Author: Christopher Conkie
Date: 19:12:31 05/24/05
Hello,

The worm itself is stopped in its native form (as an email attachment) by all Anti-Virus software that is maintained and up to date. The problem in this instance was that the worm was "bundled" with the chess engine Fafis 2.0. The exe was compressed when compiled, and Anti-Virus software is not able to notice the worm until the exe is run. It's a very good disguise in effect.

This worm does not, as part of its malicious program, infect existing exes on a system but instead creates 2 brand new ones (with specific names) which then perform mailing activities amongst other things (see above and also the link). This however does not stop the creation of the stub that attempts to recreate the 2 files on reboot. This file is called C27D8FEF-D7AE-42c0-82E6-F30598265639.exe

The point of this thread is that the question is still unanswered by the Fafis author as to how the worm got inside the exe. The point is that this is not what this worm does. It's a mailer. It does its stuff all by itself, even to the point of creating its own SMTP to mail with. Based on all knowledge available this only seems to leave one logical option as to how the exe became infected. It must have been put inside the exe manually. I honestly cannot see another way how. I stand corrected if I am wrong, but you can read the info yourselves. I don't like saying it, but what else is there to do.

If you ran Fafis 2.0, do not think that because your Anti-Virus software alerted you when you ran the file that you are not infected and that the worm's 2 created files are in the poison bucket so all is OK. It's not, and you still have work to do. The above named file can also live in your Temporary Internet Files or in your %system% directory or windows/temp directory, for example. You can read all about this nasty little beast here....

http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.bc@mm.html

If you ran Fafis 2.0 you should carry out ALL the removal instructions listed on the link above. Those especially at risk are those who use IIS for website development. At this moment in time I dread to think what the computer systems of the people who ran this file (and had an internet connection) are like. You are all merrily mailing spam to all in your address book. It's no joke.

First thing to do is check for these 3 files anywhere on your system....

C27D8FEF-D7AE-42c0-82E6-F30598265639.exe
taskgmr.exe
hellmsn.exe

Get rid of them first. Do this while disconnected from the web. Follow the rest of the info in the link above as well. If you ran Fafis 2.0 you have open ports also, and it is open season......regardless of firewalls.

I would still like an explanation of how the worm got into Fafis 2.0, but the author seems to think that this is a minor issue. It's not. He is conspicuous by his absence. Saying the exe was infected...so sorry...does not cut it. Why was the exe infected? We still wait to learn from him.

Hope this helps you and others get your systems clean, KK.

Regards
Christopher
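As an added example (not from the original post or its author), a Python sweep for the three file names the post lists, matching case-insensitively because Windows file systems are; the directory list in `default_roots()` is an assumption built from the locations the post mentions, and `demo()` runs the sweep over a constructed sample tree.

```python
import os
import tempfile

# The three file names quoted in the post (reboot stub plus the two dropped files).
MYTOB_FILE_NAMES = {
    "c27d8fef-d7ae-42c0-82e6-f30598265639.exe",
    "taskgmr.exe",
    "hellmsn.exe",
}


def find_dropped_files(roots, names=MYTOB_FILE_NAMES):
    """Walk each root and return sorted paths whose file name matches one of `names`.

    Comparison is case-insensitive; unreadable or missing directories are skipped
    (os.walk's onerror swallows the exception) so one bad root does not abort the sweep.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            for fname in files:
                if fname.lower() in wanted:
                    hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def default_roots():
    """Assumed sweep locations derived from the post: %system%, windows/temp, Temporary Internet Files."""
    sysroot = os.environ.get("SystemRoot", r"C:\Windows")
    return [
        os.path.join(sysroot, "system32"),
        os.path.join(sysroot, "Temp"),
        os.environ.get("TEMP", os.path.join(sysroot, "Temp")),
        os.path.expandvars(r"%USERPROFILE%\Local Settings\Temporary Internet Files"),
    ]


def demo():
    """Constructed sample tree: two indicator names in mixed case plus a benign decoy."""
    base = tempfile.mkdtemp(prefix="mytob-sweep-")
    tmp = os.path.join(base, "windows", "temp")
    os.makedirs(tmp)
    for name in ("TaskGmr.exe", "notepad.exe"):
        open(os.path.join(tmp, name), "wb").close()
    open(os.path.join(base, "HELLMSN.EXE"), "wb").close()
    return [os.path.basename(p) for p in find_dropped_files([base])]


if __name__ == "__main__":
    for path in find_dropped_files(default_roots()):
        print("indicator found:", path)
    print("demo:", demo())
```

A hit only tells you a file with that name exists; per the post, the real remediation is the full Symantec removal procedure, done while disconnected.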
Last modified: Thu, 15 Apr 21 08:11:13 -0700
Current Computer Chess Club Forums at Talkchess. This site by Sean Mintz.