-
me aint i a cutey virus
Hey computer gurus
I have my dat files up to date in my scan engine. I have scanned at antivirus.com. These cannot detect the virus that is on my computer running windows 98.
The file name is me aint a cutie.jpg.exe
So beware if ya see it anywhere.
This thing has disabled the ctrl alt delete function that allows you to cancel programs. It seems to be making empty folders in my C drive in an attempt to fill up memory.
I have tried deleting it, but I can't because it is a running program. Any help is appreciated.
-
boot up to safe mode then do a search for it and delete it.
check registry and startup.
-
You might exit windows to the command prompt and then delete it that way.
-
yeah.. make a boot disk for win98.. boot to dos and delete the file..
i made a tut here how to make ur boot disk manually.. hehehe u can look for it in the tutorials section..
somehow the bootdisk made in windows automatically isn't as reliable as i wanted it to be.. so i made my own boot disk..
-
Thanks. I've tried the delete thing and this thing is written so when I restart after deleting I can't open any programs once in the desktop of Windows 98. So I had to do a system restore and get the virus back. Ugh.
-
This likely means there is a 'hook' into the registry; check out your registry keys for something that doesn't look like it belongs (specifically):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
-
you have to modify the Registry first. I don't remember the path but it's the same one that SubSeven uses for the "unknown" option
-
ok.. so I should delete that stuff from the registry, then reboot at the DOS prompt and try deleting the file?
-
Quote:
Originally posted here by whammy_guy
ok.. so I should delete that stuff from the registry, then reboot at the DOS prompt and try deleting the file?
BE VERY CAREFUL HERE....don't delete it all...just the line that contains the filename you're after...as for my other post someone that remembers the right path will be along :)
-
Don't delete the Reg. Keys. Have a look for anything that doesn't look like it belongs.
eg. something referring to cutie.jpg.exe
If you find something, come back and let us know.
-
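Added editor's example, not from any post in this thread: a small Python script that reads a .reg export and flags what the replies above are looking for, namely Run/RunOnce/RunServices values naming the suspect file, plus an exefile\shell\open\command value that is not the stock "%1" %* (a later post finds that key in the file's strings; a hijacked command there would explain why nothing opens once the worm file is deleted). The .reg text, paths and the value name "Hell" are constructed sample data.

```python
import re
# Autostart keys the replies point at, plus the .exe file-association command (a hijack there breaks every program launch once the worm file is gone)
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'  # stock value: run the clicked .exe with its arguments

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith(("@", '"')) and '="' in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            # .reg escapes backslashes and quotes with a backslash; undo that
            keys[current][name] = re.sub(r"\\(.)", r"\1", data.strip('"'))
    return keys

def find_suspicious(reg_text, suspect_name):
    """(key, value_name, data) for autostart values naming suspect_name, and for an
    exefile open command that is not the stock one (whatever it points at)."""
    hits, needle = [], suspect_name.lower()
    wanted = {k.lower() for k in AUTOSTART_KEYS}
    for key, values in parse_reg(reg_text).items():
        if key.lower() in wanted:
            hits += [(key, n, d) for n, d in values.items() if needle in d.lower()]
        elif key.lower() == EXEFILE_KEY.lower() and values.get("@", EXEFILE_DEFAULT) != EXEFILE_DEFAULT:
            hits.append((key, "@", values["@"]))
    return hits

# Constructed sample (REGEDIT4 = Windows 98 header), not the real worm's data; value name "Hell" borrowed from the InternalName seen later in the thread
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Hell"="C:\\WINDOWS\\SYSTEM\\me aint a cutie.jpg.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\me aint a cutie.jpg.exe\" \"%1\" %*"
'''
```

Running find_suspicious(SAMPLE_REG, "cutie.jpg.exe") reports the Run value and the non-stock exefile command while leaving the benign ScanRegistry entry alone.
-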
I found some stuff in the keys that has the same name as my virus.
If you want I can email the virus to you if you like toying around. I've already emailed it to McAfee and Trend to look at.
thanks for the help
Chris
-
Thanks for the offer, but I am having enough fun with Viruses today. As an FYI, there is a new Hoax going around (which some of my users have fallen for) You can get information on this Hoax at: http://securityresponse.symantec.com...file.hoax.html
Cheers
-
Did you try to run from the user.dat and system.dat backups? These might not have the registry entries in them. I've rebooted systems multiple times and found the registry hadn't been backed up.
-
Quote:
Originally posted here by DjM
Thanks for the offer, but I am having enough fun with Viruses today. As an FYI, there is a new Hoax going around (which some of my users have fallen for) You can get information on this Hoax at: http://securityresponse.symantec.com...file.hoax.html
Cheers
GREAT!!!!!!!! as if we don't have enough crap to deal with people HAVE to spread hoaxes around :mad:
-
Quote:
Originally posted here by whammy_guy
I found some stuff in the keys that has the same name as my virus.
If you want I can email the virus to you if you like toying around. I've already emailed it to McAfee and Trend to look at.
thanks for the help
Chris
Send it over to [email protected] I'll see if I can pick it up and analyse the sucker
-
if antivirus scanners can't detect it, how do you know it's there? It's probably just a fake virus. You probably have Windows Me or XP where there are system restore files. If the infected file is located in C:\_RESTORE then it is in the system restore folder (when you try to delete the file it will say something like "Cannot Delete (infected file name) because it resides on a write protected media"). You have to disable system restore to delete these file(s). Do you have Windows ME or XP? If so, is the infected file in the C:\_RESTORE folder (I will tell you how to disable system restore)? I have had to do this to get rid of the NetBus trojan from my system.
-
ohh also you might want to download an antivirus program to keep your computer clean (or if you already have one, a better one). You can download F-prot AntiVirus (good at detecting and cleaning viruses) for free at http://www.f-prot.com/ or you can download a trial version of McAfee VirusScan at http://www.nai.com/
-
Ryan, he already said he was running windows 98, the restore issue does not come into play.
-
you can also try Http://housecall.antivirus.com and see if that will detect it
-
oops sorry I didn't read it that good! :)
-
I picked up the file and opened it in Notepad. The results were quite interesting. For one, this worm appears to be written in VB. It also appears to make changes to the Registry in the following Keys:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
HKEY_CLASSES_ROOT\exefile\shell\open\command\
.exe
C:\Windows\System.ini is also mentioned
Here are more interesting strings:
CompanyName Wizard-Productions
ProductName Hell
FileVersion 1.00
FileVersion 1.00
ProductVersion 1.00
InternalName Hell
OriginalFilename Hell.exe
of & supported sockets., Windows Sockets error __vbaStrUI1
Winsock.dll is not responding. Make sure you are connected to the internet.
Socket error occurred in Cleanup 00:00
&_Oscar_BuddyList WinEdit_Oscar_IconBtn0
__vbaFPFix __vbaAryUnlock __vbaAryLock __vbaRedim __vbaVarAnd __vbaVarCmpLt __vbaLateMemCallLd __vbaVarOr __vbaFixstrConstruct __vbaRecAnsiToUni __vbaRecUniToAnsi __vbaFpI4 __vbaInputFile __vbaAryConstruct2 __vbaObjVar __vbaFileCloseAll __vbaAryDestruct __vbaI2Abs __vbaUI1I2 __vbaGenerateBoundsError __vbaI4Str __vbaStrI2 __vbaPut4 __vbaFpR4 __vbaVarLateMemSt __vbaVarLateMemCallLd __vbaVarDiv __vbaLateMemCall __vbaLateMemSt __vbaStrI4 __vbaVarCmpEq __vbaFileClose __vbaGet4 __vbaVarTstGt __vbaFileOpen __vbaLsetFixstr __vbaStrFixstr __vbaLsetFixstrFree __vbaR8IntI2 __vbaVarTstGe __vbaFPInt __vbaVargVarMove __vbaVarTstNe __vbaVarNot __vbaInStr
Wscript.Shell
__vbaI2Str __vbaInStrVar __vbaExitProc __vbaLateIdCall __vbaPrintObj __vbaVarSub __vbaLateIdSt
It also appears to make references to the AIM server name (oscar) and the AIM buddy list.
-
it might be a trojan, which it seems so..
sounds like wut happened to my sister's computer.
Thats wut it prolly is. A lil script kiddy tryin to be cool and sendin
binded trojans =(
*sighs* damn trojans.
-
Quote:
Originally posted here by fr0z3n
it might be a trojan, which it seems so..
sounds like wut happened to my sister's computer.
Thats wut it prolly is. A lil script kiddy tryin to be cool and sendin
binded trojans =(
*sighs* damn trojans.
Speaking of Binded Trojans...
today I get this file via MSN Messenger: log_frontgirl[1].jpg, no double extension or anything.... open it up and it has a pic that sorta looks like Britney but then I get told that she didn't send it.... worm.... run housecall on it and it finds BO2K and gets rid of it.