Feckin Mail Virus (yet again!) *BEWARE*

  • 15-10-2002 7:48pm
    #1
    Closed Accounts Posts: 1,322 ✭✭✭


    Right,

    At precisely 19:33 this evening I checked my mail and I had one wee message (with an attachment). Before you yell I'm not stupid enough to open attachments especially if they are from someone called Yoshimitzu Chung offering me some kind of eye treatment ;)

    But anyway I'm sure ye've noticed with this latest batch of bastards, they spoof the mail headers, and through some vulnerability in Outlook Express launch an attachment the moment the mail is accessed. To add to that, when mail is downloaded to my machine, it's opened as soon as it gets here. I thought I disabled that a while back, but now I remember I did a fresh re-install of my OS etc. recently. So the default settings were still active. Bugger :mad:

    Anyway, just like I've seen before with these viruses, a download window flashed on the screen, and all of a sudden my firewall prog tells me that a file called JHJC.exe is trying to act as a server, and do I want to let it proceed. So I click on "**** no!", and all is well. The part that annoys me even more is my virus scanner slept through the whole thing. Anyway, about 20 seconds later I go to check on my firewall logs again, and lo-and-behold, the feckin thing is still in memory, and has terminated my firewall. In the few seconds that it had, I noted it didn't try to act as a server, but it connected to my mail server and popped off 5-6 mails in random directions (I'm sure). But this is a warning to those of you who know me: if you get any mail from phobos today, it wasn't me OK :p.

    To make matters worse I went ahead and downloaded the latest update for my virus scanner, and it still sits there happy. I went ahead and tracked down two suspicious executables. One called oio.exe sitting in my Start Menu/Startup dir, and another sitting in my [Win]/System32 dir called jhjc.exe (this is the one doing all the network connections, either trying to act like a server, or connecting to mail servers).

    Anyway, the reason for my madness is basically I can't stop this bloody thing, coz when I even point my scanner at those two specific exes, it tells me all is well. So what I'm doing ATM is booting the machine, and killing the instance of jhjc.exe in memory. Then deleting it and the other exe. Then restarting my firewall and connecting to the web, and while I'm typing this I have blocked all in/outbound traffic from my machine (the firewall remains running while jhjc.exe is not in memory).

    Anyone seen this virus before? It's possibly that new one that has hit quite a few people (esp. in Galway). I dunno, I wasn't listening, coz I didn't think I'd get it (typical). Anyway I thought my scanners would defend my base if it came to it, but unfortunately not :(

    ;-phobos-)


Comments

  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    OK, we're making progress.

    I decided to try and stop this file from being regenerated and loaded into memory every time my PC boots, and I have found the source. I found another file called zfzuapk.dll, and since moving both this and jhjc.exe out of [Win]/System32, it has been unable to accomplish its goal of regenerating jhjc.exe in [Win]/System32. So when I start Windows now (2kpro BTW), I just get a dialog telling me that jhjc.exe cannot be located, hence it can't be started. Also the program oio.exe doesn't seem to be regenerated and placed in Start Menu/Startup either. So TBH I don't know what's trying to execute jhjc.exe upon startup.

    I checked the registry, and there don't seem to be any entries that would suggest the program is being started. So I'm clueless yet again. But I'm making progress. If you can figure it out, will ya let me know? I'm actually wrecked tired ATM, and I think I'll call it a night. I was up well before sunrise today, and I think I'm getting old :p

    ;-phobos-)


  • Closed Accounts Posts: 6,601 ✭✭✭Kali


    Did you search the registry for all 3 filenames?

    Might be an idea to check the standard .ini files as well..
    system.ini and win.ini, mostly redundant in w2k but still executed on startup.

    Check other main directories as well..
    c:\progra~1\common1\system\

    or if it only happens with a single login, try the relative documents/settings folder for the user.
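    Kali's tip about win.ini and system.ini, as an added example that is not from the thread: a small Python parser (names such as startup_entries are my own, not from any tool mentioned here) that pulls the logon hooks Windows 2000 still honours from those two files and flags anything that would start a program the way jhjc.exe was started. The ini text below is constructed for the example.

```python
import configparser
from typing import List, Tuple

EXPECTED_SHELL = "explorer.exe"  # the only thing system.ini [boot] shell= should hold

# Constructed sample files, modelled on the jhjc.exe case described in the thread.
SAMPLE_WIN_INI = """\
; win.ini (constructed sample)
[windows]
load=
run=C:\\WINNT\\system32\\jhjc.exe
[fonts]
"""
SAMPLE_SYSTEM_INI = """\
[boot]
shell=explorer.exe jhjc.exe
[drivers]
wave=mmdrv.dll
"""

def _parse_ini(text: str) -> configparser.RawConfigParser:
    # Only '=' is a delimiter so 'C:\...' paths are not split at the colon;
    # strict=False tolerates the duplicate keys real win.ini files contain.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False,
                                      allow_no_value=True)
    cp.read_string(text)
    return cp

def startup_entries(win_ini: str, system_ini: str) -> List[Tuple[str, str, str]]:
    """Return (file, key, value) for every logon hook present in the two files."""
    found = []
    win = _parse_ini(win_ini)
    for key in ("run", "load"):  # win.ini [windows] run= / load=
        value = win.get("windows", key, fallback="").strip()
        if value:
            found.append(("win.ini", key, value))
    boot = _parse_ini(system_ini)
    shell = boot.get("boot", "shell", fallback="").strip()  # system.ini [boot] shell=
    if shell:
        found.append(("system.ini", "shell", shell))
    return found

def suspicious_entries(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """run=/load= should be empty on a clean box; shell= should be exactly explorer.exe,
    so a worm that appends itself ('explorer.exe jhjc.exe') is caught as well."""
    return [e for e in entries
            if e[1] in ("run", "load") or e[2].lower() != EXPECTED_SHELL]

if __name__ == "__main__":
    for f, key, value in suspicious_entries(startup_entries(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI)):
        print(f"{f}: {key}={value}")
```

    Feed it the real files from the Windows directory and anything it prints is a startup hook worth explaining before the next reboot.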


  • Closed Accounts Posts: 88,972 ✭✭✭✭mike65


    ftp://ftp.europe.f-secure.com/anti-virus/tools/yahatool.zip
    ftp://ftp.europe.f-secure.com/anti-virus/tools/yahatool.txt
    You should be able to find the fix above.

    If the link doesn't work I have the fix for the Yaha worm-virus thingy, which is what you have by the sound of it (it caught me too); just send me a PM and I'll mail it, it's only 33kb.

    Here's a site worth bookmarking:
    https://www.europe.f-secure.com/download-purchase/tools.shtml

    Mike.


  • Closed Accounts Posts: 16,396 ✭✭✭✭kaimera


    I can't seem to fathom WHY people still use Outlook Express when almost every virus comes through it.

    Can somebody explain it to me plz? :confused:


  • Registered Users, Registered Users 2 Posts: 2,396 ✭✭✭PPC


    Originally posted by Kaimera
    I can't seem to fathom WHY people still use Outlook Express when almost every virus comes through it.

    Can somebody explain it to me plz? :confused:

    I hate webmail and prefer to have it on my PC.
    Webmail is slow and sluggish and you have to log on to receive your mail.

    Outlook has your mail there all the time and you can just call it up very fast and it's there and you don't have to sign on.

    But it does have the virus weaknesses, but I use Outlook XP and it's got security levels and it won't let you open files that look dodgy.

    Use something like Norton or AVG and the little virii won't get in.


  • Registered Users, Registered Users 2 Posts: 1,967 ✭✭✭Dun


    Originally posted by Kaimera
    I can't seem to fathom WHY people still use Outlook Express when almost every virus comes through it.

    Can somebody explain it to me plz? :confused:

    I'm just glad they do. If nobody used it, and everyone used Eudora, like I'm using, then it would be attacked instead. So everyone, Outlook (Express) is GREEEEEAT :D


  • Closed Accounts Posts: 1,006 ✭✭✭theciscokid


    If you're stuck looking for a virus server file on your hard drive,
    a handy way is to check thru a search with the corresponding date on which it was created.

    So, if you downloaded it on the 10th say, do a search for that date. If you are suspicious of a file, simply check the properties to see the date it was created :D


  • Closed Accounts Posts: 23 morges


    Originally posted by phobos
    Right,


    But anyway I'm sure ye've noticed with these latest batch of bastards, they spoof the mail headers, and through some vulnerability in Outlook Express launch an attachment the moment the mail is accessed. To add to that, when mail is downloaded to my machine, it's opened as soon as it gets here. I thought I disabled that a while back, but now I remember I did a fresh re-install of my OS etc recently. So the default settings were still active. Bugger :mad:


    ;-phobos-)

    Very often you don't have to do a re-install of your OS to find things put back to "Redmond Default" state. Just run Windows Update on Win2K and chances are the "security enhancements" that Microsoft throws at your machine will re-set every important configuration parameter to US or British default crap, replete with more bugs and irritations.

    Time to take BSE software vendors out of the loop - no matter how big they are!

    morges

