UNIX.COM Forums, Security forum: Anything involving computer security goes here.
winzip.exe virus attack
Hi All,

I am using Win 2000 and Win 98 systems; my system has been attacked by the "winzip.exe" virus. Please help me in recovering from this problem. I am not able to open any sites which have Norton/antivirus etc., and I am also not able to run Norton Anti-Virus. Please help me.

Thanks,
satish
This worm spreads via the Internet as an attachment to infected messages and via open network resources. It sends itself to email addresses harvested from the victim computer.

The worm itself is a PE EXE file written in Visual Basic, packed using UPX. The packed file is approximately 95KB in size, and the unpacked file is approximately 176KB in size.

Installation

Once launched, masking its main functionality, the worm creates and opens a ZIP archive in the Windows system directory. The ZIP archive has the same name as the original executable file, e.g. %System%\Sample.zip

When installing, the worm copies itself to the Windows root, system and startup directories under the following names:
    %System%\New WinZip File.exe
    %System%\scanregw.exe
    %System%\Update.exe
    %System%\Winzip.exe
    %System%\WINZIP_TMP.EXE
    %User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe
    %Windir%\rundll16.exe

The worm then registers itself in the system registry, ensuring it will be launched each time Windows is rebooted on the victim machine:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="scanregw.exe /scan"

The worm also modifies the following registry keys:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "WebView"="0"
    "ShowSuperHidden"="0"

Propagation via email

The worm harvests addresses from files with the following extensions:
    dbx, eml, htm, imh, mbx, msf, msg, nws, oft, txt, vc

It also scans files if the names contain the following strings:
    content, temporary

When sending infected messages, the worm attempts to establish a direct connection to the recipient's SMTP server.

Infected messages

Message subject (one of):
    *Hot Movie*
    A Great Video
    Arab sex DSC-00465.jpg
    eBook.pdf
    Fuckin Kama Sutra pics
    Fw:
    Fw: DSC-00465.jpg
    Fw: Funny
    Fw: Picturs
    Fw: Real show
    Fw: SeX.mpg
    Fw: Sexy
    Fwd: Crazy illegal Sex!
    Fwd: image.jpg
    Fwd: Photo
    give me a kiss
    Miss Lebanon 2006
    My photos
    Part 1 of 6 Video clipe
    Photos
    Re:
    Re: Sex Video
    School girl fantasies gone bad
    The Best Videoclip Ever
    You Must View This Videoclipe!

Message body (one of):
    ----- forwarded message -----
    >> forwarded message
    forwarded message attached.
    Fuckin Kama Sutra pics
    hello, i send the file. Bye
    Hot XXX Yahoo Groups
    how are you? i send the details.
    i attached the details. Thank you.
    i just any one see my photos. It's Free
    Note: forwarded message attached.
    You Must View This Videoclip!
    Please see the file.
    Re: Sex Video
    ready to be FUCKED
    The Best Videoclip Ever
    VIDEOS! FREE! (US$ 0,00)
    What?

Attachment name (one of):
    007.pif
    04.pif
    3.92315089702606E02.UUE
    677.pif
    Attachments[001].B64
    document.pif
    DSC-00465.Pif
    DSC-00465.pIf
    eBook.PIF
    eBook.Uu
    image04.pif
    New_Document_file.pif
    Original Message.B64
    photo.pif
    School.pif
    SeX.mim
    WinZip.BHX
    Word_Document.hqx
    Word_Document.uu

Propagation via open network resources

The worm copies itself to the following network resources as Winzip_TMP.exe:
    ADMIN$
    C$

Other

If the worm detects any of the registry values listed below under the following keys on the victim machine, it will delete them:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

    APVXDWIN, avast!, AVG7_CC, AVG7_EMC, AVG7_Run, AVG_CC, Avgserv9.exe, AVGW, BearShare, defwatch, DownloadAccelerator, kaspersky, KAVPersonal50, McAfeeVirusScanService, NAV Agent, OfficeScanNT Monitor, PCCClient.exe, pccguide.exe, PCCIOMON.exe, PccPfw, Pop3trap.exe, rtvscn95, ScanInicio, SSDPSRV, TM Outbreak Agent, tmproxy, Vet Alert, VetTray, vptray, NPROTECT, ccApp, ScriptBlocking, MCUpdateExe, VirusScan Online, MCAgentExe, VSOCheckTask, McRegWiz, CleanUp, MPFExe, MSKAGENTEXE, MSKDetectorExe, McVsRte

The worm also terminates active applications if the application name contains one of the following strings:
    kaspersky, mcafee, norton, removal, scan, symantec, trend micro, virus, fix

It will delete all files from the following folders:
    %ProgramFiles%\DAP\*.dll
    %ProgramFiles%\BearShare\*.dll
    %ProgramFiles%\Symantec\LiveUpdate\*.*
    %ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
    %ProgramFiles%\Norton AntiVirus\*.exe
    %ProgramFiles%\Alwil Software\Avast4\*.exe
    %ProgramFiles%\McAfee.com\VSO\*.exe
    %ProgramFiles%\McAfee.com\Agent\*.*
    %ProgramFiles%\McAfee.com\shared\*.*
    %ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
    %ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
    %ProgramFiles%\Trend Micro\Internet Security\*.exe
    %ProgramFiles%\NavNT\*.exe
    %ProgramFiles%\Morpheus\*.dll
    %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
    %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
    %ProgramFiles%\Grisoft\AVG7\*.dll
    %ProgramFiles%\TREND MICRO\OfficeScan\*.dll
    %ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
    %ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar

All of these actions make the victim machine more vulnerable to subsequent attacks. It may also download updates to itself via the Internet, without the knowledge or consent of the user. It will also block the mouse and the keyboard.

On the 3rd of each month, 30 minutes after the victim computer is rebooted, the worm will rewrite files with the following extensions:
    .doc .xls .mdb .mde .ppt .pps .zip .rar .psd .dmp

Files corrupted by the worm contain the following text:
    DATA Error [47 0F 94 93 F4 F5]

Removal instructions

1. Reboot your computer in Safe Mode: press and hold F8 while the machine is rebooting and choose Safe Mode from the menu when it appears.

2. In Task Manager, terminate any process with one of the following names:
    rundll16.exe
    scanregw.exe
    Update.exe
    Winzip.exe
    WINZIP_TMP.EXE
    New WinZip File.exe
    WinZip Quick Pick.exe

3. Manually delete the following files from the Windows root and system directories, and the system registry:
    %Windir%\rundll16.exe
    %System%\scanregw.exe
    %System%\Update.exe
    %System%\Winzip.exe
    %System%\WINZIP_TMP.EXE
    %System%\New WinZip File.exe
    %User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe

4. Delete the following value from the system registry:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry" = "scanregw.exe /scan"

5. Reboot your computer and check that you have deleted all infected messages from all mail folders.

6. If any applications have been damaged (in most cases this will be antivirus solutions and firewall programs) you will need to re-install them.

7. Perform a full scan of your computer (download a trial version of Kaspersky Anti-Virus) at http://www.viruslist.com/en/viruses/...virusid=109064
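As an added example (not from this post or from the Kaspersky write-up it quotes), the following Python script turns the write-up's indicators into a triage check a responder can run against evidence copied off the infected machine: it parses a regedit export for the worm's "ScanRegistry" autostart value, matches a full-path directory listing against the dropped-file paths, and walks a folder for documents carrying the "DATA Error" overwrite marker so that only those need restoring from backup. The registry export, directory listing and file tree are constructed samples; the folder mapping in SAMPLE_ENV and all function names are this example's own.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Indicators copied from the write-up; the %Folder% placeholders are its own notation.
DROPPED_FILES = {
    "%System%": ["New WinZip File.exe", "scanregw.exe", "Update.exe",
                 "Winzip.exe", "WINZIP_TMP.EXE"],
    "%Windir%": ["rundll16.exe"],
    "%User Profile%\\Start Menu\\Programs\\Startup": ["WinZip Quick Pick.exe"],
}
RUN_KEY = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
RUN_VALUE = ("ScanRegistry", "scanregw.exe /scan")
CORRUPTION_MARKER = b"DATA Error [47 0F 94 93 F4 F5]"
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".psd", ".dmp"}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """regedit export -> {key: {value name: data}}; strings unquoted, dword:/hex: kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.groups()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # .reg files escape backslashes
            keys[current][name] = data
    return keys


def find_persistence(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Run-key entries whose name AND data both equal the worm's autostart value."""
    run = next((v for k, v in reg.items() if k.lower() == RUN_KEY.lower()), {})  # keys are case-insensitive
    name, data = RUN_VALUE
    return [f"{RUN_KEY}\\{n} = {d}" for n, d in run.items()
            if n.lower() == name.lower() and d.lower() == data.lower()]


def find_dropped_files(present: Iterable[str], env: Dict[str, str]) -> List[str]:
    """Expected drop paths found in a full-path listing (case-insensitive compare);
    env maps placeholder names such as 'System' to the machine's real folders."""
    present_set = {p.lower() for p in present}
    hits = []
    for folder, names in DROPPED_FILES.items():
        for name in names:
            full = f"{folder}\\{name}"
            for placeholder, real in env.items():
                full = full.replace(f"%{placeholder}%", real)
            if full.lower() in present_set:
                hits.append(full)
    return hits


def find_overwritten_files(root: Path) -> List[str]:
    """Target-extension files under root whose head carries the 'DATA Error' marker,
    so recovery restores exactly those from backup (POSIX paths relative to root)."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in TARGET_EXTENSIONS:
            with path.open("rb") as fh:
                if CORRUPTION_MARKER in fh.read(4096):
                    hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


# Constructed samples: a registry export and a directory listing from an infected Win2000 box.
SAMPLE_REG = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"ScanRegistry"="scanregw.exe /scan"
"Synchronization Manager"="mobsync.exe /logon"
"""
SAMPLE_ENV = {"System": "C:\\WINNT\\system32", "Windir": "C:\\WINNT",
              "User Profile": "C:\\Documents and Settings\\user"}
SAMPLE_LISTING = ["C:\\WINNT\\system32\\winzip.exe", "C:\\WINNT\\system32\\WINZIP_TMP.EXE",
                  "C:\\WINNT\\rundll16.exe", "C:\\WINNT\\system32\\notepad.exe"]


def scan_sample_tree() -> List[str]:
    """Scan a throwaway tree: one overwritten .doc, an intact .xls and a marker-bearing
    .txt that must be ignored because .txt is not among the rewritten extensions."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.doc").write_bytes(CORRUPTION_MARKER)
        (root / "budget.xls").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
        (root / "readme.txt").write_bytes(CORRUPTION_MARKER)
        return find_overwritten_files(root)
```

Two design points: find_persistence compares the value data, not only the name, because Windows 98 ships its own Registry Checker and registers a legitimate "ScanRegistry" Run value for it, so the name alone would flag a clean Win98 machine; and the file scan keys on the overwrite marker rather than on extension alone, which lets the poster separate documents the worm destroyed on the 3rd-of-the-month trigger from those that are still intact.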