
Need Virus Help ASAP - FIXED

Serp86

Senior member
Trend PC Cillin detects an infected file in windows directory. It is named hellokitty.exe and its description says "this is some nice stuff 😉"
Trend says that the worm is a WORM_SURNOVA.A and it cannot clean/quarantine it. When I went to delete it manually, an error saying permission denied: check if the disk is full or write protected appears. Has anyone ever experienced this before? Thanks
 
Oh - it's ok - I just popped in a windows 98 startup disk and I was able to delete it - guess windows was using it then *shudder*.
 
I did a search on google.com and found the info below. There is an entry in the registry that you might want to get rid of.


- one or more files named Alles-ist-vorbei.exe, Desktop-shooting.exe, Hello-Kitty.exe, BigMac.exe, Hellokitty.exe, Cheese-Burger.exe or Blaargh.exe in the Windows folder, matching in size one of the values listed above;
- the registry entry HKLM\Software\Microsoft\CurrentVersion\Run\SuperNova referring to one of the files above;
- a lot of copies of the virus (with different names, but all approx. 40 / 44 / 48 KB in size) in the Windows Media folder (usually C:\Windows\Media or C:\WinNT\Media).

Technical description:

This is another worm that uses the KaZaA file sharing network to spread itself; it also tries to replicate via MSN Messenger. All three versions were written in Visual Basic.

When the user clicks OK, the virus copies itself in the Windows folder, using one of the following filenames:
Alles-ist-vorbei.exe
Desktop-shooting.exe
Hello-Kitty.exe
BigMac.exe
Hellokitty.exe (version A only)
Cheese-Burger.exe
Blaargh.exe (versions B and C only)

It will then attempt to send itself to the user's contacts in the MSN Messenger friends list; the instant message sent includes a text from this list:

Hehe, check this out 🙂
Funny, check it out (h)
LOL!! See this 😀
LOL!! Check this out 🙂

A text file with a random name (e.g. 19058880607.txt) is created in the Windows folder.
The virus then enters an infinite loop; it keeps setting the values of the following registry entries:
- HKLM\Software\Microsoft\CurrentVersion\Run\SuperNova (the value of this key causes the copy of the virus in the Windows folder to be launched at every Windows start-up);

- HKCU\Software\Kazaa\LocalContent\Dir0 (this entry is set up to add the Windows Media folder to the list of Kazaa-shared folders);

- HKCU\Software\Kazaa\LocalContent\DisableSharing = 0 (the value of this entry is set to 0 in order to enable sharing of files with other Kazaa users).

The reason why it sets the registry entries above repeatedly is to prevent the user from changing them in an attempt to stop the worm's actions.

Invoke task manager (by pressing CTRL+ALT+DEL once in Windows 95/98/ME, or CTRL+SHIFT+ESC in Windows NT/2000/XP) and terminate the process (or processes) corresponding to the filenames listed in the Symptoms section; doing this, or starting Windows in safe mode, will then allow you to remove (using REGEDIT) the malicious registry entries described above. You should also remove all the copies of the virus in the Windows Media folder; these are all EXE files, and they have sizes of 40960, 45056 or 49152 bytes.
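As an added example (not part of the original posts or of the quoted vendor description), the file indicators above can be checked with a short Python script: it flags the listed filenames in the Windows folder and any EXE of 40960, 45056 or 49152 bytes under the Media folder. The function names and the sample tree are constructed for illustration, and the registry entries are not checked here.

```python
import os
import tempfile

# Indicators taken from the description quoted above.
WORM_NAMES = {
    "alles-ist-vorbei.exe", "desktop-shooting.exe", "hello-kitty.exe",
    "bigmac.exe", "hellokitty.exe", "cheese-burger.exe", "blaargh.exe",
}
WORM_SIZES = {40960, 45056, 49152}  # bytes

def scan(windows_dir, media_dir=None):
    """Return sorted (path, reason) pairs for files matching the indicators."""
    media_dir = media_dir or os.path.join(windows_dir, "Media")
    hits = []
    # Dropped copy: a listed name directly in the Windows folder.
    for entry in os.scandir(windows_dir):
        if entry.is_file() and entry.name.lower() in WORM_NAMES:
            note = "size match" if entry.stat().st_size in WORM_SIZES else "size differs"
            hits.append((entry.path, "known name, " + note))
    # Shared copies: any name, but an EXE with one of the three listed sizes.
    if os.path.isdir(media_dir):
        for root, _dirs, files in os.walk(media_dir):
            for name in files:
                path = os.path.join(root, name)
                if name.lower().endswith(".exe") and os.path.getsize(path) in WORM_SIZES:
                    hits.append((path, "EXE with listed size in Media folder"))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample tree of harmless zero-filled files for a dry run."""
    root = tempfile.mkdtemp()
    media = os.path.join(root, "Media")
    os.mkdir(media)
    samples = {
        os.path.join(root, "Hellokitty.exe"): 40960,   # listed name and size
        os.path.join(root, "notepad.exe"): 45056,      # listed size, unlisted name
        os.path.join(media, "some song.exe"): 49152,   # EXE with listed size
        os.path.join(media, "chimes.wav"): 40960,      # listed size, not an EXE
        os.path.join(media, "setup.exe"): 12345,       # EXE, unlisted size
    }
    for path, size in samples.items():
        with open(path, "wb") as f:
            f.write(b"\0" * size)
    return root

if __name__ == "__main__":
    for path, reason in scan(build_sample_tree()):
        print(reason, "->", path)
```

A size match alone is weak evidence, so treat hits as candidates to confirm with an up-to-date scanner before deleting anything.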

 