Preserved Topic: A dirty virus

I was wondering if anyone had come across this one, no amount of searches at google.com or symantec's virus encyclopedia could find. It was first called src.scr, my sister got an email from a Mailer Daemon thing with it attatched and decided it would be in everyones best interest to run it straight away !! it was 87kb, it put itself in win/system as winked.exe, once I deleted it from the registry, this somehow triggered it to write itself there again and rename it to winkps.exe (Photoshop and Nortan Antivirus where unable to run, everything else was fine untill it crashed the computer after about 5 minutes.), once I deleted from the registry real quick , turned off the computer booted into good ol' DOS and deleted there, and at the same time found that another file of the same size was called winkcpp.exe , so I deleted this too. And now everything seems to be okay(I had to reinstall Nortan but no PS), but going by how smart this virus seemed , I dont think Ive seen the last of it.

any ideas ? suggestions

Check http://www.sophos.com/ and see if they have it listed in there. I'll check back tomorrow and see if you've found anything - right now it's time for me to go to bed.

That would be the Klez virus my friend. Check out Symantec for a removal tool. There have been a few variations of this virus and they have one removal tool that will check for all variations.

quote:

---

from Symantec
It adds the value

Wink[random characters] %System%\Wink[random characters].exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

or it creates the registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

and inserts a value in that subkey so that the worm is executed when you start Windows.

---

Link

Later,
C:\


~Binary is best~

Yes, Klez is the dirty bastard that disables your AV programs as well as your Task Manager... That dirty, dirty bastard...

This site has real good info on it as well as a cleaner tool that works fantastically. Good luck!

Yeah, the thing that tipped me off was the "winked.exe". Seems that it renames itself as WINK then something else (like the description says)

Don't know why they call it Klez? Should call it W32.Wink, don't you think?
Where the hell do they come up with these name?

Remember the names that they used during the Gulf War stuff? Desert Fox, Desert Sheild, Desert Storm. Anyway, good luck Hugh. After cleaning it up you'll be fine. I've had a couple of virus'.

Later,
C:\


~Binary is best~

Hey thanks for the help ! Cprompt: I knew about the registry version up the Startup dir or run= in the win.ini. And when I delete the key there, it puts itself there again after a few seconds. Thanks for the name of it, thats helps loads !
I didnt know about:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wink[random characters]

what does that dir(I suppose it is a directory ?) do ?

It also seems to fiddle with net settings. It wont let Rnaap close, Im not sure what that is, but I know its needed to connect to the net.

I'll look for removal proggies, and report back.. again thanks for the help.

Its great when sites have broken links isnt it http://securityresponse.symantec.com/avcenter/FixKlez.com

Hugh, that link worked for me. It starts a download of the removal tool.

Are you using the same computer to download the removal tool that has the virus?

Oh, and that Service that it copies itself to is so that the virus is ran everytime that Windows boots up.

Later,
C:\


~Binary is best~

[This message has been edited by CPrompt (edited 08-28-2002).]

No, I cant connect to the net at home, or not for long anyway and I dont really want to due to the nature of the virus with it emailing itself to everyone. Im in a net cafe(I work here), still wont download for me, I'll try a different machine


edit:

Mmh, it worked fine on a different machine, thats just weird. I'll try it when I get home.

[This message has been edited by Hugh (edited 08-28-2002).]

HOORAY !

need i say more ?

thanks everyone, God I love this place!

Is the virus really dirty?

InSiDeR: Yes it is very dirty. I calls those 900 sex numbers from your computer. It also continuiously downloads porn pics from various websites.



Later,
C:\


~Binary is best~

Hugh: Glad that you got it out of there.

I just noticed something, you are in Dublin? Is that close to Doolin? There is the big Linux fest thingy going on pretty soon there. I'd love to go, well I'd love to come to Ireland anytime, but for a Linux fest ! WEEEEEE!!!!!!!!!!!!

Later,
C:\


~Binary is best~

Sound like insider's sorta Virus then

About dirty..
got some BSOD's in win98 (yech)
got some more BSOD's
then my computer realy froze and even the powerbutton did not do anything,
pulled the plug and restart my mchine into dos
Then i run scandisk and there were some faults..
Rebooted and win98 works fine for about 5min and collapses.
I decided to reinstall windows fromt the spare partition.
This helped for about 20 min. then i had to start all over.
Tried it 2 more time while renaming the windows directoty.
No help (ofcourse)
Then i cleanded the windos dir and all of the win files even the hidden, system and read-only files.
This also was no help..!
While trying the last (and desporate) attempt, windows start complaining about an bad registry.
After the reboot, those BOSD's return at an alarming rate.

My theory here is some virus did damage to the registry from both my original windows dir and from the spare setup parttiton. But maybe there was some other thing goin on... but i do doubt about that.

Someone know if there are some good virus tools running from dos???


Powered by Curiousity
~First Member From the RAT-DEFENSE team~