-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It looks a lot like the BadTrans Worm

I would suggest it is Badtrans.A but it could be Badtrans.B (less likely because the files you mention are sent in the original and, although the .B version also sends them, it is less likely)

If the worm replies to people sending E-Mail to you with the line:
"Take a look at the attachment"
Then you have A, if not, you have B.

To disinfect your computer there are several ways of doing it.

- From what I have heard:
Badtrans.A sends all of your passwords to [EMAIL PROTECTED]
Badtrans.B contains a full keylogger

** To get rid of this worm and trojan only:
(This assumes you have no legitimate programs using the WIN.INI RUN= loader or the Windows NT HKCU Run= loader, this is normally true)

Step 1. Delete the file: C:\WINDOWS\INETD.EXE
Step 2. Delete the file: C:\WINDOWS\SYSTEM\KERN32.EXE
        (Or C:\WINDOWS\SYSTEM32\KERN32.EXE or C:\WINDOWS\KERN32.EXE)
Step 3. Reboot your PC
Step 4. Create a text file called DISB.TXT with this as contents:

- --- CUT HERE ---
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Kernel32" = ""

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"RUN" = ""
- --- CUT HERE ---

        Then rename it DISB.REG and double click it.
Step 5. If you are running Windows 95, 98 or ME, run "SYSEDIT" and open the "WIN.INI" file and make the line that says "run=C:\WINDOWS\INETD.EXE" say "run=" then save and exit.
Step 6. Reboot again.

Note: Step 5 is not necessary if you have Badtrans.B or if you have Windows NT, 2000 or XP.
Also Note: If you have Badtrans.B you don't need the last 2 lines in the registry editing file (i.e., the one starting [HKEY_CURRENT...)

** To get rid of all the nasties:
To get rid of it entirely, and any other such nasties that may also be there (if you have one...), get an anti-virus program and run it! I would recommend an easy-to-use self-updating one for most people, but F-Prot for DOS may be best if you are already infected with something and you are running Windows 95 or Windows 98.

Then still get another real-time scanner. You don't have to be paranoid, you just need to get one that doesn't choke up your system and slow it down a lot, but is up-to-date and works.

F-PROT is made by Frisk Software and is available at their WWW site free of charge for private use, it is at: http://www.comlex.is

Trend PC-Cillin, Datafellows F-Secure, Symantec Norton Antivirus and McAfee Anti-Virus are all other well known, good, anti-virus products for differing environments.

BadTrans is not destructive to your data, but it does send out your passwords.

- --
Benjamin Holmes
Getronics, Brisbane, AUSTRALIA.

> -----Original Message-----
> From: Daniel Pope [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 23 January 2002 9:49 AM
> To: [EMAIL PROTECTED]
> Subject: I've been hurt by an e-mail virus ! What virus is it ?
>
> Dear All,
> An e-mail virus hurt my computer (don't be scared I'm
> using yahoo.com for this message).
>
> Some of my friends complained to me that any time they
> send an e-mail to me they received almost instantly an
> attachment having .pif extension.
> There are 3 different files attached (only one per
> each reply) called: readme.txt.pif, card.pif or
> fun.pif. (indeed the replies appear in my send box)
> When I send an e-mail to my friends they get it with
> no attachment or other problems.
> No other evil action has been taken apparently
> yet (fortunately??) on my computer but I'm scared.
> Can someone tell me what virus is it and how can I
> clean up my computer ?
>
> Thank you in advance !
> Daniel
>
> PS I'm using Windows98 and Outlook Express.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
Comment: Pee Gee Peeeeee!

iQA/AwUBPFECzXLvuelW5gClEQJ48QCgxCCvRF5+kFyzOf5T8vS1sD02kbkAoJZp dFwdnt2crc1MqH5K7EOUwUkP =oKwU -----END PGP SIGNATURE-----
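
Added example, not part of the original message: a small Python audit of the two autostart locations the reply names (the WIN.INI run= line and the two registry values in DISB.REG), run over a copy of WIN.INI and a REGEDIT4 export taken from the machine. The function names and the sample inputs are constructed for illustration; as in the reply, any non-empty data in the two named registry values is treated as suspect.

```python
import re

# File names and autostart locations are the ones named in the message above.
WORM_FILES = ("inetd.exe", "kern32.exe")
REG_CHECKS = {  # registry key (lower-cased) -> value name (lower-cased)
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce": "kernel32",
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows": "run",
}

def names_worm_file(value):
    """True if any program listed in an autostart value is one of WORM_FILES."""
    tokens = re.split(r"[\s,;]+", value.strip())
    return any(t.strip('"').rsplit("\\", 1)[-1].lower() in WORM_FILES for t in tokens)

def check_win_ini(text):
    """Return run= values in the [windows] section that name a worm file."""
    hits, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() == "run" and names_worm_file(value):
                hits.append(value.strip())
    return hits

def check_reg_export(text):
    """Return (key, value name, data) for non-empty watched values in a REGEDIT4 export."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        m = re.match(r'"([^"]+)"\s*=\s*"(.*)"$', line)
        # Empty data is the cleaned state that Step 4 writes, so it is not reported.
        if m and REG_CHECKS.get(key) == m.group(1).lower() and m.group(2):
            hits.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return hits

# Constructed sample inputs (not taken from a real machine).
SAMPLE_WIN_INI = r"""[windows]
run=C:\WINDOWS\INETD.EXE
"""
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Kernel32"="C:\\WINDOWS\\SYSTEM\\kern32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"RUN"=""
"""
```

Both functions return an empty list once Steps 4 and 5 have been applied, which makes them usable as an after-the-fact check on the cleanup.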
