Path: utzoo!news-server.csri.toronto.edu!rutgers!mcnc!decwrl!uunet!seas.gwu.edu!iqbal
From: iqbal@seas.gwu.edu (Iqbal Qazi)
Newsgroups: comp.windows.ms
Subject: Re: ***WARNING*** possible windows virus in the cica uploads directory
Summary: Weird things happened to me also!!!!
Message-ID: <2856@sparko.gwu.edu>
Date: 13 Mar 91 21:50:45 GMT
References: <2610@travis.csd.harris.com>
Reply-To: iqbal@seas.gwu.edu ()
Organization: The George Washington University, Washington D.C.
Lines: 67

In article <2610@travis.csd.harris.com> leoh@hardy.hdw.csd.harris.com (Leo Hinds) writes:
>
>
>Hopefully I am crying wolf, but the following is what happened to me right now:
>
>1) I downloaded from the cica uploads directory a file called yourway.zip
>
>2) tried to run it from windows, It popped up a dialog box saying something
>   about your win.ini file has been modified, and asking where datafiles are
>   kept. I did not tell it a location but hit the OK button ... result, UAE.
>
>3) I copied win.ini to the location I had "yourway" as the data location (a
>   networked drive) & tried to run it again, this time specifying the complete
>   path where yourway was located & hit the ok button, again UAE ... but this
>   time windows was also hung.
>
>4) warm-boot pc & reenter win ... looks funny ... try & edit win.ini ...
>   contents are gone & replaced with:
>
>   YourWay Ha Ha Ha! text strings>
>
>
>Is this just a fluke or a "windows virus"? ... the YourWay Ha Ha Ha! leads me
>to believe the latter ... but I am open to suggestions.

I also downloaded yourway.zip from the upload directory, ran it, next
thing I know: UAE. I think, all right, another silly memory problem or
something like that. After clicking "OK" I notice THERE WERE NO WINDOWS
AT ALL ON MY SCREEN!!!. I.e. I could move my mouse around the screen, but
all I could see was my .bmp on the screen. Screenpeace, Curses, PM Window
were all gone. Doubleclicking on the background (nothing else to click
on :-( ) got me the Task Manager -- a few times. It came up empty. I tried
all sorts of keyboard things (ALT-F4, ALT-SPACE, CTRL-SPACE, etc) which
did nothing.

So I reboot. Fire up windows again, and I GOT NO GROUPS. I get the PM
window (Screenpeace and Curses get loaded normally), the PM window opens
up and is totally empty. All my groups (Games, Util, etc) are gone.

I get out of windows and look at my PROGMAN.INI, and there's all kinds of
garbage. I didn't see any "ha..ha" messages though. So I rebuild my
PROGMAN.INI (after making a dummy group to get the format right (do YOU
know the format?)). Then everything is fine. At least my *.GRP files were
intact.

Note this was happening at 4am and I didn't even think of the virus
possibility until I read the above article.

The moral of this story is: Back up those important WIN files (*.ini,
*.prj maybe), and don't download from the upload directory. I assume that
someone at cica checks these programs??

Iqbal
iqbal@sparko.gwu.edu