Re: Email virus with .SCR attachement, take-2.

Subject: Re: Email virus with .SCR attachement, take-2.
From: L* C*
Date: Wed, 05 Dec 2001 08:39:47 -0600
Content-disposition: inline
List-archive: <http://www.hort.net/lists/pumpkins/> (Web Archive)

Hello everybody. 
 
NOTE: This is a HTML email. Select View and then HTML.

Please do not open emails with .SCR files as attachments. 

The current big virus out there is Goner.scr or Pentagoner.scr 

Please see the following 

W32/Goner@MM Help CenterDescription - What virus is this?This is a HIGH
RISK virus that spread via Microsoft Outlook and can be spread via ICQ.
This is a mass mailing worm that attempts to send itself to all entries
in the Outlook Address book. The virus will arrive with the following
email message: 
Subject: Hi 
Body: 
How are you ? 
When I saw this screen saver, I immediately thought about you 
I am in a harry, I promise you will love it! 
Attachment: GONE.SCR 
Running this attachment infects the local system. 

When run, the worm displays a message box entitled, "About" 
 
After a short time another windows entitled "Error" is displayed: 
Payload - What can this virus do?If you run the attachment, the worm
copies itself into SYSTEM in the %WinDir% folder and adds the following
registry key in order to get started upon boot: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run\C:\%WINDIR%\SYSTEM\gone.scr=C:\%WINDIR%\SYSTEM\gone.scr 
The worm also attempts to delete the following files: 
APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallICON.EXE
FRW.EXE
VSHWIN32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXEDETECTION AND REMOVAL 
- How can I detect and remove this virus? McAfee.com VirusScan and
Clinic users, 
 click here to update ActiveShield. Retail McAfee VirusScan users, 
 click here to get the Extra DAT. <!-- click hereScan Your System for
Infected Files McAfee.com VirusScan Online and Clinic users, click here
to perform a Scan. If W32/Goner@mm is found, use the delete option to
remove it. Manual Removal Instructions
WINDOWS 95/98/ME 
Restart Windows in Safe Mode (reboot your computer, just before the
large WINDOWS startup screen comes up, hit the F5 key). You can
recognize that you're in Safe Mode by the text Safe Mode in the 4
corners of the desktop.
Click START | FIND | Files or Folders ... 
Type Gone.scr and hit ENTER 
Delete GONE.SCR (if present) 
Click START | RUN, type REGEDIT and hit ENTER 
Click the (+) next to HKEY_LOCAL_MACHINE 
Click the (+) next to SOFTWARE 
Click the (+) next to MICROSOFT 
Click the (+) next to WINDOWS 
Click the (+) next to CURRENTVERSION 
Click RUN 
Click on C:\WINDOWS\SYSTEM\gone.scr on the right and hit DELETE on the
keyboard 
Restart the computer 
Additional Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files
automatically to the C:\_Restore folder. This means that an infected
file could be stored there as a backup file, and VirusScan will be
unable to delete these files. These instructions explain how to remove
the infected files from the C:\_Restore folder. 
Disabling the Restore Utility 
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse
the file's located in the C:\_Restore folder and remove the file's.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5
remove the check mark next to "Disable System Restore". The infected
file's are removed and the System Restore is once again active. 
Rene Kokenberg 
IT Manager 
Apotex Fermentation Inc. 
(204-989-6721) 

---------------------------------------------------------------------
Pumpkin-growing FAQ: http://www.hort.net/lists/pumpkins/search.cgi
To sign-off this list, send email to majordomo@mallorn.com with the
message text UNSUBSCRIBE PUMPKINS

Prev by Date: Re: Solo Mist Blower
Next by Date: wanted: 712 kuhn.....
Previous by thread: Solo Mist Blower
Next by thread: wanted: 712 kuhn.....

Other Mailing lists | Author Index | Date Index | Subject Index | Thread Index