Virus festival?
Steverooo (post 1082203):

No Outlook = No Virus?

I deleted Outlook Express from my Windows machine a long time ago. Viruses can't hurt you, unless you download and execute them. Outlook is default set up to execute downloaded attachments! Yes, you can "turn it off", but it's DEFAULT!

So Microsoft is targeted. Always will be, until they decide to make security a consideration. The default settings of IE are very insecure, too.

By the Bayou... There is the W32Blaster, AND the SoBig.F Virus running around, right now. Blaster should be about done, but SoBig will be with us through September...

===============================

This detection is for a new variant of W32/Sobig. Note: The worm carries garbage data appended to the end of the file, so exact file size and file checksum may vary.

Installation

The worm copies itself onto the victim machine as WINPPR32.EXE into %Windir%, for example:

C:\WINNT\WINPPR32.EXE

A configuration file is also dropped to %Windir%:

C:\WINNT\WINSTT32.DAT

The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc

Mail Propagation

The worm mails itself to email addresses harvested from the victim machine, using its own SMTP engine to construct outgoing messages. Target email addresses are harvested from files with the following extensions:

DBX
HLP
MHT
WAB
EML
TXT
HTM
HTML

Outgoing messages are constructed as follows:

From: (may be admin@internet.com but could be virtually any address)

Subjects:

Your details
Thank you!
Re: Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie

Attachment:

your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

Body:

See the attached file for details
Please see the attached file for details

The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user.

The attachment must be run manually to infect the local system. Additionally, messages sent by the virus contain the following fields:

X-MailScanner: Found to be clean
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

The virus sends itself via its own SMTP engine, which requires an ESMTP server to send itself successfully. The virus does an MX lookup on the target domain (i.e. when sending itself to user@domain.com, it sends through the servers specified in the MX record for domain.com).

Contacting Remote NTP Servers

The worm contains a list of IP addresses for remote NTP servers, to which it sends NTP packets (destination port 123).

Self-Termination

In common with previous W32/Sobig variants, this variant contains a date-triggered self-termination routine. If the date is September 10th 2003 or later, the worm will no longer propagate.

Symptoms

Existence of the WINPPR32.EXE file in %WinDir%
Existence of the Registry hooks detailed above
Unexpected NTP traffic to remote servers

Method Of Infection

This worm propagates via email (contains its own SMTP engine) and attempts to spread via accessible network shares.

Manual Removal Instructions

To remove this virus "by hand", follow these steps:

- Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode).
- WinNT/2K/XP - Terminate the process WINPPR32.EXE

Delete the following files from your WINDOWS directory (typically c:\windows or c:\winnt):
WINPPR32.EXE
WINSTT32.DAT

Edit the registry
Delete the "TrayX" value from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Aliases
Name
W32.Sobig.F@mm (NAV)
WORM_SOBIG.F (Trend)

© Copyright 2002 Network Associates Technology, Inc. All Rights Reserved
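The mail indicators in the write-up quoted above (subjects, attachment names, body lines and the two stamped headers) make a usable gateway-side triage check. The block below is an added example, not code from the original post or from Network Associates: it uses Python's standard email package, the two messages it embeds are constructed for the demo, and the mx.example.net / partner.example hostnames and the documentation-range IPs in them are placeholders.

```python
"""Gateway triage against the W32/Sobig.F mail indicators quoted above.
Added example, not from the original post or the quoted write-up; the sample
messages, hostnames and IPs at the bottom are constructed placeholders."""
import email
import re
from email import policy

# Indicator lists copied from the write-up quoted in the post.
SOBIG_SUBJECTS = {"Your details", "Thank you!", "Re: Thank you!", "Re: Details",
                  "Re: Re: My details", "Re: Approved", "Re: Your application",
                  "Re: Wicked screensaver", "Re: That movie"}
SOBIG_ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
                     "your_details.pif", "details.pif", "document_9446.pif",
                     "application.pif", "wicked_scr.scr", "movie0045.pif"}
SOBIG_BODIES = {"See the attached file for details",
                "Please see the attached file for details"}
# Headers the worm stamps on every message it sends.
SOBIG_HEADERS = {"X-MailScanner": "Found to be clean",
                 "X-Mailer": "Microsoft Outlook Express 6.00.2600.0000"}
# The payload is always .pif or .scr: flag these whatever the filename,
# since the name list will not survive the next variant.
EXEC_EXTENSIONS = (".pif", ".scr")
# Bracketed IPv4 literal, as MTAs write it into a Received: header.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def triage(raw: bytes) -> dict:
    """Match one RFC 822 message against the indicators. 'sobig.f' needs the
    combination the worm always produces (both stamped headers plus a
    .pif/.scr attachment); a subject or body line alone is a weak signal."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SOBIG_SUBJECTS:
        hits.append(f"subject:{subject}")
    header_hits = 0
    for name, value in SOBIG_HEADERS.items():
        if str(msg[name] or "").strip() == value:
            header_hits += 1
            hits.append(f"header:{name}")
    exec_attachment = False
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(EXEC_EXTENSIONS):
            exec_attachment = True
            kind = "attachment" if filename in SOBIG_ATTACHMENTS else "executable"
            hits.append(f"{kind}:{filename}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    if text in SOBIG_BODIES:
        hits.append(f"body:{text}")
    if header_hits == len(SOBIG_HEADERS) and exec_attachment:
        verdict = "sobig.f"
    elif exec_attachment or len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    # The worm's own SMTP engine connects straight to the target's MX, so the
    # IP our MX wrote into the topmost Received: header is the infected host.
    # From: is harvested from the victim's files and is never trusted.
    received = msg.get_all("Received") or []
    m = RECEIVED_IP.search(str(received[0])) if received else None
    return {"verdict": verdict, "hits": hits,
            "source_ip": m.group(1) if m else None,
            "claimed_from": str(msg["From"] or "")}


# Constructed sample: a Sobig.F message as it would arrive at our MX.
SAMPLE_SOBIG = b"""Received: from unknown ([192.0.2.77]) by mx.example.net with SMTP; Wed, 20 Aug 2003 10:14:31 -0500
From: admin@internet.com
To: user@example.net
Subject: Re: Wicked screensaver
X-MailScanner: Found to be clean
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-Type: multipart/mixed; boundary="demo-boundary-1"

--demo-boundary-1
Content-Type: text/plain; charset="us-ascii"

Please see the attached file for details
--demo-boundary-1
Content-Type: application/octet-stream; name="wicked_scr.scr"
Content-Disposition: attachment; filename="wicked_scr.scr"
Content-Transfer-Encoding: base64

AAAAAAAAAAAAAAAAAAAAAAAAAAAA
--demo-boundary-1--
"""
# Constructed sample: a human reply that reuses one of the worm's subjects.
SAMPLE_CLEAN = b"""Received: from mail.partner.example ([198.51.100.9]) by mx.example.net with ESMTP; Wed, 20 Aug 2003 11:02:07 -0500
From: alice@partner.example
To: user@example.net
Subject: Re: Thank you!
Content-Type: text/plain; charset="us-ascii"

Thanks again for the session notes, see you Thursday.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SOBIG, SAMPLE_CLEAN):
        print(triage(sample))
```

Two caveats the verdict logic encodes: the X-Mailer value is exactly what a genuine Outlook Express 6 client writes and a real MailScanner relay adds the X-MailScanner line, so neither header proves anything alone; the worm signature is both headers together with a .pif/.scr attachment, while a lone subject such as "Re: Thank you!" is recorded but not acted on. And because the worm delivers through its own SMTP engine directly to the target's MX, the host to clean is the one in the topmost Received: header, not the spoofed From: address, which points at whoever's address book the worm harvested.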