WARNING and RECOMMENDATION re: Kama Sutra Worm

Discussion in 'Computer Security' started by Jim Byrd, Feb 2, 2006.

  1. Jim Byrd

    Jim Byrd Guest

    There is currently in the wild a particularly destructive worm called by
    variety of names but most commonly know as the "Kama Sutra" worm which has a
    payload scheduled to be activated tomorrow, Feb 3rd.

    The following is courtesy of a special edition of the www.spywareinfo.com
    newsletter. See following this for some additional recommendations:

    <Newsletter Extract>
    Special Edition

    The Kama Sutra worm, which has numerous aliases, is set to deliver its first
    destructive payload TOMORROW (February 3). This worm is believed to have
    infected anywhere from 200,000 to 700,000 computers worldwide.

    The worm is programmed to destroy numerous antivirus program files and
    Microsoft Office document files, thirty minutes after an infected machine is
    powered up, on the third day of each month.

    Microsoft has included detection for this worm in its Malicious Software
    Removal Tool. However, Microsoft is withholding that update from all but
    paying members of their "Windows Live Safety" and "OneCare" beta services.
    Microsoft refuses to release the update to the general public, before their
    regularly scheduled general update, on February 14th. I will have plenty to
    say about that in tomorrow's newsletter, believe me.

    Whether you believe that you are infected or not, you should take
    precautionary steps now, just in case. Any documents created by Microsoft
    Office as well as .rar and .zip archives should be backed up and stored on
    separate, removable storage, such as a CD or DVD. Files and documents of
    this type will be corrupted beyond repair on infected machines.

    Symantec has released a free tool that will remove the virus. Download the
    tool and run it, even if you are certain that you are not infected. It is a
    very small file and you have nothing to lose by running it. You don't want
    to be wrong and lose your boss's spreadsheets, now do you?
    http://securityresponse.symantec.com/avcenter/venc/data/

    If you already have an antivirus program, make certain it is updated and run
    a full scan of your computer.
    </Newsletter Extract>



    I would recommend that you run this Removal Tool from a "Clean Boot". Below
    are directions for this from my Blog, Defending Your Machine, addy below in
    my Signature. (Note that this tool may take quite a long time to run, and
    that it should be rerun immediately BEFORE the third day of each month in
    the future using a new, fresh download of the Removal Tool each time.):


    <Blog Extract>
    #########IMPORTANT#########

    Show hidden files and run all of the following removal tools from Safe mode
    or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
    running these tools, be sure to clear all Temp files and your Temporary
    Internet Files (TIF) (including offline content.) Reboot and test if the
    malware is fixed after using each tool.

    HOW TO Enable Hidden Files
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

    Clean Boot - General Win2k/XP procedure, but see below for links for other
    OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
    http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):

    1. StartRun enter msconfig.

    2. On the General tab, click Selective Startup, and then clear the 'Process
    System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
    boxes. Leave the 'boot.ini' boxes however they are currently set.

    3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
    and then click the "Disable All" button. If you use a third party firewall
    then re-check (enable) it. For example, if you use Zone Alarm, re-check the
    True Vector Internet Monitor service (and you may also want to re-check
    (enable) the zlclient on the Startup tab.) Equivalent services exist for
    other third party firewalls. An alternative to this for XP users is to
    enable at this time the XP native firewall (Internet Connection Firewall -
    ICF). Be sure to turn it back off when you re-enable your non-MS services
    and Startup tab programs and restore your normal msconfig configuration
    after cleaning your machine.

    4. Click OK and then reboot.

    For additional information about how to clean boot your operating system,
    click the following article links to view the articles in the Microsoft
    Knowledge Base:

    310353 How to Perform a Clean Boot in Windows XP
    http://support.microsoft.com/kb/310353
    281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
    http://support.microsoft.com/kb/281770/EN-US/
    267288 How to Perform a Clean Boot in Windows Millennium Edition
    http://support.microsoft.com/kb/267288/EN-US/
    192926 How to Perform Clean-Boot Troubleshooting for Windows 98
    http://support.microsoft.com/kb/192926/EN-US/
    243039 How to Perform a Clean Boot in Windows 95
    http://support.microsoft.com/kb/243039/EN-US/
    #########IMPORTANT#########
    </Blog Extract>


    --
    Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
    My Blog, Defending Your Machine, here:
    http://DefendingYourMachine.blogspot.com/
     
    Jim Byrd, Feb 2, 2006
    #1
    1. Advertising

  2. Jim Byrd

    rehsifttam Guest

    Re: WARNING and RECOMMENDATION re: Kama Sutra Worm

    Thanks Jim that sould help everyone out!
     
    rehsifttam, Feb 2, 2006
    #2
    1. Advertising

  3. On that special day, Jim Byrd, () said...

    > There is currently in the wild a particularly destructive worm called by
    > variety of names but most commonly know as the "Kama Sutra" worm which has a
    > payload scheduled to be activated tomorrow, Feb 3rd.


    For instance Blackmal, Nyxem.E, MyWife, and a couple more. Read
    Is everyone ready for Blackworm? (Feb 3)

    and see that your message is BY NO MEANS new.


    Gabriele Neukam




    --
    Ah, Information. A property, too valuable these days, to give it away,
    just so, at no cost.
     
    Gabriele Neukam, Feb 2, 2006
    #3
  4. Jim Byrd

    Todd H. Guest

    isc.sans.org has among its recommendations a simple batch file to
    take a look for things:

    @echo off
    dir /b %WinDir%\system\\Winzip.exe >> %username%_%computername%.rgh
    dir /b %WinDir%\system\Update.exe >> %username%_%computername%.rgh
    dir /b %WinDir%\system\scanregw.exe >> %username%_%computername%.rgh
    dir /b %WinDir%\Rundll16.exe >> %username%_%computername%.rgh
    dir /b %WinDir%\winzip_tmp.exe >> %username%_%computername%.rgh
    dir /b c:\winzip_tmp.exe >> %username%_%computername%.rgh
    dir /b "%Temp%\word.zip .exe" >> %username%_%computername%.rgh



    Drop that into a text file ending in .bat and run it from a command prompt. If all is happy, you should see a bunch of file not found messages, supposedly. I'm not sure if it's fool proof though.




    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Feb 2, 2006
    #4
  5. Jim Byrd

    Todd H. Guest

    Gabriele Neukam <> writes:

    > On that special day, Jim Byrd, () said...
    >
    > > There is currently in the wild a particularly destructive worm called by
    > > variety of names but most commonly know as the "Kama Sutra" worm which has a
    > > payload scheduled to be activated tomorrow, Feb 3rd.

    >
    > For instance Blackmal, Nyxem.E, MyWife, and a couple more. Read
    > Is everyone ready for Blackworm? (Feb 3)
    >
    > and see that your message is BY NO MEANS new.


    No, his message is not new, but it is timely since the activation hour
    is fast approaching (and past in many parts of the world).

    Jim, thanks for the reminder.

    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Feb 2, 2006
    #5
  6. Jim Byrd

    Virus Guy Guest

    "Todd H." wrote:

    > isc.sans.org has among its recommendations a simple batch file


    Wouldn't it just be simpler to do a file-find for one or two of these
    files?

    Like maybe Rundll16.exe or winzip_tmp.exe ?

    And scanregw.exe is a legit file (but not necessarily located in the
    \system directory)

    Do ALL of those files have to be present in order to have a
    fully-functional infection?

    Or is it just a single file that goes by those various names?

    What about an alternative, like Start->Run->msconfig->startup and then
    look for a run reference to any of those files?
     
    Virus Guy, Feb 2, 2006
    #6
  7. Jim Byrd

    Harold Guest

    Gabriele Neukam wrote:
    > On that special day, Jim Byrd, () said...
    >
    >
    >>There is currently in the wild a particularly destructive worm called by
    >>variety of names but most commonly know as the "Kama Sutra" worm which has a
    >>payload scheduled to be activated tomorrow, Feb 3rd.

    >
    >
    > For instance Blackmal, Nyxem.E, MyWife, and a couple more. Read
    > Is everyone ready for Blackworm? (Feb 3)
    >
    > and see that your message is BY NO MEANS new.


    I, for one, was well aware of the worm. But the links were BY ALL MEANS
    new to me :)

    Thanks for your useful post, Jim.

    --
    Harold
     
    Harold, Feb 2, 2006
    #7
  8. Jim Byrd

    Todd H. Guest

    Virus Guy <> writes:

    > "Todd H." wrote:
    >
    > > isc.sans.org has among its recommendations a simple batch file

    >
    > Wouldn't it just be simpler to do a file-find for one or two of these
    > files?
    >
    > Like maybe Rundll16.exe or winzip_tmp.exe ?
    >
    > And scanregw.exe is a legit file (but not necessarily located in the
    > \system directory)
    >
    > Do ALL of those files have to be present in order to have a
    > fully-functional infection?
    >
    > Or is it just a single file that goes by those various names?
    >
    > What about an alternative, like Start->Run->msconfig->startup and then
    > look for a run reference to any of those files?


    As I understand it, worry if any of those batch file tests comes back
    positive.

    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Feb 2, 2006
    #8
  9. Jim Byrd

    nt4-ever Guest

    Re: WARNING and RECOMMENDATION re: Kama Sutra Worm

    saw on news:
    "Blackworm, Blackmal, Nyxem, Kama Sutra - whatever you call it, this
    worm will attack this Friday, February 3rd"

    from:
    http://securityresponse.symantec.com/avcenter/venc/data/
    "W32.Blackmal@mm Removal Tool"
    "Important: You must have administrative rights to run this tool on
    Windows NT 4.0, Windows 2000, or Windows XP."

    so assume by above, its Ok for NT-4 ??
    has anyone tried it on NT-4 ??
     
    nt4-ever, Feb 2, 2006
    #9
  10. Jim Byrd

    Jim Byrd Guest

    To all that have commented, YW. :) Glad you've found it useful (at least
    those that have.)

    --
    Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
    My Blog, Defending Your Machine, here:
    http://DefendingYourMachine.blogspot.com/



    "Harold" <> wrote in message
    news:43e2700b$0$6998$
    > Gabriele Neukam wrote:
    >> On that special day, Jim Byrd, () said...
    >>
    >>
    >>> There is currently in the wild a particularly destructive worm called by
    >>> variety of names but most commonly know as the "Kama Sutra" worm which

    has a
    >>> payload scheduled to be activated tomorrow, Feb 3rd.

    >>
    >>
    >> For instance Blackmal, Nyxem.E, MyWife, and a couple more. Read
    >> Is everyone ready for Blackworm? (Feb 3)
    >>
    >> and see that your message is BY NO MEANS new.

    >
    > I, for one, was well aware of the worm. But the links were BY ALL MEANS
    > new to me :)
    >
    > Thanks for your useful post, Jim.
     
    Jim Byrd, Feb 2, 2006
    #10
  11. Jim Byrd

    Echy Guest

    Jim Byrd wrote:
    > There is currently in the wild a particularly destructive worm called by
    > variety of names but most commonly know as the "Kama Sutra" worm which has a
    > payload scheduled to be activated tomorrow, Feb 3rd.
    >
    > The following is courtesy of a special edition of the www.spywareinfo.com
    > newsletter. See following this for some additional recommendations:
    >
    > <Newsletter Extract>
    > Special Edition
    >
    > The Kama Sutra worm, which has numerous aliases, is set to deliver its first
    > destructive payload TOMORROW (February 3). This worm is believed to have
    > infected anywhere from 200,000 to 700,000 computers worldwide.
    >
    > The worm is programmed to destroy numerous antivirus program files and
    > Microsoft Office document files, thirty minutes after an infected machine is
    > powered up, on the third day of each month.
    >
    > Microsoft has included detection for this worm in its Malicious Software
    > Removal Tool. However, Microsoft is withholding that update from all but
    > paying members of their "Windows Live Safety" and "OneCare" beta services.
    > Microsoft refuses to release the update to the general public, before their
    > regularly scheduled general update, on February 14th. I will have plenty to
    > say about that in tomorrow's newsletter, believe me.
    >
    > Whether you believe that you are infected or not, you should take
    > precautionary steps now, just in case. Any documents created by Microsoft
    > Office as well as .rar and .zip archives should be backed up and stored on
    > separate, removable storage, such as a CD or DVD. Files and documents of
    > this type will be corrupted beyond repair on infected machines.
    >
    > Symantec has released a free tool that will remove the virus. Download the
    > tool and run it, even if you are certain that you are not infected. It is a
    > very small file and you have nothing to lose by running it. You don't want
    > to be wrong and lose your boss's spreadsheets, now do you?
    > http://securityresponse.symantec.com/avcenter/venc/data/
    >
    > If you already have an antivirus program, make certain it is updated and run
    > a full scan of your computer.
    > </Newsletter Extract>
    >
    >
    >
    > I would recommend that you run this Removal Tool from a "Clean Boot". Below
    > are directions for this from my Blog, Defending Your Machine, addy below in
    > my Signature. (Note that this tool may take quite a long time to run, and
    > that it should be rerun immediately BEFORE the third day of each month in
    > the future using a new, fresh download of the Removal Tool each time.):
    >
    >
    > <Blog Extract>
    > #########IMPORTANT#########
    >
    > Show hidden files and run all of the following removal tools from Safe mode
    > or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
    > running these tools, be sure to clear all Temp files and your Temporary
    > Internet Files (TIF) (including offline content.) Reboot and test if the
    > malware is fixed after using each tool.
    >
    > HOW TO Enable Hidden Files
    > http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
    >
    > Clean Boot - General Win2k/XP procedure, but see below for links for other
    > OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
    > http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):
    >
    > 1. StartRun enter msconfig.
    >
    > 2. On the General tab, click Selective Startup, and then clear the 'Process
    > System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
    > boxes. Leave the 'boot.ini' boxes however they are currently set.
    >
    > 3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
    > and then click the "Disable All" button. If you use a third party firewall
    > then re-check (enable) it. For example, if you use Zone Alarm, re-check the
    > True Vector Internet Monitor service (and you may also want to re-check
    > (enable) the zlclient on the Startup tab.) Equivalent services exist for
    > other third party firewalls. An alternative to this for XP users is to
    > enable at this time the XP native firewall (Internet Connection Firewall -
    > ICF). Be sure to turn it back off when you re-enable your non-MS services
    > and Startup tab programs and restore your normal msconfig configuration
    > after cleaning your machine.
    >
    > 4. Click OK and then reboot.
    >
    > For additional information about how to clean boot your operating system,
    > click the following article links to view the articles in the Microsoft
    > Knowledge Base:
    >
    > 310353 How to Perform a Clean Boot in Windows XP
    > http://support.microsoft.com/kb/310353
    > 281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
    > http://support.microsoft.com/kb/281770/EN-US/
    > 267288 How to Perform a Clean Boot in Windows Millennium Edition
    > http://support.microsoft.com/kb/267288/EN-US/
    > 192926 How to Perform Clean-Boot Troubleshooting for Windows 98
    > http://support.microsoft.com/kb/192926/EN-US/
    > 243039 How to Perform a Clean Boot in Windows 95
    > http://support.microsoft.com/kb/243039/EN-US/
    > #########IMPORTANT#########
    > </Blog Extract>
    >
    >


    Would like to add my thanks to those already given. Much appreciated.

    Echy
    Melbourne Australia
    About Melbourne: www.thatsmelbourne.com.au
    About Commonwealth Games Melbourne: www.melbourne2006.com.au
     
    Echy, Feb 2, 2006
    #11
  12. Jim Byrd

    Jim Byrd Guest

    Jim Byrd, Feb 2, 2006
    #12
  13. Jim Byrd

    Mike Jones Guest

    "Todd H." <> wrote in message
    news:...
    >
    > isc.sans.org has among its recommendations a simple batch file to
    > take a look for things:
    >
    > @echo off
    > dir /b %WinDir%\system\\Winzip.exe >> %username%_%computername%.rgh

    It should be just the one backslash there
    > dir /b %WinDir%\system\Update.exe >> %username%_%computername%.rgh
    > dir /b %WinDir%\system\scanregw.exe >> %username%_%computername%.rgh
    > dir /b %WinDir%\Rundll16.exe >> %username%_%computername%.rgh
    > dir /b %WinDir%\winzip_tmp.exe >> %username%_%computername%.rgh
    > dir /b c:\winzip_tmp.exe >> %username%_%computername%.rgh
    > dir /b "%Temp%\word.zip .exe" >>

    %username%_%computername%.rgh
    >
    >
    >
    > Drop that into a text file ending in .bat and run it from a command

    prompt. If all is happy, you should see a bunch of file not found messages,
    supposedly. I'm not sure if it's fool proof though.
    >

    I think you should get a zero length file called
    %username%_%computername%.rgh in the folder you ran it from.
    I did! (W98 here, so my file was just_.rgh)
     
    Mike Jones, Feb 2, 2006
    #13
  14. Jim Byrd

    Earlybird Guest

    Re: WARNING and RECOMMENDATION re: Kama Sutra Worm

    Is the Kama Sutra worm related to W32.Blackmal.E? Norton antivirus
    tells me I have it. The tool sometimes cleans it but it reappears every
    time I reboot. I follow all instructions to a T. Same with NOD32 which
    calls it Win32/VB.NEI.
    Here is a story on it. http://isc.sans.org/diary.php?storyid=1067

    Here is a link from that story on how to remove it manually.
    http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32/Mywife.E@mm

    I wasn't worried about damage until I read to story today about Kama
    Sutra. I have been getting by using my computer in safe mode. Looks
    like the clock is ticking. Can I change my PC clock to stop the launch?
     
    Earlybird, Feb 2, 2006
    #14
  15. Jim Byrd

    Virus Guy Guest

    Re: WARNING and RECOMMENDATION re: Kama Sutra Worm

    Earlybird wrote:

    > Norton antivirus tells me I have it.


    U R Toast.

    Click this link and run it:

    http://securityresponse.symantec.com/avcenter/FixBmalE.exe

    If that doesn't work, and you're NOT running Windows 98, then remove
    your hard drive and connected it as a slave to a second computer that
    you trust. With the infected drive connected to a working and trusted
    (and non-infected) computer, you should be able to use any competent
    AV software to clean the infected drive.

    If you want to manually inspect and de-contaminate the infected drive,
    use this as a guide:

    http://securityresponse.symantec.com/avcenter/venc/data/

    Look for files with one of these names:

    %Windir%\Rundll16.exe
    %System%\WINZIP_TMP.EXE
    %System%\SAMPLE.ZIP
    %System%\New WinZip File.exe
    movies.exe
    Zipped Files.exe

    You will have one of the above, as well as one of these:

    %System%\scanregw.exe
    %System%\Winzip.exe
    %System%\Update.exe

    %Windir% is a variable that refers to the Windows installation folder.
    By default, this is C:\Windows or C:\Winnt.

    %System% is a variable that refers to the System folder. By default
    this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32
    (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    In your case, if you have slaved the drive to a second computer, the
    infected drive will be D: so replace C: with D: in the above.

    If you are running Windows 98, simply re-start the computer in MS-DOS
    mode and look for the above-mentioned files and delete them (or rename
    them). Note that there is legit version of scanregw.exe but it should
    be located in the %Windir and not the %System directory.
     
    Virus Guy, Feb 2, 2006
    #15
  16. Jim Byrd

    Todd H. Guest

    Re: WARNING and RECOMMENDATION re: Kama Sutra Worm

    "Earlybird" <> writes:

    > Is the Kama Sutra worm related to W32.Blackmal.E? Norton antivirus
    > tells me I have it. The tool sometimes cleans it but it reappears every
    > time I reboot. I follow all instructions to a T. Same with NOD32 which
    > calls it Win32/VB.NEI.
    > Here is a story on it. http://isc.sans.org/diary.php?storyid=1067
    >
    > Here is a link from that story on how to remove it manually.
    > http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32/Mywife.E@mm
    >
    > I wasn't worried about damage until I read to story today about Kama
    > Sutra. I have been getting by using my computer in safe mode. Looks
    > like the clock is ticking. Can I change my PC clock to stop the
    > launch?


    Yes. Do it now. And get it cleaned up and get your data backed up.


    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Feb 3, 2006
    #16
  17. Re: WARNING and RECOMMENDATION re: Kama Sutra Worm

    In article <>, says...
    > "Earlybird" <> writes:
    >
    > > Is the Kama Sutra worm related to W32.Blackmal.E? Norton antivirus
    > > tells me I have it. The tool sometimes cleans it but it reappears every
    > > time I reboot. I follow all instructions to a T. Same with NOD32 which
    > > calls it Win32/VB.NEI.
    > > Here is a story on it. http://isc.sans.org/diary.php?storyid=1067
    > >
    > > Here is a link from that story on how to remove it manually.
    > > http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32/Mywife.E@mm
    > >
    > > I wasn't worried about damage until I read to story today about Kama
    > > Sutra. I have been getting by using my computer in safe mode. Looks
    > > like the clock is ticking. Can I change my PC clock to stop the
    > > launch?

    >
    > Yes. Do it now. And get it cleaned up and get your data backed up.
    >
    >
    >


    I get the following results:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\HP_Owner>@echo off
    dir /b %WinDir%\system\\Winzip.exe >> %username%_%computername%.rgh
    File Not Found
    dir /b %WinDir%\system\Update.exe >> %username%_%computername%.rgh
    File Not Found
    dir /b %WinDir%\system\scanregw.exe >> %username%_%computername%.rgh
    File Not Found
    dir /b %WinDir%\Rundll16.exe >> %username%_%computername%.rgh
    File Not Found
    dir /b %WinDir%\winzip_tmp.exe >> %username%_%computername%.rgh
    File Not Found
    dir /b c:\winzip_tmp.exe >> %username%_%computername%.rgh
    File Not Found
    dir /b "%Temp%\word.zip .exe"
    >> %user

    name%_%computername%.rgh
    File Not Found

    I observe nothing out of order. If anyone notes cause for concern let
    me know. Batten down the hatches and be ready for a viral storm. I saw
    a number of strange HQX attachments in Yahoo Groups earlier. Thus my
    concern. Thanks todd for this file.

    --
    James E. Morrow
    Email to:
     
    James E. Morrow, Feb 3, 2006
    #17
  18. Jim Byrd

    Notan Guest

    Re: WARNING and RECOMMENDATION re: Kama Sutra Worm

    "James E. Morrow" wrote:
    >
    > <snip>
    >
    > C:\Documents and Settings\HP_Owner>@echo off
    > dir /b %WinDir%\system\\Winzip.exe >> %username%_%computername%.rgh
    > File Not Found
    > dir /b %WinDir%\system\Update.exe >> %username%_%computername%.rgh
    > File Not Found
    > dir /b %WinDir%\system\scanregw.exe >> %username%_%computername%.rgh
    > File Not Found
    > dir /b %WinDir%\Rundll16.exe >> %username%_%computername%.rgh
    > File Not Found
    > dir /b %WinDir%\winzip_tmp.exe >> %username%_%computername%.rgh
    > File Not Found
    > dir /b c:\winzip_tmp.exe >> %username%_%computername%.rgh
    > File Not Found
    > dir /b "%Temp%\word.zip .exe"
    > >> %user

    > name%_%computername%.rgh
    > File Not Found


    It's one of the few times where "File Not Found" is a *good* thing! <g>

    Notan
     
    Notan, Feb 3, 2006
    #18
  19. Jim Byrd

    Todd H. Guest

    Re: WARNING and RECOMMENDATION re: Kama Sutra Worm

    James E. Morrow <> writes:
    > I get the following results:
    >
    > Microsoft Windows XP [Version 5.1.2600]
    > (C) Copyright 1985-2001 Microsoft Corp.
    >
    > C:\Documents and Settings\HP_Owner>@echo off
    > dir /b %WinDir%\system\\Winzip.exe >> %username%_%computername%.rgh
    > File Not Found
    > dir /b %WinDir%\system\Update.exe >> %username%_%computername%.rgh
    > File Not Found
    > dir /b %WinDir%\system\scanregw.exe >> %username%_%computername%.rgh
    > File Not Found
    > dir /b %WinDir%\Rundll16.exe >> %username%_%computername%.rgh
    > File Not Found
    > dir /b %WinDir%\winzip_tmp.exe >> %username%_%computername%.rgh
    > File Not Found
    > dir /b c:\winzip_tmp.exe >> %username%_%computername%.rgh
    > File Not Found
    > dir /b "%Temp%\word.zip .exe"
    > >> %user

    > name%_%computername%.rgh
    > File Not Found
    >
    > I observe nothing out of order. If anyone notes cause for concern let
    > me know. Batten down the hatches and be ready for a viral storm. I saw
    > a number of strange HQX attachments in Yahoo Groups earlier. Thus my
    > concern. Thanks todd for this file.


    That all looks groovy.


    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Feb 3, 2006
    #19
  20. Jim Byrd

    Jake Dodd Guest

    "Todd H." <> wrote in message news:...

    > dir /b %WinDir%\system\\Winzip.exe >> %username%_%computername%.rgh


    The double backslash gave me an invalid directory message (Win 98) plus the EV's in the destination filename are non-existent on my
    system.
     
    Jake Dodd, Feb 3, 2006
    #20
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Silverstrand
    Replies:
    0
    Views:
    650
    Silverstrand
    Feb 2, 2006
  2. Lord Shaolin
    Replies:
    6
    Views:
    2,647
    John Tate
    Aug 20, 2003
  3. Imhotep
    Replies:
    4
    Views:
    689
    Edw. Peach
    Jan 30, 2006
  4. Eric T
    Replies:
    6
    Views:
    579
    Eric T
    Aug 26, 2005
  5. Jim Byrd

    WARNING and RECOMMENDATION re: Kama Sutra Worm

    Jim Byrd, Feb 2, 2006, in forum: Computer Support
    Replies:
    19
    Views:
    601
Loading...

Share This Page