Re: [Thinkpad] OT: Mercy mission


From: Bruce Markowitz (scosgt_at_worldnet.att.net)
Date: Fri Dec 20 2002 - 14:25:33 EST


THIS IS A KNOWN VIRUS
There is nothing to suppose....
I don't remember exactly which one, you can find out on the Norton web site.
----- Original Message -----
From: "Nathan Sokal" <NathanSokal_at_compuserve.com>
To: "Dr. Jeffrey Race" <jrace_at_attglobal.net>
Cc: "Thinkpad Users Group" <thinkpad_at_stderr.org>; "Edgar Gunther"
<egunther98_at_hotmail.com>; "Bruce Markowitz" <scosgt_at_worldnet.att.net>
Sent: Friday, December 20, 2002 2:12 PM
Subject: Re: [Thinkpad] OT: Mercy mission

Further thoughts from Nat Sokal:
Message text written by Dr. Jeffrey Race, describing message he received
from network he had just put his Win98 friend onto. Presumably (?) his friend
had received the same message:
>> - text file: This is a special excite game
> This game is my first work.
> You're the first player.
> I expect you would enjoy
> - html file consisting apparently of a message he received from
> someone in his IE browser mail client
> - INSTALL.EXE which I assume is the worm payload.

Previously, I had said don't open the INSTALL.EXE.
But also, don't open the html file in a Windows computer; the file could
contain malicious VBS (Visual Basic Script) that a Windows computer using
Microsoft Outlook Express would execute. Jeff should know whether an
OS/2 computer can execute VBS. If it cannot, it should be OK to open the
html file to see what's in it. You might see the source code of the virus or
worm, and some evidence of who wrote it. For example, one malicious
item a friend of mine received had a comment line at the beginning of the
VBS source code that said
   "I HATE SCHOOL!!!"
Probably a teen-age high-school kid. It took my friend two work-days to
clean-up the mess that virus had made. (We looked at the file with an
ASCII text editor that couldn't execute VBS, but could display the ASCII
text.)

DON'T delete those files yet. Examine the Internet Header to find the source,
contact the ISP that serves that user, and have that user's account terminated
for intentionally sending a virus or worm. The files you retain are the
evidence to use against the perpetrator.

For a safety measure against accidentally executing the html file or the
EXE file, change their extensions from htm and EXE to TXT. Then (I think) they
won't be executed if someone should accidentally open them, and you can see
what's there, reading their ASCII contents.

Good luck! Let me know what happens.

Nat

Nathan O. Sokal
Design Automation, Inc.
4 Tyler Road
Lexington, MA 02420-2404, U.S.A.
Tel. +1 (781) 862-8998
Fax +1 (781) 862-3769
NathanSokal_at_compuserve.com
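
The header examination suggested in the message above, as an added example that is not part of the original e-mail: it walks the Received lines of a retained message and separates the relay that handed the mail to your own servers from the hops below it, which were written by the sending side and are reported as unverified. The sample message, the host names and the `trusted_domain` parameter are constructed assumptions.

```python
import email
import re

# Constructed sample (not from the thread); hosts and addresses are
# documentation placeholders. Newest Received line is on top.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mail.recipient.example with ESMTP; Fri, 20 Dec 2002 13:58:02 -0500
Received: from smtp.isp.example (smtp.isp.example [198.51.100.25])
\tby mx.recipient.example with ESMTP; Fri, 20 Dec 2002 13:58:01 -0500
Received: from pc (dialup-7.isp.example [203.0.113.77])
\tby smtp.isp.example with SMTP; Fri, 20 Dec 2002 13:57:59 -0500
From: "Someone" <someone@other.example>
Subject: A special excite game

This game is my first work.
"""

HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\).*?\bby\s+(?P<by>\S+)"
)

def received_hops(raw):
    """Parse Received headers into dicts (helo, rdns, ip, by), newest first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def report(raw, trusted_domain):
    """Split the hop chain at the last header stamped by our own servers."""
    hops = received_hops(raw)
    n = 0
    for hop in hops:
        by = hop["by"].lower()
        if by != trusted_domain and not by.endswith("." + trusted_domain):
            break  # headers from here down were written by the sending side
        n += 1
    edge = hops[n - 1] if n else None
    return {
        "handoff_ip": edge["ip"] if edge else None,
        "handoff_host": (edge["rdns"] or edge["helo"]) if edge else None,
        "unverified_ips": [h["ip"] for h in hops[n:]],
    }
```

Calling `report(SAMPLE, "recipient.example")` names the relay to quote in an abuse report to its operator; the addresses under `unverified_ips` are leads for that operator to check against its own logs.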



This archive was generated by hypermail 2.1.3 : Thu Jan 23 2003 - 09:59:45 EST