Worm.SomeFool.P

Discussion in 'malware problems & news' started by attitude1_3, Jun 19, 2004.

Thread Status:
Not open for further replies.
  1. attitude1_3

    attitude1_3 Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    9
    I am in need of help with this nasty worm. I was notified by my ISP that I have this worm and it is attaching itself to mail. It is locking my PC up and seems to be taking over. I have downloaded the HijackThis program but need help with it. Can you help me contain this worm before it is too late? o_O
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  3. Sandish

    Sandish Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    51
    Just to make things easier - Worm.SomeFool.P is a variant of the Netsky worm. Usually it doesn't attach itself to your mail. It comes with its own SMTP engine. The warning you got doesn't mean you are infected - SomeFool/NetSky fakes the sender address. Try downloading Stinger from McAfee and scan your system after restarting in safe mode.
     
  4. Guset

    Guset Guest

    http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html

    It is a version of Netsky. You can get a removal tool from Symantec by following the above link.

    Morten
     
  5. maurnenstr

    maurnenstr Guest

    I have a message that an e-mail I sent was reported to be: Worm.SomeFool.P. I have an Apple Mac iBook. I have not a clue what to do with this... any suggestions? Thanks.
     
  6. Particle

    Particle Guest

    I too have had a security warning emailed to me saying that I may be infected with this worm. Having run a full system scan with Norton AV, McAfee Stinger and the Symantec Netsky fixer, I've come up with nothing on my computer! I suppose this is good news, but how can this be if someone apparently got it from me?

    Also my FxNetsky scan log says:

    Symantec W32.Netsky FixTool 1.0.11

    C:\System Volume Information: (not scanned)
    E:\System Volume Information: (not scanned)
    W32.Netsky has not been found on your computer.

    Why does it say (not scanned)? Does anyone know?
     
  7. Chief ADFP

    Chief ADFP Registered Member

    Joined:
    May 11, 2004
    Posts:
    37
    Location:
    U.S.A Fla
    -----Original Message-----
    From: postmaster@kadik******.com.tr [mailto:postmaster@kadikoyh********.com.tr]
    Sent: Tuesday, August 24, 2004 2:55 AM
    To: chiefadf@s*******.net
    Subject: virus found in sent message "Re: text"

    Attention: chiefadf@so*********.net

    A virus was found in an Email message you sent.
    This Email scanner intercepted it and stopped the entire message
    reaching its destination.
    The virus was reported to be:
    Worm.SomeFool.P

    Please update your virus scanner or contact your IT support
    personnel as soon as possible as you may have a virus on your system.

    Your message was sent with the following envelope:

    MAIL FROM: chiefadf@s******.net
    RCPT TO: ulasnikbay@ku******.com

    ... and with the following headers:

    MAILFROM: chiefadf@so*******.net
    Received: from dsl81-215-33063.adsl.ttnet.net.tr (HELO kuzeyyildizi.com) (81.215.129.39)
    by biruni.kadikoy*******.com.tr with SMTP; 24 Aug 2004 06:55:15 -0000
    From: chiefadf@so*****.net
    To: ulasnikbay@kuz******.com
    Subject: Re: text
    Date: Tue, 24 Aug 2004 09:48:24 +0300
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
    X-Priority: 3
    X-MSMail-Priority: Normal

    =============Got told the same thing==========================

    Here my copy of HiJackThis.txt:


    Removed section containing HijackThis Log - I am afraid we no longer allow the posting of unsolicited HijackThis logs as per our Posting Policy stated in this Announcement. - snap


    ===================End of the Report=========================
    By the way, I ran the removal tool also, as said in the above post; it did not see it?
     
    Last edited by a moderator: Aug 24, 2004
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Usually what happens is a virus on an infected computer sends emails from email addresses found on that computer. The addresses come from such things as "Forwards", where people don't remove the previous email address(es); this can be seen when an email arrives and you can see who the email has come from and/or who it is going to, usually a very big list of people. The virus on the infected computer then picks one email address to be the fake sender, and sends copies of itself (the virus) to other email addresses found on the same infected computer, as though it was coming from you.

    Understand this VERY CLEARLY: you have NOT sent the infected email. A virus on an infected computer has harvested and used your email address as the sending address to forward infected emails, provided your system is set up and maintained with appropriate security software.

    The virus or Trojan didn't use the real email address of the computer's owner because any undeliverable email that bounced directly back to that computer would tip the owner off that they had a problem.

    Again, to be clear, it is extremely unlikely your computer has sent the email, provided your system is set up and maintained with appropriate security software.

    Hope this helps...

    Cheers :D
     
  9. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    I believe it is a variation of Netsky, and as such you are safe to ignore it, the netsky/mydoom/bagle variations only affect Windows based systems. Address spoofing is common with all of these worms.
     
  10. Guset

    Guset Guest

    Just as a side note. I did a search for Netsky on ClamAV's database. It seems that the list of Worm.SomeFool.? is almost interchangeable with the W32.Netsky.? list with regard to variants. ClamAV also does not have Netsky listed as a defined virus in their DB. I'm taking a wild guess here, but it seems to me that ClamAV sees SomeFool as such a close Netsky variant, that it sees them as one and the same and has deviated only in the naming.

    See Also:

    SomeFool Search on ClamAV:
    http://clamav-du.securesites.net/cg...ity&.cgifields=search-type&.cgifields=display

    Netsky Search on ClamAV:
    http://clamav-du.securesites.net/cg...ity&.cgifields=search-type&.cgifields=display
     
  11. oneover

    oneover Guest

    Is there a way to trace which is the infected computer since the sender's address is faked or spoofed?
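    Worked example (added here; not code from any poster in this thread): the point made in posts 7 and 8, and asked about in post 11, is that the From and MAIL FROM addresses tell you nothing, but the Received line that the notifying MTA wrote itself records the IP that actually connected to it. The script below parses the header block the notification in post 7 quoted back (reproduced as a constructed sample, addresses masked as on the page, with the continuation lines indented so a header parser accepts them), pulls out the connecting IP, its reverse DNS name and the HELO name, and flags the mismatches that mark a spoofed sender. The Received-line regex matches the qmail-style format quoted on the page and is an assumption; other MTAs fold the same facts differently. The IP and reverse name it reports are what an abuse report to that network's contact would cite, not the address in the From header.

```python
import re
from email.parser import HeaderParser

# Constructed sample: the header block the bounce notification in post 7 quoted back,
# addresses masked as on the page. Continuation lines are indented so the header
# parser treats them as folded headers (the forum flattened them).
SAMPLE_HEADERS = """\
MAILFROM: chiefadf@so*******.net
Received: from dsl81-215-33063.adsl.ttnet.net.tr (HELO kuzeyyildizi.com) (81.215.129.39)
  by biruni.kadikoy*******.com.tr with SMTP; 24 Aug 2004 06:55:15 -0000
From: chiefadf@so*****.net
To: ulasnikbay@kuz******.com
Subject: Re: text
Date: Tue, 24 Aug 2004 09:48:24 +0300
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal
"""

# qmail-style Received line, as quoted on the page:
#   from <reverse-dns> (HELO <claimed-name>) (<ip>) by <receiving-host> with SMTP; <date>
# Assumption: other MTAs (sendmail, Postfix, Exchange) fold the same facts differently
# and need their own pattern.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Return rdns/helo/ip/by from one Received header, or None if it does not match."""
    match = RECEIVED_RE.search(" ".join(value.split()))  # unfold and squeeze whitespace
    return match.groupdict() if match else None


def domain_of(addr):
    """Domain part of a bare address, lower-cased ('' if there is no @)."""
    addr = addr.strip()
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze(raw_headers):
    """Pull the connecting host out of the headers and list the spoofing indicators."""
    msg = HeaderParser().parsestr(raw_headers)
    claimed_from = msg.get("From", "")
    result = {
        "claimed_from": claimed_from,
        "envelope_from": msg.get("MAILFROM", claimed_from),
        "origin_ip": None,
        "origin_rdns": None,
        "origin_helo": None,
        "indicators": [],
        "spoofed": False,
    }
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if not hops:
        result["indicators"].append("no parseable Received header; origin unknown")
        return result

    # Received headers are prepended, so the topmost one was written by the MTA that
    # sent the notification. That line is the only one it can vouch for; anything
    # below it could have been forged by the sending worm.
    origin = hops[0]
    result.update(origin_ip=origin["ip"], origin_rdns=origin["rdns"], origin_helo=origin["helo"])

    from_dom = domain_of(claimed_from)
    rdns, helo = origin["rdns"].lower(), origin["helo"].lower()
    rdns_in_from_dom = rdns == from_dom or rdns.endswith("." + from_dom)
    if from_dom and from_dom != helo and not rdns_in_from_dom:
        result["indicators"].append(
            f"From domain {from_dom} matches neither HELO {helo} nor reverse DNS {rdns}")
    if helo != rdns:
        result["indicators"].append(
            f"HELO name {helo} differs from reverse DNS {rdns} of {origin['ip']}")
    result["spoofed"] = bool(result["indicators"])
    return result


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADERS)
    print(f"Claimed sender : {report['claimed_from']}")
    print(f"Connecting IP  : {report['origin_ip']} ({report['origin_rdns']})")
    print(f"HELO name      : {report['origin_helo']}")
    for line in report["indicators"]:
        print(" -", line)
```

    Run against the sample, it reports the ADSL host at 81.215.129.39 as the connecting machine and flags both that the From domain matches neither the HELO name nor the reverse DNS, and that the HELO name itself disagrees with the reverse DNS. Only the Received line added by the MTA that wrote the notification is trustworthy; in a full message, any Received lines below it may have been forged by the sending worm, which is why the script reads the topmost one rather than walking to the bottom of the chain.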
     
  12. dfdsf

    dfdsf Guest

    I have exactly that problem! What can I do?

     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    To be 100% sure that your system is clean you can take the following steps:


    Step 1. Install Zone Alarm (free) – Firewall with visual outgoing alerts to see what is trying to access the internet.
    http://www.zonelabs.com


    Step 2. Download Stinger available here: do NOT run this YET.
    http://vil.nai.com/vil/stinger/


    Step 3. Turn OFF System Restore, this process depends on your operating system:


    Windows XP Instructions

    1. Right click on the "My Computer" icon on the Windows desktop
    2. Click "Properties"
    3. Click on the "System Restore"
    4. Place a tick in "Turn off System Restore on all Drives"
    5. Click OK
    6. Close and restart your system.


    OR


    Windows ME Instructions

    1. Right click on the "My Computer" icon on the Windows desktop
    2. Click "Properties"
    3. Click on "Performance"
    4. Click "File system"
    5. Click "Troubleshooting"
    6. Check "Disable system restore"
    7. Click on OK
    8. Close and restart your system.


    Step 4. Delete your TEMP files by doing the following: open up Internet Explorer> Tools> Internet Options> General TAB> Temporary Internet Files> Delete Files> Delete All Offline Content.


    Step 5. Restart your system again in “SAFE MODE” by pressing/tapping F8 while booting up


    Step 6. Run a scan with your current Anti-virus program – MAKE SURE IT IS FULLY UP TO DATE with the latest virus signatures.


    Step 7. Run a scan with “Stinger” the program you downloaded above.


    Step 8. Reboot your system into normal mode.


    Step 9. Run a further online scan found here: http://housecall.trendmicro.com/


    When everything is clean, it is recommended that you turn System Restore back on.


    Step 10. Install, update and run the LATEST Spybot Search and Destroy (free) – Spyware removal and protection, with registry monitor.
    http://beam.to/spybotsd


    Step 11. Install, update and run the LATEST Ad-Aware (free) – Spyware removal. What Spybot Search and Destroy doesn't pick up, this will.
    http://www.lavasoftusa.com


    Step 12. Install and run CWShredder available here:
    https://www.wilderssecurity.com/showthread.php?t=14086


    Step 13. Make sure your Windows is FULLY up-to-date by doing the following: While on the Internet, Click on Internet Explorer (the Blue “e”), Click on Tools (on the bar at the top of your screen in Internet Explorer), Click on Windows Update. This will take you to the Microsoft Windows Update page where you need to follow the on screen prompts, starting with “Scan for Updates”. Install ALL “Critical Updates” and “Service Packs”.

    WEEKLY – check this is “Up to Date”.



    REPEAT ALL THE ABOVE STEPS, this time EVERYTHING should come up clean…



    IF the above does NOT fix your problem please download and run Hijack This found here:

    https://www.wilderssecurity.com/showthread.php?t=12516


    and post your log at one of the forums found here:

    http://a-sap.org/


    Keep in mind the following quote:


    For the most part what I have suggested fixes the greater majority of problems out there...


    When your system is clean you may want to take a look here:

    https://www.wilderssecurity.com/showthread.php?t=45284&page=1&pp=25

    for further discussion on security and how to make your system that much stronger.


    and here for more discussions:

    https://www.wilderssecurity.com/showthread.php?t=43117


    Hope this helps…

    Let us know how you go…

    Cheers :D
     