Re: w32.jeefo!!!
From: cquirke (MVP Windows shell/user) (cquirkenews_at_nospam.mvps.org)
Date: 06/26/05
- Previous message: David H. Lipman: "Re: w32.jeefo!!!"
- In reply to: Abhishek: "w32.jeefo!!!"
Date: Sun, 26 Jun 2005 18:42:58 +0200
On Sun, 26 Jun 2005 09:18:03 +0530, "Abhishek"
<abhishek_442@hotmail.com> wrote:
>Hi all out there. My name is Abhishek. There is a virus in my system called
>w32.jeefo, but my antivirus was not able to clean the file, though it has
>been quarantined. I updated my antivirus too, but it also could not do it for
>me.
Could not update? That suggests active malware has clobbered it.
Jeefo.A or Jeefo.B?
Jeefo.A I'm well familiar with - it's a toughie, because it has a
face-hugger effect making it difficult to clean from outside the OS.
http://www.sophos.com/virusinfo/analyses/w32jeefoa.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.jeefo.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100277
My general approach is to first detect and rename-away from outside
the OS, then (having deactivated it, so that it is not running in
Windows) I F8 into Safe Mode (Cmd Only, if NT/2000/XP) and then from
there, I run the free Jeefo killer from www.sophos.com i.e...
http://www.sophos.com/support/disinfection/jeefoa.html
If NTFS, then I can't do the first step, and it can get hairy, even
when using the Jeefo killer from Bart's... from a log of such:
<paste>
Trend's PC-cillin missed this, and Trend SysClean detects but cannot
clean it (it's a face-hugger, i.e. creates dependencies)
Cleaned using Sophos JeefoGUI (run off CDR), finds active plus 128
infected or dropped files, incl. newly-added AdAware etc.
Repeat scan finds Creative's CTWAV32.EXE still infected, cannot clean
or delete as "in use"
Bart boot from CDRW drive, run JeefoGUI from other CD drive… finds 317
infected files (esp. in SR data), fixes 289
Bart JeefoGUI repeat scan…can't clean CTWAV32.EXE, scan gets very slow
thereafter
Bart Cmd can't delete CTWAV32.EXE either as it is "in use" -> button
reset to restart Bart
Bart Cmd Ren "C:\Program Files\Creative\CTSnd\Program\CTWav32.exe"
CTWAV32.VXE - OK
Bart Cmd Ren "C:\Program Files\Creative\CTSnd\Program\CTWav32.exe"
CTWAV32.VXE - not found (as expected)
Bart JeefoGUI repeat scan finds several Jeefo in SR data, cannot clean
all, runs briskly though; finds 32, fixes 27
Bart JeefoGUI repeat scan finds several Jeefo in SR data, cannot
clean, still running briskly, finds 5, fixes 0
Bart Cmd Rd "C:\System Volume Information" /S /Q fails to delete
exactly 5 files as "in use" -> button reset to restart Bart
Bart Cmd Rd "C:\System Volume Information" /S /Q - OK
Bart Cmd Rd "C:\System Volume Information" /S /Q - not found (as
expected)
Bart JeefoGUI repeat scan finds nil - OK
Bart-booted SysClean likely missed Jeefo due to inability to "see" HD
installation's registry
This is a good example of why we need a proper maintenance OS for
NTFS.
Check scan of USB stick contents is OK
Note: Jeefo.A spreads via email, or via infected code files (hence
avoid infectable code in data and backup sets)
</paste>
>I use NAV 2003. Please suggest what I should do. Thanks for your help in
>advance.
If it's active, then one might want to approach this formally. Many
malware kill resident av, and even if Jeefo doesn't (I haven't re-read
the descs to see), others may. Jeefo's not new, so if the av missed
it, it's not up to much... OTOH, maybe it didn't miss it, and caught
it at the primary entrance. The incoming Jeefo attackment will be
100% malware, so there's nothing to "clean" (stupid dated terminology).
-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
----------------------- ------ ---- --- -- - - - -