Virus/Worm?

Status
Not open for further replies.

nettinetti (Instructor, GB), May 31, 2002
Hi all. I recently got a virus/worm from Kazaa after trying to open a picture. It first manifested as a worm-like thing corrupting parts of the screen, which later disappeared. Now every time I boot up I get error messages saying that programs are causing errors and that my resources are dangerously low.
I can start up fine in safe mode and everything seems to be fine, but I can't access any of my com ports or my CD player (which might be unrelated).

I've run PC Door Guard, Norton 2002 (without the latest definitions) and Bull Guard. Norton found one infected file which I removed, but I still can't access my com ports and I'm still getting error messages on startup in normal mode. I've read a lot of the advice here, but until I can identify exactly what the virus is I'm not sure what action to take. In the interim I'm following the advice you all gave in the 'file called pipes' thread, as it does seem to be attacking my exe files. I've downloaded some of the files, like cleaner etc, that I'll run today, but does anyone recognise what the virus is so I can tackle it properly?

Any help would be gratefully appreciated!
Kind regards,
Ian Harling
 
VBS/Neer is the closest virus I know of... here is its info:

VBS/Neer    Corporate User: Low    Home User: Low

Trojan Information
Discovery Date: 07/09/2001
Origin: Unknown
Length: 1,581
Type: Trojan
SubType: VBScript worm
Minimum DAT: 4148
Release Date: 07/18/2001
Minimum Engine: 4.0.70
Description Added: 07/16/2001
Description Modified: 07/16/2001 4:36 PM (PT)

Trojan Characteristics:
This VBScript trojan simply creates hundreds of copies of itself. When run, it copies itself to the WINDOWS and WINDOWS SYSTEM directories and creates the following registry key values to load itself at startup.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\start win dlls=%SysDir%\WinXP.dll .vbs
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\load icons=%WinDir%WinME.dll .vbs

During the first time the script is executed, so many copies are created and executed that system resources are overtaxed, causing the system to display error messages and ultimately crash. These copies are created in the WINDOWS SYSTEM directory and use a random 30 character name with a .VBS extension.

Symptoms
Presence of several hundred VBS files in the SYSTEM directory.

Method Of Infection
Executing this trojan causes this script to drop many copies of itself.

Removal Instructions
All Windows Users:
Use current engine and DAT files for detection and removal.
Manual Removal Instructions

Delete the registry key(s) as mentioned above
Information on deleting registry keys
Restart the computer
Delete the files mentioned above
Additional Windows ME/XP removal considerations

Aliases
VBS.Entice.B (NAV)
VBS.Pyrite (AVP)
VBS.WinXP.B (AVX)
VBS/Pioneer (Panda)


FatesWebb

if you do what I suggested it is not my fault...
 
It could also be a variant on the Benjamin worm, which is known to work in Kazaa.
James P. Cottingham

I am the Unknown lead by the Unknowing.
I have done so much with so little
for so long that I am now qualified
to do anything with nothing.
 
Thanks to both of you for getting back to me so quickly, I'll check out what you say. One thing I don't understand though - you said: "All Windows Users:
Use current engine and DAT files for detection and removal."

I'm not sure what you mean by the 'current engine and DAT files', can you explain?

Kind regards,
Ian
 
True, Benjamin spreads through Kazaa specifically; whereas other viruses can use Kazaa as a medium for spreading, Benjamin uses Kazaa as its main way of spreading. So if you use Kazaa, and especially if you have downloaded a file that has the words "full downloader" in the name, you most likely have Benjamin, or one of the porn dialer viruses. These "full downloader" files are very common on Kazaa and even Morpheus, and most if not all of them are viruses...
Here is info on Benjamin too:

W32/Benjamin.worm    Corporate User: Low-Profiled    Home User: Low-Profiled

Internet Worm Information
Discovery Date: 05/16/2002
Origin: Germany?
Length: varies
Type: Internet Worm
SubType: Win32
Minimum DAT: 4204
Release Date: 05/22/2002
Minimum Engine: 4.1.50
Description Added: 05/20/2002
Description Modified: 05/22/2002 11:30 AM (PT)

Internet Worm Characteristics:
This threat is considered a Low-Profiled risk as it is not wide-spread and has gotten media attention.
When this worm is run, it copies itself to %WINDIR%\SYSTEM\EXPLORER.SCR, where %WINDIR% is the directory Windows is installed in. Then it adds the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SystemService=%WINDIR%\SYSTEM\EXPLORER.SCR
To spread, the worm requires that the Kazaa software is installed on the machine. It creates a directory called %WINDIR%\TEMP\SYS32, and changes the Kazaa settings so that remote users can download from this directory. Then it copies itself to that directory under many different names which other users may search for. The size of these files can vary since the worm pads them with garbage bytes. This method of spreading is comparable to the VBS/GWV worm.

Symptoms
Presence of EXPLORER.SCR and registry key pointing to it.
Presence of %WINDIR%\TEMP\SYS32 and many files inside.

Method Of Infection
Since this worm offers itself over the Kazaa network under names that users may find tempting, users who are not infected may download and run the worm from infected machines, and thus spread the worm themselves.

Removal Instructions
All Users:
Use current engine and DAT files for detection and removal.
Additional Windows ME/XP removal considerations

Aliases
BackDoor-AEG
TROJ_FILLHDD.A (Trend)
Trojan.Filler (MkS_vir)
W32.Benjamin.Worm (NAV)
W32/Kazoa (Panda)
Win32.Worm.Benjamin.A (Softwin)
Win32/Benjamin.worm (RAV)
Win32/Kazaa.Benjamin worm (ESET)
Worm.Kazaa.Benjamin (AVP)


FatesWebb
 
nettinetti,
The DATs are the virus 'signatures' that your installed antivirus software uses to compare your files against to see if they are infected. You need to update these regularly (monthly at the absolute minimum, and I know people that update daily) or else the antivirus software will not recognize new viruses.
The engine is essentially the antivirus software itself; there will occasionally be patches or upgrades available that hopefully improve the scanner's effectiveness, or at least fix known bugs.
-Steve
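The engine-versus-DAT split Steve describes, as an added Python example (not code from the thread, from McAfee, or from any other vendor): the "DAT" is a table of byte patterns, the "engine" is the code that searches files for them. The signature patterns, the file contents and the file names below are constructed for illustration and are not real detection data; the padded copies mimic the "garbage bytes" padding mentioned in the Benjamin description, which is why the example also contrasts a pattern signature with a whole-file hash.

```python
"""Added example, not code from the thread: a toy signature scanner that
makes the 'engine' versus 'DAT' distinction concrete. All signatures, file
contents and file names are constructed; nothing here is real malware."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes      # byte string the engine looks for anywhere in a file


# The "DAT" part: signature tables. A stale table only knows the older threat.
OLD_DATS = (Signature("VBS/Neer", b"WinXP.dll .vbs"),)
NEW_DATS = OLD_DATS + (Signature("W32/Benjamin.worm", b"TEMP\\SYS32"),)


def scan(data: bytes, dats) -> list[str]:
    """The 'engine' part: report every signature whose pattern occurs in data."""
    return [s.name for s in dats if s.pattern in data]


# Constructed "files". The two Benjamin copies share a core but carry
# different amounts of padding, so their sizes and hashes differ.
BENJAMIN_CORE = b"MZ\x90\x00 ...copies itself to TEMP\\SYS32..."
FILES = {
    "neer.vbs": b'CopyFile "WinXP.dll .vbs"',
    "benjamin_a.exe": BENJAMIN_CORE + b"\xcc" * 1000,
    "benjamin_b.exe": BENJAMIN_CORE + b"\xcc" * 5000,
    "readme.txt": b"nothing to see here",
}


def scan_all(dats) -> dict[str, list[str]]:
    """Run the engine over every sample with the given DAT table."""
    return {name: scan(data, dats) for name, data in FILES.items()}


# An exact-hash "signature" for one known copy, for comparison.
HASH_DATS = {hashlib.sha256(FILES["benjamin_a.exe"]).hexdigest(): "W32/Benjamin.worm"}


def scan_by_hash(data: bytes, hash_dats=HASH_DATS) -> list[str]:
    """Whole-file hash matching: only a byte-identical file hits, so a
    padded copy of the same worm slips past."""
    digest = hashlib.sha256(data).hexdigest()
    return [hash_dats[digest]] if digest in hash_dats else []


if __name__ == "__main__":
    print("stale DATs:  ", scan_all(OLD_DATS))
    print("updated DATs:", scan_all(NEW_DATS))
    for name in ("benjamin_a.exe", "benjamin_b.exe"):
        print(f"hash match {name}:", scan_by_hash(FILES[name]))
```

With the stale table the padded Benjamin copies are not detected at all, which is the situation Ian is in with Norton "without the latest definitions"; with the updated table the pattern hits both copies, while the hash entry only hits the one copy it was made from. Engine updates matter for a different reason: new file formats, packers and unpacking logic live in the engine, not in the DAT.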
 
Hi, thanks again, but now I've checked out both definitions you gave they don't seem to apply. Anyway, I have more information that might help identify it:

PC Guard found a virus: windows/system/chktrust.exe -- I deleted this.

I also used a program called edit-wi to look at registry settings and found that where it was meant to just be run= and load=, it actually said run=hpfsched -- which I again deleted.

Now to a part I really don't understand; I used PC Guard's 'Netstat' utility, which took me to a readout where it should, I believe, normally contain a list of TCP and UDP entries under the headings 'active connections', 'proto local address', 'foreign address' and 'state'. All that was in the list were tens of empty entries that kept endlessly scrolling by. Obviously this is wrong, but how do I put it right?

All com ports are definitely disabled, something which isn't mentioned in any virus definition I've seen so far. Does the above ring any bells with anyone?

Kind regards,
Ian
 
"Now every time I boot up I get error messages saying that programs are causing errors and that my resources are dangerously low."

What are the errors? But it's probably the klez virus. Search here for klez and download and run their removal tool:

 
Hi again. Well, I've tried endless definitions and antidotes now and nothing I've done helps and nothing I've read so far is remotely like this 'virus'. Okay, so now I have no choice but to re-format I think - but will it actually get rid of the virus if it's somewhere in the registry?

The other thing I was wondering: I have a c and d drive - if I were to re-format the main c drive and re-install windows, could I avoid wiping the data off the D drive? Do I have to disconnect the D before I re-format to isolate it from the de-install prog'?

As far as I can tell the virus hasn't affected the D, so I *might* be safe from re-infection. What do you all think?

Regards,
Ian
 
The problem is that even though it "looks" like your D: drive is not affected, it might be hiding there in a hidden directory or someplace. You could try it but realize that you may have to format it, too. Another potential problem is that when you wipe out your registry, you lose info on the programs installed on the D: drive so you may have to re-install the programs anyway. :-(
James P. Cottingham

I am the Unknown lead by the Unknowing.
I have done so much with so little
for so long that they think I am now
qualified to do anything with nothing.
 
You can search the registry for the file that it is complaining about, and delete it from the Run or RunServices keys in there, and that will squash the error:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

The printer port looks like you might have to reinstall it. You can do that from the Device Manager, by just removing LPT1 and rebooting; you might also delete and reinstall your printer from Start > Settings > Printers.


FatesWebb
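The two posts above describe the same persistence mechanism (a value under HKLM\...\CurrentVersion\Run or RunServices pointing at the dropped file: "WinXP.dll .vbs" and "WinME.dll .vbs" for VBS/Neer, SYSTEM\EXPLORER.SCR for Benjamin), and FatesWebb's advice is to find that value and delete it. As an added Python example, not code from the thread or from any vendor, the block below works on a REGEDIT4 export of those two keys (what regedit on Windows 9x produces), flags the entries matching the indicators quoted in the thread, and writes a .reg fragment that deletes only the flagged values using the `"name"=-` syntax. The sample export, the two legitimate entries in it, the function names and the `suspect_files` parameter are constructed for the example; the key paths and file names come from the posts. It generalises slightly beyond the thread by also flagging the other Windows Script Host extensions, not just .vbs.

```python
"""Added example, not code from the thread: triage a REGEDIT4 export of the
Run/RunServices keys, flag the autostart entries described for VBS/Neer and
W32/Benjamin.worm, and emit a .reg fragment that removes them.
Sample export, helper names and the 'suspect_files' parameter are constructed."""
from __future__ import annotations
import re

# Constructed sample export: two legitimate values plus the three
# persistence values quoted in the thread. Backslashes are doubled, as
# regedit writes them.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"start win dlls"="C:\\WINDOWS\\SYSTEM\\WinXP.dll .vbs"
"SystemService"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"load icons"="C:\\WINDOWS\\WinME.dll .vbs"
'''

AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# Windows Script Host extensions (generalises the thread's .vbs indicator)
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def _escape(s: str) -> str:
    return re.sub(r'(["\\])', r"\\\1", s)


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Return {key path: {value name: string data}} for every key in the export."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def flag_autostart(keys, suspect_files=()):
    """Flag Run/RunServices values matching the indicators from the thread,
    plus any file name the startup error itself complains about."""
    flagged = []
    for key in AUTOSTART_KEYS:
        for name, data in keys.get(key, {}).items():
            target = data.strip().lower()
            reasons = []
            if target.endswith(SCRIPT_EXTS):
                reasons.append("launches a Windows Script Host file")
            if re.search(r"\.\w+ \.\w+$", target):
                reasons.append("double extension with a space (VBS/Neer style)")
            if target.endswith(r"\system\explorer.scr"):
                reasons.append("EXPLORER.SCR in the SYSTEM directory (W32/Benjamin.worm)")
            if any(target.endswith(s.lower()) for s in suspect_files):
                reasons.append("matches the file named in the startup error")
            if reasons:
                flagged.append((key, name, data, "; ".join(reasons)))
    return flagged


def removal_reg(flagged) -> str:
    """Build a .reg file that deletes each flagged value ("name"=- syntax)
    and leaves every other value in the key untouched."""
    by_key: dict[str, list[str]] = {}
    for key, name, _data, _why in flagged:
        by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{_escape(n)}"=-' for n in names)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    hits = flag_autostart(parse_reg(SAMPLE_REG))
    for key, name, data, why in hits:
        print(f"{key.rsplit(chr(92), 1)[1]}: {name!r} -> {data!r}  [{why}]")
    print(removal_reg(hits))
```

Review the flagged list before merging the generated .reg file: the check is an indicator match, not proof, and a legitimate entry that happens to launch a script would be removed too. Deleting the value stops the file loading at boot; the dropped files themselves (the VBS copies in SYSTEM, EXPLORER.SCR, the TEMP\SYS32 share directory) still have to be removed after the reboot, as the McAfee instructions above say.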
 
Hmmmm...thanks a lot to both of you for this. I'll give it a shot and let you know what occurs! Things can't get much worse...can they...:)?

kind regards,
Ian
 
1. As I've asked once and won't ask again, what are the errors???

2. Did you run the klez removal tool and did it find the klez virus?

3. What all is checked under the startup tab in msconfig? (click start--run--type msconfig--ok) Is there an entry showing a wink.xxx file where xxx are random letters?

4. what operating system do you have?
 
1. As I've asked once and won't ask again, what are the errors???

The errors happened on normal bootup and were so varied it was impossible and pointless to write them all down. Simply any software that tried to load would cause a system error message with a memory location. These locations and errors changed daily. After about five actions (either me or the computer trying to launch a prog) the error messages would lock up the system. But, as I said before you sent this message, I decided to reformat my C drive (not the D) and everything is fine now, with no recurrences.

2. Did you run the klez removal tool and did it find the klez virus?

Yes I ran it, but it found nothing.

3. What all is checked under the startup tab in msconfig? (click start--run--type msconfig--ok) Is there an entry showing a wink.xxx file where xxx are random letters?

No wink.xxx files were found.

4. what operating system do you have?

Win 95. I checked and ran about a dozen fixes and read tens of virus/worm definitions, but none of them gave the effects or created the files that the definitions stated. I suppose it must have been a new version, but hopefully it should be gone now...

Regards,
Ian
 