Thread: wincfg - trojan - close encounter of the wrong kind

  1. #1
    sponge Guest

    Re: wincfg - trojan - close encounter of the wrong kind

    default <R75/5@defaulter.net> wrote in message news:<o5dqpvgoum7bk7pqt7g0qm4h3d2ft64tn3@4ax.com>. ..
    > I acquired this pig from a usenet site somewhere. Was doing
    > housekeeping and trashing old files found a Quick Time Icon and double
    > clicked it - wrong move.
    >
    > The firewall caught it trying to phone out on a restricted port - one
    > with an alarm setting on it so I knew about it about two hours after
    > double clicking on it.
    >
    > It tries to phone a site in the UK or Netherlands. The executable is
    > a hidden file that starts from the registry. It disables regedit and
    > disables msconfig. Even after changing the attributes on the file
    > properties it won't allow you to delete the executable. No way to fix
    > it . . .
    >
    > File hidden, masquerades as a screen saver with an scr extension, the
    > registry calls it a winsock2, and it kills the means to remove it.
    >
    > To cure it I searched on Google and found some 244 hits on the usenet
    > sites and 4 on web sites (none of the virus prog vendors). I
    > downloaded TaskInfo2003. That let me shut down the program
    > (ctrl/alt/del didn't show it running). With the program terminated, I
    > was able to clear the executable and run regedit and repair the
    > registry. (Hijack This, may have also fixed the registry - I didn't
    > try it)
    >
    > I'm indebted to the folks that solved this problem and posted their
    > findings. AdAware and Spybot do not find it. From some of the usenet
    > posts neither do Norton or McAfee (but Norton is supposed to have a
    > program to do it if you are their customer and can download it)


    Ugh, Norton's is horrible.

    I suggest submitting it to:
    http://vil.nai.com/vil/submit-sample.asp and emailing
    info@kasperskylab.co.uk (without the trojan). You also email the folks
    at SpyBot and Ad-Aware; if they want a sample, they'll ask for the
    executable.

    Sponge
    Sponge's Secure Solutions
    www.geocities.com/yosponge
    My new email: yosponge2 att yahoo dott com

  2. #2
    default Guest

    Re: wincfg - trojan - close encounter of the wrong kind

    On 27 Oct 2003 12:08:16 -0800, yosponge@yahoo.com (sponge) wrote:

    >default <R75/5@defaulter.net> wrote in message news:<o5dqpvgoum7bk7pqt7g0qm4h3d2ft64tn3@4ax.com>. ..
    >> I acquired this pig from a usenet site somewhere. Was doing
    >> housekeeping and trashing old files found a Quick Time Icon and double
    >> clicked it - wrong move.
    >>
    >> The firewall caught it trying to phone out on a restricted port - one
    >> with an alarm setting on it so I knew about it about two hours after
    >> double clicking on it.
    >>
    >> It tries to phone a site in the UK or Netherlands. The executable is
    >> a hidden file that starts from the registry. It disables regedit and
    >> disables msconfig. Even after changing the attributes on the file
    >> properties it won't allow you to delete the executable. No way to fix
    >> it . . .
    >>
    >> File hidden, masquerades as a screen saver with an scr extension, the
    >> registry calls it a winsock2, and it kills the means to remove it.
    >>
    >> To cure it I searched on Google and found some 244 hits on the usenet
    >> sites and 4 on web sites (none of the virus prog vendors). I
    >> downloaded TaskInfo2003. That let me shut down the program
    >> (ctrl/alt/del didn't show it running). With the program terminated, I
    >> was able to clear the executable and run regedit and repair the
    >> registry. (Hijack This, may have also fixed the registry - I didn't
    >> try it)
    >>
    >> I'm indebted to the folks that solved this problem and posted their
    >> findings. AdAware and Spybot do not find it. From some of the usenet
    >> posts neither do Norton or McAfee (but Norton is supposed to have a
    >> program to do it if you are their customer and can download it)

    >
    >Ugh, Norton's is horrible.
    >
    >I suggest submitting it to:
    >http://vil.nai.com/vil/submit-sample.asp and emailing
    >info@kasperskylab.co.uk (without the trojan). You also email the folks
    >at SpyBot and Ad-Aware; if they want a sample, they'll ask for the
    >executable.
    >
    >Sponge
    >Sponge's Secure Solutions
    >www.geocities.com/yosponge
    >My new email: yosponge2 att yahoo dott com

    OOPS, good point. Like a dummy I removed every vestige of the damn
    thing. I should have just quarantined it. I can set up a "want"
    filter and catch it when it pops up again.
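
The traits described in the thread (an autostart registry value named winsock2 that launches a hidden .scr file, with regedit disabled) can be checked offline in a registry export. This is an added example, not part of the original posts: the sample export and the file name example.scr are constructed, and it assumes regedit was blocked through the DisableRegistryTools policy value, which the thread does not confirm.

```python
import re

# Constructed sample: a regedit export from a hypothetical affected profile.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsock2"="C:\\WINDOWS\\system32\\example.scr"
"FirewallTray"="\"C:\\Program Files\\Firewall\\tray.exe\" -min"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once|Services)?$', re.I)
POLICY_KEY = re.compile(r'\\CurrentVersion\\Policies\\System$', re.I)

def target_path(data):
    """Extract the program path from a REG_SZ command line as written in a .reg file."""
    if data.startswith('"') and data.endswith('"'):
        data = re.sub(r'\\(.)', r'\1', data[1:-1])   # undo .reg escaping of \ and "
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', data)     # quoted path, else first token
    return (m.group(1) or m.group(2)) if m else data

def audit(reg_text):
    """Return (finding, key, value name, data) tuples for the two traits above."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            key = m.group(1)
            continue
        m = VALUE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if RUN_KEY.search(key):
            path = target_path(data)
            if path.lower().endswith(".scr"):        # screen saver started at logon
                findings.append(("autostart-scr", key, name, path))
        elif POLICY_KEY.search(key) and name.lower() == "disableregistrytools":
            if data.lower().startswith("dword:") and int(data[6:], 16) != 0:
                findings.append(("regedit-disabled", key, name, data))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

Exports written by regedit in the 5.00 format are UTF-16, so decode the file with that encoding before passing its text to `audit`.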


