [24.112.154.122])
>o5d9p8 ([200.61.137.212])
>  Nosferatu (claudius-asy-116.nepean.uws.edu.au [137.154.196.158])
>katm (H1-252.viptx.net [12.18.120.252])
>oemcomputer (202-154-142-247-tollfree.connections.net.nz [202.154.142.247])
>oemcomputer ([216.79.71.16])
>
>
>Is the worm randomly generating this stuff or is there a way to trace it?
>
>
>Howard Sacks
>webmaster@xxxxxxxxxxxx
>
>_______________________________________________
>cobalt-users mailing list
>cobalt-users@xxxxxxxxxxxxxxx
>To Subscribe or Unsubscribe, please go to:
>http://list.cobalt.com/mailman/listinfo/cobalt-users
>
>

References:
- Re: [cobalt-users] <Sun and Raq and the> Virus email
  - From: Graeme Fowler
- [cobalt-users] Sun and Raq and the Virus email
  - From: Alfredo
- Re: [cobalt-users] Virus email
  - From: webmaster@xxxxxxxxxxxx

Prev by Date: Re: [cobalt-users] Suspending servers
Next by Date: Re: [cobalt-users] Spam From Cobalt
Previous by thread: Re: [cobalt-users] Virus email
Next by thread: [cobalt-users] htaccess question.

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index