[Premium-Rx] OFF TOPIC- Virus that attacks Google and other search Engines

Greg W. Bailey gbailey at mail.sdsu.edu
Sat Mar 22 21:57:46 EST 2003 

Fellow Members:

If you have recently noted that your Google search engine has been operating a little strange .... read on .... if Google is operating okay, then hit the 'delete key' and continue chasing DX on your Premium-Rx.

SYMPTOM:  This problem was first encountered when I went to Google and looked up a topic (example: 2N2222), I received the normal page or two of findings.  Selecting any of the references, and then clicking on the highlighted word 'cached', 'translate', or 'similar pages', would basically lock up Google or result in some other form of undesired result.

I am posting this off topic item to assist others that may find, as Jan and I did, that our computers had been hacked resulting in the strange operation of Google.  The findings were the same on Jan's Windows 98 and my Windows Me.  This is not to suggest the Premium-Rx List has been the point of distribution of this virus, only that we got it somewhere and thought we would bring it to your attention.

Jan, who has become the co-moderator of the List, states the situation as:  

"In the last few days Microsoft has publicized a critical security threat that affects all versions of Windows from Win98 on. The weakness allows an attacker to execute their code on your machine. It is transmitted either by email, or by entering what MS calls "a malicious website." There is no way, as far as I know, to tell if a particular email or website is the culprit.

Both Greg and I have experienced this problem, but it may impact different "victims" in different ways - I just don't know. For both of us, it showed up as a malfunction in the Google search engine. Doing a search resulted in apparently normal results, but attempting to access "cached" pages, or to hit the "similar pages" or "translate" links under any hit resulted in a redirect to another website, or the system simply froze. I keep Netscape on my machine, as well as IE, and Google behaved normally through it. So it seems possible that Internet Explorer is necessary to attacker access. I don't know if this problem can be spread from infected computer to others, as are viruses.

What the attack did to us was to install programs that automatically start when you boot your computer.  My solution was to find what files had been installed on my computer, uninstall the files, and all was well.  The exact same files were found on Greg's computer. When he followed the same basic uninstall steps I suggested, his computer returned to normal.  The files seem to have been installed around March 19/03.

SO, if you are NOT having trouble, you should consider installing the MS fix! Look at:

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-008.asp

If you ARE having problems, I don't know if installing the fix will correct the problem. As it happened I generated a solution prior to finding the MS link!  If you are having problems, and if you are very familiar with Windows, you should be able to locate any executable programs installed within the last few days that you don't recognize. Look for things that start and run automatically when you boot. Depending on what version of Windows you have, there will be various MS utilities on your hard drive that might help. Sorry I can't be more specific as the number of variables (i.e. computer types, Windows versions, internet software, etc) makes one-fix-fits-all an impossibility."

Search software is NOT the primary interest of this group, however, I think 90% of the value of the internet is the searching and sharing of information.  The hacked software on my (Greg) machine basically curtailed the search portion of that equation.  I know we have a number of IT and system administrators in our membership.  Perhaps one of them may have also encountered the byproduct of this hacker.  I know that Jan spent the better part of 6 hours finding a cure.  While he did all the work, I can assure you that I would like to use my baseball bat to short circuit the hacker who caused this virus.   

Hey, to all, have a great weekend-

Jan Skirrow, Duncan BC, Canada
Greg Bailey, San Diego

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.qth.net/pipermail/premium-rx/attachments/20030322/6b368dc3/attachment.htm

More information about the Premium-Rx mailing list