I just sent the following message to the formu adm
I was just trying to post a reply to the Open Roads forum "Dinghy Towing 1999 GMC Jimmy". In editing my reply I recevied a message from Norton Anti Verius that the file I was receiving from the Forum was cominnated with the virus
W32.Datom.Worm in file MSVXD.EXE and in File MSVXD.DLL (2 times).
Norton stopped the loading of thei virus and stopped the executing of it.
You may wish to find and remove this virus from the forum.
I doubt that the virus came from the forum. It is more likely that you got it from the Lan/Wan you use.
Here is the latest info on the worm:
Quote:
W32.Datom.Worm is a worm which spreads through shared network drives. It exists as three files:
MSVXD.EXE - loads and runs MSVXD16.DLL
MSVXD16.DLL - adds a reference to MSVXD32.DLL to the registry and then runs MSVXD32.DLL
MSVXD32.DLL - enumerates network shares and copies all three files into the WINDOWS folder on that share
The files have likely been separated in an attempt to avoid heuristic detection.
The worm attempts to connect to machines on the local subnet via TCP port 139 (NETBIOS). If this is successful, it searches for shared resources. It searches for the WINDOWS directory and the directory referenced by the "WinDir=" line in MSDOS.SYS.
If the system drive is shared, it attempts to copy itself to the WINDOWS directory.
Once the worm has copied all three files, it modifies the following line in the WIN.INI file on the remote machine so that the worm will be executed on startup:
RUN=MSVXD.EXE
In some cases, the worm has been observed to add extra characters after the file name which may cause an error to be displayed when Windows restarts.
W32.Datom.Worm also tries to add a shortcut called "VxD Manager.lnk" to the "All Users" startup folder to launch it when Windows starts. It attempts to find the directory in English, French, and Italian:
The worm attempts to send an e-mail message to one of two addresses, which may belong to the worm author. These messages contain information about the infected system.
Norton's and McAfee's sites give detailed instructions about preventing and deleting this worm.
It sounds like while you were editing, Norton AV started up and found your system infected, those two files. As Charles says via your WAN/LAN or from email, not from editing a Web form.
I would recommend running Norton AV and doing a complete system check.
Charles,
Nice post. Good and correct information. Most of the computers items listed on the forum have only small parts of truth or correctness. Yours was very good.
Wrong.
I am not on any LAN or WAN. I have no shared network drives. I received 3 Emails the day the virus was received. All three were from eBay, auto generated messages about bids and outbids. All my email - both incoming and outgoing is checked by Norton AV - No indication of any virus.
The files Cindows/msvcd.exe and .dll are time/date stamped the exactly time I was on and receiving files form the Forum. 09/30 22:21, 22:22 and 22:23
Norton AV did not start and was not running and was last started 09/20/02 20:22 with no virus found. Norton AV does, of course, check files as they are received from this forum (and all other sources)
Paul
*This Message was edited on 01-Oct-02 06:36 PM by phespe*
No one doubts Norton AV found a virus/worm. The question is where did it come from?
If your email is scanned, then that's an unlikely source.
Let's go back to:
Quote: I was just trying to post a reply to the Open Roads forum "Dinghy Towing 1999 GMC Jimmy". In editing my reply I recevied a message from Norton Anti Verius that the file I was receiving from the Forum was cominnated with the virus.
Can you explain what files you are recieving from the forum when you reply and edit? I'm replying and editing now and not receiving any files--never do. You mean the html, embedded script and pictures that you look at in your browser?
You are on a WAN, so to speak, if you're connected to the Internet, by LAN, cable, dial up, what-have-you. Being so connected you can be hacked such that viruses are downloaded to your system, and Norton won't see it. It happened to me, files appearing on my system with current time stamps, until I got a firewall, like ZoneAlarm.
*This Message was edited on 01-Oct-02 07:02 PM by cmoehle*
Chris
Are you running the free version or Pro?
I upgraded to Pro and all my popups went away.
I had one site I gave up on because I could not get to the forum. I had been running the free version. After I got Pro, no more popups.
Admin
Pro. Ran free till I decided ZA was good enough to pay for and it gets you tech support. Their tech support isn't worth a penny though, so I'll switch back to free soon.
Oh, the pop ups. Go to the ZA interface (double click icon in system tray) and select Privacy (left hand column) and turn Ad Blocking off. Or click on Ad Blocking Custom, and uncheck pop ups. I also turn Cookie Control off.
Offline
indows/msvcd.exe and .dll are time/date stamped the exactly time I was on and receiving files form the Forum. 09/30 22:21, 22:22 and 22:23
