Cheers to everyone who offered me advice - in the end I got it sorted. What I did was a similar catastrophe-after-another story to an average day working on a car for me - it went as follows:
- Open one of the mail messages containing the attachment scripted to open itself (taking advantage of the weakness in OE5)
- See lots of MAPI32 exception fake windows open. Get suspicious and obviously don't type anything into them.
- Have trouble downloading mail as it's taking absolutely ages.
- Log on to webmail (ntlworld) and realise the 105 messages are all 154k in size, and are a variety of "couldn't deliver" messages. These are genuine this time - they're there as a result of the virus sending itself to a whole load of non-existent addresses (or no longer existent) - these are clogging up my mailbox. I delete them all.
- I notice for a good day or two that I'm not getting any mail. Get a bit worried that the virus is accessing my mail (or someone else is, having pinched my password).
- Change email password on another computer. Still no mail, despite sending self lots of test messages.
- Send an email to my yahoo account to test that it's sending it properly from the webmail, which it is.
- Send an email to my ntl account from the yahoo account, and I get a rejection message as the ntlworld account is over its quota.
- Have trouble understanding why, as it's only got about 15k worth of mail there.
- Eventually realise that although I'd deleted the mail, it put it in a recycle bin type affair, which still means it's taking up space on the server.
- Delete it from the trash can / deleted items folder, then a whole load more appear.
- Attempted to delete the .bat and .exe files that load the virus - couldn't delete the executable as it was currently in use. Attempt to modify the registry using the repair.reg file, created as per the advice on Symantec's site, using the command "regedit -s \repair.reg", but as expected, this brought up an error.
- Rebooted to safe mode command prompt, and deleted the executable (virus file). Booted into Windows, and it then refused to run any programs as the virus wasn't present. Then booted into safe mode command prompt again and figured out how to modify the registry as the above command would have done in Windows (slightly different from the DOS prompt - it's just "regedit \repair.reg").
- Loaded up windows, and it worked. Bingo.
- Then realised that there was another instance of the same virus still running (still getting loads of returned emails with the virus attached).
- Went into safe mode DOS prompt, deleted it, and now the problem's fizzled out. I hope.
Obviously I need to upgrade Outlook Express to the next version (or use the *genuine* security update patches), but apart from this, am I definitely safe, or are there other files that are infected? Or am I right in thinking that this virus doesn't actually *do* any damage other than modify the registry to cause a bit of havoc, and clog up people's mailboxes, meaning that genuine mail ends up getting rejected? Or does it infect any other files? Have I really completely got rid of it without having any proper anti-virus software?
If I am, then I'm quite chuffed.
Peter
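Added example, not from the post above and not Symantec's repair.reg (the post never shows what that file contained). The symptom Peter describes, Windows refusing to run any program once the virus executable was deleted, is the classic sign of a hijacked exefile association: the worm points HKEY_CLASSES_ROOT\exefile\shell\open\command at its own file, so every .exe launch goes through it first. I am assuming that is what the Symantec fix restored; the value below is the stock Windows default for that key, which is the only thing such a repair file needs to put back.

```reg
REGEDIT4

; Assumed repair file: restore the default "run this .exe" action so that
; launching any program no longer goes through the (now deleted) worm binary.
; "%1" is the program being launched, %* its arguments. Nothing else is changed.
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
```

Save it as repair.reg. Under Windows it is imported silently with "regedit /s repair.reg", but that only works if regedit.exe itself can still be launched, which is exactly what the hijack prevents once the worm file is gone; from the real-mode safe mode command prompt the import is simply "regedit repair.reg", which is the route the post ends up taking. After importing, confirm the key shows the value above before rebooting, and check the same key for comfile, batfile, piffile and scrfile, since worms that hijack one association commonly hijack several.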