
Forum Archive Index - November 2001



Re: [sharechat] Nicks readme file has a virus in it dont open


From: Will Bryant <will@sharechat.co.nz>
Date: Tue, 27 Nov 2001 13:39:43 +1300


> Nortons has been unable to repair or quarantine it.
> Can any experts help with what to do now?

Update your virus signatures and I think it should be able to deal with it automatically.

> Can file c/windows/system/kernel32.exe be deleted without stuffing the system? ie. how important is it?

Yes you can, just be careful not to confuse it with kernel32.dll which is a "real" system file (there is no file called "kernel32.exe" on a normal system AFAIK, they just named it that in the hopes ppl would think it was a system file).

Andrew Cottingham kindly sent me the following information, if your antivirus program cannot remove it the detail at the end may be of use to you.  YMMV.

A problem with Outlook Express that I wrote about recently has now been
used to help spread a virus. You may have seen on the news that the
BadtransII virus is spreading. This is not a major virus, it is not too
damaging to a system and is easy to remove. The problem is how the virus
arrives. BadtransII arrives via an email with an IFRAME security breach.
There may or may not be an attachment visible. When you select the email to
read, the IFRAME code forces Outlook Express to run the virus regardless of
whether you run the attachment or not. Nasty. Just by looking at the email -
infection.

 Quite a nasty one. I have spent yesterday (and night) looking at a copy and
thinking about options.

Microsoft have posted a notice about this type of "bug" at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp and it would
appear that this is limited to Internet Explorer 5.01 and 5.5 (Outlook
Express comes with IE and is so affected also). IE5.01 running service pack
2 does not appear to be affected, nor does Internet Explorer 6.

Internet Explorer 5.01 Service Pack 2:
http://www.microsoft.com/windows/ie/downloads/recommended/ie501sp2/default.asp
Internet Explorer 5.01 Patch:
http://www.microsoft.com/windows/ie/downloads/critical/q295106/default.asp
Internet Explorer 5.5 Patch:
http://www.microsoft.com/windows/ie/downloads/critical/q299618/default.asp
Internet Explorer 6 Download:
http://www.microsoft.com/windows/ie/default.asp

 First of all, to keep yourself safe now:

Live-update your anti-virus. Norton 2000, 2001 and AVP need to have been
updated in the past 24-36 hours to detect the virus.

1) Disable the preview pane in Outlook Express by going into your inbox and
clicking on VIEW and then LAYOUT.... Remove the tick from SHOW PREVIEW PANE
and then click APPLY and OK.
2) Most of the emails seen with the virus in appear to be around the 42k
size mark. Right click on an email message and select PROPERTIES and it will
show you the size of the message.
3) While you are in properties click the DETAIL tab and then MESSAGE SOURCE.
Infected messages have a section of code in them that contains IFRAME.
4) Delete any infected emails without opening them.
5) Another way is to download your email and then exit Outlook Express
without reading it. Your email folder lives in a subdirectory off
WINDOWS/APPLICATION DATA/IDENTITIES. Simply navigate to WINDOWS, right click
on APPLICATION DATA and your antivirus should have an option in the little
popup menu that lets you scan the subdirectory containing your email for the
virus. Be warned however, most antivirus software cannot delete email
viruses out of this folder. You will need to go back into Outlook Express
and delete them without opening them.

People running over networks should get their local computer nerd to set up a
filter to delete all .scr and .pif attachments.

If you do get infected with the virus (or already are)

The BadtransII virus installs several files on your computer. They can be:

windows/system/kernel32.exe (virus)
windows/system/kdll.dll (keyboard logger)
windows/system/cp_25389.nls (keyboard log file)

it will also set itself up in your registry with the following value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Kernel32=kernel32.exe

To remove the virus, reboot in safe mode, delete the files and the registry
key. You may also need to clear your Internet Explorer Cache from where it
spawned itself. Do this by selecting the TOOLS menu and the INTERNET
OPTIONS... in Internet Explorer. Click on the SETTINGS for temporary
internet files and set the cache size to 1mb. Click OK then click DELETE
FILES. Return to SETTINGS and reset the cache size to its previous value.
Click OK and then OK again.



_______________________________________________________________________
Will Bryant                                 ShareChat technical manager
will@sharechat.co.nz                        http://www.sharechat.co.nz/
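An added detection example, not part of the original post or thread: a small Python script that applies two of the checks described in the forwarded text (an IFRAME in the HTML message source, and .scr/.pif attachments that the post suggests filtering) to raw messages. The sample messages, function names and findings text are constructed here and are not real BadTrans samples.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions the post suggests filtering at the mail gateway.
BLOCKED_EXT = (".scr", ".pif")
# Check 3 from the post: infected messages contain IFRAME in the message source.
IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)


def scan_message(raw: bytes) -> list:
    """Return the findings for one raw RFC 822 message (empty list = nothing seen)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # Look at the HTML body the way MESSAGE SOURCE would show it.
        if part.get_content_type() == "text/html" and IFRAME_RE.search(part.get_content()):
            findings.append("iframe in HTML body")
        # The gateway filter the post recommends: flag .scr / .pif attachments.
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXT):
            findings.append("blocked attachment: " + name)
    return findings


def build_suspect() -> bytes:
    """Constructed sample (not a real BadTrans message) showing both indicators."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Hello"
    msg.set_content("plain-text fallback")
    msg.add_alternative('<html><body><iframe src="cid:att1"></iframe></body></html>', subtype="html")
    msg.add_attachment(b"\x00" * 16, maintype="application", subtype="octet-stream", filename="README.pif")
    return bytes(msg)


def build_clean() -> bytes:
    """Constructed benign control: plain text, no attachment."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Lunch"
    msg.set_content("See you at noon.")
    return bytes(msg)


if __name__ == "__main__":
    for label, raw in (("suspect", build_suspect()), ("clean", build_clean())):
        print(label, scan_message(raw) or "no findings")
```

Pointing scan_message at each file in a mail spool gives a quick triage list before anyone opens a message in the preview pane.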
