
Carlton

2 Infected Files


I'm fixing up someone's Win98SE machine. Lo and behold, they've never done a virus scan. I did it for them with Norton and found two infected files. Don't remember the names but they were classified as annoying worms.

Norton was unable to fix so I quarantined them. What next? Just delete them?

 

Thanks,

Carlton


I checked the log file for the virus scan.

Both files are infected with the w32.annoying.worm virus.

 

Carlton


Yes, delete the infected files that were quarantined. Then temporarily disable the Norton and run one of the online virus scanners to make double sure the machine is virus free. I think there's a pinned thread here that lists some. I know of HouseCall by Trend Micro, Panda Active Scan, and the Pit's own AV checker. Find the right thread or just Google.


It's the "Free Tools..." thread pinned up top. :)


Thanks for the help. Once I found the virus name, I found this at Symantec.

 

Activation

When activated, this worm registers its process to the system as MsgSprd.

 

It next creates the value

MSN Messenger %download location%\PIC1324.exe

in the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

 

and displays the following message:


It remains active (silently), waiting for contacts to send you messages by MSN messenger.

 

Contact

When a contact is made by MSN Messenger, this worm waits a few seconds and sends the following message to the contact:

 

hey, want me to send my new pic?

i took it yesterday

 

If the contact responds with any of the following key words in their message:

yes
sure
yea
guess
send
there
maybe
ok cool

it sends itself to that contact along with the message

 

alright, here ya go

i hope you like it

 

Other information

This worm contains the following text inside itself:

 

I come in piece. My name is Jerry.

The purpose of me is to spread. I'm not annoying, nor dangerous.


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

 

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.


To remove this worm, you must:

 

Terminate the application registered as MsgSprd.

Delete infected files.

Remove the registry value that was added by the worm.

 

To terminate the application:

Press Ctrl+Alt+Delete one time.

If you are running Windows NT/2000, click Task Manager.

In the list box (on the Applications tab if you are running Windows NT/2000) select MsgSprd.

Click End Task.

 

To delete infected files:

Run LiveUpdate to make sure that you have the most recent virus definitions.

Start Norton AntiVirus (NAV), and run a full system scan. Be sure that NAV is configured to scan all files.

Delete all files that are detected as W32.Annoying.Worm.

 

To edit the registry:

 

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys specified. Please see the document How to back up the Windows registry before you proceed.

 

Click Start, and click Run. The Run dialog box appears.

Type regedit and then click OK. The Registry Editor opens.

Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the following value:

MSN Messenger %download location%\PIC1324.exe

 

Click Registry, and then click Exit.

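As an added example (not from the thread or from Symantec's write-up), here is a small Python script that checks the persistence value described above without touching the live registry: it parses a regedit export of the Run keys and flags the "MSN Messenger" value pointing at PIC1324.exe. The .reg contents and the C:\WINDOWS\Desktop download path are constructed for the example.

```python
import re

# Constructed sample of what a regedit export of the Run keys might look like
# on an infected Win9x machine. "ScanRegistry" is a normal Win98 autorun item;
# "MSN Messenger" is the value the worm adds (the download path is assumed).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"MSN Messenger"="C:\\WINDOWS\\Desktop\\PIC1324.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
'''

RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run"
# Indicators taken from the Symantec description quoted in the thread.
WORM_VALUE_NAME = "MSN Messenger"
WORM_FILE_NAME = "pic1324.exe"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslashes and quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return a list of (key, value_name, data) tuples from a .reg export."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            entries.append((current_key, _unescape(m.group("name")), _unescape(m.group("data"))))
    return entries


def find_worm_autorun(entries):
    """Return Run-key entries that match the worm's persistence value by name or by file."""
    hits = []
    for key, name, data in entries:
        if not key.lower().endswith(RUN_KEY_SUFFIX.lower()):
            continue
        if name == WORM_VALUE_NAME or WORM_FILE_NAME in data.lower():
            hits.append((key, name, data))
    return hits
```

Each hit is a value to remove in regedit exactly as the removal steps above describe; running the script against a fresh export afterwards confirms the value is gone.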
