More Viruses!
Got a virus this morning - I think it was this morning - a fairly innocuous e-mail which held a virus called CFGWIZ32.EXE. It is part of what McAfee call medium risk W32/MAGISTR @MM - I have deliberately spaced the at sign to avoid someone clicking on it. What this one does, but you probably won't know it, is that it sends mail to some of your addresses in OE. It doesn't seem to be serious but all viruses are at best a nuisance. My virus checker found all elements of it (22) and deleted them. I also, as a safeguard, got McAfee to check online and I am clear. Pain though, and it's rife in Europe at the moment.
This is, in fact, quite a destructive virus. As InFinRetirement says, it sends mail to all of your contacts via Outlook. It composes a message using random words taken from .txt or .doc files on your PC and then searches for a .scr or .exe file of less than 128KB to infect and attach to the e-mail, so the attachment may vary as the e-mail is passed on.
The following is a brief extract of the virus description, with acknowledgement to Symantec. The full text can be found at http://www.symantec.com/avcenter/[email protected]
"If the computer has been infected for one month and at least 100 people have been sent an infected file, and if at least three files contain at least three examples from the following list: sentences you, sentences him to, sentence you to, ordered to prison, convict, judge, circuit judge, trial judge, found guilty, find him guilty, etc., then the virus will activate the first of its payloads which does the following:
Deletes the infected file
Erases CMOS (Windows 9x/Me only)
Erases the Flash BIOS (Windows 9x/Me only)
Overwrites every 25th file with the text YOUARE!!!! as many times as it will fit in the file
Deletes every other file
Overwrites a sector of the first hard disk
This payload is repeated infinitely."
Don't know if this is what you're talking about, but received email thus:
Virus-Hoax Advisory ************************************************* Kaspersky Labs has been receiving many messages from users about a new alarming and dangerous virus hiding in a SULFNBK.EXE file. It is necessary to convince users that this type of virus does not actually exist, and we classify this as a virus hoax. Warnings about the pseudo-virus began spreading towards the end of last week, causing a real scare amongst users. As indicated in the message's text concerning the "virus," it contains a SULFNBK.EXE file that is programmed to activate the destructive payload on June 1. As is typical when a virus hoax is making the rounds, it is reported that not one anti-virus program is able to detect this "virus"; therefore, the only means of ridding a computer of this threat is to erase the SULFNBK.EXE virus-carrying file. Contrary to this report, the SULFNBK.EXE file is absolutely safe, and moreover is a part of the operating system included in the Windows delivery. The program is a Windows application used for backup files with long file names. By deleting this file, a user causes a change in the system function as a whole, causing several operations on the computer to be rendered inoperable. In addition to this, as reported by SecurityPortal.com - the popular information center for problems regarding information safety - its experts have been able to receive the original SULFNBK.EXE file and establish the reason for this hoax appearance. It turned out that this file on the user's computer, who initiated the hoax, was really infected with the Magistr virus, currently found in the virus list of the most widespread viruses "What we see now is the sincere wishes of users to warn their friends and colleagues about the possibility of a dangerous virus. However, this event confirms the famous saying, 'the road to hell is paved with good intentions.' 
The attempt to warn the world about an actual dangerous virus could cause other users to trigger a computer failure with their own hands," commented Denis Zenkin, Head of Corporate Communications for Kaspersky Lab.
----------------------------------------------------------------
Metropolitan Network BBS Inc. AntiViral Toolkit Pro CH
WWW: http://www.metro.ch/ http://www.avp.ch/
Email: [email protected] [email protected] * [email protected]
----------------------------------------------------------------
I am one of the recipients of IFR's e-mail. The strange thing is that it seems to be a file for installing ISDN on the PC. I have COMMAND ANTIVIRUS running on my PC but no viruses have been detected and nothing seems to be amiss with my computer.
Likewise, Sensible. I have Norton AV running but it didn't detect anything at the time or later, and, touch wood, my computer seems to be running OK.
I have Windows ME, and I notice that I have this file already, in the Windows System directory! Anyone know if this is normal?
I didn't personally send those e-mails. My machine did! Hence the problem!!
Might be a good idea to check out www.mcafee.com - and look up this particular virus. They have a comprehensive list, including the one I have indicated above - W32 etc. [This message has been edited by InFinRetirement (edited 23 May 2001).]
Another good anti virus site to check out is www.sophos.com
There are so many viruses out there that your best defense is to think about each attachment before you open it. Is it from someone that you know? Is it the sort of message that they normally send? Check the properties to see what the actual attachment is called, or save it to a file where you can scan it with an anti virus program. Stopping a virus is a lot easier than trying to remove one.
Be careful out there! Mutt :)
All very well mutt, but I get upwards of 20-40 mails a day, nearly always from Gatbashers or Wannabes or friends on PPRuNe. If they send me an attachment I will almost certainly open it. The person who gave me the above did not know until I mentioned it. But by then the worm had sent three mails from me. Fortunately my V checker found it and deleted it in toto.
IFR,
Didn't your Anti Virus software find the worms before they went into action? With Norton AV 5.0, if I have a virus in an email, the Norton program will immediately jump on it if I try to open it or move it. This at least gives me some peace of mind, especially as I'm receiving at least one virus a week! What software are you using? Mutt :)
I don't mean to scare anybody but just so you are aware that you don't need to open an attachment to get worked over. I still haven't sorted out the effects of the e-mail that launched a porno spam attack on my machine. The e-mail was addressed correctly and had the subject line "re:update". This looked innocent enough but when I opened the e-mail (NOT, notice, an attachment) my browser immediately spawned a swarm of "pop-up" windows that were mostly porn sites. These windows came up as fast as I could close them until eventually the PC crashed. So far, Symantec don't know what happened; they have no other reports.
Maybe this was revenge for my deleting an unauthorised hidden and locked 500 Megs file that I found sitting in a partition on my hard drive, I don't know. I found a host of files hiding as "cookies" in the temporary internet files folder but no directory entries or changes. I hope I got rid of most but there are half a dozen files shown as cookies that I still cannot delete by any means. So far there haven't been any repeats of the spam Netscape windows but I do still get lots of "dodgy" e-mails. The attack was launched through a firewall and active virus detection. Oh, and the e-mail deleted itself as well, which prevents tracking.
**********************************
Through difficulties to the cinema
Black sheep,
You would have had the "Homepage" virus. This is still an attachment, but maybe your setup opens automatically in the preview pane? See http://www.symantec.com/avcenter/[email protected] and read the technical description.
One little trick:
Before opening ANY attachment, click on it ONCE and then click "save as..." so you can see its full name. Often something that looks like nudeannie.jpg is really nudeannie.jpg.vbs. I just made these filenames up but you get the idea. I get anywhere between 50 and 200 emails per day and it's a rare week when I don't get sent at least one virus. I treat EVERY email I get as potentially dangerous. ---PPRuNe Dispatcher
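The "look at the full name" check from the post above, written out as an added example (not code from the thread or from PPRuNe). It splits a name into every dotted suffix so the final, runnable extension is judged rather than the one a user sees, and it also handles a variant not mentioned above, whitespace padding between the two extensions; the extension lists are constructed for the example.

```python
# Extensions Windows will execute when double-clicked (constructed list;
# .vbs, .exe and .scr are the ones discussed in this thread).
EXECUTABLE_EXTS = {"exe", "scr", "vbs", "vbe", "js", "jse", "com", "bat",
                   "cmd", "pif", "lnk", "hta", "wsf"}
# Extensions a reader expects to be harmless data (constructed list).
DATA_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "xls", "pdf", "mp3"}


def split_extensions(filename: str) -> list:
    """Return every dotted suffix of a name, lower-cased and trimmed.

    'nudeannie.jpg.vbs' -> ['jpg', 'vbs']; 'photo.jpg   .exe' -> ['jpg', 'exe']
    (padding inside the name is stripped so it cannot hide the last suffix).
    """
    parts = [p.strip().lower() for p in filename.strip().split(".")]
    return [p for p in parts[1:] if p]


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last, known extension disappears and only the earlier one remains."""
    exts = split_extensions(filename)
    if exts and exts[-1] in EXECUTABLE_EXTS | DATA_EXTS:
        stem = filename.strip()[: -(len(exts[-1]) + 1)]
        return stem.rstrip()
    return filename.strip()


def assess_attachment(filename: str) -> dict:
    """Judge an attachment by its true (last) extension, not the shown one."""
    exts = split_extensions(filename)
    true_ext = exts[-1] if exts else ""
    shown_ext = exts[-2] if len(exts) > 1 else ""
    runnable = true_ext in EXECUTABLE_EXTS
    # A runnable file dressed up with a data-type extension in front of it.
    disguised = runnable and shown_ext in DATA_EXTS
    if not true_ext:
        verdict = "unknown"
    elif disguised:
        verdict = "block"
    elif runnable:
        verdict = "scan"      # e.g. SULFNBK.EXE: a real program, still scan it
    else:
        verdict = "ok"
    return {"true_extension": true_ext, "shown_as": displayed_name(filename),
            "runnable": runnable, "disguised": disguised, "verdict": verdict}


if __name__ == "__main__":
    for name in ("nudeannie.jpg.vbs", "SULFNBK.EXE", "holiday.jpg"):
        print(name, "->", assess_attachment(name))
```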
Came to this forum looking for advice as I'd been infected with a virus through an email attachment from a reputable source (whose PC keeps trying to re-infect me)
IFR's lead to www.mcafee.com worked fine and fixed the snag, thanks. One of the viruses had W32/BadTrans [at] MM trojan in it. Is this a well known one?
I suggest that you put a false e-mail address in your address book. If you get a message bounced back from that address, then you will know that a virus has forwarded a message to all in your address book.
Airclues
Thanks CA, splendid idea. Now done.
Can any 'whizz' explain, in simple language, how the Outlook Express 'preview' function can let a virus run? Is it possible to set a virus inside an email text? I understood there always had to be an attachment of some sort?
I wish it was true that a virus had to be in an attachment. Microsoft, for some reason, wanted it otherwise.
The Outlook preview pane will automatically run any Javascript or VBScript that is in the main body of the message. As an exercise, some people at my workplace have demonstrated this. I would strongly advise any Outlook Express user to do the following:
Click on Tools/Options...
Click on the Security tab
Set the Zone to be "Restricted Sites"
Click on Settings... (this will bring up a warning box, click OK to acknowledge it)
Click on Custom Level...
Set "Script ActiveX controls marked safe for scripting" to Disable
Set "Java permissions" to Disable Java
---PPRuNe Dispatcher
"CFGWIZ32.exe" appears in the C:\WINDOWS\SYSTEM directory of both my office pooter and my laptop (I'll check the home machine when I get there)
The file name would suggest to me some sort of "Configuration Wizard" under windows. I also noticed that it has the date of May 11 1998, the same as many other files in my "system" directory, which would tend to suggest that it is a "real" microsoft file. Certainly McAfee online hasn't "pulled it" and it seems to be pretty good when other odd files have appeared. My bet, unless anyone else can confirm otherwise, is that this file is supposed to be there.
ESG, I thought I would get you to look at McAfee on this URL, near the bottom. http://vil.nai.com/vil/virusSummary.asp?virus_k=99040 Then let me know what you think. THAT file is still in my Virus files! Interesting innit?
I checked again - I have wincfg32.exe and wincfg.exe, but no "31" files, so I guess I'm okay (?) - but doing an online scan now just to be sure!
Thanks for the link - useful to note
ESG,
I'm running a new laptop which is not my primary source for email. cfgwiz32.exe shows up in the c:\windows\system directory. This is with Windows98 2nd Edition. So I think that you can safely say that the file is supposed to be there. Mutt.
That's as I read the virus warning - it's the presence of cfgwiz31.exe that tells you there is a problem.
Seem to be having a big difficulty though in getting the latest update for McAfee - the first download (dcom98.exe, from microsoft downloads) file fails and everything just stops.
Just been sent the following email entitled:
SUBJECT: "Hand" - Follow the instructions.
DO: Leave your hand on the mouse
Doubleclick the symbol below (it's virus checked)
Concentrate on the dot in the middle of the screen and count to 30 (It's very important to watch it for 30 seconds! Otherwise it won't work!)
Now look at your hand on the mouse
5. Don't scream!
The attached file it asks you to click on is a file entitled SULFNBK.EXE. Being somewhat suspicious anyway, I attempted to examine the file from a web based mail account. Norton Anti Virus immediately pinged it as being the virus W32.Magistr.24876@ mm (I have added the space to preclude inadvertent click). So be warned - it is out there in various guises. And I don't recognise the person who sent it to me either, though it sounds a fairly genuine sort of sender who probably doesn't realise they've got the bug!
I had that sent to me ages ago and didn't think any more of it.
Yesterday I was checking my "exe." files to see if this CFGWIZ 32/31 that is mentioned a few posts up was in my system; it wasn't. Thing is, I came across a very strange file that had a hand written title that didn't make any sense. Tried to open it and couldn't; in fact I couldn't do anything with it or examine it in any detail, so I left it. Guess what??? Just checked my files for the SULFNBK.EXE and..........it turns up the same strange file that I found yesterday. I have now deleted it. I run Mcafee which didn't flag anything up and I regularly scan my files. Now that I have deleted it do I need to do anything else? Regards FBW
Now here's a funny thing: just searched my hard drive, I've got SULFNBK.EXE listed as a 44kb application in c|windows|c.... and it was modified 23/4/99. I have scanned the drive with Command Antivirus which reports "no viruses".
Anyone know what this application is? Surely it can't be a virus if Command Antivirus doesn't pick it up, given that it has presumably been lying in my hard drive since 23/4/99?
DON'T automatically delete files - especially in the Windows directory or subdirectories.
Check my post "A new type of virus - almost Irish" at http://www.pprune.org/ubb/NonCGI/For...ML/000983.html This file may be infected, but it's a file that should be there. If you really want to delete it, save it to a floppy first in case you later decide you need it! Keep up to date with your virus scanner - it's only $20 a year or so for McAfee :)
------------------
What goes around . . . . . often lands better!
Too late !!!!!!!!!!!!!
Haven't noticed any adverse effects though. Does anyone actually know what this file is supposed to do? [This message has been edited by Flybywyre (edited 01 June 2001).]
Ummmmmm! Like ESG says, don't just delete a file. It so happens that the alarms concerning SULFNBK.EXE are a hoax!
Click on this url: http://vil.mcafee.com/dispVirus.asp?virus_k=99084& You will have to put that file back I am afraid! [This message has been edited by InFinRetirement (edited 02 June 2001).]
The genuine SULFNBK.EXE is a system file to do with long file name backups. I don't know when you would use it, but I guess Windows does, so you should leave it where it is.
Pilot999, I received the same toy prog that you received - I found it quite interesting, by the way. :) I received it as a Word document with a file called optical.exe embedded in it. AA
Have a look at this too:
http://www.symantec.com/avcenter/ven...e.warning.html It does seem that sulfnbk.exe is not a virus but is an important file working in the background of W9*; but I can't find it in Win2000. If you deleted it you can get it back using Symantec's guidance. [This message has been edited by fobotcso (edited 01 June 2001).]
Not sure that I want it back.....everything's working fine without it.
FBW,
I believe it's used for certain file backup procedures - now who'd want to do a silly thing like a backup :)
Re-visited by "Snow White." I think she likes me! E-mail had a subject line of Hahaha! with an attachment. "Snow White" is hiding in there - so DO NOT open it. Just delete it. I expect McAfee would have done so but, having received it before, I just deleted it.
IFR, You will just need to be more careful when choosing your pen-pals! :)
I'm not sure how people like "hahaha" get our email addresses (they've got mine too!) but one thing worth remembering is, when sending out an email to a large address list, to send the email "to" yourself, and put all the other addressees in "blind copy" (Bcc).
That stops each addressee getting a list of the whole of your email address book - one way in which spammers "harvest" addresses.
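The Bcc advice above, shown in code as an added example (not from the thread or from PPRuNe): the open mailing and the Bcc mailing are built side by side, and a helper reads back which addresses a recipient could harvest from the delivered headers. Addresses under example.invalid are constructed placeholders.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import getaddresses


def build_open_message(sender, recipients, subject, body):
    """The careless way: every recipient listed in To:, visible to all."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes(), list(recipients)


def build_bcc_message(sender, recipients, subject, body):
    """The way recommended above: To: yourself, everyone else blind-copied.

    Returns the bytes to hand to SMTP DATA and the envelope recipient list
    for RCPT TO.  The list lives only in the envelope; no Bcc: header is
    written, because a Bcc: header left in the body would disclose it anyway.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = [sender] + list(recipients)
    return msg.as_bytes(), envelope


def disclosed_addresses(raw):
    """Every address a recipient can read out of the delivered headers."""
    msg = message_from_bytes(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr for _, addr in getaddresses(fields)}


if __name__ == "__main__":
    me = "me@example.invalid"                       # constructed sender
    friends = ["a@example.invalid", "b@example.invalid"]  # constructed list
    raw_open, _ = build_open_message(me, friends, "Hello", "hi all")
    raw_bcc, env = build_bcc_message(me, friends, "Hello", "hi all")
    print("open mailing discloses:", sorted(disclosed_addresses(raw_open)))
    print("bcc mailing discloses:", sorted(disclosed_addresses(raw_bcc)))
    print("envelope recipients:", env)
```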
Hi Guys,
You get what you pay for.......as they say. Have a look at the table in the link below and make up your own mind about the AV you have at present. http://www.nod32.com/awards.htm I've just changed my AV to the NOD32 !!! Cheers, TG
Just got Snow White....Hahaa, by email tonight but it was picked up by Nortons on the way in and it was quarantined by Nortons. I have removed it but what would this virus have done to me if it had got through?
Thanks
ExSimGuy - you wonder how people get addresses.
It's amazing how the same things crop up in different guises! Viruses (virii?) usually want to do one or more of 3 things:
1) Cause damage to your system
2) Gather information
3) Cause damage to other systems
First of all we had code to do all this, then the clever guys realised they could also cause havoc by disseminating the virus hoax e-mails, rather than going to the trouble of writing the real virus. Think about it. You get a plausible sounding e-mail that warns you about a virus, and exhorts you to forward the e-mail to all your contacts. If you do so, it's a bit like a chain letter building up. It may not damage your machine, but if enough people forward it on then the mail system becomes clogged up. Also, after the mail has been forwarded quite a few times, it builds up quite a long list of e-mail addresses - great for someone down stream who gets it and can then use the information to start spamming you. Now the clever guys are realising they can also achieve the same results with the opposite - that is an e-mail telling you that something isn't a virus, but is safe. What a hoax! So, beware. Don't blindly forward mails, and if you do forward something do everyone a favour and strip off all the previous recipients' addresses.
There are many excellent websites describing virus hoaxes. Some of the best are
http://www.symantec.com/avcenter/hoax.html
http://www.datafellows.com/news/hoax.htm
http://www.stiller.com/hoaxes.htm
http://vil.mcafee.com/hoax.asp
---PPRuNe Dispatcher