Good night. Bear appears to have entered a hibernation, right after
starting this informative thread. That is why we need you here, Kelly!
What is the cure for a hibernation virus?
--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
(e-mail address removed)
| >I am weary & must go to bed.
|
| 'Night!
|
| --
| All the Best,
| Kelly
|
| Microsoft-MVP Windows® XP-Shell/User
| 2004 Windows MVP "Winny" Award
|
| Troubleshooting Windows XP
| http://www.kellys-korner-xp.com
|
| Taskbar Repair Tool Plus!
| http://www.kellys-korner-xp.com/taskbarplus!.htm
|
|
| | > Ah! Now I've clicked...
| > http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
| > ..., & I'm sure I have seen some of those Subjects ("Hi!", "Hello",
| > "Confirmation") in my Inbox. Likely, I've never clicked one. Surely,
| > I've never clicked anything inside. That is why I have nothing named
| > "<whatever>32.exe" in my "START, Run, MSConfig, Startup tab".
| >
| > Now, I'm thinking, evidence may not show up in the Sent Items folder,
| > though, as the virus "uses its own SMTP engine to send a mass-mailing to
| > the email addresses that it finds".
| >
| >
| > --
| > Thanks or Good Luck,
| > There may be humor in this post, and,
| > Naturally, you will not sue,
| > should things get worse after this,
| > PCR
| > (e-mail address removed)
| > | I am weary & must go to bed. Well, OK, as I am tired, I SUPPOSE it is
| > | CONFIRMED now, but I can't go clicking your URLs till later. Lucky I
| > | have message rules for this sort of thing & I don't go clicking strange
| > | E-Mails, either,-- much less any link inside. Good night. (No, it isn't
| > | nighttime, but I'm sleepy. I suppose I caught a hibernation-virus from
| > | the Bear.)
| > |
| > |
| > | --
| > | Thanks or Good Luck,
| > | There may be humor in this post, and,
| > | Naturally, you will not sue,
| > | should things get worse after this,
| > | PCR
| > | (e-mail address removed)
| > | How about this for a little convincing then.
| > |
| > | http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
| > |
| > | Also Known As : W32/Mydoom.ag@MM [McAfee], WORM_MYDOOM.AG [Trend Micro],
| > | W32/Bofra-A [Sophos], MyDoom.AG [F-Secure], Win32.Mydoom.AF [Computer
| > | Associates], I-Worm.Mydoom.ad [Kaspersky]
| > |
| > | Systems Affected : Windows 2000, Windows 95, Windows 98, Windows Me,
| > | Windows NT, Windows Server 2003, Windows XP
| > |
| > | And as mentioned in Pa Bear's post, you must click on the hyperlink to
| > | execute the virus, unless I'm mis-interpreting it.
| > |
| > | The email contains a hyperlink that, when clicked on, takes the user to
| > | an .html page that exploits the Microsoft Internet Explorer Malformed
| > | IFRAME Remote Buffer Overflow Vulnerability (BID 11515). When this page
| > | is viewed the file http://[remote address]:1639/reactor is downloaded as
| > | %Desktop\vv.dat to the infected computer and executed. This file is
| > | detected as W32.Mydoom.AH@mm.
| > |
| > | --
| > |
| > | Brian A.
| > |
| > | Conflicts start where information lacks.
| > |
| > | http://www.dts-l.org/goodpost.htm
| > |
| > |
| > | > It hasn't been confirmed for us (Win98) yet, PA.
| > | >
| > | > Internet Explorer IFRAME Buffer Overflow Vulnerability
| > | > http://secunia.com/advisories/12959/
| > | > .....Quote................
| > | > The vulnerability has been confirmed in the following versions:
| > | > * Internet Explorer 6.0 on Windows XP SP1 (fully patched).
| > | > * Internet Explorer 6.0 on Windows 2000 (fully patched).
| > | > ....EOQ...................
| > | >
| > | > Anyway, I see nothing in Sent Items over the last few days that I
| > | > haven't personally sent!
| > | >
| > | >
| > | > --
| > | > Thanks or Good Luck,
| > | > There may be humor in this post, and,
| > | > Naturally, you will not sue,
| > | > should things get worse after this,
| > | > PCR
| > | > (e-mail address removed)
| > | > | From: http://forums.mcafeehelp.com/viewtopic.php?t=34893
| > | > |
| > | > | <quote>
| > | > | This brand new version of MyDoom is HTML based and does not contain
| > | > | attachments. It also exploits a critical IE vulnerability, so AV protection
| > | > | plus best practices are needed -- as this one has some potential.
| > | > |
| > | > | W32/Mydoom.ag@MM - Zero Day IE I-FRAME Attack
| > | > | http://secunia.com/virus_information/13213/mydoom.ag/
| > | > | http://vil.nai.com/vil/content/v_129630.htm
| > | > |
| > | > | This W32/Mydoom@MM variant makes use of a zero day attack targeting a
| > | > | Microsoft Internet Explorer IFRAME buffer overflow vulnerability. The virus
| > | > | spreads by sending email messages to addresses found on the local system.
| > | > | The message appears as follows:
| > | > |
| > | > | From: Spoofed address
| > | > | Subject: may vary
| > | > |
| > | > | * funny photos
| > | > | * hello
| > | > | * hey!
| > | > | * blank
| > | > |
| > | > | There is no attachment to the message. The homepage hyperlink points to the
| > | > | infected system which sent the email message. Clicking on the link, accesses
| > | > | a web server running on the compromised system. The web server serves HTML
| > | > | that contains IFRAME buffer overflow code to automatically execute the
| > | > | virus.
| > | > | </quote>
| > | > | --
| > | > | ~Robear Dyer (PA Bear)
| > | > | MS MVP-Windows (IE/OE)
| > | > |
|
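
The traits the quoted advisories describe (no attachment, a hyperlink to a web server on the sending machine, port 1639, a short list of subjects) can be turned into a mail-filter heuristic. The following is an added example, not part of the original thread; the function names, scoring weights and sample messages are assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

WORM_PORT = 1639                      # port named in the quoted Symantec text
LURE_SUBJECTS = {"funny photos", "hello", "hey!", ""}   # "" = blank subject
HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.I)

def ip_links(html):
    """Return (url, port) for every link whose host is a bare IP address."""
    found = []
    for url in HREF_RE.findall(html):
        try:
            parts = urlsplit(url)
            ipaddress.ip_address(parts.hostname or "")
            found.append((url, parts.port))
        except ValueError:            # DNS name, malformed URL or bad port
            continue
    return found

def score_message(raw):
    """Score one RFC 822 message against the traits quoted in the thread."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    links = ip_links(body.get_content() if body else "")
    score = 0
    if links and not list(msg.iter_attachments()):
        score += 2                    # link to a raw IP, nothing attached
    if any(port == WORM_PORT for _, port in links):
        score += 2                    # web server on the worm's port
    if (msg["Subject"] or "").strip().lower() in LURE_SUBJECTS:
        score += 1                    # weak signal on its own
    return score, links

# Constructed sample messages (192.0.2.0/24 is a documentation range).
SUSPECT = """From: someone@example.com
Subject: hello
Content-Type: text/html; charset="us-ascii"

<html><body>See my <a href="http://192.0.2.10:1639/index.htm">homepage</a></body></html>
"""
BENIGN = """From: colleague@example.com
Subject: Meeting notes
Content-Type: text/html; charset="us-ascii"

<html><body><a href="https://www.example.org/notes">notes</a></body></html>
"""
print(score_message(SUSPECT), score_message(BENIGN))
```

The subject check is deliberately the weakest signal, since ordinary mail also uses subjects like "hello"; the raw-IP link with no attachment is what carries the score.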