#1 (Guest)
A new self-replicating Malware (Virus and Worm) attacks!!!
Dear Sir or Madam,
A new computer worm is attacking computers around the world. The serious problem is that most antivirus products cannot detect and clean it, and no removal tool was available on the Internet. Another serious problem arises when some current antivirus products detect this virus as another kind of virus (Worm 32 family); these products usually delete the whole infected file (exe, autorun.inf, etc.).

This virus infects a computer, for instance, by:

- Infecting the local hard disk drives and executable applications
- Carrying itself on a removable medium such as a floppy disk, CD, or USB drive
- Sending itself over a local network or the Internet. This virus can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer.
- Adding keys into the Windows registry

This virus is a mixture of worm, virus and maybe Trojan; it is a self-replicating computer program that attaches itself to existing programs on the infected PC (it modifies files on a targeted computer). It is confused with computer worms. It can spread itself to other computers without needing to be transferred as part of a host. And usually this mixture of a computer worm and virus may be a Trojan horse too. This virus blurs the line between viruses and worms (maybe Trojan too); actually it is self-replicating malware.

Description:

Nobody is sure yet about the name of this new virus.

Saturday, November 03, 2007

I submitted the virus exe file to "Virustotal" (Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware detected by antivirus engines) and I got these results:

| Antivirus | Result |
|---|---|
| AVG | Worm/Generic.DKD |
| BitDefender | Win32.Worm.P2P.VBT |
| CAT-QuickHeal | Worm.AutoRun.tk |
| F-Secure | Virus.Win32.AutoRun.tk |
| Ikarus | Win32.Worm.P2P.VBT |
| Kaspersky | Virus.Win32.AutoRun.tk |
| Panda | Suspicious file |
| Sophos | W32/Dawin-A |
| VBA32 | Virus.Win32.AutoRun.tk |

The major antivirus engines give different names for this virus (malware); I think that means two things:

1. There is no specific name for this virus.
2. Each antivirus engine handles this virus in a different way, and does not detect the latest version of it (detects it as another kind of virus, Worm 32 family).

Technical Details:

When executed, the virus drops a file / component (a copy of itself) "KB915865.exe" on all physical drives. That also includes all removable drives, such as flash disks.

It creates the folder "\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\" on drives it affects, and drops a copy of itself there as "KB915865.exe". This folder is set to Hidden and System.

\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

It also drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed. The said file contains the following strings:

```
[AutoRun]
open=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
shellexecute=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
shell\Open\command=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
shell=Open
open=.
```

This virus creates registry entries to enable its automatic execution at every system startup.

Platform:

This worm affects systems running Windows 98, ME, NT, 2000, XP, and Server 2003.

Solution:

I wrote a specific removal tool for this virus (e-nil! Virus Cleaner); it is free and available on my blog: http://www.e-nil.com/blogs/?page_id=32

For more information or details please do not hesitate to contact me.

Best regards and have a nice day,
Hani Simo
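An added example, not part of the original post and not the poster's tool: a read-only audit of an AUTORUN.INF file that flags launch entries matching the file name and drop folder given in the post. The function name `audit_autorun` and both sample files are constructed for illustration.

```python
import re

# Indicators taken from the post above (file name and drop folder).
IOC_FILE = "kb915865.exe"
IOC_DIR = r"\msocache\90000804-6000-11d3-8cfe-0150048383c9"
# autorun.inf keys that launch a program when the drive is opened.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def audit_autorun(text):
    """Return (key, target, reason) for each launch entry worth a look."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, target = (part.strip() for part in line.split("=", 1))
        if not LAUNCH_KEY.match(key):
            continue  # icon=, label=, shell=... do not start a program
        norm = target.lower().replace("/", "\\")
        if IOC_FILE in norm or IOC_DIR in norm:
            findings.append((key, target, "matches indicator from the post"))
        elif re.search(r"\.(exe|com|scr|pif|bat|cmd|vbs)\b", norm):
            findings.append((key, target, "launches an executable"))
    return findings

# Constructed sample inputs, not captured from an infected drive.
INFECTED = r"""[AutoRun]
open=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
shellexecute=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
shell\Open\command=.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
shell=Open
"""
BENIGN = "[autorun]\nicon=setup.ico\nlabel=Backup Disk\n"

if __name__ == "__main__":
    for key, target, reason in audit_autorun(INFECTED):
        print(f"{key}: {target} ({reason})")
```

The script only reads text; because the post says the drop folder is set to Hidden and System, checking the drive itself requires a listing that shows hidden and system items.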

#2 (Guest)
Re: A new self-replicating Malware (or maybe plain Spam)
<snip>
> Solution:
> I wrote a specific removal tool for this virus (e-nil! Virus Cleaner),
> it is free and available on my blog:

I am highly suspicious when an unknown person offers a solution that might in fact cause a problem in the first place. Better to stick to a known product with a solid reputation.

#3 (Guest)
Re: A new self-replicating Malware (Virus and Worm) attacks!!!
hanisimo wrote:
> Dear Sir or Madam,
>
> A new computer worm is attacking the computers around the world, the
> serious problem is the most of the anti viruses cannot detect & clean
> it... also the removal tool was not available on the Internet... other
> serious problem presents when some of current anti viruses detect this
> virus as other kind of virus (Worm 32 family) ... and usually these
> antivirus delete the whole infected file (exe & autorun.inf ... ext)...

(snip multipost)

I responded to this in the other newsgroup to which you posted. Please don't multipost; it makes more work for everyone and will get you *less* help, not more. See this for why:

http://en.wikipedia.org/wiki/Crossposting

If you have forgotten where you posted or can't find your post, use Google Groups Advanced Search and search for your name.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

#4 (Guest)
Re: A new self-replicating Malware (or maybe plain Spam)
Pegasus (MVP) added these comments in the current discussion du jour ...

> <snip>
>
>> Solution:
>> I wrote a specific removal tool for this virus (e-nil! Virus
>> Cleaner), it is free and available on my blog:
>
> I am highly suspicious when an unknown person offers a solution
> that might in fact cause a problem in the first place. Better
> to stick to a known product with a solid reputation.
>

yes, beware of Greeks bearing gifts! what an opportunity to plant malware on gullible people's PCs by giving away free detection utilities. all too many people never got the message that if something is too good to be true, and sometimes that is the case for "free" stuff, then it probably is too good to be true.

--
HP, aka Jerry

#5 (Guest)
Re: A new self-replicating Malware (Virus and Worm) attacks!!!
hanisimo wrote:
> > A new computer worm is attacking the computers around the world, the

Then, for the first step, don't download it. Second step is do not install it. Problem solved...

--
http://www.bootdisk.com/

#6 (Guest)
Re: A new self-replicating Malware (Virus and Worm) attacks!!!
Dear all,
Sorry for the repetition "multipost", but when I created this removal tool I was very excited and I wanted to share it ASAP.

I am not a spammer; I wanted to share this tool to stop the malware that affected my PC. I know I am an "unknown person", but that doesn't mean I cannot help the others anyway.

Thanks all and have a nice day,
Hani