CAUTION E-MAIL VIRUS


SASPEEDRACER24


Just wanted to give you all a heads up on a new virus that I mistakenly opened. If you receive a message from me with: "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment." or "the message contains unicode characters and has been sent as a binary attachment,"

Do Not Open the Attachment! It will email itself to all the addresses in your address book and also plants a hidden program that will record your keystrokes according to McAfee... If you receive anything that looks like this don't even open the email, just delete it...

Marc

Link to comment
Share on other sites

Once again proving you should NEVER open an email from an address that you don't know!!! :D:D

Link to comment
Share on other sites

Hey Chuck:

 

I got that e-mailed "from me" "to me" so just avoiding attachments from people you don't know...won't stop this one.

 

The virus has also started to change subject lines so beware of that. Even the name of the attachment has started to change. All of mine have come across with a 'zip' extension so far.

 

In addition to the possibility of recording keystrokes, usernames, and passwords, it also leaves a back door open on your system so hackers can take over your computer remotely.

 

Here is more info for those who are interested: http://us.mcafee.com/virusInfo/default.asp...100983&cid=9539

 

And McAfee will scan your computer to check for the virus here: http://us.mcafee.com/root/mfs/default.asp?cid=9540

Link to comment
Share on other sites

It may look like I am sending out this virus but I do not have this virus on any of my computers. Several emails have bounced back to my inbox because the return address has been spoofed. The reply address includes anyname@frostracing.com but a reply address is easily falsified by the MyDoom virus.

 

Sorry, it ain't me.

Link to comment
Share on other sites

The subject lines on an infected email are usually garbled so just be careful. The email I got I recognized the sender so I just thought it was a mistake.... Just have to watch out for the contents, i.e. if the person doesn't usually send attachments that you know, don't open the attachment and so on...

 

Marc

Link to comment
Share on other sites

Yeah I have received about 50 of these so far today. Sent to brian@texasspeedzone.com, jim@texasspeedzone.com, etc. What is funny is that these email addys don't exist so they all come to my mail because I have "Catch All" enabled when someone emails the TSZ server and the mail address doesn't work.

 

Jason

Link to comment
Share on other sites

Hey Chuck:

 

I got that e-mailed "from me" "to me" so just avoiding attachments from people you don't know...won't stop this one.

Thanks for the info, Daffynmark.. :D

Link to comment
Share on other sites

Updated my virus scan today and ran the program, showing no infected files. Also did a little reading and it says that if you get these messages it does not mean you are infected.

Link to comment
Share on other sites

Kris,

 

I think that is the file that gets targeted by the virus now that I look at it because it also does some stuff to the registry. It also added 2 files to my shared file folder....

one was Office_Crack another shimgapi and winamp5... All three files didn't show up on the initial scan that I run every night, it wasn't until I received a new patch that those files were found and either cleaned or deleted...

 

In regards to the taskmon file I copied this direct from the McAfee virus information page for MyDoom...

 

When this file is run (manually), it copies itself to the WINDOWS SYSTEM directory as taskmon.exe

 

%SysDir%\taskmon.exe

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

 

 

It creates the following registry entry to hook Windows startup:

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

 

The virus uses a DLL that it creates in the Windows System directory:

 

%SysDir%\shimgapi.dll (4,096 bytes)

This DLL is injected into the EXPLORER.EXE upon reboot via this registry key:

 

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll

The virus will not replicate on the 12th February or later (although the DLL will still be installed).

 

After I ran the new patch for McAfee it cleaned the taskmon file along with the others listed above...

Link to comment
Share on other sites
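
The file and registry locations quoted from McAfee in the post above can be checked with a read-only PowerShell function. This is an added example, not part of the thread or of McAfee's write-up; the function name Get-MyDoomIndicator and its output fields are made up for illustration, and it looks only at the four artifacts listed in that post.

```powershell
# Added example: reports whether the artifacts quoted in the post exist.
# It reads files and registry values only; it changes nothing.
function Get-MyDoomIndicator {
    [CmdletBinding()]
    param(
        # %SysDir% in the quoted text; defaults to this machine's system directory.
        [string]$SysDir = [Environment]::SystemDirectory
    )

    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $clsKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32'

    # Return a registry value, or $null when the key or value is absent.
    function Read-RegValue([string]$Key, [string]$Name) {
        if (-not (Test-Path -LiteralPath $Key)) { return $null }
        return (Get-Item -LiteralPath $Key).GetValue($Name, $null)
    }

    # -Force so files carrying the hidden attribute are still returned.
    $exe = Get-Item -LiteralPath (Join-Path $SysDir 'taskmon.exe')  -Force -ErrorAction SilentlyContinue
    $dll = Get-Item -LiteralPath (Join-Path $SysDir 'shimgapi.dll') -Force -ErrorAction SilentlyContinue

    $runValue = [string](Read-RegValue $runKey 'TaskMon')
    $clsValue = [string](Read-RegValue $clsKey '')   # '' selects "(Default)"

    [pscustomobject]@{ Check  = 'taskmon.exe in SysDir'
                       Found  = [bool]$exe
                       Detail = if ($exe) { $exe.FullName } else { '' } }
    [pscustomobject]@{ Check  = 'shimgapi.dll in SysDir'
                       Found  = [bool]$dll
                       Detail = if ($dll) { "$($dll.Length) bytes (post lists 4,096)" } else { '' } }
    [pscustomobject]@{ Check  = 'Run value "TaskMon" -> taskmon.exe'
                       Found  = ($runValue -like '*\taskmon.exe')
                       Detail = $runValue }
    [pscustomobject]@{ Check  = 'CLSID InProcServer32 -> shimgapi.dll'
                       Found  = ($clsValue -like '*\shimgapi.dll')
                       Detail = $clsValue }
}

Get-MyDoomIndicator | Format-Table -AutoSize -Wrap
```

All four rows showing Found = False matches the "no infected files" result reported earlier in the thread; any True row is a reason to run an updated scanner, as the posters did.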

Oh ok, it looks like the virus infects or overwrites the taskmon.exe file in addition to moving itself into the Kazaa share area.

 

I hope it really stops on Feb 12th. That would be good news... I have been deleting from 140 to 240 virus emails each night this week.

 

Kris.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
