Virus Tech-it

I generally will only put up virus fixes here if I have had to deal with the virus on someone else's computer before and Norton or McAfee Anti-Virus does not contain it and delete it for you. So some of this information may be out of date, since Norton and McAfee do their best to stop viruses and their virus definitions get updated constantly. I will also be placing Anti-Virus and Firewall information here that does not belong elsewhere.


Bugsfix.exe Love Virus


Your homepage keeps going to the following address, no matter how many times you change it (note that it does not have to be this exact address): shsggw237461234iuwthg/WIN/BUGSFIX.exe

This is the Love virus, which then tries to download a program that is a password-stealing trojan: hence bugsfix.exe.

Once you have updated McAfee or Norton, that should take care of it and you will be able to change your homepage again.

MTX Virus


INFO: MTX is an attachment found on an email with a variety of subject lines. The attachment is of file type PIF (program information file, most commonly what Windows creates when a DOS program is added as a desktop shortcut), also under a variety of filenames, and the .PIF extension may be hidden. When the file is launched, it renames WSOCK32.DLL to WSOCK32.MTX, then edits WININIT.INI to point back to the viral file; thus, unlike Happy99, the renamed file *cannot* simply be renamed back to .DLL and still work. A Registry entry is put into the Run group and several files are planted on the computer.

FIXING:

1 - Double-click My Computer, select View, Options, turn on Show All Files.

2 - Have the customer purge infected emails. This is a PIF, so it does not run automatically via Windows Scripting Host, and you will see the attachment. And don't forget to empty the trash bin!

3 - Start, Find, Files/Folders, and delete the following:

IE_PACK.EXE
MTX_.EXE
WIN32.DLL
WSOCK32.MTX

Then do a find for WININIT -- if you find a WININIT.INI (you can ignore .EXE or .BAK), see #5.

4 - Start, Run, "RegEdit" and get rid of this value under the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

value in question: "SystemBackup"="C:\WINDOWS\MTX_.EXE"

5 - If they have WININIT.INI, then Start, Run, "Edit".

Open the WININIT.INI file wherever it is located, change the reference to WSOCK32.MTX back to .DLL, and save.

6 - Extract a new WSOCK32.DLL from the Windows CD/CABs.

Win98 info: use System File Checker (Start, Run, "SFC").

7 - Now you can reboot. The system should be clean now.

8 - First thing, have the customer get online and either download a virus checker or update their program's definition files to get and keep clean! DAT updates which detect it: McAfee after 4095, Norton after 9/5/00.
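To show what step 5 is actually looking at, here is an added example (mine, not code from this page) that parses the [rename] section of a Windows 9x WININIT.INI, which Windows processes at the next boot as destination=source lines, and flags entries that touch the file names listed in step 3 or that replace WSOCK32.DLL; the INI text inside is constructed sample input.

```python
# Added example, not code from the original page: inspect the [rename]
# section of a Windows 9x WININIT.INI. Each line is destination=source;
# at the next boot Windows moves source over destination (NUL as the
# destination deletes the source). The INI text below is constructed.

# File names the MTX write-up lists, plus the renamed Winsock copy.
SUSPECT_NAMES = {"IE_PACK.EXE", "MTX_.EXE", "WIN32.DLL", "WSOCK32.MTX"}
# Any boot-time replacement of Winsock itself deserves a look.
PROTECTED_TARGETS = {"WSOCK32.DLL"}

SAMPLE_WININIT = """; constructed sample
[rename]
NUL=C:\\WINDOWS\\TEMP\\~setup.tmp
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.MTX
"""

def basename(path):
    """Last path component, upper-cased (Win9x names are case-insensitive)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].upper()

def parse_rename_section(text):
    """Return (destination, source) pairs from the [rename] section only."""
    pairs = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs

def suspect_renames(text):
    """Flag entries touching the listed MTX names or replacing WSOCK32.DLL."""
    flagged = []
    for dest, src in parse_rename_section(text):
        if basename(dest) in SUSPECT_NAMES or basename(src) in SUSPECT_NAMES:
            flagged.append((dest, src, "references an MTX file name"))
        elif basename(dest) in PROTECTED_TARGETS:
            flagged.append((dest, src, "replaces Winsock at boot"))
    return flagged
```

Point it at the real WININIT.INI found in step 3 (read the file and pass its text to suspect_renames) before editing the file by hand.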

TROJ_MSINIT.A Virus


TROJ_MSINIT.A is a new Trojan; this network-enabled worm spreads copies of itself through open network shares. It modifies the registry so that it is executed whenever Windows starts up. It slows down the loading of Windows and disables the infected system's connection to the network.

Upon execution, this worm creates the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\msinit = <location and filename of executed file>

Example of <location and filename of executed file>:
\RunServices\msinit = "c:\if\dnetc.exe"

This registry entry points to the previously executed program so that the worm is run every time Windows starts up and stays in memory unnoticed. The filename may vary since it can be easily renamed and the worm uses the filename of the file that was executed.

When it is installed in the infected system, the worm is capable of scanning random IP addresses over NetBIOS for computers with a shared c:\ drive that contains the Windows folder.

The worm then drops the files "DNETC.EXE" and "DNETC.INI" in the "c:\Windows\system" directory of the remote computer. The file "DNETC.EXE" is an encryption-cracking program downloaded from a website. The worm also modifies the registry of the remote computer for it to run the worm on Windows startup. The registry entry modified is shown below for the remote computer:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\msinit = "c:\windows\system\dnetc.exe"

Here's the removal:

  1. Click START|RUN, type REGEDIT and hit the ENTER key.
  2. In the left panel, click the "+" to the left of the following:
     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
     In the right panel, look for a value named msinit whose data is <location and filename of executed file> or "c:\Windows\System\DNETC.EXE".
  3. In the right panel, highlight the registry value that loads the file and press the DELETE key. Answer YES to delete the entry.
  4. Exit the registry editor.
  5. Click START|SHUTDOWN, choose "Restart" and click OK.
  6. Restart the computer.
  7. Scan your system with Trend antivirus and delete all files detected as TROJ_MSINIT.A. Although I doubt McAfee and Norton detect this yet, so try this software out: www.antivirus.com, it's Trend Micro's :)
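Steps 2 and 3 here, and step 4 of the MTX fix above, both come down to spotting a stray value under Run or RunServices. As an added example (mine, not from this page), the script below audits a REGEDIT4-style .reg file (Registry, Export Registry File in RegEdit) for the value names and file names the two write-ups give; the export text inside is constructed sample input.

```python
# Added example, not code from the original page: audit a REGEDIT4-style
# .reg export for the autostart values named in the MTX and TROJ_MSINIT.A
# write-ups. The export text below is constructed sample input.
import re

AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")
SUSPECT_VALUE_NAMES = {"systembackup", "msinit"}  # value names both write-ups give
SUSPECT_FILES = {"mtx_.exe", "dnetc.exe"}          # files those values point at

SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemBackup"="C:\\WINDOWS\\MTX_.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"msinit"="c:\\if\\dnetc.exe"
'''

# "name"="data"; inside the quotes .reg escapes backslash and quote as \\ and \"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # turn the .reg escapes back into a literal backslash or quote
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            yield key, unescape(m.group(1)), unescape(m.group(2))

def suspicious_autostarts(text):
    """Return Run/RunServices values matching the names or files above."""
    hits = []
    for key, name, data in parse_reg(text):
        if not key.lower().endswith(AUTOSTART_SUFFIXES):
            continue
        tail = data.rsplit("\\", 1)[-1].split()  # drop directory and arguments
        exe = tail[0].lower() if tail else ""
        if name.lower() in SUSPECT_VALUE_NAMES or exe in SUSPECT_FILES:
            hits.append((key, name, data))
    return hits
```

Anything it returns is a value to look at in RegEdit; a Run entry such as ScanRegistry pointing at scanregw.exe is a normal Win98 entry and is left alone.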

This page was last updated on Sunday, December 03, 2000.

If you have any comments, suggestions or questions, email: [email protected] or [email protected]