More Viruses!
Guest
Posts: n/a
Got a virus this morning - I think it was this morning - a fairly innocuous e-mail which held a virus called CFGWIZ32.EXE; it is part of what McAfee call medium risk W32/MAGISTR @MM - I have deliberately spaced the at sign to avoid someone clicking on it.
What this one does, but you probably won't know it, is that it sends mail to some of your addresses in OE. It doesn't seem to be serious but all viruses are at best a nuisance.
My virus checker found all elements of it (22) and deleted them. I also, as a safeguard, got McAfee to check online and I am clear.
Pain though, and it's rife in Europe at the moment.
Guest
Posts: n/a
This is, in fact, quite a destructive virus. As InFinRetirement says, it sends mail to all of your contacts via Outlook. It composes a message using random words taken from .txt or .doc files on your PC and then searches for a .scr or .exe file of less than 128KB to infect and attach to the e-mail, so the attachment may vary as the e-mail is passed on.
The following is a brief extract of the virus description, with acknowledgement to Symantec. The full text can be found at http://www.symantec.com/avcenter/[email protected]
"If the computer has been infected for one month and at least 100 people have been sent an infected file, and if at least three files contain at least three examples from the following list:
sentences you
sentences him to
sentence you to
ordered to prison
convict
, judge
circuit judge
trial judge
found guilty
find him guilty
etc
then the virus will activate the first of its payloads which does the following:
Deletes the infected file
Erases CMOS (Windows 9x/Me only)
Erases the Flash BIOS (Windows 9x/Me only)
Overwrites every 25th file with the text YOUARE!!!! as many times as it will fit in the file
Deletes every other file
Overwrites a sector of the first hard disk
This payload is repeated infinitely."
Guest
Posts: n/a
Don't know if this is what you're talking about, but received email thus:
Virus-Hoax Advisory
*************************************************
Kaspersky Labs has been receiving many messages from users about a new
alarming and dangerous virus hiding in a SULFNBK.EXE file. It is necessary
to convince users that this type of virus does not actually exist, and we
classify this as a virus hoax.
Warnings about the pseudo-virus began spreading towards the end of last
week, causing a real scare amongst users. As indicated in the message's
text concerning the "virus," it contains a SULFNBK.EXE file that is
programmed to activate the destructive payload on June 1. As is typical
when a virus hoax is making the rounds, it is reported that not one
anti-virus program is able to detect this "virus"; therefore, the only
means of ridding a computer of this threat is to erase the
SULFNBK.EXE virus-carrying file.
Contrary to this report, the SULFNBK.EXE file is absolutely safe, and
moreover is a part of the operating system included in the Windows
delivery.
The program is a Windows application used for backup files with long
file names. By deleting this file, a user causes a change in the system
function as a whole, causing several operations on the computer to be
rendered inoperable.
In addition to this, as reported by SecurityPortal.com - the popular
information center for problems regarding information safety - its experts
have been able to receive the original SULFNBK.EXE file and establish
the reason for this hoax appearance. It turned out that this file on the
user's computer, who initiated the hoax, was really infected with the
Magistr virus, currently found in the virus list of the most widespread viruses.
"What we see now is the sincere wishes of users to warn their friends
and colleagues about the possibility of a dangerous virus. However, this
event confirms the famous saying, 'the road to hell is paved with good
intentions.' The attempt to warn the world about an actual dangerous
virus could cause other users to trigger a computer failure with their own
hands," commented Denis Zenkin, Head of Corporate
Communications for Kaspersky Lab.
----------------------------------------------------------------
Metropolitan Network BBS Inc. AntiViral Toolkit Pro CH
WWW: http://www.metro.ch/ http://www.avp.ch/
Email: [email protected] [email protected] * [email protected]
----------------------------------------------------------------
Guest
Posts: n/a
I am one of the recipients of IFR's e-mail. The strange thing is that it seems to be a file for installing ISDN on the PC. I have COMMAND ANTIVIRUS running on my PC but no viruses have been detected and nothing seems to be amiss with my computer.
Guest
Posts: n/a
Likewise, Sensible. I have Norton AV running but it didn't detect anything at the time or later, and, touch wood, my computer seems to be running OK.
I have Windows ME, and I notice that I have this file already, in the Windows System directory!
Anyone know if this is normal?
Guest
Posts: n/a
I didn't personally send those e-mails. My machine did! Hence the problem!!
Might be a good idea to check out www.mcafee.com - and look up this particular virus. They have a comprehensive list, including the one I have indicated above - W32 etc.,
[This message has been edited by InFinRetirement (edited 23 May 2001).]
Guest
Posts: n/a
There are so many viruses out there that your best defense is to think about each attachment before you open it. Is it from someone that you know? Is it the sort of message that they normally send? Check the properties to see what the actual attachment is called, or save it to a file where you can scan it with an anti virus program. Stopping a virus is a lot easier than trying to remove one.
Be careful out there!
Mutt
Guest
Posts: n/a
All very well mutt, but I get upwards of 20-40 mails a day, nearly always from Gatbashers or Wannabes or friends on PPRuNe.
If they send me an attachment I will almost certainly open it.
The person who gave me the above did not know until I mentioned it. But by then the worm had sent three mails from me. Fortunately my V checker found it and deleted it in toto.
Guest
Posts: n/a
IFR,
Didn't your Anti Virus software find the worms before they went into action?
With Norton AV 5.0, if I have a virus in an email, the Norton program will immediately jump on it if I try to open it or move it. This at least gives me some peace of mind, especially as I'm receiving at least one virus a week!
What software are you using?
Mutt
Cunning Artificer

Joined: Jun 2001
Posts: 3,125
Likes: 7
From: The spiritual home of DeHavilland
I don't mean to scare anybody but just so you are aware that you don't need to open an attachment to get worked over. I still haven't sorted out the effects of the e-mail that launched a porno spam attack on my machine. The e-mail was addressed correctly and had the subject line "re:update". This looks innocent enough but when I opened the e-mail (NOT, notice, an attachment) my browser immediately spawned a swarm of "pop-up" windows that were mostly porn sites. These windows came up as fast as I could close them until eventually the PC crashed. So far, Symantec don't know what happened, they have no other reports.
Maybe this was revenge for my deleting an unauthorised hidden and locked 500 Megs file that I found sitting in a partition on my hard drive, I don't know. I found a host of files hiding as "cookies" in the temporary internet files folder but no directory entries or changes. I hope I got rid of most but there are half a dozen files shown as cookies that I still cannot delete by any means. So far there haven't been any repeats of the spam Netscape windows but I do still get lots of "dodgy" e-mails.
The attack was launched through a firewall and active virus detection. Oh, and the e-mail deleted itself as well, which prevents tracking.
**********************************
Through difficulties to the cinema
Guest
Posts: n/a
Black sheep,
You would have had the "Homepage" virus.
This is still an attachment, but maybe your setup opens automatically in the preview pane?
see http://www.symantec.com/avcenter/[email protected]
read the technical description
Guest
Posts: n/a
One little trick:
Before opening ANY attachment, click on it ONCE and then click "save as..." so you can see its full name. Often something that looks like nudeannie.jpg is really nudeannie.jpg.vbs. I just made these filenames up but you get the idea.
I get anywhere between 50 and 200 emails per day and it's a rare week when I don't get sent at least one virus. I treat EVERY email I get as potentially dangerous.
---PPRuNe Dispatcher
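The same full-name check can be done mechanically on a raw message before anyone clicks on it. The sketch below is an added example, not part of the original post; the extension lists and the constructed sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs or hands to a script host (assumed list, extend as needed).
RISKY = {".exe", ".scr", ".vbs", ".js", ".pif", ".bat", ".com", ".cmd", ".lnk"}
# Harmless-looking extensions typically used as the decoy (assumed list).
DECOY = {".jpg", ".gif", ".txt", ".doc", ".pdf", ".mp3", ".zip"}

def classify_name(name):
    """Return 'double-extension', 'executable' or 'ok' for one attachment name."""
    # Trailing dots and padding spaces are dropped so they cannot hide the real suffix.
    parts = [p.strip() for p in name.strip().rstrip(".").lower().split(".")]
    if len(parts) < 2 or "." + parts[-1] not in RISKY:
        return "ok"
    if len(parts) >= 3 and "." + parts[-2] in DECOY:
        return "double-extension"
    return "executable"

def audit_attachments(raw_bytes):
    """Return [(filename, verdict)] for every named MIME part of a raw message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    return [(part.get_filename(), classify_name(part.get_filename()))
            for part in msg.walk() if part.get_filename()]

def build_sample():
    """Constructed sample message; attachment bodies are placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name in ("holiday.jpg", "nudeannie.jpg.vbs", "CFGWIZ32.EXE"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in audit_attachments(build_sample()):
        print(f"{verdict:17} {name}")
```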
Guest
Posts: n/a
Came to this forum looking for advice as I'd been infected with a virus through an email attachment from a reputable source (whose PC keeps trying to re-infect me).
IFR's lead to www.mcafee.com worked fine and fixed the snag, thanks.
One of the viruses had W32/BadTrans [at] MM trojan in it. Is this a well known one?
Just another number
Joined: Jun 2001
Posts: 1,077
Likes: 0
From: UK
I suggest that you put a false e-mail address in your address book. If you get a message bounced back from that address, then you will know that a virus has forwarded a message to all in your address book.
Airclues
Guest
Posts: n/a
I wish it was true that a virus had to be in an attachment. Microsoft, for some reason, wanted it otherwise.
The Outlook preview pane will automatically run any Javascript or VBScript that is in the main body of the message. As an exercise, some people at my workplace have demonstrated this.
I would strongly advise any Outlook Express user to do the following :
Click on Tools/Options...
Click on the Security tab
Set the Zone to be "Restricted Sites"
Click on Settings... (this will bring up a warning box, click OK to acknowledge it)
Click on Custom Level...
Set "Script ActiveX controls marked safe for scripting" to Disable
Set "Java permissions" to Disable Java
---PPRuNe Dispatcher
Guest
Posts: n/a
"CFGWIZ32.exe" appears in the C:\WINDOWS\SYSTEM directory of both my office pooter and my laptop (I'll check the home machine when I get there).
The file name would suggest to me some sort of "Configuration Wizard" under windows.
I also noticed that it has the date of May 11 1998, the same as many other files in my "system" directory, which would tend to suggest that it is a "real" microsoft file.
Certainly McAfee online hasn't "pulled it" and it seems to be pretty good when other odd files have appeared.
My bet, unless anyone else can confirm otherwise, is that this file is supposed to be there.
Guest
Posts: n/a
ESG, I thought I would get you to look at McAfee on this URL, near the bottom.
http://vil.nai.com/vil/virusSummary.asp?virus_k=99040
Then let me know what you think. THAT file is still in my Virus files!
Interesting innit?



