rock.exe? (General Discussion)



syntax

Apr 23, 2002, 1:40am
I got a strange email from "cof" that contained the file rock.exe. Not sure
if it's a virus but it says it's from cof at activeworlds.com but I know it
isn't. I checked the source and it said something along the lines of
chris at legalassistance.co.uk or something....

Not sure but since it was from someone that knows about COF and directed it
to me, others in AW could be affected.

Any info on rock.exe? Thanks.
--
Mayor 'tax
www.swcity.net

silenced

Apr 23, 2002, 1:43am
Most likely it's a virus, don't run it. This is a very bad e-mail cover-up;
there are better ways of doing it. I smell script kiddies again ;)

--Bowen--

Have $3... want a website?
http://www.smartpenguin.com/affiliate.php?id=12


syntax

Apr 23, 2002, 3:47am
lol of course I'm not gonna run it. :-P
I checked the source and popped it.
--
Mayor 'tax
www.swcity.net


silenced

Apr 23, 2002, 9:38am
It might be the new virus going around.. what's the subject say?

--Bowen--

Have $3... want a website?
http://www.smartpenguin.com/affiliate.php?id=12


kah

Apr 23, 2002, 2:43pm
give us complete headers please, so we can see who the freak was

KAH


syntax

Apr 23, 2002, 7:13pm
Sure thing...just got another email from him today.


Return-Path: <chris at legalsupport.co.uk>
Received: from mx1b.mts.net ([205.200.16.58]) by msg1.mts.net
(Netscape Messaging Server 4.15) with ESMTP id GV192Y00.9M3 for
<sfris at mts.net>; Tue, 23 Apr 2002 13:08:58 -0500
Received: from mx.mailix.net (mx.mailix.net [216.148.221.135])
by mx1b.mts.net (8.11.4/8.11.3) with ESMTP id g3NI8vx23038
for <sfris at mts.net>; Tue, 23 Apr 2002 13:08:57 -0500 (CDT)
Received: from [212.69.192.6] (helo=smtp-relay1.noc.dsvr.net)
by mx.mailix.net with esmtp (Exim 3.33 #1)
id 1704ik-0008Vw-00
for syntax at swcity.net; Tue, 23 Apr 2002 11:08:54 -0700
Received: from [212.69.197.117] (helo=legalsupport.dsvr.co.uk)
by smtp-relay1.noc.dsvr.net with esmtp (Exim 3.34 #1)
id 1704ij-0002go-00
for syntax at swcity.net; Tue, 23 Apr 2002 19:08:53 +0100
Received: from Qmo (dsl-62-3-74-70.zen.co.uk [62.3.74.70])
by legalsupport.dsvr.co.uk (8.11.6/8.11.6) with SMTP id g3NI8lv14822
for <syntax at swcity.net>; Tue, 23 Apr 2002 19:08:47 +0100
Date: Tue, 23 Apr 2002 19:08:47 +0100
Message-Id: <200204231808.g3NI8lv14822 at legalsupport.dsvr.co.uk>
From: mistersdk <mistersdk at hotmail.com>
To: syntax at swcity.net
Subject: A special humour game
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Y242jmGMBnnM8u9KN605NC27gr837R

--Y242jmGMBnnM8u9KN605NC27gr837R
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>

<FONT>This is a special humour game<br>
This game is my first work.<br>
You're the first player.<br>
I hope you would like it.</FONT></BODY></HTML>

--Y242jmGMBnnM8u9KN605NC27gr837R
Content-Type: application/octet-stream;
name=kitty.exe
Content-Transfer-Encoding: base64
Content-ID: <IS7f7QZr>

(big mass of jumbled letters and numbers..you know..)

--Y242jmGMBnnM8u9KN605NC27gr837R
Content-Type: application/octet-stream;
name=nature[1].htm
Content-Transfer-Encoding: base64
Content-ID: <IS7f7QZr>

(jumble)



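To show the kind of check kah is asking for, here is an added Python example (my own, not code from anyone in this thread) that parses the message syntax pasted above with the standard library's email module: it walks the Received chain back to the originating host, compares Return-Path with the displayed From, and lists MIME parts that carry an executable filename or sit as binary "alternatives" in a multipart/alternative body. The sample message is constructed from the headers quoted in the post, with "@" restored where the post writes " at " and short placeholder base64 bodies standing in for the attachments.

```python
"""Triage a suspicious e-mail with the standard-library email module."""
import email
import email.utils
import re

# Constructed sample modelled on the headers quoted in the thread.
# "@" is restored where the post wrote " at "; the base64 bodies are
# placeholders, not the real attachments.
RAW_MESSAGE = """Return-Path: <chris@legalsupport.co.uk>
Received: from mx1b.mts.net ([205.200.16.58]) by msg1.mts.net
 (Netscape Messaging Server 4.15) with ESMTP id GV192Y00.9M3 for
 <sfris@mts.net>; Tue, 23 Apr 2002 13:08:58 -0500
Received: from mx.mailix.net (mx.mailix.net [216.148.221.135])
 by mx1b.mts.net (8.11.4/8.11.3) with ESMTP id g3NI8vx23038
 for <sfris@mts.net>; Tue, 23 Apr 2002 13:08:57 -0500 (CDT)
Received: from [212.69.192.6] (helo=smtp-relay1.noc.dsvr.net)
 by mx.mailix.net with esmtp (Exim 3.33 #1)
 id 1704ik-0008Vw-00
 for syntax@swcity.net; Tue, 23 Apr 2002 11:08:54 -0700
Received: from [212.69.197.117] (helo=legalsupport.dsvr.co.uk)
 by smtp-relay1.noc.dsvr.net with esmtp (Exim 3.34 #1)
 id 1704ij-0002go-00
 for syntax@swcity.net; Tue, 23 Apr 2002 19:08:53 +0100
Received: from Qmo (dsl-62-3-74-70.zen.co.uk [62.3.74.70])
 by legalsupport.dsvr.co.uk (8.11.6/8.11.6) with SMTP id g3NI8lv14822
 for <syntax@swcity.net>; Tue, 23 Apr 2002 19:08:47 +0100
From: mistersdk <mistersdk@hotmail.com>
To: syntax@swcity.net
Subject: A special humour game
Content-Type: multipart/alternative;
 boundary=Y242jmGMBnnM8u9KN605NC27gr837R

--Y242jmGMBnnM8u9KN605NC27gr837R
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY><FONT>This is a special humour game</FONT></BODY></HTML>

--Y242jmGMBnnM8u9KN605NC27gr837R
Content-Type: application/octet-stream;
 name=kitty.exe
Content-Transfer-Encoding: base64

AAAA

--Y242jmGMBnnM8u9KN605NC27gr837R
Content-Type: application/octet-stream;
 name=nature[1].htm
Content-Transfer-Encoding: base64

AAAA

--Y242jmGMBnnM8u9KN605NC27gr837R--
"""

RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs")


def received_hops(msg):
    """Received headers oldest-first, each collapsed to one line. Every relay
    prepends its own header, so the last one in the message is the oldest."""
    hops = [re.sub(r"\s+", " ", h).strip() for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def originating_host(msg):
    """The 'from' clause of the oldest hop, i.e. who first handed the mail in.
    Only hops written by relays you trust are reliable; the sender could have
    forged anything below the oldest trustworthy one."""
    hops = received_hops(msg)
    if not hops:
        return None
    match = re.match(r"from (.*?) by ", hops[0])
    return match.group(1) if match else hops[0]


def sender_mismatch(msg):
    """Compare the envelope sender (Return-Path) with the displayed From."""
    envelope = email.utils.parseaddr(msg.get("Return-Path", ""))[1].lower()
    header = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    return envelope != header, envelope, header


def risky_attachments(msg):
    """(filename, content type) for every part named like an executable."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            found.append((name, part.get_content_type()))
    return found


def binary_alternatives(msg):
    """multipart/alternative should hold renderings of the same text, so an
    application/octet-stream 'alternative' is a structural red flag."""
    if msg.get_content_type() != "multipart/alternative":
        return []
    return [p.get_filename() for p in msg.get_payload()
            if p.get_content_type() == "application/octet-stream"]


def triage(raw):
    msg = email.message_from_string(raw)
    mismatch, envelope, header = sender_mismatch(msg)
    return {
        "origin": originating_host(msg),
        "sender_mismatch": mismatch,
        "return_path": envelope,
        "from": header,
        "risky_attachments": risky_attachments(msg),
        "binary_alternatives": binary_alternatives(msg),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

On this sample the oldest hop points at a zen.co.uk DSL address that a legalsupport.dsvr.co.uk server accepted the mail from, the envelope sender and the From header name two different mailboxes, and the "alternative" renderings of the text are in fact two binary parts, one of them kitty.exe. None of that proves who sent it, but it is exactly the set of tell-tale clues to put into a vendor's database search before touching the attachment.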

silenced

Apr 23, 2002, 7:15pm
LOL that just makes it seem more like a virus.

--Bowen--

Have $3... want a website?
http://www.smartpenguin.com/affiliate.php?id=12


kit

Apr 23, 2002, 7:42pm
Hello Gang,

Here's the info you seek about rock.exe. It's a nasty one.
http://home.earthlink.net/~doniteli/index15-51.htm

Cheers,
Kit

> I got a strange email from "cof" that contained the file rock.exe. Not sure
> if it's a virus but it says it's from cof at activeworlds.com but I know it
> isn't. I checked the source and it said something along the lines of
> chris at legalassistance.co.uk or something....
>
> Not sure but since it was from someone that knows about COF and directed it
> to me, others in AW could be affected.
>
> Any info on rock.exe? Thanks.
> --
> Mayor 'tax
> www.swcity.net

silenced

Apr 23, 2002, 7:56pm
It uses an exploit (a security hole) that allows the attachment to be
executed when viewing the message with Microsoft Outlook Express or Outlook
(without Service Packs installed). This method is similar to the one used by
Nimda or Kak worms.

If he's read it.. he's already been infected (that is if he doesn't have the
service packs).

--Bowen--

Have $3... want a website?
http://www.smartpenguin.com/affiliate.php?id=12


silenced

Apr 23, 2002, 8:06pm
Just reread that whole crapload.. it told your computer to execute the
attachment kitty.exe

Without the service packs installed (as said earlier) your computer is
probably infected as we speak.. run your normal antivirus after you update
its virus list and head on over to antivirus.com and use the free net scan
(to ensure the most up to date virus list is being used). It's always good
to scan with more than one antivirus program :). Below is what's telling it
to execute the file:

"Content-Type: application/octet-stream;
name=kitty.exe"

--Bowen--

Have $3... want a website?
http://www.smartpenguin.com/affiliate.php?id=12


zeo toxion

Apr 23, 2002, 8:09pm
Since the patch is only available for 5.x and I have 6 then I'm all set for
that sort of thing. An e-mail scanning capable virus-scanner is also a good
thing because it will catch the virus before you even open it and get rid of
it. I also have mine scan outgoing so that if something tries to automatically
send a virus to everyone in my address book for example it will detect it and
block those.

If you have 5.x of Internet Explorer/Outlook Express then apply that patch.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
A message from Zeo Toxion
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


silenced

Apr 23, 2002, 8:19pm
Well, most good viruses don't use outlook, they connect to a known SMTP
server, such as AOL's and use it to propagate E-mail to addresses it grabbed
from your address book. But it's always good just in case :). That's the
part where firewalls come in handy! Just a side note, BlackIce isn't a good
firewall for that either ;).. it only protects incoming transmissions, not
outgoing.

--Bowen--

Have $3... want a website?
http://www.smartpenguin.com/affiliate.php?id=12


kah

Apr 24, 2002, 2:33pm
the good mail-scanning AV acts as a proxy... the way Norton AV works is that
if it detects a RETR command on a POP3 connection (I guess it uses the
remote port to identify it) it launches its mail scanner. same thing for
outgoing, if it detects a DATA command it scans the content before it relays
it to the server (doesn't work well if you're connected to the server as
localhost lol), so it's completely independent of the clients.

KAH

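An added example (my own, not Norton's code or anything posted in the thread) of the client-independent proxy idea kah describes: a small state machine that watches the POP3 and SMTP command stream, holds a message body from a RETR response or a DATA command until the terminating ".", runs a scan callback over it, and only then releases or blocks it. The scan callback is a constructed stand-in that only looks for an executable attachment name, and the protocol lines fed to it in the demo are constructed too; dot-stuffing and the real socket plumbing are left out.

```python
"""Toy client-independent mail scanning proxy: watch the POP3/SMTP command
stream, buffer each message body, scan it, then release or block it."""
import re


def flag_executable_attachment(body):
    """Stand-in scanner: clean unless a MIME part is named like an executable."""
    return re.search(r'name="?[^"\r\n]+\.(exe|scr|pif|bat)"?', body, re.I) is None


class MailStreamScanner:
    """Feed the proxy one protocol line at a time; each call returns the lines
    that may be forwarded to the other side (none while a body is held)."""

    def __init__(self, scan):
        self.scan = scan
        self.mode = None      # None | "pop3-wait" | "pop3-body" | "smtp-body"
        self.buffer = []
        self.verdicts = []    # (direction, clean) for every scanned message

    def feed_client(self, line):
        """Line from the mail client; returns lines to forward to the server."""
        if self.mode == "smtp-body":
            return self._collect(line, "outgoing")
        command = line.strip().split(" ", 1)[0].upper()
        if command == "RETR":     # POP3 download: the body comes from the server
            self.mode = "pop3-wait"
        elif command == "DATA":   # SMTP send: the body comes from the client
            self.mode = "smtp-body"
        return [line]

    def feed_server(self, line):
        """Line from the mail server; returns lines to forward to the client."""
        if self.mode == "pop3-wait":
            # "+OK" means the message body follows; "-ERR" means nothing to scan
            self.mode = "pop3-body" if line.startswith("+OK") else None
            return [line]
        if self.mode == "pop3-body":
            return self._collect(line, "incoming")
        return [line]

    def _collect(self, line, direction):
        if line.rstrip("\r\n") != ".":
            self.buffer.append(line)
            return []                    # hold until the body is complete
        body, self.buffer = "".join(self.buffer), []
        clean = self.scan(body)
        self.verdicts.append((direction, clean))
        self.mode = None
        if clean:
            return body.splitlines(keepends=True) + [line]
        # Blocked: substitute a short notice so the other side still sees a
        # properly terminated body (a real product would also alert the user).
        return [f"X-Scanner: {direction} message blocked\r\n", "\r\n", line]


if __name__ == "__main__":
    proxy = MailStreamScanner(flag_executable_attachment)
    # Constructed POP3 exchange: the client fetches a message carrying kitty.exe
    for line in ["RETR 1\r\n"]:
        proxy.feed_client(line)
    for line in ["+OK 120 octets\r\n", "Subject: A special humour game\r\n",
                 "Content-Type: application/octet-stream; name=kitty.exe\r\n",
                 ".\r\n"]:
        print(proxy.feed_server(line))
    print(proxy.verdicts)
```

The point kah makes is visible in the structure: nothing here depends on which mail client is on the other end, only on the commands every client has to send. The weak spot he mentions is also visible: if the client talks to a mail server on localhost, no proxy sits between them and feed_client/feed_server never see the lines.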

agent1

Apr 24, 2002, 2:57pm
No, all that "tells" your computer is what kind of data is coming next. If
your email reader automatically executes it, that's not the fault of the
content-type setting.

-Agent1

silenced

Apr 24, 2002, 5:00pm
Well with OE it usually does execute it.. sorry I wasn't at all awake that
day ;) Thought you were not going to post anymore?

--Bowen--

Have $3... want a website?
http://www.smartpenguin.com/affiliate.php?id=12


silenced

Apr 24, 2002, 5:01pm
Did I say SMTP? What the hell was I smoking? LoL again I'll say I wasn't
at all awake that much yesterday.

--Bowen--

Have $3... want a website?
http://www.smartpenguin.com/affiliate.php?id=12


syntax

Apr 24, 2002, 7:20pm
Don't worry my sons, I have my preview windows off and all critical updates
installed.
--
Mayor 'tax
www.swcity.net


silenced

Apr 24, 2002, 7:24pm
Kick butt, good job ;). Symantec has something on their website that checks
for that just in case, might want to give it a run through.

--Bowen--

Have $3... want a website?
http://www.smartpenguin.com/affiliate.php?id=12


syntax

Apr 24, 2002, 7:25pm
Yep, that's the one. Thanks for the info. ;-)
--
Mayor 'tax
www.swcity.net


syntax

Apr 24, 2002, 7:33pm
Hmm....I looked through my registry and everything and there is no trace of
a virus anywhere. (looking on that site that Kit gave us)

BUT...SW Comit and OniLink...two AW friends of mine, got e-mails from me
with subjects saying "sos!" which is part of the virus. Is it possible that
it can send itself automatically? O_o
--
Mayor 'tax
www.swcity.net



silenced

Apr 24, 2002, 7:35pm
Yup, that's one of the things that viruses try to do. They always try to
send themselves to other people in a hope that it can spread. I really
don't understand why people make viruses.. they do no good and make no
sense.

--Bowen--

Have $3... want a website?
http://www.smartpenguin.com/affiliate.php?id=12


syntax

Apr 24, 2002, 7:38pm
I meant is it possible that a virus can send itself without being executed?
Seems weird but I have no trace of the virus on my computer...nothing in
registry or anything..no WINK#####.exe files or anything. But it did get
sent to SW Comit and OniLink from me.
--
Mayor 'tax
www.swcity.net


silenced

Apr 24, 2002, 7:42pm
Hmm it's possible.. I'm not sure, maybe it was modified since its release
and that version of the page is not up to date with what it can actually do?

--Bowen--

Have $3... want a website?
http://www.smartpenguin.com/affiliate.php?id=12


zeo toxion

Apr 25, 2002, 12:04am
It could be from someone else. Just because they may happen to have been in
your address book (by which viruses get email addresses to send themselves to)
doesn't necessarily mean it was you.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
A message from Zeo Toxion
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


shorah

Apr 25, 2002, 1:31am
This is the same virus that Quiz Bot (OW Support) sent information about to
the teamies in OuterWorlds. Here's the message with more information about
it:

From: "Quiz Bot (NTL)"
Subject: Virus Info, Please Read : IMPORTANT !!!!!!
Date: Tue, 23 Apr 2002 23:48:49 +0100

Hello all,
Sorry for the necessity of sending this out, but due to recent events,
Likeness has asked me to send it you all.

There is a very nasty email worm doing the rounds known as KLEZ
There are several variants out there each with distinct behaviours, subject
lines etc
and some also drop nasty viruses eg ELKERN as part of their payload

More info can be found here
http://www.europe.f-secure.com/v-descs/klez.shtml

That link also contains at the foot of the page a link to a removal tool,
which includes a readme file.

Please read it in full and familiarise yourself with the possible subject
lines, and attached filenames.
If you see any of these subject lines in your email, even from somebody you
know, treat it as highly contagious and radioactive !!!!!! and delete at
once.

Better still update your AV tools to the latest dat files and keep them
up to date, and for those that haven't got an AV product try
http://www.grisoft.com it's free.

Please be aware that no matter how good your AV protection there is always a
window of opportunity between a total brand spanking new virus being
released upon the internet and the AV companies coming up with detection and
or fixes/removals. So there is no substitute for practising good old
fashioned safe sex for PCs.

That means not using preview windows, not opening suspicious enticing emails
even those apparently from people you know until you've done some
investigation, such as viewing details or source to examine for tell-tale
clues you can use in an AV vendor's database search, and querying the
apparent sender to test the veracity of the email before opening it.

Regards and Hope this helps slow the spreading through OW
Quiz Bot

Support Team Member

---
Obviously not something you want to be opening ;-)

Shorah
115213


Awportals.com is a privately held community resource website dedicated to Active Worlds.
Copyright (c) Mark Randall 2006 - 2024. All Rights Reserved.