RV.Net Open Roads Forum: Technology Corner: Virus from the Forum

phespe

Santa Fe, NM

Full Member

Joined: 04/23/2001

Posted: 09/30/02 08:58pm

I just sent the following message to the forum adm:

I was just trying to post a reply to the Open Roads forum "Dinghy Towing 1999 GMC Jimmy". In editing my reply I received a message from Norton AntiVirus that the file I was receiving from the Forum was contaminated with the virus

W32.Datom.Worm in file MSVXD.EXE and in File MSVXD.DLL (2 times).

Norton stopped the loading of the virus and stopped the executing of it.

You may wish to find and remove this virus from the forum.

Paul








NH_Bob

Nashua, NH

Senior Member

Joined: 04/17/2002

Posted: 09/30/02 11:42pm

curious, to say the least.

Charles Holley

Tuscaloosa, Alabama

Senior Member

Joined: 10/10/2001

Posted: 10/01/02 06:12am

phespe,

I doubt that the virus came from the forum. It is more likely that you got it from the LAN/WAN you use.

Here is the latest info on the worm:
Quote:


W32.Datom.Worm is a worm which spreads through shared network drives. It exists as three files:

MSVXD.EXE - loads and runs MSVXD16.DLL
MSVXD16.DLL - adds a reference to MSVXD32.DLL to the registry and then runs MSVXD32.DLL
MSVXD32.DLL - enumerates network shares and copies all three files into the WINDOWS folder on that share

The files have likely been separated in an attempt to avoid heuristic detection.

The worm attempts to connect to machines on the local subnet via TCP port 139 (NETBIOS). If this is successful, it searches for shared resources. It searches for the WINDOWS directory and the directory referenced by the "WinDir=" line in MSDOS.SYS.

If the system drive is shared, it attempts to copy itself to the WINDOWS directory.

Once the worm has copied all three files, it modifies the following line in the WIN.INI file on the remote machine so that the worm will be executed on startup:

RUN=MSVXD.EXE

In some cases, the worm has been observed to add extra characters after the file name which may cause an error to be displayed when Windows restarts.

W32.Datom.Worm also tries to add a shortcut called "VxD Manager.lnk" to the "All Users" startup folder to launch it when Windows starts. It attempts to find the directory in English, French, and Italian:

Start Menu\Programs\Startup
Menu Démarrer\Programmes\Démarrage
Menu Avvio\Programmi\Esecuzione automatica

The worm attempts to send an e-mail message to one of two addresses, which may belong to the worm author. These messages contain information about the infected system.


Norton's and McAfee's sites give detailed instructions about preventing and deleting this worm.

Charles
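
The indicators listed in the description quoted above, turned into a read-only check. This is an added example, not part of the original post and not a vendor removal tool; the `windir` and `all_users_dir` parameters, the helper names and the sample tree are assumptions of the example.

```python
import os
import re

# Artifact names come from the worm description quoted in the post above.
WORM_FILES = ("MSVXD.EXE", "MSVXD16.DLL", "MSVXD32.DLL")
SHORTCUT = "VxD Manager.lnk"
STARTUP_DIRS = (
    r"Start Menu\Programs\Startup",
    r"Menu Démarrer\Programmes\Démarrage",
    r"Menu Avvio\Programmi\Esecuzione automatica",
)
# RUN=MSVXD.EXE in any case, with an optional path or trailing junk characters.
RUN_LINE = re.compile(r"^\s*run\s*=.*\bMSVXD\.EXE", re.IGNORECASE)

def find_ci(directory, name):
    """Return the path of `name` in `directory` (case-insensitive), or None."""
    if not directory or not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.casefold() == name.casefold():
            return os.path.join(directory, entry)
    return None

def scan(windir, all_users_dir):
    """List indicators under a WINDOWS dir and an "All Users" dir (both assumed)."""
    hits = ["file:" + name for name in WORM_FILES if find_ci(windir, name)]
    win_ini = find_ci(windir, "WIN.INI")
    if win_ini:
        with open(win_ini, encoding="latin-1") as fh:
            hits += ["win.ini:" + ln.strip() for ln in fh if RUN_LINE.search(ln)]
    for rel in STARTUP_DIRS:
        path = all_users_dir
        for part in rel.split("\\") + [SHORTCUT]:
            path = find_ci(path, part)
        if path:
            hits.append("shortcut:" + rel)
    return hits

def build_sample(root):
    """Create a constructed sample tree (empty files, no malware) under `root`."""
    windir = os.path.join(root, "WINDOWS")
    all_users = os.path.join(windir, "All Users")
    lnk = os.path.join(all_users, "Menu Avvio", "Programmi", "Esecuzione automatica", SHORTCUT)
    os.makedirs(os.path.dirname(lnk))
    for path in (os.path.join(windir, "msvxd.exe"), os.path.join(windir, "MSVXD32.DLL"), lnk):
        open(path, "w").close()
    with open(os.path.join(windir, "win.ini"), "w") as fh:
        fh.write("[windows]\nload=\nRun=MSVXD.EXE!!\n")
    return windir, all_users
```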

cmoehle

San Antonio, TX

Senior Member

Joined: 02/14/2001

Posted: 10/01/02 06:37am

It sounds like while you were editing, Norton AV started up and found your system infected, those two files. As Charles says via your WAN/LAN or from email, not from editing a Web form.

I would recommend running Norton AV and doing a complete system check.


CampfireSoapbox.com


rayhtx

West Texas

Senior Member

Joined: 02/08/2002

Posted: 10/01/02 08:10am

Charles,
Nice post. Good and correct information. Most of the computer items listed on the forum have only small parts of truth or correctness. Yours was very good.

phespe

Santa Fe, NM

Full Member

Joined: 04/23/2001

Posted: 10/01/02 06:28pm

Wrong.
I am not on any LAN or WAN. I have no shared network drives. I received 3 Emails the day the virus was received. All three were from eBay, auto generated messages about bids and outbids. All my email - both incoming and outgoing is checked by Norton AV - No indication of any virus.

The files Cindows/msvcd.exe and .dll are time/date stamped the exact time I was on and receiving files from the Forum. 09/30 22:21, 22:22 and 22:23

Norton AV did not start and was not running and was last started 09/20/02 20:22 with no virus found. Norton AV does, of course, check files as they are received from this forum (and all other sources)

Paul









*This Message was edited on 01-Oct-02 06:36 PM by phespe*


cmoehle

San Antonio, TX

Senior Member

Joined: 02/14/2001

Posted: 10/01/02 07:01pm

No one doubts Norton AV found a virus/worm. The question is where did it come from?

If your email is scanned, then that's an unlikely source.

Let's go back to:

Quote:

I was just trying to post a reply to the Open Roads forum "Dinghy Towing 1999 GMC Jimmy". In editing my reply I received a message from Norton AntiVirus that the file I was receiving from the Forum was contaminated with the virus.


Can you explain what files you are receiving from the forum when you reply and edit? I'm replying and editing now and not receiving any files--never do. You mean the html, embedded script and pictures that you look at in your browser?

You are on a WAN, so to speak, if you're connected to the Internet, by LAN, cable, dial up, what-have-you. Being so connected you can be hacked such that viruses are downloaded to your system, and Norton won't see it. It happened to me, files appearing on my system with current time stamps, until I got a firewall, like ZoneAlarm.


*This Message was edited on 01-Oct-02 07:02 PM by cmoehle*


Admin

Channel Islands Harbor, Ca.

Administrator

Joined: 06/20/2000

Posted: 10/01/02 09:24pm

Chris
Are you running the free version or Pro?
I upgraded to Pro and all my popups went away.
I had one site I gave up on because I could not get to the forum. I had been running the free version. After I got Pro, no more popups.
Admin

LeeT

WA

Senior Member

Joined: 09/09/2002

Posted: 10/01/02 09:28pm

Received a file from the forum?

This is not that kind of forum. We can't post any files here, nor download them.

Someone was hacking your computer while you were visiting this forum.

I'm not trying to attack you on this, but you are the one who jumped to conclusions. What you are suggesting is just not possible.


2006 Jayco Jay Flight 27.5BHS
1998 C2500HD X-Cab LB, Rhino Liner, 16k Dual-pivot Husky Hitch, Prodigy Brake Controller
Prev: 2003 Northern Lite 10-2000CD
Go Cougs!


cmoehle

San Antonio, TX

Senior Member

Joined: 02/14/2001

Posted: 10/01/02 10:14pm

Pro. Ran free till I decided ZA was good enough to pay for and it gets you tech support. Their tech support isn't worth a penny though, so I'll switch back to free soon.

Oh, the pop ups. Go to the ZA interface (double click icon in system tray) and select Privacy (left hand column) and turn Ad Blocking off. Or click on Ad Blocking Custom, and uncheck pop ups. I also turn Cookie Control off.
