KYMCCREA-L Archives
From: "Timothy N. West" <>
Subject: [KYMCCREA] No Scott Co, TN Update for Mar 2004
Date: Fri, 26 Mar 2004 17:18:22 -0800
All,
I'm sorry to say there will be no update to the Scott Co, TN website for
Mar. My computer got hit with a Trojan Horse infection last Friday
night that defeated my hardware firewall and Norton Antivirus. Don't
worry -- I didn't lose any data. I immediately disconnected my
computer from the Internet and I spent several days trying to disinfect
my system to no avail. Even spent $30 calling Symantec and talking with
one of their experts for a couple hours. Together we could not defeat
it. I finally gave up on Thursday morning and reformatted my hard
drive. I've been reinstalling software ever since. Once I got my email
systems back up (two of them) I started to answer emails. I got 538
emails in less than one week -- that has got to be a record for me.
For those "bent" like me, the name of the virus was "Backdoor.Prorat" as
cataloged by Symantec. It is written in Delphi (thank-you Borland) - a
C++ programming environment and seems to have originated in Turkey. It's
great to have NATO allies -- not! The one making the rounds now is a
brand new version and significantly enhanced which is why it defeated
all attempts to detect and later remove. This thing is too smart.
Symantec sent me a program I could use to make a copy of the virus and
send to them. As soon as the virus detected what I was up to, it would
delete the files I was trying to send Symantec -- even if I tried
sending them to someone else first. Fortunately, it was not a
destructive virus but it did cause me to change a bunch of account
numbers, passwords, etc.
Apparently one of you out there has this trojan on your computer or one
of the people you correspond with as I received this little surprise in
an apparent "JPG" image file from somebody I might have expected to
receive a genealogically related image. There is no way to determine
who really sent me this fun as email address spoofing is a typical
hiding technique.
Before you get excited about JPG image files and shut them down:
Don't! JPG image files are not executable nor do JPG buffer overflows
cause executable code to be run. They just can't be used as vectors for
computer viruses. So how did I get infected with a JPG file? The
trojan author calls his infection file something like this:
"some image.jpg                                                        .scr"
"SCR" files are executable. What happens is you double click on the
image attachment and your local program asks if you want to open the "some
image.jpg " file. The dialogue box isn't wide enough to
accommodate all 255 characters of an allowable file name. In my case
the ".scr" file extension was truncated on display so I never knew I had
a ".scr" file. I know better than to open a "SCR" file. The slick part
is the guy even displays an image -- a porn one at that.
Symantec now has a signature for the trojan to detect pre- and
post-infection. Symantec does not yet have a removal scheme post
infection until they can lure the virus to a machine they host.
I suggest you all download the latest virus signatures from your
antivirus provider and run a full, comprehensive system scan.
...tim west...
Scott Co, TN Coordinator for the TNGenWeb Project
http://www.tngenweb.org/scott
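A defender's check for the disguised-attachment trick the message describes (a decoy image extension followed by a run of whitespace so the real `.scr` falls off the end of the file dialog), written as an added Python example; it is not the author's or Symantec's code, and the extension lists, the 40-character display width and the sample filenames are assumptions constructed for illustration.

```python
import re

# Extensions Windows runs on double-click (assumption: representative, not exhaustive).
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a genealogy correspondent would expect on an image attachment.
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".tif"}

# A decoy extension immediately followed by two or more whitespace characters.
DECOY_RE = re.compile(r"(\.[A-Za-z0-9]{2,4})\s{2,}")


def real_extension(name: str) -> str:
    """Return the true final extension, lower-cased, ignoring trailing whitespace."""
    stem = name.rstrip()
    idx = stem.rfind(".")
    return stem[idx:].lower() if idx != -1 else ""


def analyze_attachment(name: str, display_width: int = 40) -> dict:
    """Flag a filename that hides an executable extension behind a padded image name."""
    ext = real_extension(name)
    shown = name[:display_width]           # what a narrow dialog would display
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"real extension {ext} is executable")
    decoy = DECOY_RE.search(name)
    if decoy and decoy.group(1).lower() in IMAGE_EXTS and decoy.group(1).lower() != ext:
        findings.append(f"decoy {decoy.group(1)} padded with whitespace before {ext}")
    # True when the real extension lies past the visible portion of the name.
    hidden = bool(ext) and not shown.rstrip().lower().endswith(ext)
    if hidden and findings:
        findings.append(f"real extension falls outside a {display_width}-character display")
    return {"name": name, "real_ext": ext, "hidden_on_display": hidden,
            "suspicious": bool(findings), "findings": findings}


# Constructed sample attachment names, not the filename from the message.
SAMPLE_ATTACHMENTS = [
    "reunion_1952.jpg",
    "some image.jpg" + " " * 60 + ".scr",
    "scan.JPG" + " " * 30 + ".Exe",
    "grandpa_smith_family_reunion_1952_picnic_photo_scan.jpg",
]

if __name__ == "__main__":
    for attachment in SAMPLE_ATTACHMENTS:
        result = analyze_attachment(attachment)
        print(repr(result["name"][:20]), "suspicious:", result["suspicious"], result["findings"])
```

A long but honest image name is reported as hidden on display without being marked suspicious, so the check keys on the padded decoy and the executable extension rather than on length alone.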