Exploit

David Kelsey

Yesterday, my cursor suddenly started moving on its own, with no input from
me, and I could not stop it. It moved to the start button, clicked it, then
clicked run, entered the address of my other network computer plus 'my
documents' and the name of my accounts file, which it opened. While all
this was going on, I was trying to end task with the Task Manager, where the
open task was called 'too funny LA 21' or something similar, which was the
subject line of an e-mail I received from a friend in Canada. It contained
a nun joke within the body of the message. It took several attempts to end
task.

Then I started removing all trace of the e-mail from both computers, and
emptied whatever folders I could. My deleted items folder on one computer
had already been emptied (not by me) of all mails except about 30 or 40
ZDNet pages which I had received and deleted over several months. I have
e-mailed ZDNet with the details in case they know anything about it.

I got the latest updates, and scanned both machines with Norton and AVG,
with no result. MS Antispyware ran and found nothing, but then it never has
found anything ever on either machine. I checked with Symantec, and found
nothing relating to this activity, either real or hoax.

Since then, both machines appear to be running normally.

Does anyone recognise this exploit, if that is what it is, please? It seems
to be a macro of sorts, but I don't have it in my EZ Macros list, and I have
deleted any trace of macros from Excel, not that there appeared to be
anything active. I can't think how anything could know the address of my
accounts file, nor can I think of any reason for accessing it. It doesn't
contain any passwords or anything that could be used to get into my bank or
whatever. However, it is very worrying, because obviously the run command
could have been anything. Having said all that, it could be a useful macro,
if I knew where to find it. I am the only user of the machine it cropped up
on, and my wife is the only other person in the house. She wouldn't set up
any macros. Could there be a key logger on board?

I have XP Pro SP2 with all updates, four spyware programs, and two antivirus
programs, plus the XP firewall and my ISP's firewall. You'd think the thing
would be locked down tight, wouldn't you?

David Kelsey
 

David H. Lipman

From: "David Kelsey" <[email protected]>

| Yesterday, my cursor suddenly started moving on its own, with no input from
| me, and I could not stop it. It moved to the start button, clicked it, then
| clicked run, entered the address of my other network computer plus 'my
| documents' and the name of my accounts file, which it opened. While all
| this was going on, I was trying to end task with the Task Manager, where the
| open task was called 'too funny LA 21' or something similar, which was the
| subject line of an e-mail I received from a friend in Canada. It contained
| a nun joke within the body of the message. It took several attempts to end
| task.
|
| Then I started removing all trace of the e-mail from both computers, and
| emptied whatever folders I could. My deleted items folder on one computer
| had already been emptied (not by me) of all mails except about 30 or 40
| ZDNet pages which I had received and deleted over several months. I have
| e-mailed ZDNet with the details in case they know anything about it.
|
| I got the latest updates, and scanned both machines with Norton and AVG,
| with no result. MS Antispyware ran and found nothing, but then it never has
| found anything ever on either machine. I checked with Symantec, and found
| nothing relating to this activity, either real or hoax.
|
| Since then, both machines appear to be running normally.
|
| Does anyone recognise this exploit, if that is what it is, please? It seems
| to be a macro of sorts, but I don't have it in my EZ Macros list, and I have
| deleted any trace of macros from Excel, not that there appeared to be
| anything active. I can't think how anything could know the address of my
| accounts file, nor can I think of any reason for accessing it. It doesn't
| contain any passwords or anything that could be used to get into my bank or
| whatever. However, it is very worrying, because obviously the run command
| could have been anything. Having said all that, it could be a useful macro,
| if I knew where to find it. I am the only user of the machine it cropped up
| on, and my wife is the only other person in the house. She wouldn't set up
| any macros. Could there be a key logger on board?
|
| I have XP Pro SP2 with all updates, four spyware programs, and two antivirus
| programs, plus the XP firewall and my ISP's firewall. You'd think the thing
| would be locked down tight, wouldn't you?
|
| David Kelsey
|

What kind of mouse do you use (PS/2, USB, wireless, etc.)?
 

R. McCarty

The "Issue" is jokes and cartoons via email. Always read email in Plain
text. Active content in email is dangerous.
 

Guest

MS spyware is a useless utility.
If you ever suspect spyware, malware, or a key logger, scan using Lavasoft
Ad-Aware SE & Spybot.
Plus, is your IE protected against the DSO exploit? If not, do it.
Regards!

--
I apologize for my command of English; I am a newbie & it is my first
experience in a newsgroup!

Ivanov



 

David H. Lipman

From: "Yezinki" <[email protected]>

| MS spyware is a useless utility.
| If you ever suspect spyware, malware, or a key logger, scan using Lavasoft
| Ad-Aware SE & Spybot.
| Plus, is your IE protected against the DSO exploit? If not, do it.
| Regards!
|


The DSO Exploit is very old. It was corrected years ago in an IE Cumulative Update.

SpyBot S&D v1.3 was known to continuously indicate a False Positive DSO Exploit presence.
SpyBot S&D v1.4 had an update that re-introduced that False Positive declaration and it was
subsequently corrected in a later update. Nobody using WinXP is affected by the DSO
Exploit.

As for MS Anti Spyware Beta (soon to become Windows Defender): it is a good product and
many report good things about it. I personally don't recommend its use until it is no longer
a Beta product. However, MS Anti Spyware Beta is far from useless.
 

David Kelsey

Thanks R.

You're right - I should know better. I was rash enough to think that all my
protective stuff would actually work. Shame, though having to live in a
dull text world forever, just because of some spotty youth trying to be
clever.

David
 

David Kelsey

Your English is better than some on this newsgroup!

I have Ad-Aware, Spybot Search and Destroy, and Spyware Doctor, as well as
the Microsoft malware thing, and I run them all frequently. In my
experience, the Microsoft thing has never found anything at all in the six
weeks or so I have used it to scan every day on both computers. Ad-Aware
finds the usual trackers and the like and deletes them on request, but if I
run Spybot afterwards, it never finds anything, and congratulates me on
having such a clean computer. Spyware Doctor is the same, and has so far
found nothing, in spite of glowing recommendations from everyone. I also
have Norton AV, and AVG. Norton rarely finds anything, and has found
nothing at all over the last month or so, while AVG, which is on my second
computer in the network, keeps finding the same two things as it has from
the first installation, but will not delete them. They seem to be the
standard Java runtime conflict. Today, it has found an e-mail virus, but it
refuses to define it or do anything at all that I ask it to do, and insists
that it can't do so on this type of virus. So it has denied access to it.
I also have two firewalls. I used to have Zone Alarm, but it interfered
with something (I forget what) and put up so many alarms it became a
nuisance. It claimed, over two installations, to have
prevented about 4000 attempts to hijack my machine, but since I uninstalled
it six months or so ago, I don't seem to have any hijacks. Except, of
course, MSN, which hijacks my browser every time I start up, and can only be
removed by foul language and resetting the browser to about:blank, which is
my normal URL (or non-URL). Symantec has nothing to say about my problem,
either as a hoax or a virus or whatever.

On advice from people on this newsgroup, who said scanning e-mail is a waste
of time, I have not scanned incoming or outgoing mail, but after my latest
experience, I am now doing so, for what it may be worth.

David
 

David Kelsey

Thanks David

My Spyware S&D is 1.2, so I had better update it! So far, my attempt to
update causes the program to stall, and MS says PepiMK does not have a
solution. I don't know how to judge MS Anti Spyware - it finds nothing at
all, and says nothing about anything, so I don't know what it is up to. One
might draw the conclusion from that that it is useless.

David
 

David H. Lipman

From: "David Kelsey" <[email protected]>

| Thanks David
|
| My Spyware S&D is 1.2, so I had better update it! So far, my attempt to
| update causes the program to stall, and MS says PepiMK does not have a
| solution. I don't know how to judge MS Anti Spyware - it finds nothing at
| all, and says nothing about anything, so I don't know what it is up to. One
| might draw the conclusion from that that it is useless.
|
| David


Use SpyBot S&D v1.4 and there is a pull-down menu of available servers that updates can be
downloaded from. Some are more problematic than other download sites.

About MS AS... One might also draw the conclusion that there is nothing to find! See what
SpyBot S&D finds.
 

David H. Lipman

From: "David Kelsey" <[email protected]>

| Your English is better than some on this newsgroup!
|
| I have Ad-Aware, Spybot Search and Destroy, and Spyware Doctor, as well as
| the Microsoft malware thing, and I run them all frequently. In my
| experience, the Microsoft thing has never found anything at all in the six
| weeks or so I have used it to scan every day on both computers. Ad-Aware
| finds the usual trackers and the like and deletes them on request, but if I
| run Spybot afterwards, it never finds anything, and congratulates me on
| having such a clean computer. Spyware Doctor is the same, and has so far
| found nothing, in spite of glowing recommendations from everyone. I also
| have Norton AV, and AVG. Norton rarely finds anything, and has found
| nothing at all over the last month or so, while AVG, which is on my second
| computer in the network, keeps finding the same two things as it has from
| the first installation, but will not delete them. They seem to be the
| standard Java runtime conflict. Today, it has found an e-mail virus, but it
| refuses to define it or do anything at all that I ask it to do, and insists
| that it can't do so on this type of virus. So it has denied access to it.
| I also have two firewalls. I used to have Zone Alarm, but it interfered
| with something (I forget what) and put up so many alarms it became a
| nuisance. It claimed, over two installations, to have
| prevented about 4000 attempts to hijack my machine, but since I uninstalled
| it six months or so ago, I don't seem to have any hijacks. Except, of
| course, MSN, which hijacks my browser every time I start up, and can only be
| removed by foul language and resetting the browser to about:blank, which is
| my normal URL (or non-URL). Symantec has nothing to say about my problem,
| either as a hoax or a virus or whatever.
|
| On advice from people on this newsgroup, who said scanning e-mail is a waste
| of time, I have not scanned incoming or outgoing mail, but after my latest
| experience, I am now doing so, for what it may be worth.
|
| David
|

Scanning out-going email is always a waste. If you had a virus then the "On Access" scanner
of the AV software would have eliminated it prior to it being sent via email. If you had a
virus that was not recognized by your AV software then it wouldn't help in email either.

Scanning incoming email depends on the AV application and the email application. Is the
AV email scanner a POP3 Proxy scanner? Is it VIM or MAPI compliant? Is the Email
application VIM or MAPI compliant?

This type of discussion would be better served in an AV News Group. However, if your AV
scanner is properly performing "On Access" scanning then when an attachment is extracted
from the email message and is written to the TEMP folder or other disk location it will be
scanned at that time.

Anti Virus News Groups...

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus
 
