
Status
Not open for further replies.
1 - 2 of 2 Posts

Premium Member · 1,611 Posts
Discussion Starter #1 (Edited)
WORM_WINEVAR.A has been around since November, but now it's spreading around. It usually shows up as an email attachment with randomly generated subject lines. The main thing it does is go into the registry and change the owner and org. entries. Second thing: it tries to shut down AV and firewall. Some things to look for: weird emails with 2 attachments.
One would be ending in .CEO, which is the executable of the virus.
The other is a malicious .HTML that goes into the registry and creates the following entries:

HKEY_CLASSES_ROOT\.ceo (Default) = exefile

HKEY_CLASSES_ROOT\.ceo Content Type = application/x-msdownload

These entries basically tell windo$ to treat .CEO as .EXE extensions. When the virus installs itself:
#1) It collects emails from *.html files and *.dbx and stores them in this reg. key:

HKEY_CLASSES_ROOT\Software\Microsoft\DataFactory

When it wants to send, it will use a built-in SMTP engine and it will basically send a copy of itself to the list of recipients that it had gathered.

#2) It tries to delete all files in the local folder if it finds a folder called ANTIVIRUS. If it can delete files, it will display a weird message until it uses up all of the memory.

When I find a way to deal with this I will update this thread.

[edit] Well boys and girls, here's what I've found:

Basically all the AV instructions out there recommend that if you think you're infected, do not reboot the PC; if you do, it will be much harder to remove it!

#1) If you have AV, update virus sig. files and do a full system scan. Quarantine and delete everything that is associated with: W32.HLLW.Winevar, W32.FunLove.4099, or JS.Exception.Exploit.


#2) Go here and download the removal tool and follow the instructions on that page.

#3) Hit the registry. Check all of the following keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run

for the following types of entries:

(Default) Win<several characters>.pif

Win<several characters> Win<several characters>.pif

And kids, I don't have to warn you: BE CAREFUL WHEN PLAYING WITH THE REGISTRY!!!!
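The registry checks in step #3 above (plus the .CEO file-type mapping and the address-harvest key the post describes) can be done read-only before you touch anything. The script below is an added example for this thread, not code from the original poster or from any AV vendor; it only reports what it finds and deletes nothing. The HKCU path for the DataFactory key is an assumption added alongside the HKCR path given in the post, and the `Win*.pif` pattern is my reading of the `Win<several characters>.pif` entries listed above.

```powershell
# Added example: read-only audit of the WINEVAR registry indicators described in this thread.
# Run from an elevated PowerShell prompt. Nothing is modified; review the output, export the
# affected keys (reg export <key> backup.reg), and only then remove values by hand.

$findings = @()

# 1) The malicious .HTML maps the .CEO extension to executables.
$ceo = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.ceo' -ErrorAction SilentlyContinue
if ($ceo) {
    $default = $ceo.'(default)'
    $ctype   = $ceo.'Content Type'
    if ($default -eq 'exefile' -or $ctype -eq 'application/x-msdownload') {
        $findings += "HKCR\.ceo maps .ceo to executables (Default='$default', Content Type='$ctype')"
    }
}

# 2) The harvested e-mail addresses are stored under DataFactory.
#    Path as given in the post (HKCR) plus an assumed HKCU counterpart.
$dataFactoryPaths = @(
    'Registry::HKEY_CLASSES_ROOT\Software\Microsoft\DataFactory',
    'HKCU:\Software\Microsoft\DataFactory'
)
foreach ($path in $dataFactoryPaths) {
    if (Test-Path -Path $path) {
        $count = (Get-Item -Path $path).ValueCount
        $findings += "$path exists with $count value(s) (possible harvested address list)"
    }
}

# 3) Autorun keys pointing at Win<chars>.pif, as described in step #3 of the post.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider bookkeeping properties (PSPath, PSParentPath, PSChildName, ...).
        if ($p.Name -like 'PS*') { continue }
        # Match the value data, so both "(default) = Win....pif" and "Winxxx = Winxxx.pif" are caught.
        if ($p.Value -is [string] -and $p.Value -match '(?i)\bWin[^\\\s]*\.pif\b') {
            $findings += "$key : '$($p.Name)' = '$($p.Value)'"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No WINEVAR registry indicators found.'
} else {
    Write-Host 'Possible WINEVAR indicators (verify before removing anything):'
    $findings | ForEach-Object { Write-Host "  $_" }
}
```

The checks deliberately stop at reporting: an autorun value that happens to end in .pif is not proof of infection on its own, so confirm the referenced file with your updated AV scan before deleting the value, and keep the exported .reg backup until the machine has been rebooted cleanly.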