Re: Need some help and guidance, please....RE: TROJAN: Symantec: New Serious Virus found. (fwd)

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Fri Jul 18 2003 - 15:40:53 PDT


    <mjvelloat_private> wrote:
    
    > I made the sad mistake of clicking on the link that Jay sent ...
    
    Clicking on the link to the EXE, per se, is not dangerous (well, unless 
    you have some really wacky Email client or browser that automatically 
    executes EXEs from URL-style links!).  So long as you either cancelled 
    or selected the "Save" option when IE gave you the "Would you like to 
    open the file or save it to your computer?" prompt, you were safe.
    
    > ... to read more
    > and did get the virus.  I don't think I am infected, as Norton did a full
    > scan when I rebooted and found the virus and quarantined it.  But it was
    > found in an odd location (or at least I think so, but maybe not since I got
    > it from the link)
    > 
    > Here is where it was:   doc and settings\administrator\local\Temporary
    > Internet Files\Content IE5\RRLJFH08
    
    My guess is that, even if you selected cancel, the whole file may have 
    been "pre-fetched" by IE -- the EXE is only 5664 bytes and would 
    transfer in just a few packets.  If so, even though you cancelled the 
    actual download, IE probably still caches it "just in case" you ever 
    "revisit" the link.
    
    > Strange thing though, my admin ID showed a change made on the same date that
    > this happened.  I checked the regedit keys and found no changes, how do I
    > know for sure that my computer has not been compromised?  I did not execute
    > anything.
    
    If you had run this thing, you would not be able to write the Email I'm 
    replying to, assuming you are writing from the same computer (which 
    your message very strongly suggests).  In general, simply downloading a 
    program file will not cause you trouble (though there have been many 
    examples of badly written client applications that allow, or even 
    default, to writing stuff where they really "shouldn't" and thus open 
    their users up to all manner of trouble...).
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    
    
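An added example for this thread, not code from the original post or from Nick FitzGerald: a read-only scan of a browser cache tree that finds files carrying a Windows PE header whatever their file name, so a cached executable like the one quarantined above can be hashed and handed to the AV vendor rather than opened. The directory layout, the `RRLJFH08`-style subfolder and the stub files it creates are constructed for the demo; nothing in it is a real program, and nothing is executed.

```python
"""Scan a cache directory for Windows executables by header, not extension.

IE's Temporary Internet Files tree stores entries under random-looking
subfolders with names like 'readmore[1]', so an .exe is not reliably found
by extension.  This walks the tree, reads each file, and reports the ones
whose bytes start with a DOS 'MZ' header pointing at a 'PE\\0\\0' signature.
"""
import hashlib
import os
import struct
import tempfile
from typing import Dict, List


def is_pe_executable(data: bytes) -> bool:
    """True if `data` has a DOS MZ header whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature, i.e. it is a Windows executable image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_cache(root: str) -> List[Dict[str, object]]:
    """Walk `root` and return one record per PE file found: path, size, sha256.
    Files are only read, never executed."""
    hits: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable entry (e.g. index.dat); skip it
            if is_pe_executable(data):
                hits.append({
                    "path": path,
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                })
    return hits


def build_sample_cache(root: str) -> str:
    """Construct a fake cache tree for offline use (hypothetical layout):
    one harmless stub with an MZ/PE header, one HTML file, and one file
    named .exe that is plain text.  The stub is 324 bytes of header + padding."""
    sub = os.path.join(root, "Content.IE5", "RRLJFH08")  # folder name style from the post
    os.makedirs(sub, exist_ok=True)
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)   # 0x3C bytes of DOS header
    stub += struct.pack("<I", 0x40)            # e_lfanew -> PE header at 0x40
    stub += b"PE\x00\x00" + b"\x00" * 0x100    # PE signature plus padding
    with open(os.path.join(sub, "readmore[1]"), "wb") as fh:   # no extension
        fh.write(bytes(stub))
    with open(os.path.join(sub, "index[1].htm"), "wb") as fh:
        fh.write(b"<html><body>read more</body></html>")
    with open(os.path.join(sub, "notreally[1].exe"), "wb") as fh:
        fh.write(b"this is plain text, not a program")
    return root


def demo() -> List[Dict[str, object]]:
    """Build the constructed cache in a temp dir and scan it; returns the hits."""
    root = tempfile.mkdtemp(prefix="cache-demo-")
    build_sample_cache(root)
    return scan_cache(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['size']:>8} bytes  {hit['sha256']}  {hit['path']}")
```

Point it at a real cache root (for example the `Content.IE5` folder the quoted message names) and it lists only the entries that really are executables, with a hash you can look up or submit; the `.exe`-named text file and the HTML page are ignored, and the cached stub is reported despite having no extension.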
    



    This archive was generated by hypermail 2b30 : Sat Jul 19 2003 - 08:48:39 PDT