On 27 Oct 2003 12:08:16 -0800, yosponge@yahoo.com (sponge) wrote:

>default <R75/5@defaulter.net> wrote in message news:<o5dqpvgoum7bk7pqt7g0qm4h3d2ft64tn3@4ax.com>...
>> I acquired this pig from a usenet site somewhere. Was doing
>> housekeeping and trashing old files found a Quick Time Icon and double
>> clicked it - wrong move.
>>
>> The firewall caught it trying to phone out on a restricted port - one
>> with an alarm setting on it so I knew about it about two hours after
>> double clicking on it.
>>
>> It tries to phone a site in the UK or Netherlands. The executable is
>> a hidden file that starts from the registry. It disables regedit and
>> disables msconfig. Even after changing the attributes on the file
>> properties it won't allow you to delete the executable. No way to fix
>> it . . .
>>
>> File hidden, masquerades as a screen saver with an scr extension, the
>> registry calls it a winsock2, and it kills the means to remove it.
>>
>> To cure it I searched on Google and found some 244 hits on the usenet
>> sites and 4 on web sites (none of the virus prog vendors). I
>> downloaded TaskInfo2003. That let me shut down the program
>> (ctrl/alt/del didn't show it running). With the program terminated, I
>> was able to clear the executable and run regedit and repair the
>> registry. (Hijack This, may have also fixed the registry - I didn't
>> try it)
>>
>> I'm indebted to the folks that solved this problem and posted their
>> findings. AdAware and Spybot do not find it. From some of the usenet
>> posts neither do Norton or McAfee (but Norton is supposed to have a
>> program to do it if you are their customer and can download it).

>
>Ugh, Norton's is horrible.
>
>I suggest submitting it to:
>http://vil.nai.com/vil/submit-sample.asp and emailing
>info@kasperskylab.co.uk (without the trojan). You also email the folks
>at SpyBot and Ad-Aware; if they want a sample, they'll ask for the
>executable.
>
>Sponge
>Sponge's Secure Solutions
>www.geocities.com/yosponge
>My new email: yosponge2 att yahoo dott com

OOPS, good point. Like a dummy I removed every vestige of the damn
thing. I should have just quarantined it. I can set up a "want"
filter and catch it when it pops up again.


