 |
|
|
|
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On Mon, 25 Jan 1999 19:31:06 +0100, "Rudy Velthuis" <rve### [at] gmx net>
wrote:
>
>Marc Schimmler schrieb in Nachricht
><36AC83DB.C6D589EE@ica.uni-stuttgart.de>...
>>I mailed the newsadmin and asked him to remove the offending attachment!
>>
>>
>>Marc
>>--
>>Marc Schimmler
>
>(Now I hope I'm not sending multiples again)
>
>Dan Connely also did the same, so I suppose they're gone by now.
>
>For everyone (esp.Remco): scan for everything which looks like: liste.dat,
>ska.exe, ska.dll and happyXX.exe. The word "liste" makes me think this was a
>German program.
HM... It definitely appears to be doing _something_ : I also found a file
called c:\win98\system\liste.ska, which contains the 4 e-mail addresses
where I most recently send something to...
I better warn them!
And something else caught my eye: All of a sudden wsock32.dll has a
datestamp of today, and there also is a file called wsock32.ska
Which I find rather _suspocious_... And considering that it seems to be
able to intercept e-mail addresses in Eudora, it looks like this
SKA-thingey has taken over Winsock, the control center of your internet
access... That means that it could also be capable of e-mailing those
intercepted e-mail addresses to whoever it feels like without you knowing
about it, should the programmer wanted to do so... (And given the fact that
they are harvesting those e-mail addresses, that wouldn't surprise me in
the least!)
A re-install of Win98 didn't change anything for me...
Could anyone who's also running Win98 please give me the system dates and
filesize of their wsock32.dll?
The wsock32.ska file is different from the wsock32.dll file, even though
the filesize is identical... wsock32.ska has a more normal datestamp, so it
might be a backup copy of the original .dll...
Thanks in advance!
--
Marc van den Dikkenberg
--
The PowerBasic Archives -- http://www.xs4all.nl/~excel/pb.html
All Basic Code Archives -- http://come.to/abcpackets
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Marc van den Dikkenberg wrote:
>
> On Mon, 25 Jan 1999 19:31:06 +0100, "Rudy Velthuis" <rve### [at] gmxnet>
> wrote:
>
> >
> >Marc Schimmler schrieb in Nachricht
> ><36AC83DB.C6D589EE@ica.uni-stuttgart.de>...
> >>I mailed the newsadmin and asked him to remove the offending attachment!
> >>
> >>
> >>Marc
> >>--
> >>Marc Schimmler
> >
> >(Now I hope I'm not sending multiples again)
> >
> >Dan Connely also did the same, so I suppose they're gone by now.
> >
> >For everyone (esp.Remco): scan for everything which looks like: liste.dat,
> >ska.exe, ska.dll and happyXX.exe. The word "liste" makes me think this was a
> >German program.
>
> HM... It definitely appears to be doing _something_ : I also found a file
> called c:\win98\system\liste.ska, which contains the 4 e-mail addresses
> where I most recently send something to...
>
> I better warn them!
>
> And something else caught my eye: All of a sudden wsock32.dll has a
> datestamp of today, and there also is a file called wsock32.ska
> Which I find rather _suspocious_... And considering that it seems to be
> able to intercept e-mail addresses in Eudora, it looks like this
> SKA-thingey has taken over Winsock, the control center of your internet
> access... That means that it could also be capable of e-mailing those
> intercepted e-mail addresses to whoever it feels like without you knowing
> about it, should the programmer wanted to do so... (And given the fact that
> they are harvesting those e-mail addresses, that wouldn't surprise me in
> the least!)
>
> A re-install of Win98 didn't change anything for me...
>
> Could anyone who's also running Win98 please give me the system dates and
> filesize of their wsock32.dll?
>
> The wsock32.ska file is different from the wsock32.dll file, even though
> the filesize is identical... wsock32.ska has a more normal datestamp, so it
> might be a backup copy of the original .dll...
>
> Thanks in advance!
> --
> Marc van den Dikkenberg
> --
> The PowerBasic Archives -- http://www.xs4all.nl/~excel/pb.html
> All Basic Code Archives -- http://come.to/abcpackets
If you read this message: I've deleted the wsock32.dll and replaced it with the
wsock32.ska file (renaming it of course). I hope this works.
Perhaps this explains why my post to a dutch newsgroup on the server of my ISP
was rejected. I believe it has some huge filters/firewalls, whatever...
Could it be it detected a corrupt WSOCK, or perhaps some sort of ID in the
message? I'll give it a try...
Anyways, I don't think it's fair to blame Rudy Velthuis and I hope this thing
can be over soon.
Regards,
Remco
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Remco de Korte wrote:
> Anyways, I don't think it's fair to blame Rudy Velthuis and I hope this thing
> can be over soon.
>
> Regards,
>
> Remco
I don't blame Rudy. I was concerned for the safety of my system
but since I never activated the .exe it appears I have remained
unneffected by it. Big sigh of relief !!!
It's over for me.
--
Ken Tyler
tyl### [at] pacbellnet
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Remco de Korte wrote in message <36AB9A24.795DB0A0@xs4all.nl>...
>Yep, thanks, now I have it in my Windows directory. I scanned the happy-exe
>before running it, but still it does this thing.
>
>Remco
What virus scanner do you use??? I have McAfee VirsusScan 95 and for the
last six months I have been unable to update the virus list... it has an
auto-update feature that updates thru the net, but it just times out.
E-mails to the company get no response. So much for eternal free upgrades.
Eric
--
"Truth derives its strength not so much from itself
as from the brilliant contrast it makes with what is
only apparently true." --- Emanual Lasker
--------------------------------
http://www.geocities.com/SiliconValley/Heights/2354/
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
I get a "Good Times" feel over this... *sigh*
Well. i'm glad I dind't get this, I had enough with JDK 1.2 ...
(Anyone here runs JDK1.2 ??? I need HELP)
//Spider
Ken wrote:
>
> Remco de Korte wrote:
> > Anyways, I don't think it's fair to blame Rudy Velthuis and I hope this thing
> > can be over soon.
> >
> > Regards,
> >
> > Remco
>
> I don't blame Rudy. I was concerned for the safety of my system
> but since I never activated the .exe it appears I have remained
> unneffected by it. Big sigh of relief !!!
>
> It's over for me.
>
> --
> Ken Tyler
>
> tyl### [at] pacbellnet
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
>If you read this message: I've deleted the wsock32.dll and replaced it with the
>wsock32.ska file (renaming it of course). I hope this works.
It should take care of everything... I posted another message, describing
how to eliminate this virus from your system.
>Perhaps this explains why my post to a dutch newsgroup on the server of my ISP
>was rejected. I believe it has some huge filters/firewalls, whatever...
>Could it be it detected a corrupt WSOCK, or perhaps some sort of ID in the
>message? I'll give it a try...
I think that the 'new' winsock detects an e-mail message being send (or a
usenet posting) and before closing the socket, sends out a UUencoded
version of the virus itself. This shouldn't be too difficult to program...
And the problem is that the sender itself doesn't see it happening, it
would work with ANY mailclient, etc... Anyway, you've seen the results.
when my system was infected, I couldn't post to newsgroups at all: I simply
got a "500: What?" Error. Apparently the xs4all newsserver couldn't process
the message + attachment in the form winsock provided it to them...
Luckily.
>Anyways, I don't think it's fair to blame Rudy Velthuis and I hope this thing
>can be over soon.
He couldn't help it -- the winsock-thing totally bypasses your application,
it's invisible to the infected person, AND none of my virus-killers could
detect it...
--
Marc van den Dikkenberg
--
The PowerBasic Archives -- http://www.xs4all.nl/~excel/pb.html
All Basic Code Archives -- http://come.to/abcpackets
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Eric Freeman wrote:
>
> Remco de Korte wrote in message <36AB9A24.795DB0A0@xs4all.nl>...
> >Yep, thanks, now I have it in my Windows directory. I scanned the happy-exe
> >before running it, but still it does this thing.
> >
> >Remco
>
> What virus scanner do you use??? I have McAfee VirsusScan 95 and for the
> last six months I have been unable to update the virus list... it has an
> auto-update feature that updates thru the net, but it just times out.
> E-mails to the company get no response. So much for eternal free upgrades.
>
> Eric
>
Norton, but I must admit I haven't updated it lately.
Remco
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Marc van den Dikkenberg wrote:
>
>
> when my system was infected, I couldn't post to newsgroups at all: I simply
> got a "500: What?" Error. Apparently the xs4all newsserver couldn't process
> the message + attachment in the form winsock provided it to them...
>
That's what bugged me at first: I could post to the POV-groups, not the rest,
getting the same error (interesting error-message).
Remco
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Remco de Korte schrieb in Nachricht <36A### [at] xs4allnl>...
>Marc van den Dikkenberg wrote:
>>
>>
>> when my system was infected, I couldn't post to newsgroups at all: I
simply
>> got a "500: What?" Error. Apparently the xs4all newsserver couldn't
process
>> the message + attachment in the form winsock provided it to them...
>>
>
>That's what bugged me at first: I could post to the POV-groups, not the
rest,
>getting the same error (interesting error-message).
I also got a "500: ..." something error message (it was bit more
descriptive, but I don't remember the text) when I tried to post to this
server (news.povray.org) but the junk newsgroup. Funny, I could post to
every newsgroup, only not to junk (which is the one I expected to accept
almost everything - even junk <g>).
Just before Marc posted his message I had exactly done the same. Seems to be
ok again now.
Groetjes!
--
Rudy Velthuis
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Perhaps you folks all know this, since it's been a few days...
But: If you're interested in the happy99.exe and what
it does and what not, and how to get rid of it, see:
http://www.avp.com/happy/happy.html
Markus
--
Ich nicht eine Sekunde!!!" H. Heinol in Val Thorens
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
