EPO's virus
Hi Epo, I received an email from yourself earlier today with a virus attachment. The email had the subject line 'I'm in love'. I originally thought that you were purposely trying to send me a virus but since have realised what virus it is.
It's W32.Mota.B@mm, a worm also known as W32/Mabutu.a@MM
that propagates by sending itself to the email addresses gathered from the system. Luckily it only affects Windows systems.
When W32.Mota.B@mm runs, it does the following:
1. Copies itself as %Windir%\<random value>.exe (27,136 bytes).
2. Creates the following files:
• %Windir%\<random value>.dll (39,936 bytes)
• %WinDir%\CFG.DAT
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and creates the files in that location.
3. Adds the value:
"winupdt"="RUNDLL32.EXE %Windir%\[random value].dll,_mainRD"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you restart Windows.
4. Connects to an IRC server using port 6667.
5. Gathers the email addresses from the Windows Address Book and from the files that have file names containing any of the following strings:
• HTM
• HTML
• WAB
• TXT
(But why would you have my email address in ur address book?)
6. Uses its own SMTP engine to send itself to the email addresses that it finds.
The email has the following characteristics:
From: The sender of the email may be spoofed.
(possibly spoofing but epo_sri@ntlworld.com is a bit of a coincidence?)
Subject: The subject line may be one of the following:
• Hi
• Hello
• Important
• I'm in love (<-- that's the one I had)
• Sex
• Wet girls
• I'm nude
• Fetishes
• gutted
• Ok ****
Attachment: The attachment may have one of the following extensions:
• britney.jpg
• jenifer.jpg
• photo.jpg
• creme_de_gruyere.jpg
• details
• document (<-- that's the one I had)
• message
followed with .scr or .txt.
The attachment may have multiple spaces.
For example, the attachment can be:
creme_de_gruyere.jpg(multiple spaces).SCR
The worm may also send a .zip file as the attachment.
Just letting other people know that you're sending viruses, or on the other hand letting you know that there's a virus roaming your system.
scott.parker
14-11-04, 07:30 PM
I get these all the time to my yahoo account, I just look and think hmm why would that person send me a mail on that, if I don't know them I just delete it..
scott
General Baxter
14-11-04, 07:31 PM
I've had this :lol:
but i had 'I'm nude' from a male on my Msn
kinda strange i still opened it :o
Philsutton
14-11-04, 07:33 PM
kinda strange i still opened it
that's quite worrying lol
scott.parker
14-11-04, 07:38 PM
kinda strange i still opened it
that's quite worrying lol
Not really, look at his pic in his avatar, he looks like a bandit there.. :lol:
scott
I know where to send stuff now when I want to propagate it Lol.
I usually open them up in a text editor, that way you can see what it's doing.
You can usually tell whether it's spoofed or not by looking at the headers of the email.
email header:
X-Message-Info: JGTYoYF78jEHjJx36Oi8+YDSEg8qKPPD
Received: from home-27l9vnszbc ([81.131.151.223]) by mc3-f28.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713);
Sun, 14 Nov 2004 03:14:01 -0800
Message-ID: <484bcf13.4a1194fa@home-27l9vnszbc>
From: <epo_sri@ntlworld.com>
To: <Glytch_nct@hotmail.com>
Subject: I'm in love
Date: Sun, 14 Nov 2004 11:13:59 +0000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="bc>"
Return-Path: epo_sri@ntlworld.com
X-OriginalArrivalTime: 14 Nov 2004 11:14:02.0389 (UTC) FILETIME=[0BD95450:01C4CA3B]
That bit in bold looks like where the email was spoofed from and leaves epo off the hook. Might have come from someone who has epo's addy in their address book.
Ping 81.131.151.223
Reply from 81.131.151.223
telnet 81.131.151.223
Connection failed
telnet 81.131.151.223 7
Connection failed.. could not connect to host on port 7
TCP: 81.131.151.223 [25-smtp]
TCP: 81.131.151.223 [80-www-http]
TCP: 81.131.151.223 [81-hosts2-ns]
TCP: 81.131.151.223 [82-xfer]
TCP: 81.131.151.223 [83-mit-ml-dev]
TCP: 81.131.151.223 [110-pop3]
TCP: 81.131.151.223 [119-nntp]
TCP: 81.131.151.223 [1080-socks]
Nbtstat -A 81.131.151.223 7
Host not found
telnet 81.131.151.223 25
Connection failed.. could not connect to host on port 7
Ping 81.131.151.223
Request timed out
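The point made above about reading the headers can be automated. The following is an added example, not code from anyone in this thread: it takes the header block quoted above (constructed copy, not a live message), walks the Received: chain from the bottom up to find the first relay that handled the mail, and reports indicators that the From: address was merely borrowed. The "not a sender-domain mail server" check is a crude heuristic of my own, not a formal rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed copy of the header block quoted in the thread (body omitted).
SAMPLE_HEADERS = """\
Received: from home-27l9vnszbc ([81.131.151.223]) by mc3-f28.hotmail.com with Microsoft SMTPSVC(5.0.2195.6713);
    Sun, 14 Nov 2004 03:14:01 -0800
Message-ID: <484bcf13.4a1194fa@home-27l9vnszbc>
From: <epo_sri@ntlworld.com>
To: <Glytch_nct@hotmail.com>
Subject: I'm in love
Date: Sun, 14 Nov 2004 11:13:59 +0000
Return-Path: epo_sri@ntlworld.com

(body omitted)
"""

# "from <helo-name> ([<ip>])" as written by most MTAs in a Received: header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)", re.I)


def first_hop(raw_message):
    """Return (helo_name, ip) of the earliest hop, i.e. the bottom-most Received: header."""
    msg = message_from_string(raw_message)
    for hdr in reversed(msg.get_all("Received") or []):
        m = RECEIVED_RE.search(hdr)
        if m:
            return m.group(1), m.group(2)
    return None, None


def spoof_indicators(raw_message):
    """Collect signs that the From: address did not originate at its own mail provider."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    helo, ip = first_hop(raw_message)
    msgid_domain = (msg.get("Message-ID") or "").strip().strip("<>").rpartition("@")[2].lower()
    findings = []
    # Mail really sent through ntlworld would first be seen by an ntlworld relay, not a home PC.
    if helo and sender_domain and not helo.lower().endswith(sender_domain):
        findings.append(f"first hop '{helo}' ({ip}) is not a {sender_domain} mail server")
    # A Message-ID minted on the submitting machine means its own SMTP engine built the mail.
    if msgid_domain and msgid_domain == (helo or "").lower():
        findings.append("Message-ID was generated on the submitting host, not by the sender's provider")
    return {"sender": sender, "helo": helo, "ip": ip, "findings": findings}
```

The IP of the first hop is the machine worth reporting to its ISP; the From: address is just what the worm's own SMTP engine chose to write.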
Thanks for that, please use the PM system if you need to tell just one individual.
Jim
are we supposed to be able to understand that bollocks
scott.parker
14-11-04, 09:30 PM
are we supposed to be able to understand that b******s
I thought that but couldn't be arsed to say it :lol:
scott
soz lads, was tryin to track the exploiter.
Apologies to Epo, I never really thought it was you, honest :oops: .
Either way mate there's a virus somewhere masquerading as you, I'd be a little concerned.
Only reason it wasn't PM'd was to let everybody know, either as a precautionary tool or to unmask the malicious user.
are we supposed to be able to understand that b******s
I thought that but couldn't be arsed to say it :lol:
scott
you lazy get!! :lol:
apparently I have a virus as well, sounds similar to this one. glytch, being as you seem to be rather good with this, do you think this email is genuine and that I should do as it says
Hello, burgo90 I have been receiving this email from burgo90@hotmail.com for a long time which has had a virus in it. My anti-virus has detected it and cleaned it but it seems that you are unable to keep your computer clean from this virus. I'm starting to get a little tired of getting viruses from your computer and/or email address. If you do not clean your system soon, your ISP (Internet Service Provider) will be contacted and told about how your computer has been mailing me viruses for weeks. If it comes to this, your ISP will most likely shut down your internet until the issue can be resolved. If you want to avoid this, I have included a patch that you can run on your computer that will clean your system of this virus. It is very easy to use and does not require any computer knowledge. So if you want to avoid having further problems, I suggest you run the attached file (configh.exe) to clean your system. Sincerely, Abner
scott.parker
15-11-04, 12:08 AM
are we supposed to be able to understand that b******s
I thought that but couldn't be arsed to say it :lol:
scott
you lazy get!! :lol:
apparently I have a virus as well, sounds similar to this one. glytch, being as you seem to be rather good with this, do you think this email is genuine and that I should do as it says
Hello, burgo90 I have been receiving this email from burgo90@hotmail.com for a long time which has had a virus in it. My anti-virus has detected it and cleaned it but it seems that you are unable to keep your computer clean from this virus. I'm starting to get a little tired of getting viruses from your computer and/or email address. If you do not clean your system soon, your ISP (Internet Service Provider) will be contacted and told about how your computer has been mailing me viruses for weeks. If it comes to this, your ISP will most likely shut down your internet until the issue can be resolved. If you want to avoid this, I have included a patch that you can run on your computer that will clean your system of this virus. It is very easy to use and does not require any computer knowledge. So if you want to avoid having further problems, I suggest you run the attached file (configh.exe) to clean your system. Sincerely, Abner
Hmm, well he sounds very polite, and I would do it mate just to get it checked..
scott
:D lol luke if you run that patch you WILL be known as the stupid member forever lol :lol: :lol: :lol:
so you're saying I should ignore it riggy ??
well put it this way, you run that patch and it's either a virus itself or it leaves your ports open for him to use your account however he pleases
then you will be gettin cut off from your ISP lol
email the email to your ISP and let them see if you've been sending any :D
Personally when it comes to computer security you can't be too careful.
I'd be wary of the virus and I would be wary of the person sending you this. The easiest way to hack a computer is to get the user to do it for you, it's known as social engineering.
I've never come across configh.exe before?
msconfig is a legit Microsoft one but won't do any good for virus removal, unless... I'll stop there :)
If you're using an antivirus program, surely you must be, disable your System Restore, update the virus definitions, restart the computer in Safe Mode, run a full system scan and delete all the files detected as W32.Mota.B@mm.
Delete the value that was added to the registry:
go to your Start menu / Run and type 'regedit'.
Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete something that looks like this:
"winupdt"="RUNDLL32.EXE \....\.....dll,_mainRD"
where .... can be any random value
"winupdt"="RUNDLL32.EXE \....\.....dll,_mainRD
I don't have that mate
DirtyDave
15-11-04, 02:12 AM
Hats off to you Glytch for being able to explain all that and understanding it but I'm afraid to a computer novice like myself it's wasted. I got lost at the beginning, however, is there a website that explains computer jargon??? coz I would like to learn some of the interesting info I need to know.
thanx
Dave
"winupdt"="RUNDLL32.EXE \....\.....dll,_mainRD
I don't have that mate
Have a look in your registry, although that one is specific to the W32.Mota.B@mm worm only. If you navigate through the registry it will give you a list of applications that RUN when Windows starts, you should be able to recognize most of them.
msmsgs (MSN Messenger) will be there, usually along with anything else that starts up when windoze does, so a virus can quite often be found there.
Be warned though, some viruses will create more instances of themselves when you delete the value in the registry. The virus does not live in the registry, all the registry does is start the virus when Windows boots.
Hats off to you Glytch for being able to explain all that and understanding it but I'm afraid to a computer novice like myself it's wasted. I got lost at the beginning, however, is there a website that explains computer jargon??? coz I would like to learn some of the interesting info I need to know.
The Internet is full of web sites like that, don't know any off hand though.
If it's jargon you want then type computer glossary into a search engine.
If you want to learn about viruses then do a search for .BAT files, but be careful you could give yourself a virus.
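For readers who would rather not pick through regedit by eye, here is an added example (mine, not Glytch's or any vendor's code) that reads a .reg export of the Run key, which you get from regedit's File / Export, and flags entries shaped like the one described earlier in the thread: rundll32 loading a DLL straight from the Windows folder root with the _mainRD entry point. The export text and the DLL name xk3q9z.dll are constructed for the example; the worm's real name is random.

```python
import re

# Constructed .reg export of the Run key; the DLL name stands in for the worm's random name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msmsgs"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"winupdt"="RUNDLL32.EXE C:\\WINDOWS\\xk3q9z.dll,_mainRD"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# One "name"="value" line of a .reg file; backslash escapes quotes and backslashes inside.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# rundll32 <path>.dll,<export>  (the shape of the worm's autostart command)
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(\S+\.dll),(\S+)", re.I)


def _unescape(s):
    """Undo .reg escaping: \\" -> " and \\\\ -> \\."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text, key=RUN_KEY):
    """Return {value_name: command} for the values listed under `key` in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        m = VALUE_RE.match(line)
        if in_key and m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def flag_rundll32_entries(values):
    """Return (name, dll, export) for Run entries that load a DLL from %Windir% root or use _mainRD."""
    flagged = []
    for name, cmd in values.items():
        m = RUNDLL_RE.match(cmd)
        if not m:
            continue
        dll, export = m.groups()
        folder = dll.rsplit("\\", 1)[0].lower()
        if folder.endswith(("\\windows", "\\winnt")) or export == "_mainRD":
            flagged.append((name, dll, export))
    return flagged
```

A flagged entry only tells you what starts at boot; as the post above says, the DLL and the copied .exe still have to be removed, ideally by the antivirus scan in Safe Mode.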
oh dear. It's no wonder viruses are so abundant.
Yes Burgo, run that patch.......
lmfao. seriously, don't.
I am very shocked that these days people don't have firewalls, virus protection and spy/adware detectors. It should be made compulsory by law on all Windows machines, especially "off the shelf" ones which is what most non "IT people" buy.
my machine at home hasn't got a firewall on it lol, it's like the internet's whipping boy :)
Philsutton
15-11-04, 05:23 PM
computers aren't my friends, I don't get on with them very well. All the stuff about the viruses looks like complete gibberish. The worst thing is I have to do computer programming as part of my course at uni, that doesn't go very well lol
computers aren't my friends, I don't get on with them very well. All the stuff about the viruses looks like complete gibberish. The worst thing is I have to do computer programming as part of my course at uni, that doesn't go very well lol
What language are you doing? I might be able to point you to some good resources
Philsutton
15-11-04, 05:27 PM
I think it's C I was doing, I just can't grasp the random codes, it just looks like someone has fallen asleep on the keyboard and has no real meaning to me at all.
oh dear. It's no wonder viruses are so abundant.
Yes Burgo, run that patch.......
lmfao. seriously, don't.
I am very shocked that these days people don't have firewalls, virus protection and spy/adware detectors. It should be made compulsory by law on all Windows machines, especially "off the shelf" ones which is what most non "IT people" buy.
I do have both Ad-Aware and Spybot, I also have a firewall!! I didn't run that patch, I just ignored it, but being as this post came up I thought I would just ask
I think it's C I was doing, I just can't grasp the random codes, it just looks like someone has fallen asleep on the keyboard and has no real meaning to me at all.
Keep at it mate, once you grasp it the same knowledge can be applied to any programming language.
I do have both Ad-Aware and Spybot, I also have a firewall!! I didn't run that patch, I just ignored it, but being as this post came up I thought I would just ask
Ad-Aware and Spybot are the best free ones to have, make sure you run Ad-Aware 1st and Spybot S&D after.
first of all
i get these emails all the time
i have neither the knowledge or the be arsed factor to send them
also i didnt have a clue what half the stuff was in that email that you got
am not right up on these comchuters you
see
the things i use mine for are :-
porn
mp3's
novaload
and ebay :lol: :lol: :lol:
no worries anyway
but like jim said just send us a pm next time and I'd have cleared it up :wink:
novalew
16-11-04, 09:31 PM
my machine at home hasn't got a firewall on it lol, it's like the internet's whipping boy :)
funniest thing I've heard all week
:lol: :lol: :lol: :lol: :lol: :lol: :lol:
ambridge wrote:
my machine at home hasn't got a firewall on it lol, it's like the internet's whipping boy
funniest thing I've heard all week
Same here, What's ur I.P?
Just to clear things up for all of you non-IT-minded people:
The Virus did not come from Epo
The virus was only masquerading as Epo
Although it has come from somebody's computer who has both mine and Epo's email address stored somewhere on their computer.
This means that there are people on this site who are unknowingly sending out viruses from their computer.
It could be you! :infinity:
lol virus dressed up as epo
it had better have piercings and be wearing burberry
andybishop
17-11-04, 09:19 AM
If anyone is not running any Anti-virus Software on their PCs, install AVG, it's a decent free piece of Anti-Virus Software. Available from www.grisoft.com
or Direct Link to the download for the New Version is http://free.grisoft.com/freeweb.php/doc/2/lng/us/tpl/v5
where do i download ad-aware from please anybody
gimme a shout if you have trouble, I have it installed here, I can send you the exe
gimme a shout if you have trouble, I have it installed here, I can send you the exe
Don't, it's a virus that Denny is sending Epo! lol
it's ok I've already installed it on me pc
it's for our kids' computer, I couldn't remember where I'd downloaded it from
Ad-Aware
http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button
Spybot Search & Destroy
http://www.download.com/Spybot-Search-Destroy/3000-8022-10122137.html?part=dl-spybot&subj=dl&tag=but
Tip: Always run Ad-Aware first and Spybot after.
?Marty?
21-11-04, 11:37 PM
It doesn't even mean that someone sent that e-mail, just because their e-mail address is set as the return/originator path.
I also have been getting e-mails from lots of people on here, containing attachments, which I just delete.
But all virus-containing e-mails from me are not accidental. I just don't like some people.
But all virus-containing e-mails from me are not accidental. I just don't like some people.
:lol: lol