[SOC] OT: Is it just me?
f5pbl
[email protected]
Wed, 1 Jan 2003 19:19:33 +0100
Hello Rob,
Wednesday, January 1, 2003, 7:01:47 PM, you wrote:
Rob> Am I the only one or is there something going around?
There is something around. I have received an info/cure email from a
friend, but not sure about it, so I will give it "as is".
The tool mentioned in the text is available at:
http://www.teamcti.com/pview/prcview.htm
<< BEGIN OF QUOTE
Greets, people.
I'm sorry, but I had a virus on my comp some days back. All you guys may
have received a message from me (a screensaver named `Love'). Tino, I got it
from you (you're infected, buddy). If you have received it and run it, then
you're infected too. If you haven't opened it, DON'T! Don't trust anti-virus
programs, unless you have the latest updates (Norton 2002 didn't detect it).
Here's what I did.
NOTE:
I have XP. I don't know if this process will work on Win9x. If it doesn't,
mail me, I'll try to help. Also, you have to follow these steps in the right
order.
CLEANING:
1. Delete the message (Not this one, stupid! The one that says `Love
screensaver' or something).
1. Try opening task-manager (press Ctrl-Alt-Del). If it disappears
immediately, it means you're infected. Regedit, Norton, etc. most probably
won't open either.
2. Download any process-viewer/killer application. I used PrcView (which
was, fortunately, already installed on my system). Get it at
http://www.teamcti.com.
3. Run it, kill the process called `WinServices.exe' or `WinServices'.
Confirm that you want to kill it when it asks you. Note that it is
`WinServices', not merely `Services', which is a legitimate process.
4. Delete the file
c:\windows\system32\WinServices.exe
If you don't trust me, just back it up (keep it zipped, and rename it to
.tmp, so that there's no chance of accidental re-infection).
5. Go to `Start' > `Run'. Type `regedit', and click OK.
6. Navigate to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
7. Delete the value on the right that says something like this:
c:\windows\system32\WinServices.exe
9. Forward this mail to everyone in your address-book (if you use Outlook
Express/Netscape Messenger/Eudora/etc.) Web-mail users are safe (I think).
SYMPTOMS OF INFECTION:
1. Task manager closes as soon as it's opened.
2. Regedit, Anti-virus programs don't run.
3. You get mail from people in your people you don't know, saying that you
sent them a message.
4. People in your address-book get mail from you, when you haven't sent any.
5. Your hard-disk is thrashing.
Sorry for the long (and possibly unnecessary) mail.
END OF QUOTE>>
72!
Claude
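
Added example, not part of the original message or the quoted mail: a read-only PowerShell check for the three indicators the quoted mail names (the `WinServices` process, the file under `system32`, and the `Run` key value). The function name `Get-WinServicesFindings` is hypothetical, and using `$env:SystemRoot` instead of the literal `c:\windows` is an assumption made here so the check also works on a different install path.

```powershell
# Read-only triage for the indicators named in the quoted mail.
# Nothing is killed, deleted or modified; the function only reports.
$ProcName = 'WinServices'   # exact name; 'services' is the legitimate process
$FilePath = Join-Path $env:SystemRoot 'system32\WinServices.exe'
$RunKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-WinServicesFindings {   # hypothetical helper name
    # 1. Running process with the exact name from the mail.
    foreach ($p in @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{
            Indicator = 'Process'
            Detail    = "PID $($p.Id), image: $($p.Path)"
        }
    }

    # 2. The file the mail says to delete. Record a hash before any cleanup
    #    so the sample can still be identified later.
    if (Test-Path -LiteralPath $FilePath) {
        $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
        [pscustomobject]@{
            Indicator = 'File'
            Detail    = "$FilePath, SHA256 $hash"
        }
    }

    # 3. Values under the Run key whose data launches WinServices.exe.
    #    The pattern requires a path separator, quote or start of string in
    #    front of the name, so 'services.exe' alone does not match.
    $key = Get-Item -LiteralPath $RunKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            if ($data -match '(^|\\|")WinServices\.exe') {
                [pscustomobject]@{
                    Indicator = 'RunValue'
                    Detail    = "$valueName = $data"
                }
            }
        }
    }
}

$findings = @(Get-WinServicesFindings)
if ($findings.Count -eq 0) {
    'None of the three indicators from the mail were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

An empty result only means these three indicators are absent; it does not cover other persistence locations.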