Unsolicited email from guardian.com


pacouk 15 2
31 Jan 2006 1:20PM
Hi all, here is some info on the file from Total Business/Trader. If executed it runs the following process:

csrnvrt.exe

and adds the following two entries into the registry:

'DriverModule' with value 'csrnvrt.exe'

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

These entries should be deleted from the registry.

Also it copies itself to C:\Windows\system32\csrnvrt.exe

Delete this too.

Regards

Ian


Burgy_Tog 16 634 United Kingdom
31 Jan 2006 11:34PM

Quote: About as much use as a chocolate teapot!


Why would they do anything else? They have stated that it is nothing to do with them, and the URL doesn't even point to their website. They are a newspaper, not an IT company specialising in anti-virus.

If anyone falls for this virus, they deserve everything they get.
dougv 16 8.4k 3 England
31 Jan 2006 11:55PM

Quote: Why would they do anything else, they have stated that it is nothing to do with them


Yes, but something along the lines of "Thank you for bringing this to our attention" and "We take these matters very seriously" would have been better.
It wouldn't have helped, but from their response the impression they give is that they couldn't care less.

Doug ;o)
deviant 16 3.1k 1 United Kingdom
1 Feb 2006 1:04AM
There is actually a 414 website I discovered which I suspect is connected to this scam. It was overtly pretending to be the real Guardian Newspaper. It was complete with proper articles and adverts mostly lifted from the Guardian in the UK.

I suspected it was fake as the spelling was all correct and every ad banner was really a phishing scam to get money from you. Add to that the fact the address was in Lagos and you can be sure it's not a good thing. The Lagos phishing scams are notorious by any standards.

Site has now been taken down but was dangerous even to browse, as it was laden with tricks and traps triggered by simply viewing the site. Moral of the story: if you suspect an email, don't even follow the links to check. Delete it and empty the recycle bin.

D
deviant 16 3.1k 1 United Kingdom
1 Feb 2006 1:06AM
Unless you are a Mac user in which case you are immune because of magic (Java) beans.
alfpics Plus
18 370 4 England
1 Feb 2006 1:28AM
Had the Campus Life one plus another recently - deleted both straight away.
Question - IF one did try to open the attached ZIP file, would anti-virus software pick it up before it did any damage? (I have Norton)

Andy
User_Removed 16 3.3k Russian Federation
1 Feb 2006 1:33AM
Not sure.
Depends on how new the virus is, and how up-to-date your antivirus is.

Tell you what... You give it a go and see what happens!
;o)
deviant 16 3.1k 1 United Kingdom
1 Feb 2006 1:35AM
Depends on what flavour you get. Did some tests today and all but one picked up the win32.IRC-backdoor bit, but only two spotted the DRM rootkit. By tomorrow it'll be all of them up to date, I'm sure.

I did post earlier in thread a quick check for the rootkit if you need to use it.

D
deviant 16 3.1k 1 United Kingdom
1 Feb 2006 1:43AM

Quote: Pete: These things happen all the time...spam/viruses... and are not connected with us or our products.


To back this up I'd add it's easy enough to pick up all email addresses from just about any web based mail server if you monitor the right web traffic for long enough and know what you are doing. It's done as a matter of routine by spammers. Not something I'd connect with the epz site at all.
D
alfpics Plus
18 370 4 England
1 Feb 2006 1:52AM

Quote: Tell you what... You give it a go and see what happens!


Err, I don't think so...! I asked the question partly in case of my kids receiving one and opening it without question!

Also, thanks deviant - have made note of that

Andy
ziggy 18 202 England
1 Feb 2006 8:09AM
Hi all...followed pacouk's advice and edited the registry to remove Driver Module from two places.
Ahh...forgot to check no more entries.
Could not delete the file in windows\system32 because it was in use; so restarted machine in safe mode command prompt and then used old dos commands to find the file and delete it. Checked and found a further entry in C:\Windows\Prefetch but slightly different as (lower case) CSRNVRT.EXE-14779D42.pf...deleted that as well.
Just hope there are no other new files...maybe I should check for any other files created at the same time.
PS This is Windows XP.
Norton Internet Security did not stop it...I'll have to pass this by them.
Good luck to any more of you who fell into the same trap...it certainly makes one distrustful. Many thanks to pacouk
Roger
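A PowerShell audit of the indicators pacouk and ziggy list above (the DriverModule Run value in HKCU and HKLM, the system32 copy, the Prefetch trace and the running process), added here as an example and not from the thread. It assumes an elevated PowerShell 5+ session; the Prefetch hash suffix is wildcarded because it differs per host, and nothing is removed unless -Remove is given (-WhatIf previews the actions).

```powershell
# Added example, not from the thread: report the csrnvrt.exe persistence described
# above and optionally remove it. Assumes an elevated PowerShell 5+ session.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

$valueName = 'DriverModule'
$exeName   = 'csrnvrt.exe'
$runKeys   = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$paths = @(
    (Join-Path $env:SystemRoot "system32\$exeName"),
    (Join-Path $env:SystemRoot 'Prefetch\CSRNVRT.EXE-*.pf')   # hash suffix varies per host
)
$found = $false

# The file could not be deleted while in use, so deal with the process first.
$proc = Get-Process -Name ($exeName -replace '\.exe$', '') -ErrorAction SilentlyContinue
foreach ($p in $proc) {
    $found = $true
    Write-Warning "Running: $($p.Path) (PID $($p.Id))"
    if ($Remove -and $PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($item -and $item.$valueName -match [regex]::Escape($exeName)) {
        $found = $true
        Write-Warning "Run entry: $key\$valueName = $($item.$valueName)"
        if ($Remove -and $PSCmdlet.ShouldProcess("$key\$valueName", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $key -Name $valueName
        }
    }
}
foreach ($pattern in $paths) {
    foreach ($f in Get-ChildItem -Path $pattern -Force -ErrorAction SilentlyContinue) {
        $found = $true
        Write-Warning "File: $($f.FullName) (created $($f.CreationTime))"
        if ($Remove -and $PSCmdlet.ShouldProcess($f.FullName, 'Remove-Item')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}
if (-not $found) { Write-Output "No $exeName indicators found." }
```

The file creation time printed for each hit is the pivot for ziggy's follow-up question, since other files dropped at the same moment can be listed with Get-ChildItem filtered on CreationTime.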
paulsteds 16 123 England
1 Feb 2006 2:18PM
Well I never open unknown mail attachments....well not until 5 mins ago. The reason, I had mailed a photo of a client to their printer and was waiting for a reply. Now what do I do???????
Paul
PS Jamie used my EPZ email add....
jimbo_t 17 959 England
2 Feb 2006 1:50AM
You lot think you have problems, I keep getting emails from bloody Nikon!!!

Jim (disgruntled Canon owner)
digicammad 17 22.0k 39 United Kingdom
2 Feb 2006 1:54AM
Nikon missionaries, spreading the good word. :0)
Neil_Wardle 17 101
2 Feb 2006 1:57AM

Quote:the good word

Canon
