WORM_WINEVAR.A has been around since November, but now it's spreading around. It usually shows up as an email attachment with randomly generated subject lines. The main thing it does is go into the registry and change the owner and the org. entries. Second thing: it tries to shut down AV and firewall. Some things to look for: weird emails with 2 attachments to them.
One would be ending in .CEO, which is the executable of the virus.
The other is a malicious .HTML that goes into the registry and creates the following entries:
HKEY_CLASSES_ROOT\.ceo (Default) = exefile
HKEY_CLASSES_ROOT\.ceo Content Type = application/x-msdownload
These entries basically tell windo$ to treat .CEO as .EXE extensions. When the virus installs itself,
#1) it collects emails from *.html files and *.dbx and stores them in this reg. key:
HKEY_CLASSES_ROOT\Software\Microsoft\DataFactory
When it wants to send, it will use a built-in SMTP engine and it will basically send a copy of itself to the list of recipients that it had gathered.
#2) It tries to delete all files in the local folder if it finds a folder called ANTIVIRUS. If it can delete files, it will display a weird message until it uses up all of the memory.
When I find a way to deal with this I will update this thread.
[edit] Well boys and girls, here's what I've found:
Basically all the AV instructions out there recommend that if you think that you're infected, do not reboot the PC; if you do, it will be much harder to remove it!
#1) If you have AV, update virus sig. files and do a full system scan. Quarantine and delete everything that is associated with: W32.HLLW.Winevar, W32.FunLove.4099, or JS.Exception.Exploit.
#2) Go here and download the removal tool and follow the instructions on that page.
#3) Hit the registry.
Check all of the following keys :
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
for the following types of entries :
(Default) Win<several characters>.pif
Win<several characters> Win<several characters>.pif
And kids, I don't have to warn you: BE CAREFUL WHEN PLAYING WITH REGISTRY!!!!
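To avoid hand-editing the registry on a live box, one can export the keys above (regedit "Export", or `reg export`) and scan the .reg file offline for the three artefacts the post names: the .ceo-to-exefile association, Win&lt;chars&gt;.pif entries under the Run/RunServices keys, and the DataFactory address store. The script below is an added example written for this thread, not part of the original post or any vendor removal tool; the embedded .reg text is a constructed sample, and the DataFactory check accepts the key under any hive since the post and vendor write-ups name it differently.

```python
import re

# Constructed sample of a .reg export carrying the indicators from the post.
# Not a real capture; backslashes are doubled as regedit writes them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.ceo]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinKCNRTF"="C:\\WINDOWS\\WinKCNRTF.pif"
"Updater"="C:\\Program Files\\Updater\\upd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\DataFactory]
"0"="someone@example.com"
"""

# The autorun keys listed in the post, lower-cased for comparison.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Matches a final path component of the form Win<several characters>.pif
PIF_NAME = re.compile(r"(?:^|\\)win[^\\\"]*\.pif$", re.IGNORECASE)

def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg text (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"')
    return keys

def find_winevar_artefacts(text):
    """Return human-readable findings for the indicators described in the post."""
    findings = []
    for path, values in parse_reg(text).items():
        low = path.lower()
        if low == r"hkey_classes_root\.ceo" and values.get("(Default)", "").lower() == "exefile":
            findings.append(".ceo mapped to exefile")
        if low in RUN_KEYS:
            for name, data in values.items():
                if PIF_NAME.search(data) or PIF_NAME.search(name):
                    findings.append(f"autorun {name}={data} in {path}")
        if low.endswith(r"\software\microsoft\datafactory"):
            findings.append(f"harvested address store at {path}")
    return findings
```

Run it against the exported file's contents; an empty list means none of the three artefacts were present in the exported keys.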