This was just posted on the beck rife list...same problem there. Directions how to fix. ~Hanan
<FWD> I was targeted by a worm sent via an attachment from someone on a yahoo list I am on. The thing was very sneaky in that it quoted bits from one of my posts to the list, as thought this gal were replying to me privately. After that I couldn't access the list homepage, but luckily I had some digests to read -- and lo and behold, there were several posts about this very thing. And even more luckily, one of the members of the list is an expert in computer security, who posted a description and fix. I don't think I sent the worm to any of you because I didn't re-boot between the time I downloaded the file and the time I did the fix, but I post it in case any of you were hit elsewhere. <<Subject: The attachment is a worm. Win32.Badtrans.13312 Badtrans is a worm spreading via e-mail. The worm replies to all unread messages and attaches itself using one of the following 16 names: fun.pif Humor.TXT.pif docs.scr s3msong.MP3.pif Sorry_about_yesterday.DOC.pif Me_nude.AVI.pif Card.pif SETUP.pif searchURL.scr YOU_are_FAT!.TXT.pif hamster.ZIP.scr news_doc.scr New_Napster_Site.DOC.scr README.TXT.pif images.pif Pics.ZIP.scr When a user opens the attachment, the worm copies itself to the Windows directory as: inetd.exe and modifies the file win.ini by including the line executing that program. Additionally, the Badtrans worm, drops a backdoor trojan (Win32.Badtrans.21882 Trojan). The worm creates and executes a 21882- byte file in the Windows System directory: kern32.exe and modifies the registry in order to run it on the next reboot: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\kernel32=kern32 .exe The Trojan, which is in fact a backdoor server also uses its own library: hksdll.dll (a 5632-byte file created in the same directory). To fix: First: search your hard drive for the files named INETD.EXE, KERN32.EXE and CP_23421.NLS. Delete them. Then: Run SYSEDIT by clicking START-RUN. On RUN Window type SYSEDIT then click OK. In SYSTEM CONFIGURATION EDITOR select the window C:\WINDOWS\WIN.INI then delete the entry "C:\WINDOWS\INETD.EXE" under RUN key. All done.>> -- The silver-list is a moderated forum for discussion of colloidal silver. To join or quit silver-list or silver-digest send an e-mail message to: silver-list-requ...@eskimo.com -or- silver-digest-requ...@eskimo.com with the word subscribe or unsubscribe in the SUBJECT line. To post, address your message to: silver-list@eskimo.com Silver-list archive: http://escribe.com/health/thesilverlist/index.html List maintainer: Mike Devour <mdev...@eskimo.com>
