leoh@hardy.hdw.csd.harris.com (Leo Hinds) (03/14/91)
Hopefully I am crying wolf, but the following is what happened to me right now:

1) I downloaded from the cica uploads directory a file called yourway.zip

2) tried to run it from windows, It popped up a dialog box saying something
   about your win.ini file has been modified, and asking where datafiles are
   kept. I did not tell it a location but hit the OK button ... result, UAE.

3) I copied win.ini to the location I had "yourway" as the data location (a
   networked drive) & tried to run it again, this time specifying the complete
   path where yourway was located & hit the ok button, again UAE ... but this
   time windows was also hung.

4) warm-boot pc & reenter win ... looks funny ... try & edit win.ini ...
   contents are gone & replaced with:

   <binary garbage> YourWay Ha Ha Ha! <binary garbage mixed with some
   text strings>

Is this just a fluke or a "windows virus"? ... the YourWay Ha Ha Ha! leads me
to believe the latter ... but I am open to suggestions.

leoh@hdw.csd.harris.com Leo Hinds (305)973-5229
Gfx ... gfx ... :-) whfg orpnhfr V "ebg"grq zl fvtangher svyr lbh guvax V nz n creireg ?!!!!!!? ... znlor arkg gvzr

akm@cs.uoregon.edu (Anant Kartik Mithal) (03/14/91)
In article <2610@travis.csd.harris.com> leoh@hardy.hdw.csd.harris.com (Leo Hinds) writes:
>Hopefully I am crying wolf, but the following is what happened to me right now:
>1) I downloaded from the cica uploads directory a file called yourway.zip
>
>2) tried to run it from windows, It popped up a dialog box saying something
>   about your win.ini file has been modified, and asking where datafiles are
>   kept. I did not tell it a location but hit the OK button ... result, UAE.

Yourway did this for me too. I had extracted it to e:\temp, and gave
it this as a location. I *believe* that it keeps a line in win.ini
indicating where its data files are.

>3) I copied win.ini to the location I had "yourway" as the data location (a
>   networked drive) & tried to run it again, this time specifying the complete
>   path where yourway was located & hit the ok button, again UAE ... but this
>   time windows was also hung.

This seems to imply that you had *two* win.ini files, which doesn't
sound good to me. On the other hand, I know absolutely nothing about
running windows from a network, so this might be a reasonable thing to
do.

>4) warm-boot pc & reenter win ... looks funny ... try & edit win.ini ...
>   contents are gone & replaced with:
>   <binary garbage> YourWay Ha Ha Ha! <binary garbage mixed with some
>   text strings>

If I understand correctly, you had two win.inis. Which one got trashed?

>Is this just a fluke or a "windows virus"? ... the YourWay Ha Ha Ha! leads me
>to believe the latter ... but I am open to suggestions.

I must agree that if I had that sort of thing in my win.ini, I would
agree entirely with you. My win.ini (after playing with Yourway for
about 20 minutes before deleting it) has:

    [YourWay]
    DATA=e:\temp

in it.

I *believe* that yourway is a commercial product, of which this is a
demo version. I think I recall seeing a picture of it in PCWeek or
InfoWorld. I *hope* I am right...

Don't think that virus scanning software runs for windows programs as
yet...

kartik
--
Anant Kartik Mithal                     akm@cs.uoregon.edu
Research Assistant,                     (503)346-4408 (msgs)
Department of Computer Science,         (503)346-3989 (direct)
University of Oregon, Eugene, OR 97403-1202

iqbal@seas.gwu.edu (Iqbal Qazi) (03/14/91)
In article <2610@travis.csd.harris.com> leoh@hardy.hdw.csd.harris.com (Leo Hinds) writes:
>
>
>Hopefully I am crying wolf, but the following is what happened to me right now:
>
>1) I downloaded from the cica uploads directory a file called yourway.zip
>
>2) tried to run it from windows, It popped up a dialog box saying something
>   about your win.ini file has been modified, and asking where datafiles are
>   kept. I did not tell it a location but hit the OK button ... result, UAE.
>
>3) I copied win.ini to the location I had "yourway" as the data location (a
>   networked drive) & tried to run it again, this time specifying the complete
>   path where yourway was located & hit the ok button, again UAE ... but this
>   time windows was also hung.
>
>4) warm-boot pc & reenter win ... looks funny ... try & edit win.ini ...
>   contents are gone & replaced with:
>
>   <binary garbage> YourWay Ha Ha Ha! <binary garbage mixed with some
>   text strings>
>
>
>Is this just a fluke or a "windows virus"? ... the YourWay Ha Ha Ha! leads me
>to believe the latter ... but I am open to suggestions.

I also downloaded yourway.zip from the upload directory, ran it, next
thing I know: UAE. I think, all right, another silly memory problem or
something like that.

After clicking "OK" I notice THERE WERE NO WINDOWS AT ALL ON MY
SCREEN!!!. I.e. I could move my mouse around the screen, but all I
could see was my .bmp on the screen. Screenpeace, Curses, PM Window
were all gone. Doubleclicking on the background (nothing else to click
on :-( ) got me the Task Manager -- a few times. It came up empty. I
tried all sorts of keyboard things (ALT-F4, ALT-SPACE, CTRL-SPACE, etc)
which did nothing.

So I reboot. Fire up windows again, and I GOT NO GROUPS. I get the PM
window (Screenpeace and Curses get loaded normally), the PM window
opens up and is totally empty. All my groups (Games, Util, etc) are
gone. I get out of windows and look at my PROGMAN.INI, and there's all
kinds of garbage. I didn't see any "ha..ha" messages though.

So I rebuild my PROGMAN.INI (after making a dummy group to get the
format right (do YOU know the format?)). Then everything is fine. At
least my *.GRP files were intact.

Note this was happening at 4am and I didn't even think of the virus
possibility until I read the above article.

The moral of this story is: Backup those important WIN files (*.ini,
*.prj maybe), and don't download from the upload directory. I assume
that someone at cica checks these programs??

Iqbal
iqbal@sparko.gwu.edu

leoh@hardy.hdw.csd.harris.com (Leo Hinds) (03/14/91)
In article <2856@sparko.gwu.edu> iqbal@seas.gwu.edu () writes:
>In article <2610@travis.csd.harris.com> leoh@hardy.hdw.csd.harris.com (Leo Hinds) writes:
>>Hopefully I am crying wolf, but the following is what happened to me right now:
>>1) I downloaded from the cica uploads directory a file called yourway.zip
>>   <binary garbage> YourWay Ha Ha Ha! <binary garbage mixed with some
>>   text strings>
>>Is this just a fluke or a "windows virus"? ... the YourWay Ha Ha Ha! leads me
>>to believe the latter ... but I am open to suggestions.
> After clicking "OK" I notice THERE WERE NO WINDOWS AT ALL ON MY
>SCREEN!!!. I.e. I could move my mouse around the screen, but all I
>could see was my .bmp on the screen.

I did a strings on the exe and got an 800 number & called them ... It turns
out that this demo program was targeted before (about 6 months ago) and that
the developer had sent out messages to remove the infected version from
circulation. The developers are going to send me a disk with the clean
copy ... if there is interest, I can upload it to cica when I get it ...

It would appear as though someone saved a copy & is doing it all over again.
I wonder if the people @ cica have any records of who uploaded the file, or at
least the system they FTPed in from ...

leoh@hdw.csd.harris.com Leo Hinds (305)973-5229
Gfx ... gfx ... :-) whfg orpnhfr V "ebg"grq zl fvtangher svyr lbh guvax V nz n creireg ?!!!!!!? ... znlor arkg gvzr

rtdickerson@lescsse.uucp (russel dickerson) (03/14/91)
This sounds like a Trojan. No need to use the *V* word and scare everyone silly.
--
Russell Dickerson       Internet: dickerson@vf.jsc.nasa.gov
Lockheed (LESC), A22    UUCP: lobster!lescsse!rtdickerson
SSE System Project      X Windows & Motif on Apollo/PC/Mac
Space Station Freedom   Phone +1 713 283 5193

leoh@hardy.hdw.csd.harris.com (Leo Hinds) (03/14/91)
In article <1991Mar13.210331.5957@cs.uoregon.edu> akm@cs.uoregon.edu (Anant Kartik Mithal) writes:
>This seems to imply that you had *two* win.ini files, which doesn't
>sound good to me. On the other hand, I know absolutely nothing about
>running windows from a network, so this might be a reasonable thing to
>do.

Not knowing what this program was going to do I copied the win.ini file
(luckily I did !) into the YourWay directory, JUST for the purposes of trying
out the program.

>If I understand correctly, you had two win.inis. Which one got trashed?

The one in the windows directory

>I *believe* that yourway is a commercial product, of which this is a
>demo version. I think I recall seeing a picture of it in PCWeek or
>InfoWorld.

There is a commercial version ($120) and a demo/testdrive version. The demo
version is what did it to me.

leoh@hdw.csd.harris.com Leo Hinds (305)973-5229
Gfx ... gfx ... :-) whfg orpnhfr V "ebg"grq zl fvtangher svyr lbh guvax V nz n creireg ?!!!!!!? ... znlor arkg gvzr

jmorriso@ee.ubc.ca (John Paul Morrison) (03/15/91)
In article <2610@travis.csd.harris.com>, leoh@hardy.hdw.csd.harris.com (Leo Hinds) writes:
>
>
> Hopefully I am crying wolf, but the following is what happened to me right now
>
> 3) I copied win.ini to the location I had "yourway" as the data location (a
>    networked drive) & tried to run it again, this time specifying the complete
>    path where yourway was located & hit the ok button, again UAE ... but this
>    time windows was also hung.
>
> 4) warm-boot pc & reenter win ... looks funny ... try & edit win.ini ...
>    contents are gone & replaced with:
>
>    <binary garbage> YourWay Ha Ha Ha! <binary garbage mixed with some
>    text strings>

I don't think you can rule out a virus, but you also can't rule out
crappy programming!!

I remember a bug ridden program called click (or something) that was
posted to cica, way back last August. I had to hunt around with Norton
Utilities (Bless him!!) to pull out the severely ravaged WIN.INI file.

Lesson: back up WIN.INI and SYSTEM.INI! They are some of the most
important files! A SYSTEM.INI file is a strange, subtle thing that can
take months to evolve into the "perfect setup"

John Paul Morrison
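
Added example, not part of any post in this thread: the backup advice from the posts above (copy the *.ini files aside before running a download, then check them afterwards) written out in Python. The function names, the 5% non-text threshold and the sample file contents are assumptions made for illustration; the threshold is a ratio so that an occasional non-ASCII character in a legitimate INI file is not reported as corruption.

```python
import hashlib, shutil, tempfile
from pathlib import Path

TEXT = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}   # printable ASCII, tab, LF, CR

def looks_binary(data, threshold=0.05):
    """True if more than `threshold` of the bytes are not plain text."""
    return bool(data) and sum(b not in TEXT for b in data) / len(data) > threshold

def snapshot(win_dir, backup_dir):
    """Copy every *.ini (any case) to backup_dir; return {name: sha256}."""
    Path(backup_dir).mkdir(parents=True, exist_ok=True)
    manifest = {}
    for f in sorted(Path(win_dir).iterdir()):
        if f.is_file() and f.suffix.lower() == ".ini":
            shutil.copy2(f, Path(backup_dir) / f.name)
            manifest[f.name] = hashlib.sha256(f.read_bytes()).hexdigest()
    return manifest

def check(win_dir, manifest):   # -> {name: ok | changed | corrupt | missing}
    status = {}
    for name, digest in manifest.items():
        f = Path(win_dir) / name
        data = f.read_bytes() if f.is_file() else None
        if data is None:
            status[name] = "missing"
        elif looks_binary(data):
            status[name] = "corrupt"   # text config overwritten with binary data
        elif hashlib.sha256(data).hexdigest() != digest:
            status[name] = "changed"   # still text: review the diff by hand
        else:
            status[name] = "ok"
    return status

def restore(win_dir, backup_dir, names):
    for name in names:
        shutil.copy2(Path(backup_dir) / name, Path(win_dir) / name)

def demo():
    """Constructed sample files and constructed garbage bytes, not real data."""
    win, bak = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    (win / "WIN.INI").write_bytes(b"[windows]\r\nload=\r\n")
    (win / "PROGMAN.INI").write_bytes(b"[Groups]\r\nGroup1=GAMES.GRP\r\n")
    manifest = snapshot(win, bak)
    (win / "WIN.INI").write_bytes(b"\x00\x9c\xff\x03" * 16 + b"YourWay Ha Ha Ha!")
    (win / "PROGMAN.INI").write_bytes(b"[Groups]\r\nGroup1=UTIL.GRP\r\n")
    before = check(win, manifest)
    restore(win, bak, [n for n, s in before.items() if s == "corrupt"])
    return before, check(win, manifest)
```

Only files classified as corrupt are restored automatically; a file that changed but is still text may carry a legitimate edit (such as a new [YourWay] section) and is left for manual review.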