Viruses on XJW-central mailing list?

by Bendrr, 6 Replies

  • Bendrr

    I got on the XJW-central email list and for the last few days some of the messages look pretty suspicious.
    I know I'm gonna get a security lecture for this, but I haven't been running any anti-virus. I also don't open the attachments.
    Today, one of the messages had an attached .exe file and .txt file.
    I did look at the .txt file and thought I'd post it to see what some of our more educated members can tell me about it.

    The 2 attachments are "DETLOG.EXE" and "DETLOG.TXT" and I'm including the .txt file in this post:

    [System Detection: 05/15/01 - 11:11:49]
    Parameters "", InfParams "", Flags=01042023
    SDMVer=040a.2222, WinVer=070a040a, Build=04.0a.2222, WinFlags=00003c29
    SkipList=
    DetectList=
    LogCrash: crash log not found or invalid
    LogCrash: crash log invalid
    Estimated number of detection functions = 353
    Checking for: System Bus
    CheckInt86xCrash: int 1a,AX=b101,rc=0
    SetVar: PCIBUS=
    MatchAcpiOemIdRule: ACPI not detected
    MatchAcpiOemIdRule: ACPI not detected
    DetFlags: 40
    Detected: *PNP0C00\0000 = [1] Plug and Play BIOS
    SetVar: PNPBIOS=
    Number of verify functions called = 1
    ConfigMG device: HTREE\RESERVED\0
    ConfigMG device: ROOT\*PNP0C01\0000
    ConfigMG device: skip ForceHWVerify device ROOT\*PNP0C01\0000
    ConfigMG device: ROOT\*PNP0C00\0000
    ConfigMG device: skip ForceHWVerify device ROOT\*PNP0C00\0000
    ConfigMG device: BIOS\*PNP0000\00
    RegAvoidRes: *PNP0000\0000
    IO=20-21(ffff:0:0),a0-a1(ffff:0:0)
    IRQ=2
    ConfigMG device: BIOS\*PNP0200\01
    RegAvoidRes: *PNP0200\0000
    IO=0-f(ffff:0:0),81-83(ffff:0:0),87-87(ffff:0:0),89-8b(ffff:0:0),8f-91(ffff:0:0),c0-df(ffff:0:0)
    DMA=4
    ConfigMG device: BIOS\*PNP0100\02
    RegAvoidRes: *PNP0100\0000
    IO=40-43(ffff:0:0)
    IRQ=0
    ConfigMG device: BIOS\*PNP0B00\03
    RegAvoidRes: *PNP0B00\0000
    IO=70-71(ffff:0:0)
    IRQ=8
    ConfigMG device: BIOS\*PNP0303\04
    RegAvoidRes: *PNP0303\0000
    IO=60-60(ffff:0:0),64-64(ffff:0:0)
    IRQ=1
    ConfigMG device: BIOS\*PNP0800\05
    RegAvoidRes: *PNP0800\0000
    IO=61-61(ffff:0:0)
    ConfigMG device: BIOS\*PNP0C04\06
    RegAvoidRes: *PNP0C04\0000
    IO=f0-ff(ffff:0:0)
    IRQ=13
    ConfigMG device: BIOS\*PNP0C01\07
    RegAvoidRes: *PNP0C01\0000
    Mem=f0000-f3fff(ffffffff:0:2),f4000-f7fff(ffffffff:0:2),f8000-fbfff(ffffffff:0:2),fc000-fffff(ffffffff:0:2),0-9ffff(ffffffff:0:3),fffe0000-ffffffff(ffffffff:0:2),100000-3ffffff(ffffffff:0:3)
    ConfigMG device: BIOS\*PNP0A03\08
    RegAvoidRes: *PNP0A03\0000
    IO=294-297(ffff:0:0),4d0-4d1(ffff:0:0),cf8-cff(ffff:0:0),480-48f(ffff:0:0),4000-403f(ffff:0:0),5000-501f(ffff:0:0)
    ConfigMG device: PCI\IRQHOLDER\60
    ConfigMG device: PCI\IRQHOLDER\60: Status=58000620, Problem=1a
    RegAvoidRes: IRQHOLDER\0000
    IRQ=11
    ConfigMG device: PCI\IRQHOLDER\61
    ConfigMG device: PCI\IRQHOLDER\61: Status=58000620, Problem=16
    ConfigMG device: PCI\IRQHOLDER\62
    ConfigMG device: PCI\IRQHOLDER\62: Status=58000620, Problem=16
    ConfigMG device: PCI\IRQHOLDER\63
    ConfigMG device: PCI\IRQHOLDER\63: Status=58000620, Problem=1a
    RegAvoidRes: IRQHOLDER\0001
    IRQ=10
    ConfigMG device: PCI\VEN_8086&DEV_7180&SUBSYS_00000000&REV_03\BUS_00&DEV_00&FUNC_00
    ConfigMG device: PCI\VEN_8086&DEV_7180&SUBSYS_00000000&REV_03\BUS_00&DEV_00&FUNC_00: Status=8000620, Problem=1a
    RegAvoidRes: VEN_8086&DEV_7180&SUBSYS_00000000&REV_03\0000
    Mem=e8000000-ebffffff(ffffffff:0:5)
    ConfigMG device: PCI\VEN_8086&DEV_7181&SUBSYS_00000000&REV_03\BUS_00&DEV_01&FUNC_00
    RegAvoidRes: VEN_8086&DEV_7181&SUBSYS_00000000&REV_03\0000
    IO=b000-bfff(ffff:ffff:0)
    Mem=e0000000-e7ffffff(ffffffff:0:1)
    ConfigMG device: PCI\VEN_5333&DEV_8A10&SUBSYS_8A101092&REV_04\000800
    ConfigMG device: PCI\VEN_5333&DEV_8A10&SUBSYS_8A101092&REV_04\000800: Status=8000620, Problem=20
    RegAvoidRes: VEN_5333&DEV_8A10&SUBSYS_8A101092&REV_04\0000
    IO=3b0-3bb(3ff:400:0),3c0-3df(3ff:400:0)
    Mem=a0000-affff(ffffffff:0:1),b0000-bffff(ffffffff:0:1),e0000000-e3ffffff(ffffffff:0:1),c0000-c7fff(ffffffff:0:0)
    IRQ=11
    ConfigMG device: PCI\IRQHOLDER\IRQ0B
    ConfigMG device: PCI\IRQHOLDER\IRQ0B: Status=58000620, Problem=1a
    RegAvoidRes: IRQHOLDER\0002
    IRQ=11
    ConfigMG device: PCI\VEN_8086&DEV_7110&SUBSYS_00000000&REV_01\BUS_00&DEV_02&FUNC_00
    ConfigMG device: ISAPNP\READDATAPORT\0
    RegAvoidRes: READDATAPORT\0000
    IO=274-277(ffff:0:0)
    ConfigMG device: ISAPNP\SUP2084\00051202
    ConfigMG device: ISAPNP\SUP2084\00051202: Status=8000620, Problem=1a
    ConfigMG device: ISAPNP\ESS0003_DEV0000\FFFFFFFF
    ConfigMG device: ISAPNP\ESS0003_DEV0000\FFFFFFFF: Status=8000620, Problem=20
    ConfigMG device: ISAPNP\ESS0003_DEV0001\FFFFFFFF
    ConfigMG device: ISAPNP\ESS0003_DEV0001\FFFFFFFF: Status=8000620, Problem=20
    ConfigMG device: ISAPNP\ESS0003_DEV0002\FFFFFFFF
    ConfigMG device: ISAPNP\ESS0003_DEV0002\FFFFFFFF: Status=8000620, Problem=20
    ConfigMG device: PCI\VEN_8086&DEV_7111&SUBSYS_00000000&REV_01\BUS_00&DEV_02&FUNC_01
    ConfigMG device: PCI\VEN_8086&DEV_7111&SUBSYS_00000000&REV_01\BUS_00&DEV_02&FUNC_01: Status=8000620, Problem=1a
    RegAvoidRes: VEN_8086&DEV_7111&SUBSYS_00000000&REV_01\0000
    IO=1f0-1f7(3ff:400:0),3f6-3f6(3ff:400:0),170-177(3ff:400:0),376-376(3ff:400:0),f000-f00f(ffff:ffff:0)
    IRQ=14,15
    ConfigMG device: PCI\VEN_8086&DEV_7112&SUBSYS_00000000&REV_01\BUS_00&DEV_02&FUNC_02
    ConfigMG device: PCI\VEN_8086&DEV_7112&SUBSYS_00000000&REV_01\BUS_00&DEV_02&FUNC_02: Status=8000620, Problem=1f
    RegAvoidRes: VEN_8086&DEV_7112&SUBSYS_00000000&REV_01\0000
    IO=c000-c01f(ffff:ffff:0)
    ConfigMG device: PCI\VEN_8086&DEV_7113&SUBSYS_00000000&REV_01\BUS_00&DEV_02&FUNC_03
    ConfigMG device: PCI\VEN_1092&DEV_6120&SUBSYS_00000000&REV_00\BUS_00&DEV_0D&FUNC_00
    ConfigMG device: PCI\VEN_1092&DEV_6120&SUBSYS_00000000&REV_00\BUS_00&DEV_0D&FUNC_00: Status=8000620, Problem=20
    RegAvoidRes: S3C0101\0000
    IO=c400-c43f(ffff:ffff:0),c800-c807(ffff:ffff:0),cc00-cc03(ffff:ffff:0),d000-d003(ffff:ffff:0),d400-d403(ffff:ffff:0)
    ConfigMG device: BIOS\*PNP0F13\09
    ConfigMG device: BIOS\*PNP0F13\09: Status=8000620, Problem=12
    RegAvoidRes: *PNP0F13\0000
    IRQ=12
    ConfigMG device: BIOS\*PNP0C02\0A
    RegAvoidRes: *PNP0C02\0000
    IO=208-20f(ffff:0:0)
    ConfigMG device: BIOS\*PNP0501\0B
    ConfigMG device: BIOS\*PNP0501\0B: Status=8000620, Problem=20
    RegAvoidRes: *PNP0501\0000
    IO=3f8-3ff(ffff:0:0)
    IRQ=4
    ConfigMG device: BIOS\*PNP0700\0C
    ConfigMG device: BIOS\*PNP0700\0C: Status=18006ea6, Problem=e
    RegAvoidRes: *PNP0700\0000
    IO=3f2-3f5(ffff:0:0)
    IRQ=6
    DMA=2
    ConfigMG device: BIOS\*PNP0400\0D
    ConfigMG device: BIOS\*PNP0400\0D: Status=8000620, Problem=20
    RegAvoidRes: *PNP0400\0000
    IO=378-37f(ffff:0:0)
    IRQ=7
    ConfigMG device: ROOT\*PNP0C05\0000
    ConfigMG device: skip ForceHWVerify device ROOT\*PNP0C05\0000
    ConfigMG device: ROOT\NET\0000
    ConfigMG device: NETWORK\NETBEUI\0000
    ConfigMG device: NETWORK\VREDIR\0000
    ConfigMG device: NETWORK\NWLINK\0000
    ConfigMG device: NETWORK\NWREDIR\0000
    ConfigMG device: NETWORK\VREDIR\0001
    ConfigMG device: NETWORK\MSTCP\0000
    ConfigMG device: NETWORK\VREDIR\0002
    ConfigMG device: ROOT\PROCESSOR_UPDATE\0000
    ConfigMG device: ROOT\SWENUM\0000
    Checking for: System Board
    Detected: *PNP0C01\0000 = [2] System board
    Checking for: Advanced Power Management Support
    Detected: *PNP0C05\0000 = [3] Advanced Power Management support
    VerifyHW: manual device Net\0000: Dial-Up Adapter
    VerifyHW: manual device Processor_Update\0000: Processor support
    VerifyHW: manual device SwEnum\0000: Plug and Play Software Device Enumerator
    Number of verify functions called = 3
    Devices verified: 2

    So just what is this?

    Mike.

  • JeffT

    Looks like a virus to me. If you run your virus scan it will catch it and kill it, or lock it away for you.

  • mustang

    Not necessarily: this may be a diagnostic program. This one looks similar to Norton's old SysInfo type programs. The exe runs and 'dumps' what it finds in a system scan to the text file. The jury is still out, but being paranoid is smart.

    Mustang
    Who has built Motherboards

  • invisible

    Some of the guys in the think tank are suggesting this site to help you with this; the service is free too.

    It's called Ad-aware 5.82

    http://www.lavasoft.de

    FAQ

    http://www.lavasoft.de/faq.html

    Back again in a minute, I'm just going to check something out, will hopefully be back with further information.

    Celtic Mark

  • Bendrr

    bttt

    Thanks.

    I started this thread because the virus(?) is on an ex-JW email list. This list has some good content, but also has some spam and messages of questionable content. There are quite a few HTML messages in which the HTML is carried as an attachment. Now it's getting messages with .exe files, so someone on the list is up to no good.
    I'm going to try and track down who runs it and let them know.

    Next time one of the messages shows up with an attachment I'm going to scan it with Norton and I'll let y'all know the results.
    (Yes I have Norton, I just don't have it run automatically)

    Mike.

  • Quotes

    From the SARC website regarding the KLEZ virus:
    http://www.sarc.com/avcenter/venc/data/w32.klez.h@mm.html

    Releases confidential info: Worm randomly chooses a file from the machine to send along with the worm to recipients. So files with the extensions: ".mp8" or ".txt" or ".htm" or ".html" or ".wab" or ".asp" or ".doc" or ".rtf" or ".xls" or ".jpg" or ".cpp" or ".pas" or ".mpg" or ".mpeg" or ".bak" or ".mp3" or ".pdf" would be attached to e-mail messages along with the viral attachment.
    The file you have shown above, DETLOG.TXT, seems vaguely familiar as the hardware detection log from the installation of software (maybe the installation of Windows).

    In other words, the contents of the file are a red herring, but it is consistent with the KLEZ virus to see a random file attached.

    BTW, SARC has a *FREE* online virus scanner. They also have *FREE* removal tools for certain virii (including KLEZ). http://www.sarc.com/

    ===========================
    For interesting Watchtower Society literature quotes, complete with references but without any editorial, check out: http://Quotes.JehovahsWitnesses.com
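Added example, not from the thread and not any vendor's tool: a small Python triage routine for the pairing the SARC write-up above describes, an executable attachment arriving alongside a randomly chosen document. The sample message is constructed to mirror the DETLOG.EXE/DETLOG.TXT pair from the first post; the decoy extensions are the ones quoted above, while the executable extension list and all addresses are assumptions.

```python
"""Flag mailing-list messages that carry an executable together with a
decoy document, the pattern described for the Klez worm. Added example;
the sample .eml below is constructed, not a captured message."""
import email
from email import policy
from email.message import EmailMessage

# Extensions the SARC write-up says the worm picks its decoy file from.
DECOY_EXTS = {".mp8", ".txt", ".htm", ".html", ".wab", ".asp", ".doc", ".rtf",
              ".xls", ".jpg", ".cpp", ".pas", ".mpg", ".mpeg", ".bak", ".mp3", ".pdf"}
# Executable types that should not show up unannounced on a list (assumed list).
EXEC_EXTS = {".exe", ".scr", ".pif", ".bat", ".com"}


def _ext(name: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def triage(raw: bytes) -> dict:
    """Return attachment names and a verdict for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    execs = [n for n in names if _ext(n) in EXEC_EXTS]
    decoys = [n for n in names if _ext(n) in DECOY_EXTS]
    if execs and decoys:
        verdict = "executable plus decoy document: Klez-style pairing, quarantine"
    elif execs:
        verdict = "executable attachment: do not open, scan first"
    else:
        verdict = "no executable attachment"
    return {"attachments": names, "executables": execs, "decoys": decoys, "verdict": verdict}


def build_sample() -> bytes:
    """Constructed message mirroring the post: DETLOG.EXE alongside DETLOG.TXT."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"      # assumed sender
    m["To"] = "xjw-central@example.invalid"    # assumed list address
    m["Subject"] = "a funny file"
    m.set_content("see attached")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="DETLOG.EXE")
    m.add_attachment("[System Detection: 05/15/01 - 11:11:49]\n", filename="DETLOG.TXT")
    return bytes(m)


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run against a saved .eml instead of the constructed sample by passing the file's bytes to triage().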

  • slipnslidemaster

    Very likely that it's Klez.

    Slipnslidemaster:"One half of the world cannot understand the pleasures of the other."
    - Jane Austen

    UADNA - Unseen Apostate Directorate of North America
