THE WELCH COMPANY
440 Davis Court #1602
San Francisco, CA 94111-2496
415 781 5700
rodwelch@pacbell.net


S U M M A R Y


DIARY: October 31, 2003 11:25 AM Friday; Rod Welch

Mimail C virus attacking computers in Europe and US.

1...Summary/Objective
2...Virus Mimail C Reported in News
........Email Subject -- Our private photos
........Virus Not Believed to Harm Computer by Destroying Files
3...Detection of Msblast Virus
.....Denial of Service Attack Self-perpetuates Virus
.....Virus Blocks Use of Windows Update System to Correct Problem
.....Impact on Performance Caused by Virus
......We Have No Symptoms So Far....
.....Recovery from Virus and Protection Against Future Problems
4...C13 McAfee Detected and Deleted Virus Software
5...McAfee Detected and Deleted Virus Software on C13
6...Microsoft Recommends Calling Microsoft for Support to Recover
7...Decided to transfer operations from c13 to c11.
8...C13 Downloaded and Installed Corrective Software from Microsoft
9...C11 Virus Msblast.exe Found
10...Virus Msblast.exe Found on C11 as Well as C13
11...C11 Update McAfee to Check for the Virus
.....Virus Program File Denies Access to Delete Within Windows
.....Safe Mode Permits Deleting Virus from the Disk
.....Virus File Deleted from C11 with Windows Safe Mode Op
12...C12 Appears to Not Have Virus Msblaster Installed
13...Work Plan to Recover from Virus and Prevent Future Problems
............McAfee Online Purchase Update Virus Definitions Failed C12



CONTACTS 

SUBJECTS
Virus Mimail C Reported by Reuters

0703 -
0703 -    ..
0704 - Summary/Objective
0705 -
070501 - Follow up ref SDS 7 0000. ref SDS 5 0000.
070502 -
070503 - A new virus is sweeping around the world.  Investigation seems to
070504 - show we have not been infected this time, suggesting new measures
070505 - developed following 030812 have been effective.
070506 -
070507 -
070508 -
070509 -
070511 -  ..
0706 -
0707 -
0708 - Progress
0709 -
070901 - Virus Mimail C Reported in News
070902 -
070903 - Follow up ref SDS 7 YU6G.
070904 -
070905 - There is a report on the Internet today...
070906 -
070907 -        http://story.news.yahoo.com/news?tmpl=story&ncid=578&e=8&u=/nm/20031031/tc_nm/teirus_dc
070908 -
070909 - ....saying that a computer virus is spreading throughout the world.
070911 -  ..
070912 - The virus seems to be limited to email.  Home computers are at risk --
070913 - the article says....
070914 -
070915 -        LONDON (Reuters) - A new e-mail virus capable of turning
070916 -        infected personal computers into "spamming" machines emerged on
070917 -        Friday targeting corporate and home users in Europe and the
070918 -        United States, a computer security expert said. ref OF 1 0001
070919 -
070921 -         ..
070922 -        Email Subject -- Our private photos
070923 -
070924 -        The virus carries the subject message line "our private photos
070925 -        ???." Opening the e-mail triggers the virus into action.
070926 -        ref OF 1 LPSQ
070928 -         ..
070929 -        The virus installs an SMTP, or simple mail transfer protocol,
070930 -        program on an infected PC that turns the computer into a type
070931 -        of e-mail computer server capable of sending out torrents of
070932 -        virus-infected messages, Genes said. ref OF 1 PPSU
070933 -        ..
070934 -        The e-mail has spread quickly because it spoofs e-mail
070935 -        addresses, making it appear as if the e-mail comes from a
070936 -        friend or co-worker. "It's an old spammers trick," said Genes.
070937 -        ref OF 1 008P
070938 -
070940 -         ..
070941 -        Virus Not Believed to Harm Computer by Destroying Files
070942 -
070943 -        The virus is not believed to be particularly damaging to the
070944 -        infected computer, but it has the potential to unleash a flood
070945 -        of virus e-mails that could bog down corporate networks, Genes
070946 -        said. ref OF 1 PPTU
070947 -
070948 -
070950 -  ..
070951 - Background...
070952 -
070953 -         On 030812 computers c11 and c13 were infected by a virus
070954 -         Msblaster. ref SDS 7 0001  Previously, on 030618 a virus was
070955 -         reported from downloading files from Microsoft. ref SDS 4 M58P
070956 -         McAfee disabled the virus. Microsoft was notified and on
070957 -         030619 Microsoft reported they are unaware of a problem.
070958 -         ref SDS 5 HX7H
070959 -
070960 -
070961 -
070962 -
070963 -
0710 -

SUBJECTS
Procedures for Detecting Presence of Virus Software on Computers

080301 -  ..
080302 - Detection of Msblast Virus
080303 -
080304 - Follow up ref SDS 7 VU4P.
080305 -
080306 - The fact this virus is spread by email under the subject "Our private
080307 - photos???" enables detection. ref SDS 0 GU9N
080309 -  ..
080310 - Additionally, SBC "spam" detection may have intercepted the letter if
080311 - sent to us, since we have not seen this letter show up in email so
080312 - far.
080314 -  ..
080315 - There is a report saying....
080317 -      ..
080318 -     Denial of Service Attack Self-perpetuates Virus
080319 -     Virus Blocks Use of Windows Update System to Correct Problem
080320 -
080321 -     Follow up ref SDS 7 T86G.
080322 -
080323 -     The article says the virus does not harm the computer. ref SDS 0
080324 -     PPTU
080325 -
080326 -
080328 -      ..
080329 -     Impact on Performance Caused by Virus
080330 -
080331 -     Follow up ref SDS 7 0078.
080332 -
080333 -     The virus can reduce performance by taking up cpu time and
080334 -     clogging the Internet. ref SDS 0 PPSU
080335 -
080336 -
080337 -
080338 -
080339 -
080340 -
080341 -
0804 -

SUBJECTS
Symptoms Indicating Presence of Virus Software on Computers

090301 -       ..
090302 -      We Have No Symptoms So Far....
090303 -
090304 -      Follow up ref SDS 7 1T6I.
090305 -
090306 -      There is no indication so far that we have this virus.
090307 -
090308 -
090309 -
0904 -

SUBJECTS
Filtering TCP/IP Network Connections Firewall Virus Protection Intern
Software Patch from Microsoft Download to Prevent Future Problems
TCP/IP Filtering Firewall Virus Protection Internet Security
Recovery C11 C12 C13
Microsoft Requirements and Guidance for Recovery
Virus Protection Software McAfee to Detect and Delete Virus Program
Article Provides Link to Microsoft Guidance on Detecting Recovery and

150901 -      ..
150902 -     Recovery from Virus and Protection Against Future Problems
150903 -
150904 -     Follow up ref SDS 7 0125.
150905 -
150906 -
150907 -
1510 -

SUBJECTS
McAfee Ran Detected and Deleted Virus
Symptom Sychost.exe Has Generated Errors and Will be Closed by Window

190401 -  ..
190402 - C13 McAfee Detected and Deleted Virus Software
190403 - McAfee Detected and Deleted Virus Software on C13
190404 -
190405 - Follow up ref SDS 7 Q15H.
190406 -
190407 - Ran McAfee
190408 -
190409 -     Updated virus definitions on McAfee on c13 using standard
190410 -     procedure to download from the Internet.
190411 -
190412 -
190413 -
190415 -  ..
1905 -
1906 -
1907 - 1349
1908 -
190801 - Report McAfee found the virus....
190802 -
190803 -                I:\00\02\system32\msblast.exe
190805 -                 ..
190806 -                W32/Lovsan.worm
190807 -
190808 - ...which fits the warning in the news, per above. ref SDS 7 0078
190809 -
190810 -        [...below, c11 has the same problem. ref SDS 7 HN7L
190812 -         ..
190813 -        [...below, c12 seems not to have the virus. ref SDS 7 5M9O
190815 -  ..
190816 - We need to find out what damage is typically caused by this virus.
190817 -
190818 -     Symptoms and impact are developed above. ref SDS 7 0078
190819 -
190820 -
190821 -
190823 -  ..
1909 -
1910 -
1911 - 1451
1912 -
191201 - Just got the following message....
191202 -
191203 -      sychost.exe has generated errors and will be closed by Windows.
191204 -      You will need to restart the program.
191206 -       ..
191207 -      An error log is being created.
191208 -
191209 -           OK
191210 -
191212 -  ..
191213 - This message appeared a few days ago.  Clicking OK did not seem to
191214 - have any impact.  The program...
191215 -
191216 -
191217 -                      sychost.exe
191218 -
191219 -
191220 - ...is not familiar.  Seems like candidate for symptom of virus, per
191221 - above. ref SDS 7 1T6I
191222 -
191223 -    A search on the disk for....
191225 -                       ..
191226 -                      sychost.exe
191227 -
191228 -    ...and for....
191230 -                       ..
191231 -                      sychost*.*
191232 -
191233 -    ....was not successful, indicating this is a registry error of
191234 -    some kind.
191235 -
191236 -
191237 -
191238 -
191239 -
191240 -
1913 -

SUBJECTS
Call Microsoft for Guidance and Support

2003 -
2004 - 1455
200501 -  ..
200502 - Microsoft Recommends Calling Microsoft for Support to Recover
200503 -
200504 - Follow up ref SDS 7 YQ5W.
200505 -
200506 - Per Microsoft guidance, above, ref SDS 7 HS6M, called Microsoft at....
200507 -
200508 -                     866 727 2338
200509 -
200510 - ...getting busy signal.
200511 -
200512 -
200514 -  ..
2006 -
2007 -
2008 - 1556
2009 -
200901 - Still busy.
200902 -
200904 -  ..
2010 -
2011 -
2012 - 1620
2013 -
201301 - Still busy.
201302 -
201303 -     Microsoft's number remained busy throughout the day and night.
201304 -     Eventually got an answer that was a recording that said they are
201305 -     busy.  Referred to a website and said that at the end of the
201306 -     recorded message, if there is a busy signal to call back later.
201307 -
201308 -
201309 -
201310 -
201311 -
2014 -

SUBJECTS
Transferred Operations from C13 to C11 Because Virus Detected on C13

2203 -
2204 - 1620
220501 -  ..
220502 - Decided to transfer operations from c13 to c11.
220503 -
220504 - Follow up ref SDS 7 PRWP.
220505 -
220506 - Think I am okay, because nothing is transferred from i: drive where
220507 - the operating system is located.
220509 -  ..
220510 - Need to format the hard drive for partition I and install w2k again,
220511 - plus configure all the software, as shown in the record on....
220512 -
220513 -        Original installation.............. 010202, ref SDS 1 0001
220514 -
220515 -        Re-installation.................... 010214, ref SDS 2 0001
220517 -  ..
220518 - The symptoms from the virus, and perhaps other non-virus related
220519 - issues suggest a new installation for w2k on c13 is needed.
220520 - ref SDS 7 1T6I
220522 -  ..
220523 - Since the keyboard is broken on c11, switched keyboards for production
220524 - work.
220526 -  ..
220527 - Also, need to connect DSL to update McAfee on C11 to ensure it is not
220528 - infected from transfers from c13.
220529 -
220530 -
220531 -
220532 -
220533 -
2206 -

SUBJECTS
Patch Microsoft Software Download for Windows 2000 OS that Prevents t

2303 -
2304 - 2027
230501 -  ..
230502 - C13 Downloaded and Installed Corrective Software from Microsoft
230503 -
230504 - Follow up ref SDS 7 AN3F.
230505 -
230506 - Was finally able to access Microsoft website and download the software
230507 - recommended to prevent further access by the virus, per above.
230508 - ref SDS 7 235K
230510 -  ..
230511 - After downloading and installing software from Microsoft, some of the
230512 - symptoms have been eliminated. ref SDS 7 9M58
230514 -  ..
230515 - After installing the corrective software, was able to use the regular
230516 - Windows Update feature which had been failing, per above. ref SDS 7
230517 - VO3V
230519 -  ..
230520 - Tried updating Windows 2000 on c13, but get message saying....
230521 -
230522 -      HTTP/1.1 Server Too Busy
230523 -
230524 -      This suggests that upgrading software on c13 may not be a good
230525 -      idea, because will not have access to Microsoft servers for a
230526 -      day or so.
230527 -
230528 -
230529 -
230530 -
230531 -
2306 -

SUBJECTS
Virus Bssx.exe Reported by McAfee After Downloading Update for W2k fr
Virus Reported by McAfee on W2K Update Downloaded from Microsoft bssx
Virus Definitions on c11 Updated for 1 Year from Today 030526 Cost $1

260601 -  ..
260602 - C11 Virus Msblast.exe Found
260603 - Virus Msblast.exe Found on C11 as Well as C13
260604 - C11 Update McAfee to Check for the Virus
260605 -
260606 - Follow up ref SDS 7 AN6M.
260607 -
260608 - Tried to update McAfee on c11, but got a message saying the account
260609 - needs additional payment.
260611 -  ..
260612 - This means we need the McAfee update.
260613 -
260614 -     McAfee was updated for c13 on 030526. ref SDS 3 0001
260615 -
260616 -        [On 030813 purchased virus upgrade from McAfee. ref SDS 8 0001
260617 -
260618 -
260620 -  ..
260621 - Did a search on c11 and found....
260622 -
260623 -                   i:\00\02\system32\msblast.exe
260624 -
260625 - ...per Microsoft guidance, shown above. ref SDS 7 VU4P
260626 -
260628 -  ..
260629 - Tried to delete msblast.exe from c11 using Windows file management
260630 - tools, and got an error message saying....
260631 -
260632 -           Cannot delete msblast Access is denied.  The source file
260633 -           may be in use.
260634 -
260635 -
260636 -
260637 -
2607 -

SUBJECTS
Could Not Delete Msblaster Virus Reported by Reuters Patch Available
F8 Safe Mode During Boot Sequence System Maintenance Delete Files
Safe Mode System Maintenance F8 During Boot Sequence Delete Files

290501 -      ..
290502 -     Virus Program File Denies Access to Delete Within Windows
290503 -
290504 -     Follow up ref SDS 7 H43G.
290505 -
290506 -     Tried deleting the file from a DOS Window and got same message.
290508 -      ..
290509 -     Tried booting c11 and selecting the DOS boot option, and got an
290510 -     error message.
290511 -
290512 -
290514 -      ..
290515 -     Safe Mode Permits Deleting Virus from the Disk
290516 -     Virus File Deleted from C11 with Windows Safe Mode Op
290517 -
290518 -     Follow up ref SDS 7 M346.
290519 -
290520 -     Called Morris.
290521 -
290522 -         Morris recalled that w2k can be started in safe mode by
290523 -         pressing F8 early in the boot sequence.
290525 -          ..
290526 -         Safe mode is similar to working at a DOS prompt without
290527 -         standard w2k processes that enable the virus to avoid being
290528 -         deleted, per above. ref SDS 7 HN8R
290530 -      ..
290531 -     Booted the computer and launched safe mode using the F8 option.
290533 -      ..
290534 -     Safe Mode gives two options....
290535 -
290536 -         1.  Windows 2000
290537 -
290538 -         2.  MS DOS
290540 -      ..
290541 -     Since the MS DOS mode failed previously, selected option 1 for
290542 -     Windows 2000.
290544 -      ..
290545 -     This takes several minutes to boot, i.e., there is a long pause,
290546 -     but eventually a DOS prompt appears on the screen, rather than the
290547 -     standard Windows screen.
290549 -          ..
290550 -         Changed the directory to...
290551 -
290552 -                   i:\00\02\system32
290554 -          ..
290555 -         Did a dir and found
290556 -
290557 -                         msblast.exe
290559 -          ..
290560 -         Called command....
290561 -
290562 -                   I:\00\02\System32>del msblast.exe
290564 -          ..
290565 -         Got a message saying file deleted.
290567 -          ..
290568 -         Did....
290569 -
290570 -                   I:\00\02\System32>dir msblast.exe
290572 -          ..
290573 -         Got a message saying file not found.
290574 -
290575 -
290576 -
290577 -
290578 -
2906 -

SUBJECTS
McAfee Will Not Update on Internet Using DSL Connection
Virus Blaster on C13 Reported by Reuters Patch Available from Microso

310401 -  ..
310402 - C12 Appears to Not Have Virus Msblaster Installed
310403 -
310404 - Follow up ref SDS 7 5M9O.
310405 -
310406 - A search on c12 did not find....
310407 -
310408 -                   msblast.exe
310409 -
310410 - ...per Microsoft guidance, shown above. ref SDS 7 VU4P
310412 -  ..
310413 - Appears to suggest that c12 is not infected.  Will switch to c12 as
310414 - primary work system while correcting problems with c11 and c13.
310416 -  ..
310417 - However, was unable to run McAfee because could not update the virus
310418 - definitions.
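Added example, not code from this diary nor from McAfee's or Microsoft's tools: a small Python check that automates the detections this record relied on, namely a disk search for the worm file name msblast.exe (found on c11 and c13, absent on c12) and a filter on the mail subject line "Our private photos???" quoted from the news report. It also attempts deletion and reports when the file is locked by a running process, which is the "Access is denied ... may be in use" condition that forced the safe-mode removal on c11. The indicator list, the sample directory tree (shaped like I:\00\02\system32) and the sample mail subjects are all constructed for the demonstration; sychost.exe is included only because this record searched for it.

```python
# Added example: automated versions of the checks recorded in this diary.
# Not code from the diary, McAfee, or Microsoft. Everything below is constructed
# for the demonstration: the indicator list, the sample directory tree and the
# sample mail subjects.
import os
import re
import tempfile
from pathlib import Path

# File names this record searched for on disk (msblast.exe was found and
# removed; sychost.exe was never found). Matching is case-insensitive.
FILE_INDICATORS = {"msblast.exe", "sychost.exe"}

# Subject line reported by Reuters for the Mimail.C mail; tolerant of case,
# surrounding whitespace and any number of trailing question marks.
SUBJECT_PATTERN = re.compile(r"^\s*our private photos\s*\?*\s*$", re.IGNORECASE)


def scan_tree(root):
    """Walk root and return the full paths whose file name is an indicator."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in FILE_INDICATORS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def scan_names(root):
    """Same scan, but report only the matched file names (handy for reports)."""
    return [os.path.basename(p) for p in scan_tree(root)]


def is_suspect_subject(subject):
    """True when a mail subject matches the pattern the article describes."""
    return bool(SUBJECT_PATTERN.match(subject))


def suspect_subjects(messages):
    """Filter a list of {'from': ..., 'subject': ...} dicts down to suspect subjects."""
    return [m["subject"] for m in messages if is_suspect_subject(m.get("subject", ""))]


def try_remove(path):
    """Attempt to delete a flagged file and report what happened.

    'locked' is the "Access is denied ... may be in use" case seen on c11:
    on Windows a running executable cannot be deleted, so the file has to be
    removed offline (safe mode, as the diary did) or the process stopped first.
    """
    try:
        os.remove(path)
    except PermissionError:
        return "locked"
    except FileNotFoundError:
        return "missing"
    return "deleted"


def build_sample_tree():
    r"""Create a throwaway tree shaped like the diary's I:\00\02\system32 (constructed)."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    sys32 = Path(root, "00", "02", "system32")
    sys32.mkdir(parents=True)
    (sys32 / "msblast.exe").write_bytes(b"placeholder bytes, not an executable")
    (sys32 / "kernel32.dll").write_bytes(b"placeholder bytes, benign file")
    return root


SAMPLE_MESSAGES = [  # constructed, not real mail
    {"from": "colleague@example.com", "subject": "Our private photos???"},
    {"from": "friend@example.com", "subject": "our private photos ?"},
    {"from": "vendor@example.com", "subject": "Invoice for October"},
]


if __name__ == "__main__":
    root = build_sample_tree()
    print("flagged on disk:", scan_names(root))
    for hit in scan_tree(root):
        print(hit, "->", try_remove(hit))
    print("after removal:", scan_names(root))
    print("suspect mail:", suspect_subjects(SAMPLE_MESSAGES))
```

On the constructed tree nothing holds the placeholder open, so try_remove reports "deleted" and a second scan comes back empty; on a live Windows host a "locked" result is the signal to stop the process or boot to safe mode before deleting, and to rerun the scan afterwards exactly as the diary did with dir.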
310419 -
310420 -
310421 -
310422 -
310423 -
310424 -
310425 -
3105 -

SUBJECTS
Develop Work Plan to Detect Recover and Prevent Future Problems
Work Plan Virus Recovery Protection Work Plan
Virus Protection Firewall Hardware Software

340501 -  ..
340502 - Work Plan to Recover from Virus and Prevent Future Problems
340503 -
340504 - Follow up ref SDS 7 N96G.
340505 -
340506 - We have taken some initial steps to detect and recover from access and
340507 - harm caused by virus software.  Identify a methodical process to treat
340508 - each computer comprehensively, and take steps to prevent future
340509 - problems.
340511 -  ..
340512 - This is a classic problem of getting the cat, the fox and the chicken
340513 - across the river.
340514 -
340515 -    1.  McAfee virus protection on c13 to find and remove virus.
340516 -        ref SDS 7 0125
340517 -
340518 -            Did this. ref SDS 7 UO5K
340520 -         ..
340521 -    2.  Software to correct problems, downloaded from Microsoft.
340522 -        ref SDS 7 235K
340523 -
340524 -            Did this. ref SDS 7 AN3F
340526 -         ..
340527 -    3.  Set TCP/IP filtering to block access to Ports on c13.
340528 -        ref SDS 7 IQ6R
340529 -
340530 -            Did this, as alternative to installing firewall, but it
340531 -            turned out to cause new problems by preventing normal
340532 -            access to the Internet, so restored original configuration.
340533 -            ref SDS 7 5U6K
340535 -         ..
340536 -    4.  Firewall hardware network Internet router. ref SDS 7 595N
340537 -
340538 -        Since modifying TCP/IP failed, per above, ref SDS 7 FL5F, need
340539 -        this alternate method for blocking access by virus software to
340540 -        the computer via the Internet.
340541 -
340542 -            [On 030814 installed firewall router to protect c11, c12
340543 -            and c13.
340545 -         ..
340546 -    5.  Transfer ops temporarily from c11 back to c13, because c13 now
340547 -        seems clean, per above. ref SDS 7 AN3F
340548 -
340549 -            Did this.
340551 -         ..
340552 -    6.  Disconnect network from c11 to c12 and to c13, since
340553 -        msblast.exe is reported to transfer itself across networks.
340554 -        ref SDS 7 0078
340555 -
340556 -            Did this.  Simply unplug power to the network hub.
340558 -         ..
340559 -    7.  Update SDS on C12.
340560 -
340561 -            Did this.
340563 -         ..
340564 -    8.  Delete msblast.exe from c11
340565 -
340566 -            Tried MS Windows file management, and this failed on c13.
340567 -            ref SDS 7 HN8R
340569 -             ..
340570 -            Was able to delete virus file using Windows safe mode, per
340571 -            above. ref SDS 7 M346
340573 -         ..
340574 -    9.  McAfee update license on c11 and update virus definitions
340575 -
340576 -            [On 030813 did this step. ref SDS 8 0001
340578 -         ..
340579 -   10.  McAfee run on c11 to verify virus successfully deleted as a
340580 -        backup to step 4. ref SDS 7 C67S
340581 -
340582 -            After updating McAfee, did this.
340584 -         ..
340585 -   11.  Microsoft software correction on c11, as was done on c13, per
340586 -        above. ref SDS 7 AN3F and under Recovery. ref SDS 7 0125
340587 -
340588 -            After running McAfee and verifying c11 is clean, connected
340589 -            to Microsoft and downloaded software correction.
340591 -         ..
340592 -   12.  McAfee update license on c12 and update virus definitions
340593 -
340594 -            Had to update NTS Enternet 300 with current account
340595 -            status.
340596 -
340597 -            Cannot connect to the McAfee network to update virus
340598 -            definitions because getting another report HTTP Server
340599 -            Busy. ref SDS 7 6V6G
340600 -
340602 -             ..
340603 -            McAfee Online Purchase Update Virus Definitions Failed C12
340604 -
340605 -            Follow up ref SDS 7 FP6K.
340606 -
340607 -            Finally got DSL working on c12, and was able to make some
340608 -            progress on updating the McAfee software.  Have so far been
340609 -            unable to update McAfee virus definitions on c12 because
340610 -            when this task is selected, the McAfee on-line software for
340611 -            purchasing a program update executes an endless loop.  It
340612 -            brings up a "Purchase" screen, which is the same that was
340613 -            done successfully with c11, per above. ref SDS 7 NL5N
340614 -            However, when "Purchase" is selected to complete the
340615 -            transaction there is some flashing as though something is
340616 -            being attempted, then the original screen returns saying it
340617 -            is time to update the software.  For some reason, the
340618 -            purchase transaction never occurs.
340619 -
340620 -                [On 030813 same problem prevented purchasing an upgrade
340621 -                for McAfee on c12. ref SDS 8 545G
340623 -                 ..
340624 -                [On 030814 called McAfee technical support and was
340625 -                connected to a 900 number, but the engineer could not
340626 -                solve the problem. ref SDS 11 0001
340628 -                 ..
340629 -                [On 030919 was able to complete purchase transaction of
340630 -                McAfee software online. ref SDS 10 0001
340631 -
340633 -         ..
340634 -   13.  McAfee run on c12 to verify virus clean system as a backup to
340635 -        investigation reported above. ref SDS 7 5M9O
340636 -
340637 -            Was ultimately able to run McAfee on c12 across the
340638 -            network from c11, where McAfee was updated.
340639 -
340640 -               [On 030822 McAfee on c11 would not recognize c12, even
340641 -               though c11 was recognizing c12 on the network.  Was able
340642 -               to run McAfee code on c11 across the network from c12 in
340643 -               order to scan for virus problems on c12. ref SDS 13 E147
340645 -         ..
340646 -   14.  Microsoft software correction on c12, as was done on c13, per
340647 -        above. ref SDS 7 AN3F
340648 -
340649 -           Did this.
340651 -         ..
340652 -   15.  Transfer ops to c11 again in order to replace w2k on c13.
340654 -         ..
340655 -   16.  Install w2k clean on c13.
340656 -
340657 -        This is a two day job.
340659 -         ..
340660 -   17.  Upgrade all software on c13.
340662 -         ..
340663 -   18.  Transfer ops from c11 back to c13.
340665 -         ..
340666 -   19.  Upgrade w2k on c11.
340668 -         ..
340669 -   20.  Upgrade w2k on c12.
340670 -
340671 -
340672 -
340673 -
340674 -
340675 -
340676 -
340677 -
340678 -
340679 -
340680 -
3407 -