Security Incidents mailing list archives

Re: suspected virus


From: "Engle [SecEng], Michael T" <mengle () LEHMAN COM>
Date: Wed, 26 Jul 2000 16:01:47 -0400

James,

Try this:

On an infected machine, set all unnecessary services to start up manually
(if it's NT).  Also take everything out of the startup folders (for ALL
USERS and also the current user)
and out of the
LMachine/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
LMachine/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce
CUser/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
registry keys.

Then, reboot.  See if the problem still exists.  If it does, it'll be easy
to catch. Now that you don't have much crap running, use REGMON.EXE from
www.sysinternals.com to see what is modifying the HKLM\Software\Microsoft
registry keys.  I'm not sure where Outlook Express stores its "blocked"
list.  If it's in a file somewhere, then you're going to have to use
FILEMON.EXE instead.  You can probably search technet to get this
information, or just use regmon/filemon to watch outlook and see what it's
doing when you add someone to the blocked list.

If the "virus" is active when you have regmon/filemon active, the tools
should point you towards an executable name.  If the problem doesn't exist,
then the problem was in one of the registry entries or shortcut keys you
removed - check them out to see what they are.

Mike
..Michael Engle
...Lehman Brothers
....Security Engineering

-----Original Message-----
From: james [mailto:demarest () X25 NET]
Sent: Tuesday, July 25, 2000 4:12 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: suspected virus


I am an internet support tech and have been getting frequent calls
concerning something that sounds like a virus.  I don't have a copy of the
virus, but the symptoms are as follows:

1) Emails have been added to the blocked senders list in Outlook
(Express) without the user having added them.

2) I believe that once they have the virus, the email
addresses from outgoing emails are added to the list. Not sure of that
though.

3) You can go into the message rules, and the blocked senders list and
remove the people that have been added.  They will stay empty until the
computer is reset.  After reboot the email addresses will be back in the
blocked senders list.

4) This virus appears to be propagating through Texas.  I do not know the
name of the file that is sent.

If you have any other questions or info that you need please feel free to
email me back at demarest () x25 net.  I will attempt to get more info about
this on future calls I receive.  I would also appreciate any information
that you can give me on this, including fixes if any.

Thank you,
James Demarest
Level 2 Support Tech, Telenetwork, Inc.


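A read-only way to inventory the autostart locations Mike's reply says to clear (the three Run/RunOnce keys and the per-user and all-users startup folders) and save a snapshot, so the entries can be reviewed afterwards as he suggests rather than deleted blind. This is an added example, not code from the thread; it assumes a modern PowerShell on Windows and that the LMachine/CUser paths in the e-mail map to the HKLM:/HKCU: drive paths below.

```powershell
# Added example: snapshot the autostart locations named in the reply above.
# Read-only: nothing is modified, so it can be run before and after cleanup.

# Registry keys named in the e-mail (assumed mapping of LMachine/CUser to HKLM/HKCU)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Startup folders for the current user and for "All Users"
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Get-AutostartEntries {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
            if ($p.Name -like 'PS*') { continue }
            $entries += [pscustomobject]@{
                Location = $key; Name = $p.Name; Command = $p.Value
            }
        }
    }
    foreach ($dir in $startupFolders) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            $entries += [pscustomobject]@{
                Location = $dir; Name = $_.Name; Command = $_.FullName
            }
        }
    }
    return $entries
}

$snapshot = Get-AutostartEntries
$snapshot | Format-Table -AutoSize

# Keep a timestamped copy; a second run after the reboot can be diffed with
# Compare-Object to show exactly which entries came back.
$out = Join-Path $env:TEMP ("autostart-{0}.csv" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$snapshot | Export-Csv -NoTypeInformation -Path $out
Write-Host "Snapshot written to $out"
```

Compare two snapshots with `Compare-Object (Import-Csv before.csv) (Import-Csv after.csv) -Property Location,Name,Command` to see which entries reappear after a reboot.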