Not from the list Mike...

This virus is a very clever new virus - the damage it could do was only
recently theoretical.  The file extension is masked by a class ID, making it
appear that it is a text file, image file, movie file, or other safe media.
However, the file is actually a DOS executable.  It auto-replies to any
messages that are received.

Some of these viruses ( like this one ) aren't picked up by the major virus
scanning software yet.  If one gets infected, and one is baffled at the
inability to find the virus, one needs to do several things:  1) download
the shareware program called Dll Demon 1.0 from any shareware site, such as
Tucows.   Demon Dll will allow you to see and kill any single process that
is running on your computer, including those programs which one cannot see
by using ctrl+alt+del.  Since this is a memory resident virus, there will be
ONE .exe running in DOS mode which is monitoring email, and perhaps
infecting other files in real time.

One needs to identify which file it is...  by careful examination of all
processes running.  When one identifies the exact .exe of the virus, one
needs to send it to Norton Antivirus ( or McAfee, etc. ).  Sadly, this virus
is a bit buggy, and did not infect my machine, although I was able to
examine some of the code from three separate emails I received.  The name of
the "virus" file that is infected in the attachment is variable, it
changes...  It probably self-extracts an executable that always has the same
name, but maybe not.

Once one sends it to Norton, one can then kill the process using dll demon.
One highlights the .exe file, presses Options and then Processes, then
chooses Terminate.  This forces the program to stop running INSTANTLY,
unloading it from memory.  Make sure to make note of the .exe.

If one doesn't know how to send a virus to a virus company, then one can do
a file search for the exact file name with the windows search feature.  Upon
locating the file, change the file name, ONLY changing the extension, ie the
.exe to something like .vir.  This will prevent the registry from being able
to find the virus and loading it into memory when you reboot your machine
( it will also prevent the autoexec.bat file from finding it as well ).  You
can then, if you wish, send that file to me at this email address.  The
three files I received that were a part of the virus were corrupt, so I
cannot do this.

However, the battle is not yet won.  The virus could be multi-staged and
morphogenic.  Chances are, this one action will inactivate the virus.
However, one then needs to search all of one's startup files for any
reference to the original file name, ie the registry, the autoexec.bat
files, etc.  Eliminate any line commands that one finds with this file name
in it.  It appears to use the E switch to execute, so one will probably find
filename.ext /e in any windows files that load the virus.

Then, one reboots one's machine.  Use dll demon to look at all active
processes once again.  Careful analysis of each process will show whether it
is a program you want to be running or not!  Often times, even if you don't
have a virus, you will be surprised at the files running on your machine
that you didn't know about.  Don't panic!  Go to altavista.com or
Google.com.  In the search box, type the exact file name in quotes ie
"injection.exe" ( a common valid file that runs in norton applications).
Your search will more than likely give you a clue to what the file is, and
whether or not it should be running on your machine.

This is an exercise everyone SHOULD do to become familiar with the programs
loaded and running on one's machine.  No memory resident virus can escape
dll demon.  If it is running on your machine, you will be able to see it!
Gone will be the fear of trusting antivirus companies exclusively for virus
protection.  Of course, not ALL viruses run as memory resident.  Some load,
do their deeds, then unload themselves to stay in hiding.  However, you've
now become familiar with everything that should be loading on your machine,
and one can then notice any anomalies in one's startup files, one's
autoexec.bat, windows.ini, control.ini, etc...



If you use outlook express, or other software that saves a copy  of your
outgoing messages, you can check to see if you're infected.  Look for
messages sent by you that you didn't send.  The files, as I've examined
them, are not large enough to contain their own email server, so they must
be using an existing email package to send the message replies out.


----- Original Message -----
From: M. G. Devour <mdev...@eskimo.com>
To: <silver-list@eskimo.com>
Sent: Monday, April 23, 2001 4:32 AM
Subject: Re: CS>VIRUS


> I've gotten a couple of messages sent to me directly, not through the
> list, that seem to have been silver-list messages that were quoted in
> their entirety, with a clever little line added at the end, something
> like:
>
> > look at the attachment...
>
> ... giving the impression the person whose machine the message was from
> was replying to the content of the message with something in the
> attachment.
>
> I've deleted them unopened, and don't remember who they were from. I
> *think* Beverle's name may have been on one or both. I don't remember
> if Joanne was involved.
>
> Has anyone received a message *FROM THE LIST* that contained a virus in
> an attachment? Or anything *else* of that sort in the last few days?
>
> Thank you,
>
> Mike Devour
> silver-list owner
>
> [Mike Devour, Citizen, Patriot, Libertarian]
> [mdev...@eskimo.com                        ]
> [Speaking only for myself...               ]
>
>
> --
> The silver-list is a moderated forum for discussion of colloidal silver.
>
> To join or quit silver-list or silver-digest send an e-mail message to:
> silver-list-requ...@eskimo.com  -or-  silver-digest-requ...@eskimo.com
> with the word subscribe or unsubscribe in the SUBJECT line.
>
> To post, address your message to: silver-list@eskimo.com
> Silver-list archive: http://escribe.com/health/thesilverlist/index.html
> List maintainer: Mike Devour <mdev...@eskimo.com>
>
>
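
The reply above describes an attachment whose extension is masked by a class ID so that a DOS executable looks like a text or media file. The following check is an added example, not part of the original message or of any tool it names: it walks a message's attachments and flags a class-ID suffix and an "MZ" executable header behind a harmless-looking name. The function names, the extension list and the sample message (with an all-zero placeholder class ID) are constructed for illustration.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# A trailing ".{CLSID}" is hidden by the Windows shell, so a file named
# "notes.txt.{...}" is displayed as "notes.txt".
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Assumed list of extensions a recipient would consider safe to open.
SAFE_LOOKING = (".txt", ".jpg", ".gif", ".mpg", ".avi", ".doc")


def inspect_attachments(raw):
    """Return [(filename, [reasons])] for attachments that look disguised."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container
        payload = part.get_payload(decode=True) or b""
        reasons = []
        visible = name  # what the shell would show the user
        if CLSID_SUFFIX.search(name):
            reasons.append("class ID used as extension")
            visible = CLSID_SUFFIX.sub("", name)
        # DOS/Windows executables start with the two bytes "MZ".
        if payload[:2] == b"MZ" and visible.lower().endswith(SAFE_LOOKING):
            reasons.append("executable content behind a safe-looking name")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample():
    """Constructed test message: one disguised attachment, one benign."""
    msg = EmailMessage()
    msg["Subject"] = "Re: sample"
    msg.set_content("look at the attachment...")
    msg.add_attachment(
        b"MZ\x90\x00" + b"\x00" * 60,  # fake header bytes only, not a program
        maintype="application", subtype="octet-stream",
        filename="notes.txt.{00000000-0000-0000-0000-000000000000}")
    msg.add_attachment("plain text\n", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in inspect_attachments(build_sample()):
        print(name, "->", "; ".join(reasons))
```
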