Alfa Romeo/Alfa Romeo Digest Archive


Virus protection (Re: What is APE?)



Tom,

This is acting like the W32Klez virus that has been
hitting an alarming number of computers around the
world -- I've read figures claiming that from 7% to
18% of the world's Windows computers are infected with
this virus.  

The subject line is part of its tricks -- the virus
looks through the mailbox of the person it infects and
looks for two things:

1 - Subject lines
2 - To/From lines

It then sends out mail to everybody in your mailbox,
using subject lines you (and presumably they) have
seen before and appearing to be from people you may
recognize.  For example, I got one earlier today that
appeared to be from Richard Welty.  Scary.

Another nice trick: it disables your virus protection
programs.  The Symantec site includes a removal tool
for the primary version of this virus at the following
URL:

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen@domain.elidedl

There are several variants, however -- read the page
for more details.  In addition, the more "nerdy" among
us can use the info on that page to figure out whether
we're infected or not by reading the registry and
looking for the entries that Symantec says indicate
we've been hit.  If those registry entries aren't
there, you're clean for the time being.  If you don't
know how to edit a Microsoft registry entry, don't
worry, just keep downloading the virus-protection
updates, and also the security updates from Microsoft
if you use Outlook.

As a reminder, the Alfa digest software strips
attachments before sending out digest messages, so
it's technically not possible to get a virus directly
from the Digest.  However, if you've ever done a
"reply-all" to a Digest posting -- or more to the
point, if someone else has done a "reply-all" to one
of YOUR postings -- that introduces a possible vector
from another innocent Digest member.  

Be careful, all, and get well soon --

--Scott Fisher
  Tualatin, Oregon

--- Tom Sanor <mygoose@domain.elided> wrote:
> I would like to advise everyone that I received a
> virus (or, probably, a
> malicious program) by opening an email that was
> titled something like
> "newwebsite/ape".    Maybe you can see why I fell
> for it.  This one's a real
> killer.  It's taken me a while to figure out the
> damage it has caused.  (Don't
> worry, I'm sending this from another computer.)
> 
> First it disabled my Norton Anti-Virus software, and
> Norton System Doctor.
> Every time I got on line it seemed to be SENDING at
> a fast clip, even tho I
> wasn't personally sending anything.  I suspect it
> was cleaning out my
> confidential records, etc., so I immediately
> disconnected.  In order to
> restore the Norton program I Uninstalled it, then
> attempted to re-install, but
> discovered it had made my CDROM drive inoperable
> (Norton comes on a CD).
> 
> This monster appears to be codenamed  WINKFQ  (I
> think I see a meaning
> here...), and it has made itself a part of WINDOWS
> so I can't delete it.
> 
> Anyone else get this?  If so, I'm looking for
> advice.
> 
> Tom Sanor
> --
> to be removed from alfa, see
> /bin/digest-subs.cgi
> or email "unsubscribe alfa" to majordomo@domain.elided

