[meteorite-list] Clues about the latest virus

From: Dave Andrews <dandre10_at_meteoritecentral.com>
Date: Thu Apr 22 09:47:14 2004
Message-ID: <3C02E979.18E99B4C_at_cybertrails.com>

John Gwilliam wrote:

> Hello List Members,
> I know there is a policy on the list about NOT talking about viruses,
> but the latest one is a sneaky little devil that doesn't have to be an
> attached file to infect your computer.
> Maybe we can get some better information from our friendly computer
> wizard in Holbrook, Dave Andrews. Dave?

Hi John,
I don't know about that "wizard" portion of your message, but here's a
quick shot at it.
According to McAfee's:


There is no mention of imbedded attachments or code with this. So for
curiosity's sake, I went and opened up Nick Trikilis' note that I
received. It just showed up blank. I checked the source code, and yes,
there is an attachment embedded in it. Perhaps the reason I can't see
it because I'm using Netscape Messenger instead of Outlook Express?

Also, someone last night mentioned not to delete "kernel32.exe". The
file is NOT part of the windows operating system. It uses
"kernel32.dll". So if you do a search for the files KERNEL32.EXE or
KERN32.EXE of INETD.EXE, you ARE probably infected. Looks like you can
just delete those files and delete the line in the registry to clean
yourself up though.

I'm using McAfee and it says if you have the DAT files 4168 or higher
you are protected. Mine updates everytime I boot up and I have 4172, so
I'm protected, but still I received no warning. I believe Netscape
won't let the attachment execute itself. (My theory).

> It is coming from two sources:
> Email from Nick Trikilis - nickt_at_ohio.net There is no message in
> the subject line. And, there is no attachment...because the virus is
> embedded.

I believe you are correct on this, John. They are one and the same
person(s). I don't see any code embedded in Rick Nowaks messages
though...just Nick's. Notice "nickt" is in the URL he sent for his
webpage and as you mentioned, the Ohio connection. I visited that site
last night and thought it was some kind of joke. Looks like a little
more investigation is in order.

I noticed that nickt's "reply to" email address has the underscore _ in
front of it, so I don't think you can reply to him without removing that
underscore ( _ ).

I've scanned and searched my system and I'm clean. This is one sneaky
little worm.

Get protected and good luck,
Received on Mon 26 Nov 2001 08:16:41 PM PST

Help support this free mailing list:

Yahoo MyWeb