Re: New virus worm alert ....

From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 05/27/05


Date: Fri, 27 May 2005 08:26:40 -0400

From: "Raiye" <raiye.beresford@remove.this.ntlworld.com>

| This is a report processed by VirusTotal on 05/27/2005 at 13:58:11 (CET)
| after scanning the file "File.zip" file.
|
| Antivirus    Version         Update      Result
| AntiVir      6.30.0.15       05.27.2005  no virus found
| AVG          718             05.27.2005  no virus found
| Avira        6.30.0.15       05.27.2005  no virus found
| BitDefender  7.0             05.27.2005  Win32.Dod.A@mm
| ClamAV       devel-20050501  05.27.2005  no virus found
| DrWeb        4.32b           05.27.2005  no virus found
| eTrust-Iris  7.1.194.0       05.26.2005  Win32/Mugly.M!Worm
| eTrust-Vet   11.9.1.0        05.27.2005  Win32.Mugly.L!ZIP
| Fortinet     2.27.0.0        05.27.2005  W32/Mugly.M-mm
| Ikarus       2.32            05.27.2005  no virus found
| Kaspersky    4.0.2.24        05.27.2005  Email-Worm.Win32.Wurmark.l
| McAfee       4500            05.26.2005  W32/Mugly.m@MM
| NOD32v2      1.1110          05.27.2005  Win32/Wurmark.L
| Norman       5.70.10         05.23.2005  no virus found
| Panda        8.02.00         05.27.2005  W32/Mugly.M.worm
| Sybari       7.5.1314        05.27.2005  no virus found
| Symantec     8.0             05.27.2005  W32.Picrate.C@mm
| VBA32        3.10.3          05.27.2005  Email-Worm.Win32.Wurmark.l
|

Well there 'ya go. It is the W32/Mugly worm .M variant.
http://vil.nai.com/vil/content/v_130470.htm
http://vil.nai.com/vil/content/v_131359.htm

The worm is not new, the .M variant may be.

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare }, three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files.

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shutdown as many applications as possible !
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.

* * * Please report back your results * * *

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
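
The quoted VirusTotal report names one sample four different ways, so the sketch below parses its rows and groups the vendor names by family token to show which engines agree. It is an added example, not part of the original post or of any VirusTotal tooling; the `NOISE` tag list and the `family` heuristic are assumptions made for this report's naming styles.

```python
import re
from collections import defaultdict

# Rows copied from the VirusTotal report quoted in the post above.
REPORT = """\
| AntiVir 6.30.0.15 05.27.2005 no virus found
| AVG 718 05.27.2005 no virus found
| Avira 6.30.0.15 05.27.2005 no virus found
| BitDefender 7.0 05.27.2005 Win32.Dod.A@mm
| ClamAV devel-20050501 05.27.2005 no virus found
| DrWeb 4.32b 05.27.2005 no virus found
| eTrust-Iris 7.1.194.0 05.26.2005 Win32/Mugly.M!Worm
| eTrust-Vet 11.9.1.0 05.27.2005 Win32.Mugly.L!ZIP
| Fortinet 2.27.0.0 05.27.2005 W32/Mugly.M-mm
| Ikarus 2.32 05.27.2005 no virus found
| Kaspersky 4.0.2.24 05.27.2005 Email-Worm.Win32.Wurmark.l
| McAfee 4500 05.26.2005 W32/Mugly.m@MM
| NOD32v2 1.1110 05.27.2005 Win32/Wurmark.L
| Norman 5.70.10 05.23.2005 no virus found
| Panda 8.02.00 05.27.2005 W32/Mugly.M.worm
| Sybari 7.5.1314 05.27.2005 no virus found
| Symantec 8.0 05.27.2005 W32.Picrate.C@mm
| VBA32 3.10.3 05.27.2005 Email-Worm.Win32.Wurmark.l
"""

ROW = re.compile(r"^\|?\s*(\S+)\s+\S+\s+\d{2}\.\d{2}\.\d{4}\s+(.+?)\s*$")
NOISE = {"win32", "w32", "email", "worm", "mm", "zip"}  # assumed platform/type tags

def parse(report):
    """Return (engine, result) per row; result is None when nothing was found."""
    hits = (ROW.match(line) for line in report.splitlines())
    return [(m[1], None if m[2] == "no virus found" else m[2]) for m in hits if m]

def family(name):
    """Heuristic: first token that is neither a noise tag nor a one-letter variant."""
    for tok in re.split(r"[./!@-]", name):
        if len(tok) > 1 and tok.lower() not in NOISE:
            return tok
    return name

def by_family(rows):
    """Map each family token to the engines that reported it."""
    out = defaultdict(list)
    for eng, res in (r for r in rows if r[1]):
        out[family(res)].append(eng)
    return dict(out)

if __name__ == "__main__":
    rows = parse(REPORT)
    print(by_family(rows), f"{sum(1 for r in rows if r[1])}/{len(rows)} engines flagged")
```

Five of the ten detecting engines use the Mugly name, and the other five report it as Wurmark, Picrate or Dod.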

