HP3000-L Archives

November 2001, Week 5

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
Mark Bixby <[log in to unmask]>
Reply To:
Mark Bixby <[log in to unmask]>
Date:
Fri, 30 Nov 2001 06:21:18 -0800
I got several infected messages from Ken Hirsch yesterday...

- Mark B.

Jim McCoy wrote:

> I also got a suspicious file from someone associated with this list just
> about an hour ago.
> I deleted it and now I forget the name of the person but it was not Matt.
> The subject said (Re: Re: Re: [HP3000-L]..) and included the subject from a
> thread I was involved in back in September.
> I was sure it was a virus of some sort.  There must be something going
> around on the list.
>
> jm
>
> ----- Original Message -----
> From: Matt Shade <[log in to unmask]>
> To: <[log in to unmask]>
> Sent: Thursday, November 29, 2001 11:52 PM
> Subject: [HP3000-L] Virus alert, possibly from me...
>
>
> Hi folks,
> I hate having to send this out, but it's possible I might have passed along
> a virus.....
>
> I received an email today at 6:35 PM EST with a single attachment
> IMAGE.DOC.pif.   Since I knew the sender, and the subject was actually
> something discussed recently (Re: Re: Re: [HP3000-L] OT:What's a slide
> rule...), I stupidly opened the attachment. Of course, nothing visible was
> there. However, about 2 minutes later I received "Mail Delivery Failed" for
> an email my computer was trying to send. I immediately recognized it as a
> virus and disconnected the phone line. I found 4 brand new files in my
> \winnt\system32 folder - KERNEL32.exe, kdll.dll, protocol.dll, and
> cp_25389.nls. I found the KERNEL.EXE running in Task Manager, killed the
> process, and was able to delete all 4 files. After rebooting, I checked the
> CERT site and found that this is the "W32/BadTrans worm" and applied the
> patch for it.
>
> If you've received anything from me today, please don't open any
> attachments. I'm clean now, but I do know that I was infected earlier this
> evening.
>
> http://www.cert.org/incident_notes/IN-2001-14.html
>
> matt shade
> www.threekay.com
>
> * To join/leave the list, search archives, change list settings, *
> * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
>


--
[log in to unmask]
Remainder of .sig suppressed to conserve scarce California electrons...
