Virus


nsu
27-11-2001, 09:26 AM
I am surprised to receive so many copies of a virus through email from some of the forum members since last night. This virus/worm is always about 28.3KB and has a ".pif" or ".scr" extension. It is about a 533-line base64-encoded attachment.

If you are going to download any attachment from any forums, please make sure you have some sort of virus protection or know what you are doing.

sonyfier
27-11-2001, 07:31 PM
I got the damn thing last night; it makes an interesting, if frustrating, story to relate.

I had just concluded a transaction with someone over an auction and received an email from the guy telling me that he had deposited the amount in my bank account. Within another 30 seconds I got another email from what appeared to be the same email address, so I went to the message: it had no message but had attachments, one text file of 0k and one file called pics.docs.scr. Usually I wouldn't touch something like this, but I thought it might be relevant to the transaction I had just completed.

Anyway, stupid me :mad: double clicked the file after saving it to the documents folder and the file disappeared. I knew then that something was weird. My next bit of stupidity was that I didn't have my virus software installed... no excuse for that, and that I allowed my firewall to give a file, kernel32.exe, access to the net. It was late, the file sounded like part of Windows and I didn't think much of it until I started getting some more emails advising of virus alerts and failed delivery of email.

Now confirmed I had a virus, I clicked the link in one of the virus alert emails to find information on what I had, which eventually I found was Worm_Badtrans.B. I then went to an online virus scan site and the stupid program found nothing after doing a scan.

Anyway, I visited several sites and got info on the worm and how to remove it.

This is what is recommended you do:

Find and delete a file in your system folder called cp_25389.nls

Click Start > Run, type regedit, and in your registry go to HKEY_LOCAL_MACHINE>software>Microsoft>Windows>CurrentVersion>Runonce; there will be a registry value kernel32.exe. You are supposed to delete this key and then rescan your system with virus software (now installed), and it will find 2 files called kernel32.exe and kdll.dll. Your virus software is supposed to be able to delete them or quarantine them, except it can't move them.
:mad:

None of the information I found from several virus software sites worked, and it is incorrect... I could go back to the registry and the deleted key would be back there again, and also the .nls file would be recreated. Also you could NOT go to the Windows system folder and manually delete the files, as Windows has them in use and will not let you; this is why virus software couldn't do anything with them.

After many frustrating attempts, and without thanks to useless virus software or advice, this is how I got rid of it......

I use Windows ME, which of course has no access to DOS, so using a Windows 98 startup disc reboot your computer into true DOS from the floppy. Then from the A:\ prompt go to the C:\ prompt, type CD windows to go to the Windows directory, and once there type CD system to go to the system directory. Then type del kernel32.exe and do the same again for the other file: del kdll.dll
Reboot the computer into Windows and then delete the .nls file and the registry key as outlined before. The worm is now gone.:)

What virus software was I using? PC-cillin, and it couldn't do anything.

:mad:
Hope this helps others. :)

Forgot to mention what this worm actually does:

It goes through your address book and the temp internet cache folder and harvests email addresses. It then sends out email to all the addresses it finds, from what appears to be your email address, but it isn't: it actually has an underscore in front of it (_).

This is how the virus was delivered to me by a person and an address I thought I knew; the underscore is NOT obvious.
Thus the worm gets sent out and spreads, and it can even come back to you if the email goes to someone that was in your address book and that person in turn has you in theirs.

If you have a firewall then block access to kernel32.exe to stop email from this worm going out.

The reason you cannot delete the registry key and the .nls file first is because kernel32.exe and kdll.dll are constantly running and have checks to see if they exist... if they don't, then it recreates them before your eyes. In fact, in my early attempts to delete the reg key I would delete the key and then do a search for any more examples of it, and it would find the same key again in the same place.
Why some people use their brilliance to cause anarchy and such is beyond me.
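Added example, not from any of the posts: a Python triage of one incoming message for the signs nsu and sonyfier describe (a ".pif"/".scr" attachment, a sender that is a known contact with "_" prepended, and a document-looking name such as pics.docs.scr hiding an executable extension). The sample messages and the contacts list are constructed here; nothing is fetched from a mailbox.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SUSPECT_EXTENSIONS = (".pif", ".scr")  # the extensions named in the thread


def triage(raw: bytes, known_contacts: set[str]) -> list[str]:
    """Return findings for one raw RFC 822 message (empty list if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    local, _, domain = sender.partition("@")
    # The worm mails from a harvested address with "_" prepended to the local part.
    if local.startswith("_"):
        if f"{local[1:]}@{domain}" in known_contacts:
            findings.append(f"sender {sender} is a known contact with '_' prepended")
        else:
            findings.append(f"sender local part starts with '_': {sender}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(SUSPECT_EXTENSIONS):
            size = len(part.get_payload(decode=True) or b"")
            findings.append(f"executable attachment {name} ({size} bytes)")
            if name.count(".") > 1:  # pics.docs.scr: document name, executable extension
                findings.append(f"double extension disguises {name} as a document")
    return findings


def build_sample(sender: str, filename: str) -> bytes:
    """Constructed sample message (not a real capture) with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "me@example.com"  # placeholder recipient
    msg["Subject"] = "Re: payment"
    msg.set_content("(no text)")
    msg.add_attachment(b"MZ" + b"\x00" * 1022, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    contacts = {"buyer@example.com"}  # constructed address book
    for args in (("_buyer@example.com", "pics.docs.scr"),
                 ("buyer@example.com", "receipt.txt")):
        print(args[0], triage(build_sample(*args), contacts) or ["clean"])
```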

nsu
27-11-2001, 09:05 PM
Looks like Outlook Express is always the culprit. There have been so many viruses spread by it. I suggest using some other email software instead. It is really not worth it. Although most people know not to click on the attachment, judging by the number of emails containing this virus I have received since last night, that is not the case.:(

I am using a free (perhaps the only true free virus software at the moment) anti-virus software downloaded from: http://www.grisoft.com/html/us_index.html

It does email checking as well, including incoming and outgoing emails. The only drawback is the virus definition database is not updated as often as some of the commercial ones. It does not bother me as much, as I am a very light user when it comes to downloading stuff (not much other than new Linux releases:)). Also I have never used Outlook Express, not even once! That would have saved me a lot of trouble.

sonyfier
27-11-2001, 10:08 PM
It was definitely my fault in that I clicked the file, but in the way I received this I believed it genuinely had something to do with the transaction that had just been done and the guy providing some receipt or something.
This particular worm doesn't need you to click the file if you are in Outlook Express for it to actually work; it will execute anyway through a security flaw that Microsoft have issued a patch for. All you need do is go to that arrived message and it's too late.

If you were to click the attachment from another email program you would still get the worm, but you would have to click the file.

There is so much misinformation about this worm at the moment, including from the antivirus companies, who are all contradicting themselves over the procedure to remove it. Reading some of the fixes I have had to laugh, as it appears it is too early for them to totally have a fix yet, especially one that their software undertakes. It seems this particular worm version has only been in existence a few days, so an immediate pattern file update is needed to detect it properly.

Oh well, we live and learn. I've been into computers for many years and this has been the first time infected, so I have been lucky, but my complacency finally caught up with me.

MeanDean
26-02-2008, 08:39 AM
Things have been sort of slow on the boards:

Bump :|

montyb8
26-02-2008, 09:51 AM
http://www.grisoft.com/html/us_index.html


Link doesn't work for me :cry:

Randy
26-02-2008, 10:07 AM
Link doesn't work for me :cry:

May have a little something to do with the fact that the post is 7 years old.

AVG (http://www.download.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html?tag=lst-2) seems to be the best free anti virus software out there ATM.

montyb8
26-02-2008, 10:10 AM
May have a little something to do with the fact that the post is 7 years old.


AVG (http://www.download.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html?tag=lst-2) seems to be the best free anti virus software out there ATM.


Yep, that'll do it.:o


******runs & hides in embarrassment:o:o******


Thanks for playing ;)

jokiin
26-02-2008, 10:10 AM
May have a little something to do with the fact that the post is 7 years old.


Funny that:p

Randy
26-02-2008, 10:10 AM
Yep, that'll do it.:o


******runs & hides in embarrassment:o:o******


Thanks for playing ;);) .

MeanDean
26-02-2008, 11:01 AM
Oh wow, this actually reminds me, because last time the antivirus said it had been 300+ days, or something really long, since a scan. I have to do all that Windows maintenance stuff on my wife's computer today before I forget.

Las
26-02-2008, 12:55 PM
Oh wow, this actually reminds me, because last time the antivirus said it had been 300+ days, or something really long, since a scan. I have to do all that Windows maintenance stuff on my wife's computer today before I forget.

Why don't you just get it to do it automatically .. once a week or something.

Randy
26-02-2008, 01:37 PM
Why don't you just get it to do it automatically .. once a week or something.

Or whenever it wants to... whenever it finds updates.

Las
26-02-2008, 07:31 PM
Or whenever it wants to... whenever it finds updates.

I thought they auto do that anyway. My virus protection auto updates without telling me. Why should I need to.


I just meant the scanning of the system bit every week.

MeanDean
26-02-2008, 08:45 PM
Crap I still forgot.

I have to run the virus scan and various spyware and malware things. I had it automatic scanning way on back but it confused my wife when it found things so she'd just close it out.

Groggypoo
26-02-2008, 10:52 PM
AVG will prompt you to set a time for a daily scan when you install it.

tashammer
26-02-2008, 10:54 PM
try FreeBSD and there is an easier version by the name of FreeDesktop. Non-Windows and non-Linux.

MeanDean
27-02-2008, 08:54 AM
Yeah, I must have turned off the daily scan. I back up her work regularly and have a tarball of her system in a sane state from when I first set it up and got done with most of her software installs.

Isn't BSD kind of weak when it comes to device drivers though? Out of curiosity on that as well though, would it run my current apps if I compiled a kernel using the existing system and rebooted? Would it crap out with init or somewhere running init scripts? Why do you reckon it's better than Linux? Is the kernel the only difference?

I don't think I could use it, but I'm still curious about it. I'd need nvidia and ipw3945 drivers as well as acpi support for my laptop. I'm sure there's lots of things I wouldn't have thought of yet as well.


I forgot to mention, my wife actually likes Linux better and I installed a partition running ubuntu way on back. The problem was the 1% incompatibility of Openoffice vs. MS Office. MS Office 2000 and 2003 are easily installed in WINE, I've found recently. The other thing is that I don't know if a web cam driver exists for what she uses when she talks to her family. I should play with it one of these days, but I'd have to upgrade to a newer version for her, and I remember that it was an enormous pain in the arse to get a stable suspend to ram experience out of the machine. Still though, given the two options she never boots into Linux. She likes the eye candy I think, but for some reason Vista scares the crap out of her. Kind of funny that someone who can barely work a computer outside of MSN, office, and a photo viewer shows interest in learning something more foreign than what she currently uses.

tashammer
27-02-2008, 12:12 PM
MD
Well, I just set it up on one machine to try it out. There are still limitations as for drivers, though what I have seems to be ok. FreeDesktop will supposedly also run Linux apps. I thought I would give it a punt as it was a variant of *nix rather than a variant of Linux, in the hope that it would be more secure amongst other things, especially as Linux becomes more popular and, thus, more of a target for the nasty snits. But no special reason really.

Randy
27-02-2008, 03:26 PM
try FreeBSD and there is an easier version by the name of FreeDesktop. Non-Windows and non-Linux.

It's a bit like buying a Mac to rid yourself of spyware...

But then you're stuck with using a Mac.
