T.R | Title | User | Personal Name | Date | Lines |
---|
2909.1 | | BUSY::SLAB | A Parting Shot in the Dark | Mon Apr 21 1997 02:41 | 12 |
|
I can give you my entire \windows\command directory if you want
to copy it to a disk and put it on your own system ... but I'm
not sure how I'd do it right now since I'm still having problems
writing to my own NT server. And I'm a nice guy and all, but I
don't feel like mailing every file to you individually. 8^)
But if you don't get a better offer by Tuesday I'll dump it all
to a location that you can reach.
40 files, 1.03MB.
|
2909.2 | | AXEL::FOLEY | http://axel.zko.dec.com | Mon Apr 21 1997 10:43 | 6 |
|
Delete from a command line will not dump things in the
wastebasket.. Your best bet is to re-install.
mike
|
2909.3 | Cheer up; my NT disk got hosed from installing Norton AntiVirus | SMURF::PBECK | Who put the bop in the hale-de-bop-de-bop? | Mon Apr 21 1997 10:47 | 18 |
| re .0
Sounds like it might have been AOL4FREE.COM -- there's an actual
trojan horse by that name that apparently does a deltree (in
addition to the "good times" style hoax of the same name).
In any event, deletions from the command line don't go to the
wastebasket, so unless you were running Norton Utilities for W95,
what got deleted is gone (much of the file data may still be there,
but it would be a major operation with a DOS-based undeleter to
recover, with no longname recovery unless you have Norton).
Time to break out that recent backup you've got (?), and maybe pack
the kid off to the foreign legion for a few years... Or get him an
etch-a-sketch and tell him it's the latest notebook.
If no backup, it's reinstall time (but that won't restore your data
files and custom setups).
|
2909.4 | | BUSY::SLAB | Act like you own the company | Mon Apr 21 1997 12:10 | 4 |
|
Actually, even deleting from File Manager won't send to the recycle
bin ... those files are gone forever.
|
2909.5 | 2 options.... | JULIET::HARRIS_MA | Networks Sales Exec | Mon Apr 21 1997 13:56 | 9 |
| 1. Re-install
or
2. Buy Norton V2 for W95 and sit down with a tall cup of coffee and
start UNDELETING the files. (Assuming you have done NOTHING to WRITE to
the harddrive yet!!)
Mark
|
2909.6 | bummer... | FIREBL::LEEDS | From VAXinated to Alphaholic | Mon Apr 21 1997 19:53 | 10 |
| Thanks for the replies - problem is, I'm out of town for a week, and he's
stuck at home with a hosed system..... guess he'll have to wait 'til I get
home......
BTW - sorry about all the typos in the base note... yesterday was a looong
day...
Arlan
|
2909.7 | | BUSY::SLAB | Basket Case | Tue Apr 22 1997 10:57 | 5 |
|
Well, if you want the directory, you can copy it from:
BUSY::BUSY_USR02:[SLAB.WINDOWS.COMMAND]*.*
|
2909.8 | | JHAXP::DECARTERET | Live mice sit on us | Tue Apr 22 1997 18:35 | 4 |
| Reinstall 95 over the old installation. It will retain all of what is
still left. We've done it thousands of times.
Jason
|
2909.9 | AOL4FREE.COM Trojan Horse | NETCAD::SCARAMUZZO | Adapters Product Group, LKG1-3 | DTN 226-6977 | Wed Apr 23 1997 10:43 | 46 |
|
FYI, more on AOL4FREE Trojan Horse from: http://www-is-security.mso.dec.com
AOL4FREE.COM
As of April 17, 1997 23:00 GMT a CIAC Bulletin announced:
PROBLEM: A Trojan Horse program called AOL4FREE.COM that deletes all files on
a hard drive is circulating the Internet.
PLATFORM: DOS/Windows-based PCs
DAMAGE: When the AOL4FREE.COM program is executed, all files and directories
on the users C: drive are deleted.
SOLUTION: DO NOT execute this program. If the program starts executing, quickly
pressing Ctrl-C will save some of your files.
CIAC has obtained a Trojaned copy of AOL4FREE.COM that destroys hard drives.
NOTE: This is different from the AOL4FREE Virus Warning hoax message.
If you are e-mailed this file, or if you have downloaded it from an online
service, do not attempt to run it. If the program was received as an attachment
to an e-mail message, do not double click (open) it. Opening an attached
program runs that program, which in this case deletes all the files on your
hard drive. The original AOL4FREE was a Macintosh program for fraudulently
creating free AOL (America Online) accounts. Note that any attempt to use the
original AOL4FREE program may subject you to prosecution.
NOTE: Most antivirus programs will not detect this or other Trojan Horse
programs.
AOL4FREE.COM is a Trojan program that is 993 bytes (2 sectors) long. If you open
the AOL4FREE.COM file with a disk editor or with the Windows Notepad program,
the following text is found at the end of the second sector of the file.
PATH
COMMANDC earc
/C C:
/C CD\
DELTREE /y *.*
ECHOOYOUR COMPUTER HAS JUST BEEN F***ED BY *VP* F*** YOU AOL-LAMER
Pressing Ctrl-C before the Trojan Horse finishes deleting all your files will
save some of them. If the program runs to completion, all the files on your
root drive will have been deleted. The files are deleted with the DOS DELTREE
command, so the contents of the files are still on your hard disk, only the
directory entries have been deleted. Any program that can recover deleted files
will allow you to recover some or all of the files on your hard disk.
|
2909.10 | not AOL4FREE, but same results... | FIREBL::LEEDS | From VAXinated to Alphaholic | Mon Apr 28 1997 16:44 | 31 |
| Interestingly, this was NOT the AOL4FREE problem !!! Here's the scoop:
My son downloaded a file to my home PC, which has the same destructive
effect as the AOL4FREE virus - it issues a "deltree /y c:\*.*" !!!!
The file was disguised as a "wav" file called "homerum.wav".
If you look at the file properties, it says it's a wav file, but the
details tab, where it normally shows media length and audio format said that
the file had a corrupt format.
If you type the file from DOS, after all the garbage, you can see the
deltree command near the end of the file.
When run, instead of bringing up the sound player and playing the wav sound,
it issues a message that says "installing", then it issues the "deltree /y
c:\*.*" which obviously wipes out the C drive.
After I recovered, I ran 4 different virus checkers against the file
(Norton, Sweep, F-PROT and Dr. Solomon), none of them identified this file
as containing a virus.
The file actually came zipped, with a VBRUN300.DLL that unpacked into the
same directory - I suspect somehow it used the VBRUN to make W95 run it as a
program instead of treating it like a real wav file.
How do we protect against this in the future ??
Is there someplace to report this so others don't get hit by it ?
Arlan
|
2909.11 | | ACISS1::sch-dhcp-1-215.chi.dec.com::Andrews | Rob Andrews, PSG | Mon Apr 28 1997 17:47 | 7 |
| >(Norton, Sweep, F-PROT and Dr. Solomon), none of them identified this file
>as containing a virus.
That's because it's NOT a virus. It's a Trojan Horse.
You let it in and it does sneaky stuff...
|
2909.12 | Some protection is available. | DANGER::ARRIGHI | and miles to go before I sleep | Mon Apr 28 1997 18:00 | 14 |
| My own personal rules are that I don't run executables from untrusted
sites, and I check the contents of .zip files (with Norton File
Manager) and toss them if they contain executables.
Virus checkers won't protect you from a Trojan horse, as your
experience shows, but something like Norton Anti-Virus will allow you
to set up some alarms to warn of "virus-like" activity. This can be
something of a nuisance when, for instance, you try to save a revised
document in Word and Norton prompts you to confirm that you really want
to do it, but it will give you a chance to reconsider what you've just
done before blowing anything away.
Tony
|
2909.13 | Where to report viruses and the like | CADSYS::GROSS | The bug stops here | Mon Apr 28 1997 18:09 | 3 |
| POWDML::PC_SECURITY is where you can discuss this sort of problem.
Dave
|
2909.14 | | TARKIN::LIN | Bill Lin | Mon Apr 28 1997 18:10 | 12 |
| re: .10 by FIREBL::LEEDS
How did you manage to "RUN" a .WAV file? The operating system won't
run that file extension. Even if you double clicked on the file under
file manager or explorer, your operating system will launch some kind
of media player and pass the wav file to it.
So... how did you "RUN" the file?
Puzzled,
/Bill
|
2909.15 | I didn't see it happen.... | FIREBL::LEEDS | From VAXinated to Alphaholic | Mon Apr 28 1997 18:52 | 22 |
| > How did you manage to "RUN" a .WAV file? The operating system won't
> run that file extension. Even if you double clicked on the file under
> file manager or explorer, your operating system will launch some kind
> of media player and pass the wav file to it.
>
> So... how did you "RUN" the file?
>
Well - I wasn't here when he did it, and I sure don't want to do it
again just to see what happens.
He claims that he double-clicked on it, and instead of the usual
sound-player appearing, a window popped up that said something about
"installing", then the "deltree" command. As I mentioned in an earlier
note, it also came with its own VBRUN300.DLL, so maybe that was somehow
tied to it not bringing up a normal player for a wav file.... If you want to
look at the stuff, I copied it off to a floppy just to save in case someone
with more expertise than I have wanted to look at it..... I'd mail it to you
if you don't sue me ... :^)
Arlan
|
2909.16 | | TARKIN::LIN | Bill Lin | Mon Apr 28 1997 20:03 | 13 |
| re: .15 by FIREBL::LEEDS
My guess is that if this file came from a hostile source, then it is
possible that a file description might say file type .WAV but the file
could actually have been a .EXE. I don't see any other possibility,
though I don't do much in the way of random web downloads.
If you have the original downloaded file, go ahead and send it to me
(Exchange mail to either "Bill Lin" or [email protected] or via foreign
VAXmail to TARKIN::LIN). I won't sue. ;-) I suspect those in the
pc_security conference will be interested as well.
/Bill
|
2909.17 | done | FIREBL::LEEDS | From VAXinated to Alphaholic | Tue Apr 29 1997 19:48 | 13 |
| >
> If you have the original downloaded file, go ahead and send it to me
> (Exchange mail to either "Bill Lin" or [email protected] or via foreign
> VAXmail to TARKIN::LIN). I won't sue. ;-) I suspect those in the
> pc_security conference will be interested as well.
>
Done ... and they were....
Thanks
Arlan
|
2909.18 | | TARKIN::LIN | Bill Lin | Wed Apr 30 1997 10:32 | 7 |
| HOMERUM.WAV certainly has the earmarks of a Windows executable.
(starts with MZ and has all sorts of strings that are typical of
Windows applications) I'm sure if I rename it to .EXE and run it, I'll
have problems. I still don't see how anyone could have possibly
executed a .WAV file. I'm not brave enough to do any real testing.
Bill
|
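The CIAC bulletin in .9 (a 993-byte .COM whose last sector carries the COMMAND.COM / DELTREE strings), Tony's rule in .12 of opening every .zip and tossing it if it contains executables, and Bill's observation in .18 that HOMERUM.WAV starts with MZ all point at the same defensive check: trust the bytes, not the extension. The script below is an added example written for this note, not code from the thread or from CIAC. It opens a zip archive, sniffs each member's magic number (MZ for a DOS/Windows executable, RIFF/WAVE for a real .wav), flags members whose extension contradicts their content or that are plainly executable, and reports any embedded DELTREE or COMMAND.COM command strings with their file offsets. The archive it audits is constructed inline from synthetic bytes; the member names echo the thread but the contents are stand-ins, not the real HOMERUM.WAV or AOL4FREE.COM. It assumes Python 3.9 or later.

```python
"""Audit a .zip for members whose content does not match their extension
and for embedded DOS shell commands such as DELTREE.

Added example, not from the original notes thread. The sample archive is
constructed in memory from synthetic bytes."""
import io
import re
import zipfile

# Magic numbers a defender can recognise without trusting the extension.
MZ_HEADER = b"MZ"        # DOS/Windows executable image (EXE, DLL, SCR, ...)
RIFF_HEADER = b"RIFF"    # RIFF container; a real .wav has "WAVE" at offset 8

# Extensions Windows will run directly when double-clicked.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "pif", "dll", "scr"}

# Command strings the CIAC bulletin and the thread report seeing inside the
# trojan body; matched case-insensitively anywhere in the member's bytes.
SUSPICIOUS_COMMANDS = re.compile(rb"DELTREE\s+/y|COMMAND\.COM", re.IGNORECASE)


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes rather than its name."""
    if data.startswith(MZ_HEADER):
        return "executable"
    if data.startswith(RIFF_HEADER) and data[8:12] == b"WAVE":
        return "wav"
    return "unknown"


def audit_member(name: str, data: bytes) -> list[str]:
    """Return human-readable findings for one archive member."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff_type(data)
    if ext == "wav" and kind != "wav":
        findings.append(f"{name}: extension says WAV but content is {kind}")
    if kind == "executable" and ext not in EXECUTABLE_EXTENSIONS:
        findings.append(f"{name}: MZ executable disguised with .{ext} extension")
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"{name}: archive contains an executable (.{ext})")
    for m in SUSPICIOUS_COMMANDS.finditer(data):
        text = m.group(0).decode("ascii", "replace")
        findings.append(f"{name}: embedded command {text!r} at offset {m.start()}")
    return findings


def audit_zip(zip_bytes: bytes) -> list[str]:
    """Audit every regular file in the archive and collect all findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.extend(audit_member(info.filename, zf.read(info)))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a disguised executable, a runtime DLL, a genuine WAV."""
    fake_wav = (b"MZ" + b"\x90" * 60 + b"installing...\x00"
                + b"COMMAND.COM /C DELTREE /y C:\\*.*\r\n")
    runtime_dll = b"MZ" + b"\x00" * 100
    real_wav = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + b"\x00" * 28
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("HOMERUM.WAV", fake_wav)
        zf.writestr("VBRUN300.DLL", runtime_dll)
        zf.writestr("cheer.wav", real_wav)
    return buf.getvalue()


if __name__ == "__main__":
    for line in audit_zip(build_sample_archive()):
        print(line)
```

Run against the constructed archive it reports the disguised member twice (WAV extension over MZ content, and an MZ image under a non-executable extension), the two embedded command strings with their offsets, and the bundled DLL as a plain executable; the genuine WAV produces nothing. The point of sniffing magic bytes rather than extensions is exactly the gap the thread ran into: the virus scanners in .10 looked for known signatures, while a one-line content-versus-name check would have flagged HOMERUM.WAV before anyone double-clicked it.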
2909.19 | a way to execute a `wav' file... | FIEVEL::FILGATE | Bruce Filgate SHR3-2/W4 237-6452 | Wed Apr 30 1997 15:27 | 4 |
|
If winzip were used to zip this bogus executable, then double clicking
on the resultant self extracting file would expand both winzip and
the included, then transfer control to the `wav' file. right?
|
2909.20 | | POBOXA::KEEFER | Craig PK03-1/R11, DTN:223-4902 | Thu May 01 1997 10:52 | 24 |
| re: <<< Note 2909.18 by TARKIN::LIN "Bill Lin" >>>
>> HOMERUM.WAV certainly has the earmarks of a Windows executable.
It's probably a VB3 program that simply "shells out" and executes the DELTREE
command. This would be trivial to do from VB.
>> I still don't see how anyone could have possibly
>> executed a .WAV file.
It's possible to tell Windows which extensions are executable by editing the
WIN.INI (or was it SYSTEM.INI?) and adding WAV to ProgramEXE (or something like
that). I added SCR to this line in order to directly execute Screen Savers by
double-clicking on an SCR file. There's probably a way to do it in the registry
too.
However, simply unzipping the HOMERUM.WAV file and double-clicking it from
file manager/explorer would cause the "Corrupt format" dialog to appear.
Since the words "Installing..." appeared before executing the DELTREE, I
believe another program was executed (SETUP.EXE ???) which then ran
HOMERUM.WAV.
-Craig
|
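Craig's note above raises a check worth automating on any machine that has been fiddled with: which extensions has Windows been told to treat as programs? The script below is an added example for this note, not Craig's code or anything from the thread. It assumes the setting he is recalling is the Programs= line in the [windows] section of WIN.INI, whose stock value lists com, exe, bat and pif (that key name and default come from memory of the Windows 3.x/95 INI layout and should be treated as an assumption). The WIN.INI text it reads is constructed inline; on a real machine you would pass the contents of C:\WINDOWS\WIN.INI instead.

```python
"""Report extensions that WIN.INI has been edited to treat as executable.

Added example, not from the original notes thread. Assumes the relevant
setting is Programs= under [windows]; the INI text below is constructed."""
import configparser

# Extensions the stock Programs= line names; anything beyond these was added
# by hand (or by something that wanted its own files to run).
DEFAULT_PROGRAMS = {"com", "exe", "bat", "pif"}

# Constructed WIN.INI fragment: someone has appended scr and wav to the list.
SAMPLE_WIN_INI = """\
[windows]
load=
run=
Programs=com exe bat pif scr wav
[Desktop]
Wallpaper=(None)
"""


def executable_extensions(win_ini_text: str) -> set[str]:
    """Return the lower-cased extensions named on the Programs= line."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(win_ini_text)
    value = cp.get("windows", "Programs", fallback="")
    return {ext.lower().lstrip(".") for ext in value.split()}


def unexpected_executable_extensions(win_ini_text: str) -> set[str]:
    """Extensions marked executable that are not part of the stock list."""
    return executable_extensions(win_ini_text) - DEFAULT_PROGRAMS


if __name__ == "__main__":
    extra = unexpected_executable_extensions(SAMPLE_WIN_INI)
    if extra:
        print("non-default executable extensions:", ", ".join(sorted(extra)))
    else:
        print("Programs= line is at its stock value")
```

Any extension it reports beyond the four defaults deserves a second look: a data extension such as wav on that line means a double-click in File Manager or Explorer launches the file as a program instead of handing it to a media player, which is precisely the behaviour Arlan's son saw.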