-
June 14th, 2003, 02:01 PM
#1
Member
Windows File Protection
Dear Friends
I am getting the following message in Event Viewer:
File replacement was attempted on the protected system file c:\program files\outlook express\msimn.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.0.2919.6700.
Is there any virus? If so, advise me how to remove it.
regards
prem
-
June 14th, 2003, 02:35 PM
#2
Yes, you have BugBear.B.
Go to www.symantec.com and download the removal tool.
Boot your machine in safe mode.
Run the cleaner
Boot in normal mode
Install a virus scanner then update the DAT file to prevent future infections.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
June 14th, 2003, 02:46 PM
#3
This is your Outlook Express mail program. Check which version should be in use against which version of Windows you are running. On XP Pro the OE version on my machine is 6.00.2800.1106 with a file size of 56.0KB. Can't tell if you have a virus or not, as you do not say if you are running any AV software, and if so what the results of any scan are.
Computer says no
(Carol Beer)
-
June 14th, 2003, 03:11 PM
#4
Member
I am not using any AV software now,
and when I view the process list there are repeated instances of tftp.exe and cmd.exe, and with netstat I found a lot of outbound connections to various IPs on port 80.
-
June 14th, 2003, 04:07 PM
#5
Never having had the misfortune to have any serious viruses, as I have usually prevented them with good AV measures, I do not have a great deal of experience in this area, but as you say you have no AV protection, I suggest you take the advice given by thehorse13 and then check the results.
As a matter of interest, exactly where in Event Viewer does this message appear, i.e. in which log (Application, Security or System), and is it an Information, Error or Warning message? Better still, let's see a screen dump.
-
June 14th, 2003, 06:48 PM
#6
Trust me, you have bugbear.b. Notice that your app is listed as one of the ones infected on the app list about half way down the page. I have put it in boldface for you for clarity.
Virus Name : W32.Bugbear.B
W32.Bugbear.B is spreading at an alarming rate. We have received many reports of this worm.
- This is a new variant of W32.Bugbear worm.
- Drops PWS.Hooker which is used for stealing passwords.
- Spreads through shared network drives.
- Also has Backdoor capabilities.
- The worm will also attempt to terminate the processes of various antivirus and firewall programs. Fortunately Quick Heal is not included in this list.
The detection of this worm has been provided in the update released on 5th June 2003.
This worm arrives through emails as an attachment file. The email makes use of the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability to autoexecute on a vulnerable system. This helps the worm get executed even if the user has not executed the attachment file. All users who are using Outlook Express and have not applied this patch should kindly apply it immediately.
The email may have a subject from one of the following:
Hello!
update
hmm..
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Stats
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
wow!
fantastic
click on this!
Market Update Report
empty account
My eBay ads
Cows
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
News
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
Re:
$150 FREE Bonus!
Your News Alert
Hi!
Get 8 FREE issues - no risk!
Greets!
For the attachment filename, the worm uses filenames in the My Documents folder location, which have one of the following extensions:
.reg
.ini
.bat
.diz
.txt
.cpp
.html
.htm
.jpeg
.jpg
.gif
.cpl
.dll
.vxd
.sys
.com
.exe
.bmp
The attachment file may have two extensions, the second extension is
.scr, .pif, or .exe.
In addition, the filename can consist of one of the following words:
readme ,Setup, Card, Docs, news, image, images, pics, resume, photo, video, music, song, data
Please note that the virus can spoof the From and Reply To fields in the emails it sends.
When the infected attachment is run it does the following:
It copies itself to the infected system under a name of random letters chosen by the worm. For example:
C:\Windows\Start Menu\Programs\Startup\Cyye.exe
when it runs on a Windows 95/98/Me-based system.
C:\Documents and Settings\\Start Menu\Programs\Startup\Cti.exe
when it runs on a Windows NT/2000/XP-based system.
xxx.EXE (usually 72192 bytes) in the Startup folder
and
zzzzzzz.DLL (usually 5632 bytes) in the System folder
It infects files of several popular applications and system tools. The following files in Program Files and Windows folders are infected:
%ProgramFilesDir%\winzip\winzip32.exe
%ProgramFilesDir%\kazaa\kazaa.exe
%ProgramFilesDir%\ICQ\Icq.exe
%ProgramFilesDir%\DAP\DAP.exe
%ProgramFilesDir%\Winamp\winamp.exe
%ProgramFilesDir%\AIM95\aim.exe
%ProgramFilesDir%\Lavasoft\Ad-aware 6\Ad-aware.exe
%ProgramFilesDir%\Trillian\Trillian.exe
%ProgramFilesDir%\Zone Labs\ZoneAlarm\ZoneAlarm.exe
%ProgramFilesDir%\StreamCast\Morpheus\Morpheus.exe
%ProgramFilesDir%\QuickTime\QuickTimePlayer.exe
%ProgramFilesDir%\WS_FTP\WS_FTP95.exe
%ProgramFilesDir%\MSN Messenger\msnmsgr.exe
%ProgramFilesDir%\ACDSee32\ACDSee32.exe
%ProgramFilesDir%\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
%ProgramFilesDir%\CuteFTP\cutftp32.exe
%ProgramFilesDir%\Far\Far.exe
%ProgramFilesDir%\Outlook Express\msimn.exe
%ProgramFilesDir%\Real\RealPlayer\realplay.exe
%ProgramFilesDir%\Windows Media Player\mplayer2.exe
%ProgramFilesDir%\WinRAR\WinRAR.exe
%ProgramFilesDir%\adobe\acrobat 5.0\reader\acrord32.exe
%ProgramFilesDir%\Internet Explorer\iexplore.exe
%WinDir%\winhelp.exe
%WinDir%\notepad.exe
%WinDir%\hh.exe
%WinDir%\mplayer.exe
%WinDir%\regedit.exe
%WinDir%\scandskw.exe
where %ProgramFilesDir% is a Program Files directory and %WinDir% is Windows directory. The EXE file is an executable copy of the virus. The DLL is a keystroke logging tool which is used by the virus when it is activated. The keylogging component of W32.Bugbear-B (the DLL) hooks the keyboard input so that it records keystrokes to memory.
It then attempts to kill running antivirus processes and starts mass mailing, extracting email addresses from the current user's email account and the SMTP server from the registry key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts.
It also drops a Backdoor which Quick Heal will detect as W32.Hooker and remove successfully.
It then uses its own SMTP engine to send itself to all email addresses it finds.
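A host triage helper for the indicators this post and post #4 describe: a Windows File Protection event naming one of the listed target programs, a dropped EXE/DLL in the Startup/System folder of the sizes the advisory quotes, and outbound port-80 connections in netstat. It is an added example written for this thread, not code from the post or from Quick Heal; the event text, files and netstat lines are constructed, and the sizes are the advisory's "usually" figures, so a size mismatch alone does not rule the worm out.

```python
import os
import re
import tempfile

# Component sizes the advisory quoted in the thread gives ("usually") for the dropped files
STARTUP_EXE_SIZE = 72192
SYSTEM_DLL_SIZE = 5632
# Basenames of some of the program files the advisory lists as infection targets
TARGET_BASENAMES = {"msimn.exe", "winzip32.exe", "notepad.exe", "regedit.exe", "iexplore.exe"}
WFP_RE = re.compile(r"protected system file (?P<path>.+?\.(?:exe|dll|sys))\.", re.I)

def parse_wfp_event(message):
    """Return the path named in a Windows File Protection event message, or None."""
    m = WFP_RE.search(message)
    return m.group("path") if m else None

def find_dropped_files(startup_dir, system_dir):
    """Flag files whose extension and size match the dropped EXE/DLL in the advisory."""
    hits = []
    for folder, ext, size in ((startup_dir, ".exe", STARTUP_EXE_SIZE),
                              (system_dir, ".dll", SYSTEM_DLL_SIZE)):
        for name in os.listdir(folder):
            full = os.path.join(folder, name)
            if name.lower().endswith(ext) and os.path.getsize(full) == size:
                hits.append(full)
    return hits

def count_outbound_port80(netstat_lines):
    """Count established TCP connections to remote port 80 in `netstat -an` output."""
    pat = re.compile(r"^\s*TCP\s+\S+\s+\d{1,3}(?:\.\d{1,3}){3}:80\s+ESTABLISHED", re.I)
    return sum(1 for line in netstat_lines if pat.match(line))

def demo():
    """Run the checks against a constructed environment; returns the findings."""
    event = ("File replacement was attempted on the protected system file "
             "c:\\program files\\outlook express\\msimn.exe. This file was restored.")
    with tempfile.TemporaryDirectory() as tmp:
        startup, system = os.path.join(tmp, "Startup"), os.path.join(tmp, "System")
        os.makedirs(startup); os.makedirs(system)
        # constructed sample files sized like the two dropped components
        for folder, name, size in ((startup, "Cti.exe", STARTUP_EXE_SIZE),
                                   (system, "zzzzzzz.dll", SYSTEM_DLL_SIZE)):
            with open(os.path.join(folder, name), "wb") as f:
                f.write(b"\0" * size)
        dropped = find_dropped_files(startup, system)
    netstat = ["  TCP    192.168.1.5:1045   203.0.113.10:80    ESTABLISHED",  # constructed
               "  TCP    192.168.1.5:1046   203.0.113.11:80    ESTABLISHED",
               "  TCP    192.168.1.5:139    0.0.0.0:0          LISTENING"]
    path = parse_wfp_event(event)
    return {"wfp_path": path, "listed_target": path.rsplit("\\", 1)[-1].lower() in TARGET_BASENAMES,
            "dropped": len(dropped), "port80": count_outbound_port80(netstat)}
```

Any of the three findings on its own is only a lead; the removal tool and an up-to-date scanner, as advised above, are what confirm and clean an infection.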
-
June 14th, 2003, 07:33 PM
#7
Thanks thehorse13, I never pay much attention as I'm rarely troubled, but now I'll be watching out for the little bugger. BTW, can't you post that as a tut? -- Just a thought.
-
June 14th, 2003, 09:12 PM
#8
Member
Hi thehorse13,
Thanks for the info. It's really well explained.
-------------------------------------------------------------------------------
Hello premshamo, why U are not using any av.? U know the importance.
This time it was BugBear.B. but anytime U may face any DEAR_BEAR for yr computer to love. Be prepared.
--------------------------------------------------------------------------------
Rg
(-:IF U R A HACKER TRY TO BE ON POINT,IT SAVES TIME:-)
-
June 15th, 2003, 02:36 AM
#9
Sorry jm,
Since this information was gathered elsewhere and not written by me, I wouldn't post it as a tutorial.
Hope the info helped out nonetheless.
-
June 15th, 2003, 03:10 AM
#10
Well prem, I've said it before and I'll say it again....being online without AV software is as dangerous as being addicted to prostitutes and allergic to condoms. It's only a matter of time before you get some sort of infection. Head over to www.grisoft.com and download the free version of AVG.
/me walks away singing "before you get between the thighs, don't forget to condomize..."
Al
It isn't paranoia when you KNOW they're out to get you...