July 22nd, 2002, 09:16 AM
anyone heard of worm.runouce?
does anyone know worm.runouce?and how to kill it?
i used norton virus scanning and killed it,but the next time it appeared again,and its no use to end the virus course,what can i do(i dont want to reinstall the system)?? thx!
July 22nd, 2002, 09:51 AM
Most worms you should be able to get rid of after playing in your registry. BTW. MSInfo provides a wealth of information about your machine, including running programs, start-up programs, etc. It tells you the exact location of the file as well.
Here's an extract from http://www.sophos.com/virusinfo/analyses/w32chira.html
W32/Chir-A is an internet worm that tries to spread via email by sending itself to email addresses found in the Windows address book.
The email will have the following characteristics:
Sender address: <username>@hotmail.com or firstname.lastname@example.org
Subject line: Hi,i am <username>
Attached file: p.exe
The worm attempts to exploit a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment. Microsoft has issued a patch which secures against this vulnerability which can be downloaded from Microsoft Security Bulletin MS01-027. (This patch was released to fix a number of vulnerabilities in Microsoft's software, including the one exploited by this worm.)
When run the worm copies itself into the Windows system folder as runouce.exe (not runonce.exe) and sets the following registry entry so that the worm will be automatically started when Windows starts up:
C:\<Windows system folder>\runouce.exe
The worm also creates several EML files with the name <computername>.eml on network drives. These EML files contain a base64-encoded copy of the worm.
July 22nd, 2002, 12:20 PM
Here is a link to a Symantec write-up on renouce: