Security Incidents mailing list archives
Re: suspected virus
From: "Engle [SecEng], Michael T" <mengle () LEHMAN COM>
Date: Wed, 26 Jul 2000 16:01:47 -0400
James,

Try this: On an infected machine, set all unnecessary services to start up manually (if it's NT). Also take everything out of the startup folders (for ALL USERS and also the current user) and out of the

LMachine/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
LMachine/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce
CUser/SOFTWARE/Microsoft/Windows/CurrentVersion/Run

registry keys. Then, reboot. See if the problem still exists.

If it does, it'll be easy to catch. Now that you don't have much crap running, use REGMON.EXE from www.sysinternals.com to see what is modifying the HKLM\Software\Microsoft registry keys. I'm not sure where Outlook Express stores its "blocked" list. If it's in a file somewhere, then you're going to have to use FILEMON.EXE instead. You can probably search technet to get this information, or just use regmon/filemon to watch outlook and see what it's doing when you add someone to the blocked list. If the "virus" is active when you have regmon/filemon active, the tools should point you towards an executable name.

If the problem doesn't exist, then the problem was in one of the registry entries or shortcut keys you removed - check them out to see what they are.

Mike
..Michael Engle
...Lehman Brothers
....Security Engineering

-----Original Message-----
From: james [mailto:demarest () X25 NET]
Sent: Tuesday, July 25, 2000 4:12 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: suspected virus

I am an internet support tech and have been getting frequent calls concerning something that sounds like a virus. I don't have a copy of the virus, but the symptoms are as follows:

1) Email addresses have been added to the blocked senders list in Outlook (Express) without the user having added them.
2) I believe that once they have the virus, the email addresses from outgoing emails are added to the list. Not sure of that though.
3) You can go into the message rules and the blocked senders list and remove the people that have been added. They will stay empty until the computer is reset. After reboot the email addresses will be back in the blocked senders list.
4) This virus appears to be propagating through Texas. I do not know the name of the file that is sent.

If you have any other questions or info that you need, please feel free to email me back at demarest () x25 net. I will attempt to get more info about this on future calls I receive. I would also appreciate any information that you can give me on this, including fixes if any.

Thank you,
James Demarest
Level 2 Support Tech, Telenetwork, Inc.
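The persistence sweep Mike describes (list the automatic services, pull everything out of the Run/RunOnce keys and both Startup folders, keep what you removed so you can look at it later, then reboot and re-test) as an added PowerShell example. This is editor-supplied code, not part of the original thread. The -Apply switch, the quarantine directory path and the extra HKCU RunOnce key are my additions; without -Apply the script only reports what it would remove. Run it from an elevated prompt on the suspect machine.

```powershell
# Added example, not from the original message: enumerate (and with -Apply, clear)
# the autorun locations named in the reply, backing each entry up first so it can
# be inspected afterwards. Assumptions: $QuarantineDir path, -Apply switch.
param(
    [switch]$Apply,   # default is report-only; -Apply backs up and removes entries
    [string]$QuarantineDir = "C:\Quarantine\autoruns-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

# The three keys from the message, plus HKCU RunOnce (not in the message, added for completeness)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup folders for the current user and for All Users
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Step 1 of the reply: show which services start automatically so they can be set
# to Manual by hand (this script only reports them, it does not change them).
"=== Services set to Automatic start ==="
Get-Service | Where-Object { $_.StartType -eq 'Automatic' } |
    Select-Object Name, DisplayName | Format-Table -AutoSize | Out-String

if ($Apply) { New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null }
$backupFile = Join-Path $QuarantineDir 'run-keys.txt'

"=== Run / RunOnce values ==="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSParentPath/etc.; everything else is an autorun value.
    # (A real value whose name starts with "PS" would be skipped by this filter.)
    $values = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($v in $values) {
        "{0}`n    {1} = {2}" -f $key, $v.Name, $v.Value
        if ($Apply) {
            # One line per value: key|name|command, so the entry can be restored or examined later
            Add-Content -Path $backupFile -Value ("{0}|{1}|{2}" -f $key, $v.Name, $v.Value)
            Remove-ItemProperty -Path $key -Name $v.Name
        }
    }
}

"=== Startup folder contents ==="
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Force | Where-Object { $_.Name -ne 'desktop.ini' } | ForEach-Object {
        "{0}`n    {1}" -f $dir, $_.FullName
        if ($Apply) {
            # Move rather than delete: the shortcut/executable is evidence, not garbage
            Move-Item -Path $_.FullName -Destination $QuarantineDir
        }
    }
}

if ($Apply) { "Removed entries were saved under $QuarantineDir. Reboot and check whether the symptom persists." }
```

Run it once without -Apply to see the inventory, then with -Apply, reboot and re-test as the reply suggests. If the symptom is gone, the culprit is among the commands in run-keys.txt or the files moved to the quarantine folder. If it persists, the reply's next step still applies: watch the registry and file activity while reproducing the symptom. On current Windows the Regmon and Filemon tools named in the message have been folded into Process Monitor from the same Sysinternals site, which shows both registry and file writes in one trace and names the writing process.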
Current thread:
- suspected virus james (Jul 26)
- <Possible follow-ups>
- Re: suspected virus Engle [SecEng], Michael T (Jul 27)