I believe you have been hit with the BugBear virus based on the symptoms and actions you spoke of. I would suggest you clean your system promptly as you are most likely now a host and may be propagating the virus to any shares on you LAN.
Norton may not have detected it because the virus attempts to shut down virus scanning programs as its first action. Good luck, Brett -----Original Message----- From: Bassam ALHUSSEIN Sent: Saturday, October 05, 2002 2:14 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Somebody saw this trojan ? Hello .. I have received an e-mail today that is not supposed to be sent to me (they were calling somebody else that I don't know ..). When I read the mail with Outlook Express I noticed that the popup window of dowmloading the attachement is invoked rapidly (Slow computer) without asking for +ACI-Open+ACI- or +ACI-Save as+ACI- ... Well, I have some basic concepts about viruses and security. I am using NAV 2001 with the virus definitions of 16/09/2002 and it generally scans the incoming emails. but after reading that email I noticed that NAV is not running +ACEAIQAh- With Ctrl-Alt-Del I Didn't see any +ACI-Strange+ACI- runnong program. On a promt command I wrote : netstat -an and I found : TCP 0.0.0.0:36794 0.0.0.0:0 LISTENING I think it could be a trojan horse listning on the port 36794 .. I ran NAV manually to scan my system...but it (NAV) soon shut down. I ran a free +ACI-Process Viewer+ACI- and then I noticed a +ACI-strange+ACI- running program with the name +ACI-Hfyj.exe+ACI-, so I killed it. With the +ACI-Regedit+ACI- I deleted the key that was invoking this program in : HKEY+AF8-LOCAL+AF8-MACHINE+AFw-Software+AFw-Microsoft+AFw-Windows+AFw-CurrentVersion+AFw-RunOnce I deleted the exe file and when I rebooted I noticed that it is always there and that Nav is not running. I killed the program again ..deleted the registry key... ran Nav to scan the exe file but it sayed that it is not infected +ACEAIQAh- Help.. The Resident Evil is always here and runing ... Note : the mail was sent from a fake address ....and I didn't found the +ACI-To: +ACI- statement in the header ....How could it come to me without the +ACI-To :+ACI- statement. what about sending the exe file to Symantec ??? thanx
