OT: Swen Virus

Cheers to everyone who offered me advice - in the end I got it sorted. What I did was a similar catastrophe-after-another story to an average day working on a car for me - it went as follows:

  1. Open one of the mail messages containing the attachment scripted to open itself (taking advantage of the weakness in OE5)
  2. See lots of MAPI32 exception fake windows open. Get suspicious and obviously don't type anything in to them.
  3. Have trouble downloading mail as it's taking absolutely ages.
  4. Log on to webmail (ntlworld) and realise the 105 messages are all 154k in size, and are a variety of "couldn't deliver" messages. These are genuine this time - they're there as a result of the virus sending itself to a whole load of non-existent addresses (or no longer existent) - these are clogging up my mailbox. I delete them all.
  5. I notice for a good day or two that I'm not getting any mail. Get a bit worried that the virus is accessing my mail (or someone else is, having pinched my password).
  6. Change email password on another computer. Still no mail, despite sending self lots of test messages.
  7. Send an email to my yahoo account to test that it's sending it properly from the webmail, which it is.
  8. Send an email to my ntl account from the yahoo account, and I get a rejection message as the ntlworld account is over its quota.
  9. Have trouble understanding why, as it's only got about 15k worth of mail there.
  10. Eventually realise that although I'd deleted the mail, it put it in a recycle bin type affair, which still means it's taking up space on the server.
  11. Delete it from the trash can / deleted items folder, then a whole load more appear.
  12. Attempted to delete the .bat and .exe files that load the virus - couldn't delete the executable as it was currently in use. Attempt to modify the registry using the repair.reg file, created as per the advice on Symantec's site, using the command "regedit -s \repair.reg", but as expected, this brought up an error.
  13. Rebooted to safe mode command prompt, and deleted the executable (virus file). Booted into windows, and it then refused to run any programs as the virus wasn't present. Then booted into safe mode command prompt again and figured out how to modify the registry as the above command would have done in windows (slightly different from the DOS prompt - it's just "regedit \repair.reg").
  14. Loaded up windows, and it worked. Bingo.
  15. Then realised that there was another instance of the same virus still running (still getting loads of returned emails with the virus attached).
  16. Went into safe mode DOS prompt, deleted it, and now the problem's fizzled out. I hope.

Obviously I need to upgrade Outlook Express to the next version (or use the *genuine* security update patches), but apart from this, am I definitely safe, or are there other files that are infected?

Or am I right in thinking that this virus doesn't actually *do* any damage other than modify the registry to cause a bit of havoc, and clog up people's mailboxes, meaning that genuine mail ends up getting rejected? Or does it infect any other files? Have I really completely got rid of it without having any proper anti-virus software??

If I am, then I'm quite chuffed.

Peter

Reply to
AstraVanMan
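As an added illustration (not code from this thread or from any of its posters), here is a small Python triage script for the two things Peter ran into: the flood of genuine non-delivery reports eating the mailbox quota, and messages carrying an executable attachment dressed up as something harmless, which is the class of trick the OE5 weakness was exploited with. The mailbox it runs over is constructed inline, the .invalid addresses are placeholders, and the extension and content-type lists are assumptions chosen for the demonstration rather than anyone's official definitions.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumption: a short list of extensions Windows executes on double-click.
EXEC_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".pif", ".scr"}

# Assumption: content types under which an executable would be honestly labelled.
# Anything else (audio/x-wav, text/plain, ...) on an .exe is a mismatch worth flagging.
HONEST_EXEC_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
}

# Constructed sample mailbox (not real mail): one non-delivery report, one fake
# "security update" whose .exe is labelled as audio, and one genuine message.
SAMPLE_MAILBOX = [
    (
        "From: Mail Delivery System <mailer-daemon@example.invalid>\n"
        "To: peter@example.invalid\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "Couldn't deliver: no such user.\n"
        "--b1\n"
        "Content-Type: message/delivery-status\n"
        "\n"
        "Action: failed\n"
        "Status: 5.1.1\n"
        "--b1--\n"
    ),
    (
        'From: "Security Update" <update@example.invalid>\n'
        "To: peter@example.invalid\n"
        "Subject: Latest Internet Security Patch\n"
        'Content-Type: multipart/mixed; boundary="b2"\n'
        "\n"
        "--b2\n"
        "Content-Type: text/html\n"
        "\n"
        "<html><body>Install the attached patch.</body></html>\n"
        "--b2\n"
        'Content-Type: audio/x-wav; name="patch.exe"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="patch.exe"\n'
        "\n"
        "ZHVtbXk=\n"
        "--b2--\n"
    ),
    (
        "From: friend@example.invalid\n"
        "To: peter@example.invalid\n"
        "Subject: Carlton handbrake\n"
        "Content-Type: text/plain\n"
        "\n"
        "Did you get the shoes adjusted in the end?\n"
    ),
]


def parse(raw: str) -> EmailMessage:
    """Parse one RFC 822 message with the modern EmailMessage policy."""
    return email.message_from_string(raw, policy=policy.default)


def is_bounce(msg: EmailMessage) -> bool:
    """A standards-conforming non-delivery report is multipart/report with
    report-type=delivery-status; these are what were filling the mailbox."""
    report_type = (msg.get_param("report-type") or "")
    return msg.get_content_type() == "multipart/report" and str(report_type).lower() == "delivery-status"


def executable_attachments(msg: EmailMessage):
    """Return (filename, declared content type, mislabelled?) for every part whose
    filename has an executable extension, whatever MIME type the part claims."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
            ctype = part.get_content_type()
            found.append((name, ctype, ctype not in HONEST_EXEC_TYPES))
    return found


def triage(raw_messages):
    """Classify each message and total the bytes that deleting the bounces would free."""
    summary = {"bounces": 0, "suspicious": 0, "clean": 0, "reclaimable_bytes": 0}
    for raw in raw_messages:
        msg = parse(raw)
        if is_bounce(msg):
            summary["bounces"] += 1
            summary["reclaimable_bytes"] += len(raw.encode("utf-8"))
        elif executable_attachments(msg):
            summary["suspicious"] += 1
        else:
            summary["clean"] += 1
    return summary


if __name__ == "__main__":
    print(triage(SAMPLE_MAILBOX))
    for raw in SAMPLE_MAILBOX:
        for name, ctype, mismatch in executable_attachments(parse(raw)):
            print(f"executable attachment {name!r} declared as {ctype}, mislabelled={mismatch}")
```

The point of the second check is that an attachment is judged by what Windows will do with its filename, not by the content type the sender chose; a message that offers a "patch.exe" while calling it audio is exactly the sort of thing worth quarantining before a mail client gets a chance to be helpful with it.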

Seriously Peter, don't you reckon that about £30 (Symantec AV) or a free download from AVG (Grisoft) would be a better use of your time?

JB

Reply to
JB

That does make sense, but I like a challenge, and I'm of the mindset that if you've done something once, it's a hell of a lot easier to do it a lot quicker the second time (reminds me of the first time I adjusted the handbrake shoes on a Carlton - took me about 2 hours all in all due to the Haynes manual not describing things correctly - a bit of lateral thinking about the way the adjuster screws and unscrews and I had it sorted - next time I needed to do it, on a different car, it took me about 15 minutes).

Peter

Reply to
AstraVanMan

Why not just run the Symantec virus removal tool for this virus? It would have saved you lots of bother.

formatting link
snipped-for-privacy@mm.removal.tool.html

Chris.

Reply to
Chris M

Time for an anti-virus prog. Try

formatting link, cheap and effective.

Reply to
Dave

formatting link
snipped-for-privacy@mm.removal.tool.html

Cheers for that - it did the trick in a few minutes. I ran it for a little while, and then realised I was still online, and the virus was possibly still sending itself out (I don't think I had got rid of it completely), so I cancelled the process, then it gave me a report saying how many files it had disinfected, how many registry entries it had deleted/modified, then I started it again, and it said the system was free from the virus, so whatever it did the first time was all that was needed.

So I'm guessing the virus infected some other executable files then?

What I don't get is that a company like Symantec gives a solution like this away for free!

Peter

Reply to
AstraVanMan

I'm of the mindset that prevention is better than cure. ;-)

Why not bite the bullet and download AVG free edition from Grisoft? It works well and will prevent future infections (and it's free!!).

Reply to
Michael Cotton

Suppose so, it's just that I've always been of the mindset to just be bloody careful with attachments, which I am and always have been. This time I got caught out because I'm using OE5 (on my desktop I had OE6, but the hard disk suddenly packed up one day and since I got my laptop I haven't got around to getting that back up and running), but I'm sure if I upgraded to OE6 then that would cure that age old security issue with outlook express. I've had hundreds of copies of this virus without even realising it, but I would have never opened these supposed attachments from Microsoft without checking out with Microsoft's website that they were genuine.

It's just that I take the view that the less things running that slow up the system, the better.

Blinkered view, I know.

Peter

Reply to
AstraVanMan

Had you got any other virus as well? How did you escape msblast of a couple of weeks ago? It comes in on port 135, nothing to do with email so being careful wouldn't have stopped it. Ahhh, just realised that you must have a firewall.

Reply to
rp

What would the symptoms have been?

Peter

Reply to
AstraVanMan

Sorry I can't help with that Peter, hopefully someone else can. I don't do virus/worms since I run OS/2 but I did get msblast knocking on my firewall and getting blacklisted at about 1 a minute. In fact there are 68 of them in my blacklist at the moment, all from freeserve modem users, they stay in there for twelve hours then get put back the next time they try.

I've only had one Swen, and I'm feeling left out, and that came from a friend of a friend after the first friend emailed me from his friends machine a couple of months ago.

Reply to
rp
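rp's twelve-hour blacklist, replayed in Python as an added example; this is not his firewall (the thread never says what it runs or what its log looks like), so the drop-log format below is hypothetical and the sample lines are constructed, with addresses from the 192.0.2.0/24 documentation range. Port 135 is the one the thread names; 139 and 445 are added as an assumption for a slightly more general watch list.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumption: ports worth watching. 135 comes from the thread; 139/445 are
# added here as the usual companions of the same Windows RPC/SMB surface.
WATCHED_PORTS = {135, 139, 445}

# Twelve-hour lifetime, as rp describes for his blacklist.
BLOCK_TTL = timedelta(hours=12)

# Hypothetical drop-log format, constructed for this example; real firewalls differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>[\d.]+) dst=\S+ proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Constructed sample log: two hosts hammering 135 about a minute apart, one
# unrelated DNS drop, one unparseable line, and one host coming back 13 hours later.
SAMPLE_LOG = [
    "2003-09-23T08:00:00 DROP src=192.0.2.10 dst=192.0.2.1 proto=tcp dport=135",
    "2003-09-23T08:01:00 DROP src=192.0.2.11 dst=192.0.2.1 proto=tcp dport=135",
    "2003-09-23T08:02:00 DROP src=192.0.2.10 dst=192.0.2.1 proto=tcp dport=135",
    "2003-09-23T08:05:00 DROP src=192.0.2.12 dst=192.0.2.1 proto=udp dport=53",
    "this line is not in the expected format",
    "2003-09-23T21:00:00 DROP src=192.0.2.11 dst=192.0.2.1 proto=tcp dport=135",
]


def parse_line(line):
    """Return a dict for a well-formed drop line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }


def replay_blocklist(lines):
    """Replay the log and return {src: expiry}. Every hit on a watched port
    (re)starts the TTL, so a host that returns after its entry lapsed is simply
    listed again, which is the behaviour rp describes."""
    expiry = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in WATCHED_PORTS:
            continue
        expiry[rec["src"]] = rec["ts"] + BLOCK_TTL
    return expiry


def active_blocklist(expiry, now_iso):
    """Sources whose entry has not yet expired at the given ISO timestamp."""
    now = datetime.fromisoformat(now_iso)
    return sorted(src for src, until in expiry.items() if until > now)


def hits_per_source(lines):
    """How often each source has knocked on a watched port; a rate of roughly
    one a minute across many sources is the worm pattern, not a person."""
    return Counter(
        rec["src"] for rec in map(parse_line, lines)
        if rec is not None and rec["dport"] in WATCHED_PORTS
    )


if __name__ == "__main__":
    expiry = replay_blocklist(SAMPLE_LOG)
    print("hits:", dict(hits_per_source(SAMPLE_LOG)))
    print("blocked at 12:00:", active_blocklist(expiry, "2003-09-23T12:00:00"))
    print("blocked at 21:30:", active_blocklist(expiry, "2003-09-23T21:30:00"))
```

The replay runs over the whole log before any query, so the expiry held for a source is always its most recent hit plus twelve hours; in the sample, 192.0.2.10 has dropped off the list by 21:30 while 192.0.2.11, which tried again at 21:00, has been put back.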

It's quietening down, got about 100 today, 260 yesterday, 400 odd Sunday.

Reply to
Tim S Kemp

It doesn't affect win95, 98 or Me - is that you?

cheers, clive

Reply to
Clive George

It didn't affect win95, 98 or you? :-)

Running win98, I wouldn't have got it.

Btw, was msblast the one that shut your PC down with something like a minute's notice? My brother had that one.

Peter

Reply to
AstraVanMan

I'm running OE 5.5 and haven't had any problems. One thing to learn is never ever open anything with attachments if it isn't from a source that you recognise (even then take care: right-click and check properties before opening). Secondly, spam trap your email address as it appears on newsgroups, which is where a lot of the virus senders are trawling addresses from. Using Google Groups is a bad idea because your email addy can't be spam trapped (at least not easily). Thirdly, as others have said, use an antivirus package. Someone mentioned Grisoft, which is what I'm using.

-- Malc

It's my war wound. I got it in Nam.

Cheltenham

Reply to
Malc

Couple of other things you can do: Set email to the highest security (restricted sites zone), and make sure that includes not running java, activeX, VBScript or anything. This means even if you do accidentally open something with one of these nasty attachments they won't run.

You can do google groups by setting up a hotmail or similar account, and using that to create your google account. You will need to reply to the google confirmation message, and from that you're home free. (Yes, xxxx-x is a real account. Well it was a couple of years ago, and is currently - it wasn't for a while as I didn't access it so it lapsed. I just don't read it).

Fortunately my car's been very well behaved, so I can't add any on topic info to this, sorry.

cheers, clive

Reply to
Clive George
