Speak of the Devil... Here I am, bravely going forth to complete my task (see what happens when you download a trial program from a reputable site like downloads.com, only to find that when you try and use it, the only thing it will say is "trial period expired"?)
Anyway, I was also hoping to run into that nasty rar again *combative look*
I look to my results, and find PC Surgeon Crack, an exe, 263kb. However, it contains a lovely little worm called W32.Tibick.
From Symantec:
W32.Tibick is a worm that propagates through file-sharing networks. This worm also connects to an IRC channel and listens for messages from the attacker.
Also Known As: Worm.P2P.Tibick [Kaspersky]
Type: Worm
Infection Length: 12,820, vary
When W32.Tibick executes, it does the following:
Copies itself as %System%\svcnet.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the value:
"System Restore" = "svcnet.exe" to one of these registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
Creates a folder named %Windir%\msview and copies itself as multiple file names (here they name all sorts of files one might find at a file sharing site).
Modifies the settings of various file-sharing applications, if present, to use the newly created folder as the default sharing folder. This applies to the following applications:
Kazaa
iMesh
Morpheus
wareo
eMule
DC++
The worm may also update itself when a new version is available.
This seemed familiar, so I looked at my incomplete dl's - it was the file responsible for the W32.Tibick I mentioned in my 1st posting! Here it is, just lurking & waiting for another victim!
I blocked the sender, 208.191.143.130. In 2 days' time, even the densest of people would have noticed the changes (mentioned above), in their system. Several of the anti-malware, antivirus pgms I used were free ones on the web. There really is no excuse for ignorance in this matter!
I don't understand deliberate, casual cruelty, especially to those who you have never even met. Is there any other way a worm-bearing file could still be around 2 days later, unless it's deliberate?
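
A check for the autorun indicator in the Symantec description quoted above, added here as an example and not part of the original post: it parses `reg query` output for the two Run keys and flags entries that launch svcnet.exe. The function names and the sample output are constructed for illustration, and flagging a differently named value for review is an assumption, not something the write-up states.

```python
import ntpath
import re

# Indicators from the Symantec description quoted in the post.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
VALUE_NAME = "system restore"
IMAGE_NAME = "svcnet.exe"

# `reg query` prints values as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
# Names may contain single spaces ("System Restore"), so anchor on the type.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")

def image_basename(data):
    """Lower-cased .exe file name from Run data (quoted, full path or bare)."""
    m = re.match(r'\s*"?(.+?\.exe)\b', data, re.I)
    return ntpath.basename(m.group(1)).lower() if m else ""

def find_tibick_autoruns(reg_query_output):
    """Return (key, value name, data, name_matches) for Run entries launching svcnet.exe."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or key.lower() not in RUN_KEYS:
            continue
        if image_basename(m["data"]) == IMAGE_NAME:
            # Assumption: a renamed value that still launches svcnet.exe is worth review.
            name_matches = m["name"].strip().lower() == VALUE_NAME
            findings.append((key, m["name"], m["data"], name_matches))
    return findings

# Constructed sample of `reg query` output for both Run keys (not real data).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    System Restore    REG_SZ    svcnet.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Program Files\Updater\update.exe" /background
    Sys Restore    REG_SZ    C:\WINDOWS\System32\SVCNET.EXE
"""

if __name__ == "__main__":
    for key, name, data, exact in find_tibick_autoruns(SAMPLE):
        print(("MATCH  " if exact else "REVIEW ") + f"{key} :: {name} = {data}")
```

On a live machine the input would be the saved output of `reg query` for each of the two Run keys.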