Eohio.Net Online

Quick Help for viruses
Blackworm - Win32.Nyxem.E@mm
Free removal tool
Free Virus scan of your computer


Blackworm - Win32.Nyxem.E@mm

Win32.Nyxem.E@mm is also known as Grew.a, Grew.b, Blackmal.e, Nyxem.e, Nyxem.d, Mywife.d, Tearec.a, Blackworm, Email-Worm.Win32.Nyxem.e, W32/Nyxem-D, W32/MyWife.d@MM, and CME-24. It is an extremely dangerous and rapidly spreading Internet worm, which spreads by e-mail via messages with infected attachments and through unprotected network shares. The user can accidentally infect a computer by opening a malicious e-mail attachment or running an infected executable file. Get more information and a Free removal tool here.

CIA/FBI & Paris Hilton Virus E-Mails

There is a new virus that is sending out e-mails purporting to be from the FBI or CIA. They claim that you went to an illegal website and that you need to open an attached file to answer some questions. DO NOT OPEN THE FILE! It is a virus. There is another virus spreading that has something about Paris Hilton in the subject line. You do not want to open the attachment to that one either. We strongly encourage all of our customers to use virus protection software and you should update the virus definitions at least once per week to be safe.

Sasser Worm

The W32.Sasser.Worm has recently become an aggressive threat on the internet. Customers infected with this worm will experience difficulty shutting down or restarting their computer and slow browsing. You can trick the worm to stop the restarts by resetting your computer clock back one year in time. Virus details available at Norton .
UPDATE: Official Microsoft Worm Removal Tool Link:
UPDATE: For free Sasser and MSBlaster worm fixes.


A variant of the W32/MyDoom (W32/Novarg.A) virus has been identified that infects Microsoft Windows systems. This variant is called W32/MyDoom.B. Like its predecessor, W32/MyDoom.B propagates via email and P2P networks and requires that a user intentionally run an executable file in order to infect a system.
W32/MyDoom.B may be designed to cease functioning on March 1, 2004.

Mydoom or Mydoom.A

There have been reports of a new mass-mailing virus known as W32/Novarg.A, W32/Shimg, or W32/Mydoom that has been reported to open a backdoor to the compromised system and possibly launch a denial-of-service attack at a fixed time in the future. Description

The W32/Novarg.A virus attempts to do the following:
* Modify various Windows registry values so that the virus is run again upon reboot
* Open a listening TCP port in the range of 3127-3198, suggesting remote access capabilities
* Install a copy of itself in the C:\Program Files\KaZaA\My Shared Folder\ folder, which will be available for download by KaZaA users

The virus arrives as an email message with a 22,528-byte attachment that has a random filename with a file extension of .cmd, .pif, .scr, .exe, or .bat. The attachment may also arrive as a ZIP archive.

Virus Alert From eohio.net Virus Report Center
- An e-mail has been seen that indicates it is from the Eohio Virus department. This is NOT from Eohio.net and should be deleted. Here is the body of one such e-mail:

Virus Alert
From: eohio.net's Internet Virus Department
We have detected a possible computer virus on your computer, You must open the details of the report within 24 hours our we will be forced to shut down your internet service.
Please Click Below Then Press "open" To View The Report If you do not open this report in 24 hours we will suspend your internet service If nothing apears on your virus report please dis-regard this message
Click Here Now

This is NOT from Eohio and should be deleted.

RPC Exploit - This affects Windows NT 4, Windows 2000, and Windows XP. This is a problem where the computer gets an error with RPC and says it will reboot in 60 seconds.

Windows 95/98/Me computers, which don't run an RPC service or have a TFTP client (default setting), are not at risk.

This is not a problem on our end! - This is a flaw in the Microsoft Windows Operating system that was recently found. Eohio has worked to find solutions for our customers and below is some information to help you deal with the problem. This is a virus that is taking advantage of a Microsoft security issue that is affecting users with Microsoft XP, 2000, and NT. This virus is spread by simply being connected to the Internet. It is not distributed via E-mail.

The virus has been named any of the following names: W32/Lovsan.worm, W32.Blaster.Worm, WORM_MSBLAST.A, Win32.Poza, Worm/Lovsan.A, W32/Blaster-A, Blaster, and probably many more names are and will be used. The virus is a worm that uses the internet to exploit the DCOM vulnerability in the RPC (Remote Procedure Call) service. The DCOM vulnerability was first reported by Microsoft in mid-July. This worm does not use E-mail to spread.

There has been variants of the original virus showing up starting Wed. the 13th. The original virus used a file named Msblast.exe. The variant virus can exist on your computer with the original blaster, so that you will have 2 or more viruses to clean off. There are several file names associated with the variant viruses including:

    Blaster variants
  • index.exe
  • root32.exe
  • teekids.exe
  • others maybe added

Targeted computers include the following Microsoft operating systems:

  • Windows NT 4.0
  • Windows NT 4.0 Terminal Services Edition
  • Windows XP
  • Windows Server 2003

(On Windows XP the exploit can accidentally cause the remote RPC service to terminate. This causes the Windows XP machine to reboot).

On finding a vulnerable computer system, the worm causes the remote machine to acquire a copy of the worm using TFTP, which is saved as msblast.exe in the Windows system folder.

On the 16th August 2003, one month after the security patch was posted, the worm is programmed to launch a distributed denial-of-service attack on windowsupdate.com, which may severely impact the speed of your computer if it is attacking the Microsoft web site while your trying to surf the net.

Additionally the worm creates the following registry entry so as to run on system start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update

The worm contains the following text, which does not get displayed:

I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!


Fix for Windows XP/2000 RPC Exploit
Fix for Windows XP | Fix for Windows 2000


Fixing Windows:

If you have windows XP you need to turn on the firewall option in the control panel. It is located in your [network connections], dialup network properties under the [Advanced] tab. This should stop the disconnection before you can update and may stop the rebooting problem. If the computer is still rebooting before you can get the necessary updates and virus cleaning done, you can click on [Start] [All Programs] [ Accessories] [Command Prompt]and then type [shutdown -a] do not type the brackets[ ] and there is a space before the -a. This has been known to stop the rebooting problem.

If you have Windows 2000 then you can take steps to block the affected ports so that your computer can be patched. Here are some modified instructions from the Microsoft article HOW TO: Configure TCP/IP Filtering in Windows 2000.

This will keep the machine from rebooting continuously. You then need to go to the Microsoft Windows Update web site and download the patch for this exploit.

This should correct the problem from re-occurring in the future.

Windows Update is at:

Due to heavy traffic and the possibility of an attack on the Microsoft update web site we have put the updates on our local server for your convince.

XP update
Windows 2000 update
Windows NT 4.0 update (must have SP6)


Virus Removal Tools:

Do the windows update FIRST then clean the virus. If you do it in reverse you are likely to get the virus back. You can download the virus removal tools at the following sites:

Network Associates
Trend Micro
Computer Associates


More Information:

From Microsoft:
Microsoft incident information page
Microsoft Security Bulletin MS03-026
For Microsoft Product Support Services within the United States and Canada, call toll-free (866) PCSAFETY (727-2338)

From Symantec:
Virus description and clean-up tool program

Symantec Security Response http://securityresponse.symantec.com/avcenter/security/Content/8205.html

Mblaster variations including TEEKID.EXE

CERT® Advisory :
Exploitation of Vulnerabilities in Microsoft RPC Interface
CERT Advisory CA-2003-19
CERT Advisory CA-2003-20

Once you get the patch/update on your computer be sure to then remove the virus/s from it also. The update needs done first to prevent it being re-infected. Always be sure your virus program definitions are kept updated. In times of outbreaks of new viruses it may be necessary to update daily.

If you have problems with this or need additional help contact your computer manufacturer or computer repair person. If you need the update and are unable to get it on line you can call Eohio.net at 740-942-4484 or stop in the store and we will make a disk with the update from Microsoft on it for you.

Eohio has taken steps to block some of the attempts to get into your computer but this will not block all. Be sure you have your computer updated as recommended by Microsoft and the Manufacturer and have an updated anti virus program running on your computer at all times.

Virus - admin@eohio.net

There is another virus and it is sending out mail with the return address as admin@eohio.net. This is NOT from eohio and is a virus. If you receive an e-mail that says it is from admin@eohio.net do not open it or it's attachment. If you have got it and opened it you can learn more about the virus and get a removal tool from Symantec:

W32.Mimail.A@mm Virus

Your billing will continue to come from billing@eohio.net. Contact our help desk if you have any questions.





Main Page

Copyright © 1996 Eastern Ohio Internet, LLC. all rights reserved