
Friend is having a problem with possible Virus

Chaotic42

Lifer
I'll admit I know little about AV software. I don't use it, as I'm in Debian most of the time.

Anyway, she got the Klez virus and had her AV software destroy it, or so she thought. Now her AV software won't start. I had her download another AV program, and it installed, but now it says that system.ini is missing when Windows 98 starts up. This just developed, so I haven't been over or anything.

I just thought I'd ask, is there a good way other than uninstalling to purge this stupid thing? Any advice?

Thanks in advance.
 
Just fixed up that virus for a buddy 2 nights ago. Lucky for him, while Norton Antivirus couldn't clean/remove it, it did seem to keep it from doing its damage. Read about it here.
Also, this virus will "spoof" mails off to others without her knowledge. By spoof I mean, let's say she has "joe@here.com" in her address book; it will send itself out to others in her address book as "joe@here.com", as well as her email too.
Nasty one, this is. A lot of fixing to do if it's active.

Oh, and have her disconnect herself from the net; that virus really likes to reach out and touch someone.

When this worm is executed, it does the following:

It copies itself to %System%\Wink<random characters>.exe.

NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It adds the value

Wink<random characters> %System%\Wink<random characters>.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or it creates the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

and inserts a value in that subkey so that the worm is executed when you start Windows.

The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes. The worm removes the startup registry keys used by antivirus products and deletes checksum database files including:

Anti-Vir.dat
Chklist.dat
Chklist.ms
Chklist.cps
Chklist.tav
Ivb.ntz
Smartchk.ms
Smartchk.cps
Avgqt.dat
Aguard.dat

Local and Network Drive copying:
The worm copies itself to local, mapped, and network drives as:
A random file name that has a double extension. For example, Filename.txt.exe.
A .rar archive that has a double extension. For example, Filename.txt.rar.

Email:
This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers. For example, if the worm encounters the address user@abc123.com it will attempt to send email via the server smtp.abc123.com.

The subject line, message bodies, and attachment file names are random. The From address is randomly-chosen from email addresses that the worm finds on the infected computer.

The worm will search files that have the following extensions for email addresses:
.mp8
.exe
.scr
.pif
.bat
.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.pas
.mpg
.mpeg
.bak
.mp3
.pdf

In addition to the worm attachment, the worm also may attach a random file from the computer. The file will have one of the following extensions:
.mp8
.txt
.htm
.html
.wab
.asp
.doc
.rtf
.xls
.jpg
.cpp
.pas
.mpg
.mpeg
.bak
.mp3
.pdf

As a result, the email message would have 2 attachments, the first being the worm and the second being the randomly-selected file.
 
Assuming she can boot to Windows, either regular or safe mode, have her do a search of all drives for wink*.* and write them down, then delete them.

Let's say, for example, she finds several files called Winkrpx.[x] but doesn't find one with an executable extension. Delete them, reboot to the DOS prompt, and type attrib winkrpx.exe -r -a -s -h <enter>; it should execute without an error message. That means it found such a file, whose attributes were probably +r +h, and changed them. That is why the Windows search didn't find it. You can then type del winkrpx.exe <enter> and it should say it deleted one file.

Now, reboot to Windows and run REGEDIT and do a search for the same file name without an extension and remove all mention of it. You can then do a full uninstall of any virus software on the system as it is corrupted anyway. Reboot the system and go back into REGEDIT and look for any traces of the virus program using a keyword search.

Once you are reasonably sure it is gone (Norton Anti-Virus, for example, has a terrible uninstall routine and misses MUCH), then check with explorer to make sure there are no leftovers on the hard drive as most uninstall programs don't remove files that have been modified since the installation. ALL TRACES MUST BE REMOVED.

Then, and only then, should she reinstall a good virus program (McAfee and Norton are examples), do a full update so she has the latest signature files, and do a full system scan. If you don't do the update, it likely won't find Klez.h, as it is fairly new compared to the release of the above-mentioned virus programs.

Expect to find several dozen to several hundred files that have been corrupted by this virus. Write down the name and address of any EXE file as these will give you an idea of what programs you will have to reinstall.

It's a pain, but it can be done! Keep at it, and good luck!
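A defender-side check that ties together the persistence details in the pasted writeup (the Run value and the Services subkey named Wink<random characters>) with the wink*.* sweep from the removal steps above. This is an added example, not code from the thread or from any AV vendor; the registry export fragment and directory listing are constructed samples, and parsing a regedit export as text keeps it runnable offline without touching a live registry.

```python
import re

# Constructed sample: a fragment of a REGEDIT4 export (what "regedit /e" writes on
# Windows 9x) plus a constructed listing of C:\WINDOWS\SYSTEM. Not from a real host.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Winkabc"="C:\\WINDOWS\\SYSTEM\\Winkabc.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winkabc]
"ImagePath"="C:\\WINDOWS\\SYSTEM\\Winkabc.exe"
"""

SAMPLE_DIR = ["KERNEL32.DLL", "Winkabc.exe", "WINKRPX.DAT", "user.exe"]

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICE_PREFIX = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink"


def find_registry_traces(reg_text):
    """Return (key, value name, data) triples that match the Klez persistence pattern:
    a Wink* value under the Run key, anything under a Services\Wink* subkey, or any
    value whose data points at a Wink*.exe image."""
    hits = []
    current = None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo export escaping
        run_hit = current.lower() == RUN_KEY.lower() and name.lower().startswith("wink")
        svc_hit = current.lower().startswith(SERVICE_PREFIX.lower())
        img_hit = re.search(r"\\wink[^\\]*\.exe$", data, re.I) is not None
        if run_hit or svc_hit or img_hit:
            hits.append((current, name, data))
    return hits


def find_file_traces(names):
    """Names matching wink*.* (case-insensitive, as DOS is). Feed this the output of
    'dir /a' so hidden/read-only files, which Windows search skips, are included."""
    return sorted((n for n in names if n.lower().startswith("wink")), key=str.lower)
```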
 