[TRLog] Last update

Tom Hammond NØSS n0ss@earthlink.net
Sun, 03 Dec 2000 12:14:18 -0600


Folks:

Tree wrote:
> >I sent out 6.56 about 36 hours ago - and some people have reported
> >it had a  v i r u s.
> >Tree

Then W6CT asked:

>Was this a separate file that got attached to the message
>in addition to the zip file, or is it actually embedded
>in the zip file?

IN the ZIP file... see below.

Since I may have been the source of the virus (actually a TROJAN virus, 
TROJ_HYBRIS.B), I'll tell you what I've found so far...

I've found NUMEROUS instances of this virus on my machine...! See below.

To see IF you are CURRENTLY infected, do a whole-drive search for ANY files 
with a .EX$ file extension. If you DO find any instances of this file 
extension. LOOK IN THE SAME FOLDER to see if you find a similarly-named 
file, BUT with a .EXE file extension. If you do, the file with the .EXE 
file extension IS the trojan!!!  DO NOT EXECUTE IT!!!!!

DELETE the .EXE file and RENAME the .EX$ file to the same filename but with 
a .EXE extension. This will fix THAT problem, but ONLY in THAT folder. 
There may be more...!

ADDITIONALLY... if you find more than one instance of a file with a .EX$ 
extension, this probably indicates that your PC has been INFECTED, rather 
than just merely having received a single infected file.

Note that the trojan file will normally be 23,040 bytes in length, although 
I found one instance where it was clearly present and NOT of this length.

In the case of the TRLOG v6.56 file, it contained a file named TR.EX$ _and_ 
a file (23,040 bytes in length) named TR.EXE.

If you attempt to RUN the TR.EXE (trojan) file, you will have 'installed' 
the virus onto your PC.

Once run, the trojan sends itself to others, using the addresses you use 
when you send out your e-mails. It does NOT access your address book; 
rather, it looks at the addresses actually in the messages being sent and 
uses them. The address of the 'sending' party will usually show as having 
come from "Hahaha" <Hahaha@sexyfun.net> and will contain an attachment 
named midgets.SCR or midgets.EXE, either of which, ONCE THEY ARE RUN, will 
infect the recipient's PC.

Once infected, not only will the trojan affect your normal .EXE files, but 
it will also infect .EXE files WITHIN ZIP FILES as well. Usually only one 
.EXE file in each ZIP file, but EACH and EVERY ZIP file will have to be 
checked to confirm the presence of a file with the .EX$ extension. Fixing 
these files is not all that difficult, but it is time-consuming.

Another possible way you may detect presence of this virus is to monitor 
significant MODEM activity during times when you are connected, but not 
expecting to have any... for instance, while you're reading your mail, all 
of a sudden there's a flurry of modem activity and you're not supposed to be 
SENDING _or_ RECEIVING data. This may be a clue that something else is 
going on that you're not aware of. Although this is NOT necessarily an 
indication of infection, it may be worth checking out anyway.

Finally, IF you have been infected, you WILL have to REMOVE and REPLACE 
your (infected) WSOCK32.DLL with a new one. ALL of the WSOCK32.DLL files 
I've found around here were about 40kB to 45kB in size, and my infected 
WSOCK32.DLL file was about 65kB in size, however at least one correspondent 
tells me that HIS WSOCK32.DLL file seems to NOT be infected, but IS around 
65kB in size. Although I'm still a bit skeptical of this report, you should 
be aware of the possibility of the possible difference in sizes 
of UNinfected files.

For more info about this virus, I direct your attention to:

     http://www.datafellows.fi/v-descs/hybris.htm

and for other viruses, try:  http://www.datafellows.fi/v-descs/

There are other very good sources as well, I just happen to like the info 
this group provides.

73 - Tom Hammond   N0SS


--
FAQ on WWW:               http://www.contesting.com/FAQ/trlog
Submissions:              trlog@contesting.com
Administrative requests:  trlog-REQUEST@contesting.com
Problems:                 owner-trlog@contesting.com
Feature Wishlist:         http://web.jzap.com/n6tr/trwish.html
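A scan that automates the check described in the message above (a .EX$ file with a same-named .EXE twin in the same folder, on disk and inside ZIP files, with the 23,040-byte length flagged), as an added example that is not part of the original post; the sample layout it builds in a temporary directory is constructed stand-in data, not real files.

```python
import os, tempfile, zipfile

TROJAN_SIZE = 23040  # length the message reports for the dropped TR.EXE

def _pairs(names):
    """Yield (ex$_name, exe_name) for each .EX$ entry that has an .EXE twin."""
    lookup = {n.lower(): n for n in names}
    for low, orig in lookup.items():
        if low.endswith(".ex$") and low[:-4] + ".exe" in lookup:
            yield orig, lookup[low[:-4] + ".exe"]

def _finding(where, backup, exe, size):
    return {"where": where, "backup": backup, "exe": exe,
            "size": size, "size_matches": size == TROJAN_SIZE}

def scan_tree(root):
    """Walk root; report .EX$/.EXE pairs on disk and inside every ZIP found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for backup, exe in _pairs(files):
            size = os.path.getsize(os.path.join(dirpath, exe))
            findings.append(_finding(dirpath, backup, exe, size))
        for name in files:
            if not name.lower().endswith(".zip"):
                continue
            path = os.path.join(dirpath, name)
            with zipfile.ZipFile(path) as zf:
                infos = {i.filename: i for i in zf.infolist()}
                for backup, exe in _pairs(infos):
                    findings.append(_finding(path, backup, exe, infos[exe].file_size))
    return findings

def make_sample_tree():
    """Constructed demo layout mirroring the TRLOG 6.56 case; not real files."""
    root = tempfile.mkdtemp(prefix="hybris_demo_")
    prog = os.path.join(root, "TRLOG")
    os.makedirs(prog)
    with open(os.path.join(prog, "TR.EX$"), "wb") as f:
        f.write(b"stand-in for the renamed original program")
    with open(os.path.join(prog, "TR.EXE"), "wb") as f:
        f.write(b"X" * TROJAN_SIZE)  # stand-in padded to the reported trojan length
    with zipfile.ZipFile(os.path.join(root, "TRLOG656.ZIP"), "w") as zf:
        zf.writestr("TR.EX$", b"original inside the archive")
        zf.writestr("TR.EXE", b"Y" * TROJAN_SIZE)
    return root

if __name__ == "__main__":
    for f in scan_tree(make_sample_tree()):
        print(f["where"], f["exe"], f["size"], "size matches" if f["size_matches"] else "size differs")
```

Point scan_tree at a real drive root to repeat the whole-drive search; a pair whose .EXE is not 23,040 bytes is still reported, since the message notes one instance of a different length.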