  #1  
Old 07-15-2003, 06:21 AM
cannonalldex
Sarnak
 
Join Date: Jun 2003
Posts: 88
VIRUS ALERT

Just thought I would mention, I use one computer for my server and only my server, no email etc. You may want to search your hard drive for *.eml files; if you have multiple files with that ext you have been infected. Like I said, I only use this computer for emu related stuff for running server and nothing else. So this virus came from one of the databases, zip files, or whatever program, but definitely related to running a server. Just FYI. Good luck.
  #2  
Old 07-15-2003, 06:29 AM
Merth
Dragon
 
Join Date: May 2003
Location: Seattle, WA
Posts: 609

Need more info. Where did you get your files from? How do you know it's a virus? What led you to believe *.eml files are related to the virus?

I have some serious doubts that the virus is a direct result of EQEMu - unless you got your binaries from an untrustworthy source. Database scripts (*.sql) will NOT contain a virus.
  #3  
Old 07-15-2003, 07:27 AM
burthold
Sarnak
 
Join Date: Apr 2002
Posts: 46

*.eml files are emails to be sent out. It could be any number of viruses and if your server is connected to the network that other machines are on it could be that another machine was infected and spread the *.eml files to your server. Don't throw out virus warnings unless you have proof. It only serves to make others worry without cause.

Wes
  #4  
Old 07-15-2003, 07:47 AM
cannonalldex
Sarnak
 
Join Date: Jun 2003
Posts: 88

to be exact, it's the worm.spybot.gen and the computer that has this is on its own connection and doesn't even have email set up on it. this computer has been used for eqemu purposes ONLY. as far as what files i've used, well

i've used all of the editors, which i don't think any contain spybot gen. because i also used these editors on another computer. i would assume it's in one of the database zips, or somehow transferred through the mysql program. seems that most of the instances of the worm are in the mysql folders. this would lead me to believe it has something to do with either an sql file and/or a zip that contained this virus.

i was simply trying to be a nice guy and let you know about this issue. what kind of "proof" do you want? do a search on your computer, if you don't have it fine, don't worry about it. next time i will keep my issues to myself i guess.
  #5  
Old 07-15-2003, 08:11 AM
dcl
Sarnak
 
Join Date: Jun 2003
Posts: 71

Hmm... that's odd, the W32.Spybot.worm (which I assume is similar since I found nothing about worm.spybot.gen on any antivirus site) is a worm that's spread over Kazaa... Nothing to do with MySQL as far as I can tell. However, it could be a different worm that is relatively unknown.
  #6  
Old 07-15-2003, 08:12 AM
Merth
Dragon
 
Join Date: May 2003
Location: Seattle, WA
Posts: 609

Virus code only makes it onto your machine through an executable of some sort. This rules out database scripts. There are many forms of executables, but if your claim about running strictly the emu and nothing else is fact, one of these is the source of your virus:

zone.exe
world.exe
mysqld-nt.exe
winmysqladmin.exe
(WhateverEmuAdminTool.exe)
(Operating System install)

Tell me where you obtained each and every one of these, and we can pinpoint the source of your virus. If you have downloaded *any* other executables, you'll have to include that on the list of candidates.

I doubt the above listed programs are the only things that do exist or have existed on your machine. For example, you claimed to have been infected with a virus. How do you know this? Did you use a virus scanner? A virus scanner is an executable that can carry a virus, yet it is not in the list above.

Quote:
so this virus came from one of the databases, zip files, or whatever program, but definitely related to running a server
That's a pretty big accusation. Please don't be offended when we take them very seriously.
  #7  
Old 07-15-2003, 08:16 AM
dcl
Sarnak
 
Join Date: Jun 2003
Posts: 71

Scratch what I said earlier.... W32/Spybot.worm.gen is a worm people get using P2P programs.

Check out:

http://vil.mcafee.com/dispVirus.asp?virus_k=100282


Are you sure no one on that machine is using a P2P App?
  #8  
Old 07-15-2003, 08:39 AM
a_Guest03
Demi-God
 
Join Date: Jun 2002
Posts: 1,693

Perhaps the wonderful, ever-present eqfix.zip has a few bugs.

Aside from legal and ethical reasons, this is the other reason not to gank files.
__________________
It's never too late to be something great.
  #9  
Old 07-15-2003, 08:46 AM
cannonalldex
Sarnak
 
Join Date: Jun 2003
Posts: 88

i'm not saying it was any of these for sure, i simply said

Quote:
I use one computer for my server and only my server, no email etc.
Quote:
I only use this computer for emu related stuff for running server and nothing else.
Quote:
so this virus came from one of the databases, zip files, or whatever program, but definitely related to running a server.
no need to get offensive, for all i know someone could have broken into my house and slipped a disk with the virus in my computer and ran it i guess. i didn't mean to cause a big flame cannon here, cause he don't know what he's talking about kinda thing. i've been using computers for 15 years and do have some knowledge of how they work, but i have no clue when it comes to viruses or bugs etc. or coding for all that matter. i just know that

1. I reformatted and installed windows xp approx three weeks ago.
2. I downloaded all the files for running a server.
3. I installed and ran Everquest.
4. I installed and ran eqemu.
5. Installed and ran all the programs associated with a server, was up for three weeks.
6. Downloaded just about every zip file I could find that had to do with making a database.
7. Never used email or even set up email on the computer.

and from what i hear you don't have to actually even open an exe file to infect your computer and executed at boot up. but like i said previous, i have no idea how it works.

and at this point i wouldn't mind one bit if you deleted this whole thread and just forgot about it.

sorry for wasting my time and yours.
  #10  
Old 07-15-2003, 08:48 AM
Merth
Dragon
 
Join Date: May 2003
Location: Seattle, WA
Posts: 609

Quote:
you forgot this part in your "quote"
Check my message again - it's in there. In fact, it's the part that concerned me the most.
  #11  
Old 07-15-2003, 10:02 AM
cannonalldex
Sarnak
 
Join Date: Jun 2003
Posts: 88

interesting, before i would be able to log into this forum without signing in (using cookies i assume). also i went to mcafee website to investigate a little more, i see that apparently something was set in my cookies that is not allowing me to log into mcafee. saying that my account is not activated, please activate account we sent an email to smuckyou@noneofyourbusiness.com. obviously this isn't my email. and not only that, i have no email set up on my computer.
  #12  
Old 07-15-2003, 11:59 AM
BlissBoi
Sarnak
 
Join Date: Jun 2003
Location: Not tellin
Posts: 38
Pfft.

Ok look, If u use kazaa use norton antivirus and spybot ware, it can be safe as anything if u got the right tools... Don't be a f00l!
__________________
Stoners live, stoners die! But in the end they all get high!
Merths/Krushers/Hammer's RULES.
  #13  
Old 07-16-2003, 02:15 AM
DeletedUser
Fire Beetle
 
Join Date: Sep 2002
Posts: 0

I just tested this... I installed windows xp on a duron 600 over the last 16 hours with mysql-4 and the latest eqemu from sourceforge. I then installed Inoculate (From Computer Associates), upgraded it to the latest dat file and scanned every file on the machine. There was no virus on it...
  #14  
Old 07-16-2003, 11:06 AM
cannonalldex
Sarnak
 
Join Date: Jun 2003
Posts: 88

i had someone working on some .qst files for me, they emailed me the files in zip, i loaded the zips on a disk and put them on my computer. i think the zip file got infected and therefore when i put the zip files on my computer it ran the virus. i think i got rid of it, scanned computer and says no viruses. i went and checked my daughter's computer, sure enough there was the source of the virus. readme.exe. oh well. just thought i would let you all know.
  #15  
Old 07-17-2003, 07:00 AM
Glasswalker
Sarnak
 
Join Date: Oct 2002
Posts: 31

Just as a note, I know a fair bit about virii and worms... I am a certified network / computer security specialist.

All of the worms that use the .eml files to carry a java or vbscript based payload can spread many ways...

Two of the most common are through peer to peer protocols, OR through holes in open ports in the OS you run...

If you are running a windows server, that is your problem right there... Windows (all windows OS) come with inherent holes in the windows file sharing system. Win2K and XP both come out of the box with an administration version of file sharing enabled (using null sessions) and such worms exploit this to be able to "deposit" their files on your hard drive. You don't need to run anything, it does not come from any program... Simply having a computer on a lan (or internet) that has windows will make you vulnerable...

Most low end router and firewall boxes block out the open ports... (also in XP you can turn on the internet connection firewall)

Also, update your OS to the latest patches using the automatic update wizard.

These .eml files will autorun whenever windows detects them in a folder that you open... and if they are not poorly written, the scripts will fire off without you even knowing it happened... This is one of the wondrous things about windows security (or lack thereof)

Anyway, just to save the misconception... This virus DID NOT come from the eqemu files... (unless you may have downloaded them from an unreliable source other than this homepage)

It is spread through networking protocols, and the .eml files can only harm a windows machine... These worms are useless against a linux box (they can still eat up valuable bandwidth and cause network slowdown, they just can't "infect" a linux machine...)

I hope that clears things up a bit...

If you want to look into it more, get a firewall of some kind (hardware or software) and then go on the web and look up windows null sessions... and read about how to disable the related exploits...

Also disabling any file and printer sharing on your system helps as well... (or simply setting all shares to read only)

Anywhoo...

Hope that helps.

- Glasswalker
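
Added illustration, not code from any poster in this thread: a defender-side scan that combines the first post's symptom (folders holding multiple *.eml files) with the description above of .eml files carrying script payloads. The extension list, the regex, and the folder and file names are assumptions; the sample messages are constructed and harmless.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

ACTIVE_HTML = re.compile(r"<\s*(script|iframe|object)\b|vbscript:|javascript:", re.I)
RISKY_EXT = (".exe", ".scr", ".pif", ".vbs", ".js", ".bat", ".com")  # assumed list

def inspect_eml(path):
    """Return the reasons a saved message looks like a worm carrier."""
    with open(path, "rb") as fh:
        msg = email.message_from_binary_file(fh, policy=policy.default)
    reasons = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append("executable attachment: " + name)
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            if ACTIVE_HTML.search(raw.decode("latin-1")):
                reasons.append("active content in HTML body")
    return reasons

def scan_tree(root):
    """Report folders with more than one .eml file or any flagged .eml."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        emls = sorted(f for f in files if f.lower().endswith(".eml"))
        flagged = {f: inspect_eml(os.path.join(dirpath, f)) for f in emls}
        flagged = {f: why for f, why in flagged.items() if why}
        if len(emls) > 1 or flagged:
            findings[dirpath] = {"eml_count": len(emls), "flagged": flagged}
    return findings

def build_sample_tree(root):
    """Constructed, harmless sample: one plain message, one carrier-shaped one."""
    folder = os.path.join(root, "mysql_data")  # hypothetical folder name
    os.makedirs(folder)
    note, carrier = EmailMessage(), EmailMessage()
    note.set_content("plain text only")
    carrier.set_content("see attachment")
    carrier.add_alternative("<html><iframe src='cid:x'></iframe></html>", subtype="html")
    carrier.add_attachment(b"placeholder bytes, not a program", maintype="application",
                           subtype="octet-stream", filename="readme.exe")
    for name, msg in (("notes.eml", note), ("sample.eml", carrier)):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(bytes(msg))
    return folder
```

A folder is reported either because it holds several .eml files or because one of them carries active HTML or an executable attachment; the count alone is only a prompt to look closer.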
All times are GMT -4.