Re: W32.Spybot.Worm
anonymous_at_discussions.microsoft.com
Date: 01/28/04
- Next message: phil: "Redlof.A virus,"
- Previous message: anonymous_at_discussions.microsoft.com: "Re: W32.Novarg.A@mm help"
- In reply to: David H. Lipman: "Re: W32.Spybot.Worm"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 28 Jan 2004 03:39:06 -0800
Hi David,
Thank you very much for your help!
Unfortunately, the boot disk solution did not work.
However, I was able to rename the _Restore folder by
simply opening the MS-DOS prompt. I then deleted the
RESTORE.OLD folder as per your instructions.
This was not the end of the issue, however...upon
restarting, I would get the same warning from NAV about
detecting W32.Spybot.Worm.
So, I decided to do some research, and came upon this page:
http://www.net-integration.net/zeroscripts/spybot.html
It suggests unplugging all internet connections (I am on
cable) for a few minutes, reconnecting, then rebooting.
Well, imagine my surprise when I disconnected/reconnected,
and had no virus warning on restart! But it didn't end
there....I then had to perform a free virus scan at
Trend Micro in order to identify the name and location of
the infected files.
What I discovered thereafter is very interesting:
Trend Micro detected 7 infected files. The virus is
DUMARU.Z, and not W32.Spybot.Worm. I found out that, at
this time NAV only DETECTS Dumaru as Spybot (which is
probably why I had trouble removing it with your solution).
Two of the 7 infected files were called BKDR.IROFFER12.B
and ADW.RULEDOR.C. Interestingly enough, these aren't
listed anywhere in the sarc.com database! They are malware
and adware respectively. The malware is downloaded
by DUMARU when it infects a computer. The adware was
something downloaded and installed without
my consent (probably a popup in some sp*m message I
received), which really burns my ***!
=================================
4 DUMARU FILES TO WATCH OUT FOR
=================================
l32x.exe (in C:\Windows\System)
vxd32v.exe (in C:\Windows\System)
dllxw.exe (in C:\Windows\StartMenu\Programs\StartUp, of
all places!)
scvhosts.exe (in C:\Windows\System)
=================================
2 ADWARE FILES TO WATCH OUT FOR
=================================
aaaPO26.exe (in C:\Windows\ClearSearch)
nvidia32.exe (in C:\Windows\)
Loader.exe (in C:\Windows\ClearSearch)
=================================
The DUMARU files act in concert to obtain and send
confidential information to an anonymous IRC server. They
log your keystrokes, know which sites you visit, and get
god only knows what other kind of personal info. This is a
doozy!
I would advise anyone to *be careful of what files you
allow Norton Personal Firewall to bypass!* I remember (a
couple of days before getting the virus) allowing
NPF to allow internet access to certain .exe programs. The
only reason I allowed access was because, when attempting
to manually block the connection, NPF would say "denying
access can stop your programs from working properly" or
something to that effect.
More advice: if you know your computer is infected,
refrain from logging into email, bank, messenger and
similar accounts until you are sure your PC is clean.
Also, it was kind of interesting to note that I didn't
receive any "IP address 123.xx.xxx blocked for 30 minutes"
alerts before disconnecting my internet!
To conclude this novel, I'm not sure how safe I feel with
Norton running, and may decide to switch AV programs very
shortly. However, I still maintain that sarc.com is THE
best source of info when it comes to reading about and
removing viruses...you really can learn a lot!
Here are some links I discovered on my travels - hope they
help someone:
More info on DUMARU can be found at:
http://sarc.com/avcenter/venc/data/w32.dumaru.z@mm.html
More info on ADW.RULEDOR can be found at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?
VName=ADW_RULEDOR.C
More info on IROFFER can be found at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?
VName=BKDR_IROFFER12.B
Free Trend Micro Online Virus Scan:
http://housecall.trendmicro.com/housecall/start_corp.asp
Removal of these infections involves editing the registry,
ending processes in the Task Manager, and editing the
sys.ini file. But with a little time, luck and patience,
it's possible ;) I am now clean....knock on wood!
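The file names the post lists, and the system.ini edit it mentions, turned into a small triage script. This is an added example, not code from the poster or from any of the vendor pages linked above: it matches a file listing against the paths quoted in the post, flags anything sitting in a Programs\StartUp folder (the post's point that dllxw.exe turned up there), and parses INI text for the classic Win9x startup keys. Assumptions: the post's "sys.ini" is taken to mean system.ini and its [boot] shell= line; the win.ini load=/run= keys are included for completeness and are not mentioned in the post; the sample file listing and INI text are constructed for the example.

```python
"""Added triage example (not part of the original post): check a file
inventory and INI startup lines against the file names the post lists.
All sample data below is constructed for the example."""
import os
import re

# File names and folders quoted from the post, keyed by normalized path.
# Win9x layout exactly as the poster wrote it (note the poster's "StartMenu").
INDICATORS = {
    r"c:\windows\system\l32x.exe": "DUMARU",
    r"c:\windows\system\vxd32v.exe": "DUMARU",
    r"c:\windows\startmenu\programs\startup\dllxw.exe": "DUMARU",
    r"c:\windows\system\scvhosts.exe": "DUMARU",
    r"c:\windows\clearsearch\aaapo26.exe": "ADWARE",
    r"c:\windows\nvidia32.exe": "ADWARE",
    r"c:\windows\clearsearch\loader.exe": "ADWARE",
}

# Classic Win9x INI startup keys and their clean values. Assumption: the
# post's "sys.ini" means system.ini, whose [boot] shell= line is the one
# that matters; win.ini load=/run= are added here for completeness.
INI_STARTUP_KEYS = {
    ("boot", "shell"): "explorer.exe",
    ("windows", "load"): "",
    ("windows", "run"): "",
}


def normalize(path):
    """Lower-case and use backslashes so case or slash style cannot hide a match."""
    return path.replace("/", "\\").lower().rstrip("\\")


def match_indicators(paths):
    """Return [(original_path, family)] for every path that matches a listed file."""
    hits = []
    for p in paths:
        family = INDICATORS.get(normalize(p))
        if family:
            hits.append((p, family))
    return hits


def startup_items(paths):
    """Return every file in a Programs\\StartUp folder; anything there runs at
    logon and deserves a look even when its name is not on the list."""
    return [p for p in paths
            if normalize(p).rsplit("\\", 1)[0].endswith("\\programs\\startup")]


def suspicious_ini_entries(text):
    """Parse INI text and return [(section, key, value)] for startup keys whose
    value is not the clean default, e.g. a shell= line with an extra program."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        default = INI_STARTUP_KEYS.get((section, key))
        if default is not None and value.lower() != default:
            findings.append((section, key, value))
    return findings


def inventory(root):
    """Walk a real tree (a mounted image or the live disk) and return its file paths."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]


# Constructed sample data: a partial file listing and a system.ini whose
# shell= line launches an extra executable alongside explorer.exe.
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM\l32x.exe",
    r"C:\Windows\System\kernel32.dll",
    r"C:\Windows\StartMenu\Programs\StartUp\dllxw.exe",
    r"C:\Windows\nvidia32.exe",
    r"C:\Windows\notepad.exe",
]
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe C:\\Windows\\System\\vxd32v.exe
[386Enh]
device=vmm32.vxd
"""

if __name__ == "__main__":
    for path, family in match_indicators(SAMPLE_PATHS):
        print(f"{family}: {path}")
    for path in startup_items(SAMPLE_PATHS):
        print(f"STARTUP FOLDER: {path}")
    for section, key, value in suspicious_ini_entries(SAMPLE_SYSTEM_INI):
        print(f"INI [{section}] {key}={value}")
```

To run it against a real disk, feed `inventory(r"C:\Windows")` to `match_indicators` and `startup_items`, and the contents of system.ini and win.ini to `suspicious_ini_entries`; a match is a reason to consult the vendor write-ups linked in the post, not proof by itself, since an adware family can legitimately reuse a folder name.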