[TRLog] Last update - virus issue
Pete Smith
n4zr@contesting.com
At 12:39 PM 12/3/00 -0000, you wrote:
>
>
>I sent out 6.56 about 36 hours ago - and some people have reported
>it had a v i r u s. I am now in Asia and can't check on this - but
>be warned.
I don't believe it was attached to your update -- it came to me 3 separate
times between 11/30 and 12/2, all ostensibly from hahaha@sexyfun.net. The
worm apparently sends itself to the same addressee as other e-mail that the
host is sending, but separately, so it may have come from your machine at
home. I know N0SS was one host, and I was another, at least for a time.
You can tell if you have it, because you will either have a wininit.ini
file in your Windows\System directory that renames a random 8-letter
filename as wsock32.dll, replacing the original wsock32.dll, or else a
registry key that loads such a file instead of wsock32.dll. In my case it
was the former, but there are known variants that do it both ways. Either
way, you need to reinstall wsock32.dll, delete the wininit.ini entry if
found or delete the registry key, and delete the random filename to be
double-safe.
It is NOT caught by McAfee VirusScan, even with the latest .dat file
(perhaps my engine is now obsolete), but PC-Cillin and F-Prot both will
catch it.
For the moment, it seems not to be too dangerous, but it reportedly has an
ugly ability to go out on the Internet and retrieve plug-ins, which can be
as malicious as human ingenuity can devise. Some people have reported, for
example, a variant that seeks out .zip files and replaces every .exe in
them with a new one that contains the worm.
There, now you know more than you ever wanted to!
73, Pete N4ZR
Contesting is ... Extreme Radio
The World Contest Station Database
is back up and running at
http://www.qsl.net/n4zr
--
FAQ on WWW: http://www.contesting.com/FAQ/trlog
Submissions: trlog@contesting.com
Administrative requests: trlog-REQUEST@contesting.com
Problems: owner-trlog@contesting.com
Feature Wishlist: http://web.jzap.com/n6tr/trwish.html
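
The wininit.ini check described in the message above, as an added example that is not part of the original post: it scans the text of a wininit.ini for `[rename]` entries, which Windows 9x processes at boot as `destination=source`, and reports any that overwrite wsock32.dll. The sample file contents and the 8-letter filename are constructed for illustration.

```python
import ntpath

# Constructed sample of a wininit.ini; paths and the 8-letter name are made up.
SAMPLE_WININIT = """\
[rename]
NUL=C:\\WINDOWS\\TEMP\\~setup1.tmp
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\QKXJMZPB.DLL
C:\\WINDOWS\\SYSTEM\\foo.dll=C:\\WINDOWS\\TEMP\\foo.new
"""


def find_wsock32_renames(text, target="wsock32.dll"):
    """Return (line_no, source_path) for each [rename] entry that replaces target.

    Parsed by hand rather than with configparser, because a [rename] section
    may legitimately repeat the same key (for example several NUL= deletions).
    """
    hits = []
    section = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "rename" or "=" not in line:
            continue
        # Left side is the file that gets overwritten, right side is the
        # file moved into its place at the next boot.
        dest, src = (part.strip().strip('"') for part in line.split("=", 1))
        if ntpath.basename(dest).lower() == target:
            hits.append((line_no, src))
    return hits


if __name__ == "__main__":
    for line_no, src in find_wsock32_renames(SAMPLE_WININIT):
        print(f"line {line_no}: wsock32.dll would be replaced by {src}")
```

The source path in each hit is the random-named file the message says to delete after restoring the original wsock32.dll.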