Security Incidents mailing list archives

Re: Worm1800.exe on UnderNet?


From: "Jean-Luc" <Jean-Luc () Cavey org>
Date: Thu, 20 Jun 2002 23:03:59 +0200

 cw [mailto:cw () fidei co uk]   >>>>>  :

Hi there folks,
Twice in the past hour I have been messaged by two separate people on
UnderNet.


Two separate people? Are you sure?

The message goes:
!Notice!: A Recent Port Scan on your Computer reveals that Port 1800
is in open state. This usually means that you have been infected with
an IRC Worm Virus. Please download the cleaner at:
http://www.No-Hack.Us/Fixes/Worm1800.exe to remove the virus from
your system. If you do not comply with this rule within 30 minutes,
our client monitor will ban you from this network. -Thanks For
Understanding. UNDERNet Exploit Team


Don't do that!

1- Verify if your port 1800 is actually open. If yes, ask yourself "Why?"
There is no evidence at this step that it's due to an IRC Worm.
2- http://www.No-Hack.Us/Fixes/Worm1800.exe is probably the worm itself.
3- There is no reason for your ISP to ban you from the Web.

The mails you received sound like a social engineering way to constrain you
to actually install the worm on your computer instead of protecting your
machine against the worm.

Jean-Luc Cavey
National AntiVirus Specialist
KPMG France
Office : +33 (0) 1 46 39 46 21
Home : +33 1 45 43 45 62
Mobile : +33 (0) 6 15 93 77 96
E-Mail : NAVS () kpmg fr

================================
The presence of this text proves that this e-mail
has been verified by an up-to-date anti-virus
software at the time of the sending.
================================
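
Added example, not part of the original message: a small heuristic that flags IRC notices combining the traits of the one quoted above (claimed port scan, claimed infection, link to an executable, deadline, threatened ban). The trait names, regular expressions, threshold and the second sample line are assumptions of this example.

```python
import re

# Traits of the notice quoted in the message; the patterns are this example's assumptions.
TRAITS = {
    "unsolicited_scan_claim": re.compile(
        r"\bport\s+scan\b|\bport\s+\d+\s+is\s+(in\s+)?open\b", re.I),
    "infection_claim": re.compile(r"\b(infected|worm|virus|trojan)\b", re.I),
    "executable_link": re.compile(r"https?://\S+\.(exe|scr|pif|bat|vbs)\b", re.I),
    "deadline": re.compile(r"\bwithin\s+\d+\s+(minutes?|hours?)\b", re.I),
    "threatened_sanction": re.compile(
        r"\b(ban(ned|s)?|k-?lined?|g-?lined?|suspend(ed)?|disconnect(ed)?)\b", re.I),
}

def lure_traits(message):
    """Return the sorted names of the traits found in one chat message."""
    text = " ".join(message.split())  # undo client-side line wrapping
    return sorted(name for name, rx in TRAITS.items() if rx.search(text))

def is_probable_lure(message, threshold=3):
    """Flag a message that links to an executable and shows >= threshold traits."""
    traits = lure_traits(message)
    return "executable_link" in traits and len(traits) >= threshold

# The notice as quoted in the thread.
NOTICE = """!Notice!: A Recent Port Scan on your Computer reveals that Port 1800
is in open state. This usually means that you have been infected with
an IRC Worm Virus. Please download the cleaner at:
http://www.No-Hack.Us/Fixes/Worm1800.exe to remove the virus from
your system. If you do not comply with this rule within 30 minutes,
our client monitor will ban you from this network."""

# Constructed benign chat line: pressure words but no executable link.
CHATTER = "I was banned within 5 minutes of joining, lol"

if __name__ == "__main__":
    for msg in (NOTICE, CHATTER):
        print(is_probable_lure(msg), lure_traits(msg))
```
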


