Readme.exe, Eudora, and Opera (was Re: [thelist] failure notice (& CF TIP))
Shirley Kaiser, SKDesigns
skaiser1 at skdesigns.com
Wed Sep 19 12:51:55 CDT 2001
Speaking of the Readme.exe file:
I do NOT use Outlook, I use Opera 5.12 as my primary browser, and I don't
have NT server or IIS server installed on my hard drive. They came into my
computer without my knowledge in the least. (I'm on a PC with Win98)
My ISP's server got nailed yesterday morning with the Nimda virus, and I
also ended up having 5 copies of the Readme.exe file in my Eudora files in
the Embedded folder, NOT the attachments folder where virus attachments to
email would go:
Qualcomm\Eudora\Embedded\Readme.exe
And since I received it several times, Eudora changed the name
automatically, so there was:
Readme.exe
Readme1.exe
Readme2.exe
Readme3.exe
Readme4.exe
The same files were also in the backup files that I've set Eudora to
automatically make.
When one of my colleagues found the virus (unknowingly at that point) at
one of my sites yesterday morning (the popup window came up with the weird
message), he told me about this weird popup window and asked why I was doing
that... so I went to my site with Opera and checked it out, at that point
neither of us knowing why I had this weird popup window. Fortunately he
found out why within minutes and emailed me information, and then I called
my ISP about it. (Thanks to Charles Johnson of
http://www.littlegreenfootballs.com/ for happening to visit my site and
find it and let me know yesterday....)
After that Opera kept crashing and I couldn't open it with my usual "Open
with previously saved windows".... and Opera never crashes on me. So I knew
something was up. So I opened it with no windows and immediately deleted my
cache and my history. Then it worked fine.
That's when I also wondered if anything was on my computer anywhere else,
ran the Readme.exe search and found those files in the Embedded folder in
Eudora. I'd already looked in the Attachments folder (the usual spot for
virii) and didn't find anything. This was before the virus updates were
available.
Needless to say, I also ran a complete scan of my entire computer after I
downloaded the latest virus software update yesterday afternoon.
So even if you don't think you have any problems, I'd still suggest running
a search on your computer and making sure you don't have any of the problem
files residing in it. The problem files may just sit there and not do anything,
as mine hadn't yet, but I also didn't open that Readme.exe file either (and
I wouldn't have, either).
So that's my story. ;-) Hope it helps someone else.
Warmly,
Shirley
--
Shirley E. Kaiser, M.A.
SKDesigns mailto:skaiser1 at skdesigns.com
Website Development http://www.skdesigns.com/
Pianist, Composer http://www.shirleykaiser.com/
Moderator, I-Design http://www.adventive.com/lists/idesign/summary.html
At 07:05 AM 09/19/2001, you wrote:
>One more tip while people are tossing them about virii and windows..
>
>Search your IIS server for a file called root.exe and delete it - if you
>have it you've been compromised. *NO* patches from MS delete this file.
>
>Ironically, I blogged this last week:
>root.exe allows anyone on the internet to have commands on the machine
>executed with web server privileges, and can typically be used to set up
>logging of credit card information and other sensitive data on SSL
>servers. This has created a new class of ecommerce site which has been
>correctly patched for known server vulnerabilities, but have a live
>backdoor facility enabling attackers to continue to remain in control of
>the machine.
>
>typically you'll find the file in the inetpub/scripts directory. I had
>four clients yesterday who had their machines 100% patched, but were still
>being controlled through the root.exe file. What's more scary is 13% of
>*SSL* IIS websites on the internet have the root.exe exploit installed on
>them according to Netcraft..
>
>.djc.
>
>Richard H. Morris wrote:
>
>>John Handelaar [genghis at members.evolt.org] wrote:
>>
>>>-----Original Message-----
>>>Utterly unhelpful. Way to go, Richard.
>>>
>>>The answer:
>>>
>>>1 Look for all instances of README.EXE on your local
>>> disks and delete them
>>>
>>>2 Search the registry for 'macrosoft' and remove the
>>> keys
>>>
>>>3 Uninstall IIS and Windows Scripting Server on your
>>> desktop machine
>>>
>>>4 Disable 'active scripting' in IE at all 4 security
>>> settings. Better still, get Mozilla 0.9.4 instead
>>> 'cos it's (believe it or not) more robust and doesn't
>>> suffer from the security bug which enables one
>>> of this worm's 6 or 7 methods of propagation.
>>Re: 4, just get a Mac and don't worry about Wintel executables? Just as
>>helpful advice...
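As an added example, not code from the original thread or from any of its participants, here is a small Python sweep that does what the messages above recommend by hand: walk a disk for the indicator file names they mention (readme.exe, the Readme1.exe ... Readme4.exe copies Eudora produced when the same attachment arrived repeatedly, and root.exe) and flag the two locations the thread calls out, inetpub/scripts and a mail client's Embedded folder rather than Attachments. Matching is case-insensitive because Windows file systems are. The sample directory tree it builds is constructed for the example, and the directory layout, the regex patterns and the function names are assumptions; the registry search for 'macrosoft' in the quoted steps is not included, since it would need winreg on a Windows host.

```python
"""Filesystem sweep for the Nimda-related file names named in the thread.

Added example, not code from the thread's participants. The indicator names
(readme.exe, Eudora's renamed copies readme1.exe ... readme4.exe, and root.exe
under inetpub/scripts) come from the messages; the directory layout below and
the match patterns are assumptions made for the example.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

# Matching is case-insensitive because Windows file systems are: README.EXE
# and Readme.exe are the same file name.
INDICATORS = [
    # readme.exe and the readme1.exe, readme2.exe ... copies a mail client
    # produces when the same attachment arrives more than once
    ("readme.exe", re.compile(r"^readme\d*\.exe$", re.IGNORECASE)),
    # root.exe, the command-execution backdoor the quoted message describes
    ("root.exe", re.compile(r"^root\.exe$", re.IGNORECASE)),
]


def classify(path):
    """Return (indicator, note) when the file name matches, otherwise None.

    The note records the location context the thread calls out: root.exe in
    inetpub/scripts, and readme.exe in a mail client's Embedded folder rather
    than its Attachments folder.
    """
    parts = [p.lower() for p in Path(path).parts]
    name = parts[-1]
    for indicator, pattern in INDICATORS:
        if not pattern.match(name):
            continue
        if indicator == "root.exe" and "inetpub" in parts and "scripts" in parts:
            return indicator, "in inetpub/scripts: the location the thread gives for the backdoor"
        if indicator == "readme.exe" and "embedded" in parts:
            return indicator, "in an Embedded folder, not Attachments: where the poster found hers"
        return indicator, "elsewhere on disk"
    return None


def sweep(root):
    """Walk root and return sorted (path, indicator, note) tuples for every hit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            result = classify(full)
            if result is not None:
                hits.append((full, result[0], result[1]))
    return sorted(hits)


def build_sample_tree():
    """Create a throwaway tree (constructed for this example) that mimics the
    layouts described in the thread, plus benign look-alikes that must not match."""
    base = Path(tempfile.mkdtemp(prefix="nimda-sweep-"))
    layout = {
        "Qualcomm/Eudora/Embedded": ["Readme.exe", "Readme1.exe", "Readme4.exe", "logo.gif"],
        "Qualcomm/Eudora/Attachments": ["invoice.pdf"],
        "Inetpub/scripts": ["root.exe", "upload.asp"],
        "Downloads": ["README.EXE", "readme.txt", "readme.exe.bak", "rootkit.exe"],
    }
    for rel, names in layout.items():
        folder = base / rel
        folder.mkdir(parents=True)
        for name in names:
            (folder / name).write_bytes(b"placeholder bytes, not a real binary")
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for path, indicator, note in sweep(sample):
            print(f"{indicator:<11} {note:<70} {path}")
    finally:
        shutil.rmtree(sample)
```

Against the sample tree the sweep reports the three Embedded copies, root.exe in inetpub/scripts, and the README.EXE in Downloads, while ignoring readme.txt, readme.exe.bak and rootkit.exe; pointing `sweep()` at a drive root (for example `sweep("C:\\")`) gives the whole-disk search the post suggests. A name match is only an indicator, not proof of infection, so a hit still needs a scan with current signatures as the poster did.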