Re: I ran the exe file !!!!
From: LuckyStrike (LS_at_smokedamagedfurniture.youcandriveitawaytoday.com)
Date: 10/09/03
- In reply to: steve: "I ran the exe file !!!!"
Date: Wed, 8 Oct 2003 20:55:31 -0600
Steve,
Unless you are running ME or XP it won't be possible to restore back to a
point before the virus infection. If it's been executed, and if you've
deleted files it is probably too late. You must get rid of the worm/virus.
IE6 helps for some things but you must apply the updates to it as well, and
from reliable sources only, otherwise there is no difference.
After removing it, NEVER run a file purporting to be a patch, update or
otherwise from an email, or newsgroup spam message source again. These are
only genuine if obtained from MS Windows Updates or other reputable sources.
For the moment you should simply stick with MS Windows Updates. Then you
should update with any needed patches from MS to prevent any kind of
re-infection.
You should also get the latest definitions for your AntiVirus Program,
update them regularly, and run the AV program.
The worm/virus has proven difficult to remove in some cases. Armed with
this, move onto your next project which lies before you with the info below.
Read well, and follow the instructions. Do not be hasty.
What You Should Know About the Swen Worm
http://www.microsoft.com/security/antivirus/swen.asp
F-Secure Virus Descriptions : Swen -detection- disinfection
http://www.europe.f-secure.com/v-descs/swen.shtml
How to Remove Swen.A worm virus
http://www.pchell.com/virus/swen.shtml
W32.Swen.A (at) mm
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
W32.Swen.A mm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.removal.tool.html
MS Windows Updates
http://v4.windowsupdate.microsoft.com/en/default.asp
Follow these steps in removing the Swen.A worm.
1) Terminate the running program
Open the Windows Task Manager by either pressing CTRL+ALT+DEL on Win9x
machines or CTL+Shift+Tab and clicking on the Processes tab on WinNT/2000/XP
machines.
Locate the following worm, click on it and End Task or End Process
The worm will be a randomly named file. As an alternative, sort the list by
the user and End task on each program running under the local user except
for Explorer and Systray
Close Task Manager
2) Reactivate the Registry and Reassociate files.
The worm disables the registry by adding the following value to it
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
Because of this, you will be unable to open REGEDIT to fix the problems. If
you have Windows ME or Windows XP, you could run the System Restore
procedure and choose a date previous to the virus infection. Although as an
alternative, I have created a Visual Basic Script (.vbs) file that changes
the above registry value and fixes the file association problems caused by
the swen worm.
You can download the vbs file by clicking here. This is a Visual Basic
Scripting file, so you'll have to have the Windows Scripting Host installed.
You can download the following file to disable or reenable the Windows
Scripting Host.
noscript.exe
3) Download and run the Symantec Swen.A virus removal tool to
Terminate the W32.Swen.A@mm viral processes completely
Delete the W32.Swen.A@mm files.
Delete the dropped files for Kazaa, IRC and newsgroup propagation.
Delete the registry values that the worm added.
Special Note for Windows ME and Windows XP:
If the removal tool shows the files cannot be removed because they are in
the backed up RESTORE folder, then you'll have to:
Turn off System Restore
Reboot in Safe Mode
and run the removal tool again
4) Download the Security Patch for this exploit
The virus uses an old Microsoft Internet Vulnerability known as the
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment Exploit.
Some of the infected email messages that the worm sends contain this
vulnerability and can cause the worm attachment to execute automatically
upon preview of the infected email. More information on this vulnerability
can be found at:
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment Exploit
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
5) Reboot the computer, update your antivirus software, and run a thorough
virus scan using your favorite antivirus program.
--
LuckyStrike
LS@smokedamagedfurniture.youcandriveitawaytoday.com
-------------------------------------------------------------------------
"steve" <steve.zeitler@rogers.com> wrote in message
news:06f101c38e05$12fae8c0$a301280a@phx.gbl...
> This hoax Microsoft email got me.
> So far just some memory errors.
> I am running IE 6.0, does that help??
> What to do to get rid of what ever this
> has done?? Restore to past point??
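Added example, not part of the original post or of any tool it links to: a small Python check that reads the text of a .reg export and reports whether the DisableRegistryTools policy value from step 2 is set. The function names and both sample exports are constructed for illustration; how the export is obtained, and decoding it to text, are left to the caller.

```python
import re

# Key and value named in step 2 of the post above.
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
VALUE_NAME = "DisableRegistryTools"

# Constructed samples in REGEDIT4 (ANSI) export format; not captured from a real machine.
SAMPLE_LOCKED = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''
SAMPLE_CLEAN = SAMPLE_LOCKED.replace("dword:00000001", "dword:00000000")


def parse_reg_export(text):
    """Map lower-cased key path -> {lower-cased value name: raw data string}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join continued hex: lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            # "[-KEY]" means "delete this key" in a .reg file, so it sets nothing.
            current = None if path.startswith("-") else keys.setdefault(path.lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys


def registry_tools_disabled(text):
    """True when the export sets DisableRegistryTools to a non-zero dword."""
    raw = parse_reg_export(text).get(POLICY_KEY.lower(), {}).get(VALUE_NAME.lower(), "")
    if not raw.lower().startswith("dword:"):
        return False
    try:
        return int(raw[6:], 16) != 0
    except ValueError:
        return False  # malformed data: treat as not set rather than guess


if __name__ == "__main__":
    for name, sample in (("locked", SAMPLE_LOCKED), ("clean", SAMPLE_CLEAN)):
        print(name, registry_tools_disabled(sample))
```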