tlhIngan-Hol Archive: Thu May 03 21:47:18 2001


Virus



I was infected by a virus which I received from another list. Someone on
that list posted instructions for removing it.

The effect of opening the attachment is that an error message appears (if
you saw the message, then you have the virus), then the next time you boot
your system, the virus sends copies of itself in a reply to every unanswered
message in your Inbox.

Here are the instructions I received for removing the virus. I seem to have
accomplished it but, if not, DO NOT OPEN any attachment which comes with a
message that says "look to the attachment."

~Bradley / Pagh-le'

~ ~ ~
My apologies for the length of this post, but here's the relevant text on
the virus you're dealing with:

Damage:

  - Payload:
    - Large scale e-mailing: It replies to all unread messages in the
message folders within the default MAPI email program.
    - Compromises security settings: It drops a backdoor Trojan.

Technical description:


When the worm is executed, it drops the backdoor Trojan Hkk32.exe in the
\Windows folder, and then executes it. It then copies itself into the
Windows folder as inetd.exe, adds a run= line to the Win.ini, and displays
the following message:

"File data corrupt: probably due to bad data transmission or bad disk
access"

The next time that the computer is rebooted, the worm will wait for 5
minutes, then it will use MAPI to find all unread email messages and reply
to all of them. The worm will attach itself to the email, using one of the
following file names:

Pics.ZIP.scr
images.pif
README.TXT.pif
New_Napster_Site.DOC.scr
news_doc.scr
hamster.ZIP.scr
YOU_are_FAT!.TXT.pif
searchURL.scr
SETUP.pif
Card.pif
Me_nude.AVI.pif
Sorry_about_yesterday.DOC.pif
s3msong.MP3.pif
docs.scr
Humor.TXT.pif
fun.pif



Removal instructions:

Because W32.Badtrans.13312@m... affects different operating systems in
different ways, how you remove this worm depends on your operating system.
Follow the instructions in the order given.

To remove the worm:

  1. Run LiveUpdate to make sure that you have the most recent virus
definitions.
  2. Start Norton AntiVirus (NAV), and then run a full system scan, making
sure that NAV is set to scan all files.
  3. Delete any files detected as W32.Badtrans.13312@m... What you do next
depends on whether NAV was able to delete files that it detected as infected
with W32.Badtrans.13312@m...:
    - If NAV was able to delete all files that it detected as infected, do
one of the following:
      - If you are using Windows 95/98/Me, skip to the section To edit the
Win.ini file.
      - If you are using Windows NT/2000, and NAV was able to delete all
infected files, you are finished.
    - If NAV was not able to delete all files that it detected as
infected, go on to the next section and see the instructions for your
operating system:


How to remove files that cannot be deleted by NAV
Follow the instructions for your operating system only if NAV could not
delete files that it detected as infected, W32.Badtrans.13312@m...

  - Windows 95/98/Me:
    1. Restart the computer in Safe mode. For instructions on how to restart
in Safe mode, see the document How to restart Windows 9x or Windows Me in
Safe Mode.
    2. Run the scan again and delete any files detected as
W32.Badtrans.13312@m...
    3. When the scan is finished, go on to the section To edit the Win.ini
file.
  - Windows NT with FAT32/FAT16:
    1. Restart the computer in VGA mode and run the scan again.
    2. Delete any files detected as W32.Badtrans.13312@m...
    3. Restart the computer to complete the removal procedure.
  - Windows 2000 with FAT32/FAT16:
    1. Restart the computer in Safe mode. For instructions on how to restart
in Safe mode, see the document How to start Windows 2000 in Safe Mode.
    2. Run the scan again and delete any files detected as
W32.Badtrans.13312@m...
    3. Restart the computer to complete the removal procedure.
  - Windows NT/2000 with NTFS:
  Removal on Windows NT/2000 with NTFS is a bit more complex, as you first
must edit the registry.

  CAUTION: We strongly recommend that you back up the system registry before
making any changes. Incorrect changes to the registry could result in
permanent data loss or corrupted files. Please make sure you modify only the
keys specified.

  Please see the document How to back up the Windows registry before
proceeding. This document is available from the Symantec Fax-on-Demand
system. In the U.S. and Canada, call (541) 984-2490, select option 2, and
then request document 927002.

    1. Click Start, and then click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to the following subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce


    4. In the right pane, delete the following value:

    Kernel32     KERN32.EXE

    5. Click Registry and then click Exit to save the changes.
    6. Navigate to the following subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

    7. In the right pane, delete the following value:

    run <path>\Inetd.exe

    8. Exit the Registry editor.
    9. Restart the computer.
    10. Run the scan again and delete any files detected as
W32.Badtrans.13312@m... This completes the removal procedure for users of
Windows NT/2000 with NTFS.


To edit the Win.ini file:
If you are running Windows 95/98/Me, you must also do the following:
  1. Click Start, and then click Run.
  2. Type the following and then click OK:

  edit c:\windows\win.ini

  NOTE: If you have installed Windows to a different location, make the
appropriate substitution.

  3. In the [windows] section, locate the run= line. It will look similar to
the following:

  run=c:\windows\inetd.exe

  4. Remove the text to the right of the = sign, so that the line now reads:

  run=

  5. Save your changes and exit the System Configuration Editor.
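As an added example (not part of the post above or of the Symantec write-up it quotes), the following Python checks two of the indicators the write-up describes, offline: an attachment name that hides a .scr or .pif extension behind a document-looking one, and a run= line in the [windows] section of a win.ini pointing at one of the dropped file names. The attachment names and the sample win.ini are constructed for the demo; the list of suspect base names is taken from the file names the write-up mentions.

```python
import os.path

EXEC_EXTS = {".scr", ".pif"}                          # extensions the worm's attachments end in
DECOY_EXTS = {".zip", ".txt", ".doc", ".avi", ".mp3"}  # harmless-looking inner extensions it used
SUSPECT_BASENAMES = {"inetd.exe", "hkk32.exe", "kern32.exe"}  # file names named in the write-up


def classify_attachment(name: str) -> str:
    """'disguised' = executable extension behind a decoy one (Pics.ZIP.scr),
    'executable' = bare .scr/.pif (images.pif), 'ok' = anything else."""
    stem, ext = os.path.splitext(name.lower())
    if ext not in EXEC_EXTS:
        return "ok"
    _, inner = os.path.splitext(stem)
    return "disguised" if inner in DECOY_EXTS else "executable"


def _windows_run_lines(win_ini: str):
    """Yield (raw_line, is_run_line) per line, tracking whether we are in [windows]."""
    section = None
    for raw in win_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            yield raw, False
        else:
            yield raw, section == "windows" and line.lower().startswith("run=")


def suspect_run_entries(win_ini: str) -> list:
    """Return run= values in [windows] whose file name matches a known dropped file."""
    found = []
    for raw, is_run in _windows_run_lines(win_ini):
        if not is_run:
            continue
        value = raw.strip()[4:].strip()          # text to the right of "run="
        if value and os.path.basename(value.replace("\\", "/")).lower() in SUSPECT_BASENAMES:
            found.append(value)
    return found


def neutralize_run(win_ini: str) -> str:
    """Return the text with every run= line in [windows] emptied (step 4 of the post)."""
    out = [("run=" if is_run else raw) for raw, is_run in _windows_run_lines(win_ini)]
    return "\n".join(out) + "\n"


# Constructed sample win.ini resembling the state the post describes; not a real capture.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=c:\\windows\\inetd.exe\n[Desktop]\nWallpaper=(None)\n"
```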
