Virus Update

[StRiDeR]

Troj/Uproot-A (first discovered on 2nd January 2003)
Aliases
Backdoor.UpRootKit, Backdoor.Uprootkit, Backdoor.Uprootkit.cli

Type
Trojan

Detection
A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the February 2004 (3.78) release of Sophos Anti-Virus.
At the time of writing Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers.


Description
Troj/UpRoot-A is a backdoor Trojan for Windows 2000/XP that allows a malicious user remote access to the system. The Trojan can use the ICMP as well as the TCP or UDP protocols on configurable ports for communication.
In order to run automatically when Windows starts up the Trojan copies itself to the Windows system folder as uprootkit.exe and registers itself as the service process uprootkit.


Recovery

Trojans infect computers, but do not infect files. They can simply be identified and deleted. However, they often make registry or startup file changes so that they are executed on boot-up. Check the virus analysis for details of such behaviour.

1. Removing Trojans in Windows 95/98/Me
To remove the Trojan

Check the virus analysis for details on the Trojan and its removal.
Go to Start|Programs|Sophos Anti-Virus and run the 'Sophos Anti-Virus' program.
Select the 'Immediate' tab.
Go to Options|Configuration... select the 'Action' tab, tick 'Infected files', select 'Delete' then click 'OK'.
Click the 'Go' button on the toolbar to start the scan.
Delete the files. Run another scan to check it has gone.
Go back to Options|Configuration... select the 'Action' tab, then deselect 'Infected files' and 'Delete'. Click 'OK'.
Reboot and run a final scan to be certain it has gone.
If the Trojan cannot be removed because the files are held open by the operating system:

Reboot the computer from a clean startup or system disk.
Delete the Trojan files manually or using the DOS instructions.
2. Removing Trojans in Windows NT/2000/XP/2003
To remove the Trojan

Check the virus analysis for details on the Trojan and its removal.
Close down all programs.
Go to Start|Programs|Sophos Anti-Virus and run the 'Sophos Anti-Virus' program.
Select the 'Immediate' tab.
Go to Options|Configuration... select the 'Action' tab, tick 'Infected files', select 'Delete' then click 'OK'.
Click the 'Go' button on the toolbar to start the scan.
Delete the files. Run another scan to check it has gone.
Go back to Options|Configuration... select the 'Action' tab, then deselect 'Infected files' and 'Delete'. Click 'OK'.
Reboot and run a final scan to be certain it has gone.
If Sophos Anti-Virus cannot delete files because they are held open by the operating system, make a note of the names of the files, then do as follows.

Windows 2000/XP/2003
Download the most recent virus identity (IDE) files and save them to floppy disk. Write-protect the floppy disk.
Restart the computer in Safe Mode. Go to Start|Shut Down. Select Restart from the drop down list and click OK. Windows will restart. Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu select the third option 'Safe Mode with Command Prompt'.
Either run SAV32CLI from the Sophos CD or download an emergency copy of SAV32CLI on an uninfected computer, extract it and write it to CD.
At the infected computer, place the CD in the CD drive (D: in this example) and the floppy disk with the IDEs in the floppy disk drive (A: in this example).
At the command prompt type
D:
to access the CD drive. If you are using the Sophos CD, type:
CD WIN32\I386\SAV32CLI
if you are using a SAV32CLI download disk, type:
CD SAV32CLI
Then type:
SAV32CLI -IDEDIR=A:\ -REMOVEF -P=C:\LOGFILE.TXT
to remove the Trojan.
Before leaving Safe Mode edit any registry entries mentioned in the Trojan analysis recovery instructions.
If problems persist contact support.
Windows NT
Download the most recent virus identity (IDE) files and save them to floppy disk. Write-protect the floppy disk.
Either use SAV32CLI from the Sophos CD or download an emergency copy of SAV32CLI on an uninfected computer, extract it and write it to CD.
Shut down all programs.
Go to Start|Settings|Control Panel and double-click Services. Stop as many services as possible using the Stop button. Close and shut down the Control Panel.
Press the Ctrl, Alt and Del keys at the same time. Click 'Task Manager' and select the Processes tab. Select a process and click on End Process. It may or may not end. Repeat this for other processes (including the Windows desktop).
After closing all possible programs go to File|New Task (Run) and type 'Cmd'.
Close down the Task Manager screen.
Place the CD in the CD drive (D: in this example) and the floppy disk with the IDEs in the floppy disk drive (A: in this example).
At the command prompt type
D:
to access the CD drive. If you are using the Sophos CD, type:
CD WIN32\I386\SAV32CLI
if you are using a SAV32CLI download disk, type:
CD SAV32CLI
Then type:
SAV32CLI -IDEDIR=A:\ -REMOVEF -P=C:\LOGFILE.TXT
to remove the Trojan.
If Trojan removal has succeeded, edit any registry entries mentioned in the Trojan analysis recovery instructions.
If problems persist contact support.


3. Removing Trojans on Macintosh computers
Check the virus analysis for details on the Trojan and its removal.
Close down all programs.
Run the 'Sophos Anti-Virus' program.
Go to Edit|Preferences.
Choose Virus Action from the Immediate Mode menu.
Select Infected Files and Delete.
Close SAV Preferences.
Click on the Go button.
Click 'OK' when asked if files should be deleted.
Run another scan to ensure that the Trojan has been removed.
Go back to Virus Action and deselect Infected Files and Delete.
If problems with the Trojan persist then contact support.

4. Removing Trojans in DOS
You will need SWEEP for DOS on floppy disk. To do this make a set of Emergency SAV disks.

Check the virus analysis for details on the Trojan and its removal.
Reboot your PC from a clean system disk, put the 'SWEEP for DOS' disk in the floppy drive and at the A: prompt type:

SWEEP *: -REMOVEF


5. Removing Trojans in OS/2
To delete infected files:

Check the virus analysis for details on the Trojan and its removal.
For drive C: at a command prompt type
OSWEEP C: -REMOVEF
Run a scan to check that all Trojan files were deleted.
If infection persists disinfect in stand-alone mode:

If OS/2 is running, shut it down.
Boot OS/2 from the OS/2 Utility disk set. Follow the on-screen instructions. When booting has finished the A: prompt appears.
Remove the OS/2 Utility disk.
Place the 'Emergency OSWEEP' disk in drive A:.
For drive C: at the A: command prompt type
OSWEEP C: -REMOVEF -CI
(-REMOVEF deletes the infected files, -CI checks the integrity of SWEEP on the 'Emergency OSWEEP' disk). The computer checks program integrity then asks for the virus data disk. Replace the 'Emergency OSWEEP' disk with the virus data disk.
After disinfection, run another scan to check that all Trojan files were deleted.
If problems persist contact support.

6. Removing Trojans in NetWare
Trojan files should be deleted.

Note: This will delete any documents infected with macro viruses. Deal with them first.

Check the virus analysis for details on the Trojan horse and its removal.
Run a scan to locate all Trojan files.
Select 'Delete in the 'Removal mode' option of the 'Immediate mode' menu.
Delete the Trojan files.


7. Removing Trojans in Unix
To delete Trojan files:

Check the virus analysis for details on the Trojan and its removal.
Use SWEEP with the -remove option

sweep -remove
Run a scan to check that Trojan infected files were deleted.
8. Removing Trojans in OpenVMS
To delete Trojan files:

Check the virus analysis for details on the Trojan and its removal.
Delete the Trojan files by running VSWEEP from DCL using the command line qualifier '/REMOVEF'.

Note: '/REMOVEF' does not prompt for confirmation before deletion and should be used with caution.
For details on the use of these command line qualifiers and sample batch files using them, see the Sophos Anti-Virus for OpenVMS manual.

;)Knowledge is power

[turtle]

aku kalo da byk sgt menantang tue, format jer tros x payah pening kan kapla

[StRiDeR]

to be right back:

x jugak....kita cuba lah cara nie dulu....format pc tue...sebagai last resort....lagi pun lau nak format....document2 penting camner?....hilang terus camtue jer....x pun lau dah selalu sgt format....h/d kong nanti.....

[StRiDeR]

thread nie....diadakan utk inform u guys....pasal virus2 baru....n cara handle virus2 nie ....lau cara nak buang virus tue....terpulang pada korang lah....ini just for information and tips jer.... ;D

[StRiDeR]

W32/Mimail-M
Type
Win32 worm

Detection
A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the February 2004 (3.78) release of Sophos Anti-Virus.
Sophos has received several reports of this worm from the wild.

Note: Sophos issued an IDE for W32/Mimail-M at 10:02 GMT on 4 December. This updated IDE includes detection for a slight variant.


Description
W32/Mimail-M is a worm which spreads via email using addresses harvested from the hard drive of the infected computer. All email addresses found on the computer are saved in a file named xjwu2.tmp in the Windows folder.


The worm copies itself to the Windows folder with the filename netmon.exe and creates the following registry entry so that this file is run when Windows starts up:



HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetMon



W32/Mimail-M can arrive in three different email formats. Some users may find the explicit language used by the worm offensive.



The first type of email the worm can send has the following characteristics:



Subject line: Re[3]<44 spaces><random characters>

Message text:

Hello Greg,



I was shocked, when I found out that it wasn't you but your twin brother!!! That's amazing, you're as like as two peas. No one in bed is better than you Greg. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9.



He took my skirt off, then my panties, then my bra, he sucked my tits, with the same fury you do it. He was writing alphabet on my pussy for 20 minutes, then suddenly stopped, put me in doggy style position and stuck his dagger.But Greg, why didn't you warn me that his dick is 15 inches long?? I was struck, we f**ked whole night.



I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting...



Wendy.



Attached file: only_for_greg.zip (contains for_greg.jpg.exe)



The second email format, which appears to have been manually mass-mailed out, has the following characteristics:



Subject line: Re:Greg

Message text:

Hi Greg its Wendy.



I was shocked, when I found out that it wasn't you but your twin brother, that's amazing, you're as like as two peas. No one in bed is better than you Greg. I remember, I remember everything very well, that promised you to tell how it was, I'll give you a call today after 9.



He took my skirt off, then my panties, then my bra, he sucked my tits, with the same fury you do it. He was writing alphabet on my pussy for 20 minutes, then suddenly stopped, put me in doggy style position and stuck his dagger. But Greg, why didn't you warn me that his dick is 15 inches long? I was struck, we f**ked whole night.



I'm so thankful to you, for acquainted me to your brother. I think we can do it on the next Saturday all three together? What do you think? O yes, as you wanted I've made a few pictures check them out in archive, I hope they will excite you, and you will dream of our new meeting...



For unzip archiver download WinZip: download.winzip.com/winzip81.exe

Password for archive is "kiss".



Attached file: wendy.zip (contains file wendy.exe)



The third email format also appears to have been delibarately mass-mailed and has the following characteristics:



Subject line: Your message delivery has been failed

Message text:

This is the Postfix program at host <variable domain name>



I'm sorry to have to inform you that the message returned below could not be delivered to one or more destinations.



The message itself and all the other important information are included into the attachment.



Attached file: fail.hta (contains file test.exe)



W32/Mimail-M creates a copy of itself named nji2.tmp and a copy of only_for_greg.zip named msi2.tmp, both in the Windows folder.



W32/Mimail-M also attempts a denial of service attack targeting:



darkprofits.com

darkprofits.net

darkprofits.cc

darkprofits.ws

www.darkprofits.com

www.darkprofits.net

www.darkprofits.cc

www.darkprofits.ws


Recovery

Delete the files xjwu2.tmp, nji2.tmp and msi2.tmp in the Windows folder.



Windows NT/2000/XP/2003



In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.



At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.



Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.



Locate the HKEY_LOCAL_MACHINE entry:



HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NetMon



and delete it if it exists.



Close the registry editor.

[StRiDeR]

cont (W32/Mimail-M)

Worms infect computers, but do not infect files. They can simply be identified and deleted. However, they often make registry or startup file changes so that they are executed on boot-up. Check the virus analysis for details of such behaviour.

1. Removing worms in Windows 95/98/Me
To remove the worm

Check the virus analysis for details on the worm and its removal.
Go to Start|Programs|Sophos Anti-Virus and run the 'Sophos Anti-Virus' program.
Select the 'Immediate' tab.
Go to Options|Configuration... select the 'Action' tab, tick 'Infected files', select 'Delete' then click 'OK'.
Click the 'Go' button on the toolbar to start the scan.
Delete the files. Run another scan to check it has gone.
Go back to Options|Configuration... select the 'Action' tab, then deselect 'Infected files' and 'Delete'. Click 'OK'.
Reboot and run a final scan to be certain it has gone.
If the worm cannot be removed because the files are held open by the operating system:

Reboot the computer from a clean startup or system disk.
Delete the worm files manually or using the DOS instructions.
2. Removing worms in Windows NT/2000/XP/2003
To remove the worm

Check the virus analysis for details on the worm and its removal.
Close down all programs.
Go to Start|Programs|Sophos Anti-Virus and run the 'Sophos Anti-Virus' program.
Select the 'Immediate' tab.
Go to Options|Configuration... select the 'Action' tab, tick 'Infected files', select 'Delete' then click 'OK'.
Click the 'Go' button on the toolbar to start the scan.
Delete the files. Run another scan to check it has gone.
Go back to Options|Configuration... select the 'Action' tab, then deselect 'Infected files' and 'Delete'. Click 'OK'.
Reboot and run a final scan to be certain it has gone.
If Sophos Anti-Virus cannot delete files because they are held open by the operating system, make a note of the names of the files, then do as follows.

Windows 2000/XP/2003
Download the most recent virus identity (IDE) files and save them to floppy disk. Write-protect the floppy disk.
Restart the computer in Safe Mode. Go to Start|Shut Down. Select Restart from the drop down list and click OK. Windows will restart. Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu select the third option 'Safe Mode with Command Prompt'.
Either run SAV32CLI from the Sophos CD or download an emergency copy of SAV32CLI on an uninfected computer, extract it and write it to CD.
At the infected computer, place the CD in the CD drive (D: in this example) and the floppy disk with the IDEs in the floppy disk drive (A: in this example).
At the command prompt type
D:
to access the CD drive. If you are using the Sophos CD, type:
CD WIN32\I386\SAV32CLI
if you are using a SAV32CLI download disk, type:
CD SAV32CLI
Then type:
SAV32CLI -IDEDIR=A:\ -REMOVEF -P=C:\LOGFILE.TXT
to remove the worm.
Before leaving Safe Mode edit any registry entries mentioned in the worm analysis recovery instructions.
If problems persist contact support.
Windows NT
Download the most recent virus identity (IDE) files and save them to floppy disk. Write-protect the floppy disk.
Either use SAV32CLI from the Sophos CD or download an emergency copy of SAV32CLI on an uninfected computer, extract it and write it to CD.
Shut down all programs.
Go to Start|Settings|Control Panel and double-click Services. Stop as many services as possible using the Stop button. Close and shut down the Control Panel.
Press the Ctrl, Alt and Del keys at the same time. Click 'Task Manager' and select the Processes tab. Select a process and click on End Process. It may or may not end. Repeat this for other processes (including the Windows desktop).
After closing all possible programs go to File|New Task (Run) and type 'Cmd'.
Close down the Task Manager screen.
Place the CD in the CD drive (D: in this example) and the floppy disk with the IDEs in the floppy disk drive (A: in this example).
At the command prompt type
D:
to access the CD drive. If you are using the Sophos CD, type:
CD WIN32\I386\SAV32CLI
if you are using a SAV32CLI download disk, type:
CD SAV32CLI
Then type:
SAV32CLI -IDEDIR=A:\ -REMOVEF -P=C:\LOGFILE.TXT
to remove the worm.
If worm removal has succeeded, edit any registry entries mentioned in the worm analysis recovery instructions.
If problems persist contact support.


3. Removing worms on Macintosh computers
Check the virus analysis for details on the worm and its removal.
Close down all programs.
Run the 'Sophos Anti-Virus' program.
Go to Edit|Preferences.
Choose Virus Action from the Immediate Mode menu.
Select Infected Files and Delete.
Close SAV Preferences.
Click on the Go button.
Click 'OK' when asked if files should be deleted.
Run another scan to ensure that the worm has been removed.
Go back to Virus Action and deselect Infected Files and Delete.
If problems with the worm persist then contact support.

4. Removing worms in DOS
You will need SWEEP for DOS on floppy disk. To do this make a set of Emergency SAV disks.

Check the virus analysis for details on the worm and its removal.
Reboot your PC from a clean system disk, put the 'SWEEP for DOS' disk in the floppy drive and at the A: prompt type:

SWEEP *: -REMOVEF


5. Removing worms in OS/2
To delete infected files:

Check the virus analysis for details on the worm and its removal.
For drive C: at a command prompt type
OSWEEP C: -REMOVEF
Run a scan to check that all worm files were deleted.
If infection persists disinfect in stand-alone mode:

If OS/2 is running, shut it down.
Boot OS/2 from the OS/2 Utility disk set. Follow the on-screen instructions. When booting has finished the A: prompt appears.
Remove the OS/2 Utility disk.
Place the 'Emergency OSWEEP' disk in drive A:.
For drive C: at the A: command prompt type
OSWEEP C: -REMOVEF -CI
(-REMOVEF deletes the infected files, -CI checks the integrity of SWEEP on the 'Emergency OSWEEP' disk). The computer checks program integrity then asks for the virus data disk. Replace the 'Emergency OSWEEP' disk with the virus data disk.
After disinfection, run another scan to check that all worm files were deleted.
If problems persist contact support.

6. Removing worms in NetWare
Worm files should be deleted.

Note: This will delete any documents infected with macro viruses. Deal with them first.

Check the virus analysis for details on the worm and its removal.
Run a scan to locate all worm files.
Select 'Delete' in the 'Removal mode' option of the 'Immediate mode' menu.
Delete the worm files.


7. Removing worms in Unix
To delete worm files:

Check the virus analysis for details on the worm and its removal.
Use SWEEP with the -remove option

sweep -remove
Run a scan to check that all worm files were deleted.
8. Removing worms in OpenVMS
To delete worm files:

Check the virus analysis for details on the worm and its removal.
Delete the worm files by running VSWEEP from DCL using the command line qualifier '/REMOVEF'.

Note: '/REMOVEF' does not prompt for confirmation before deletion and should be used with caution.

[StRiDeR]

VBS/Suzer-B
Aliases
TrojanDropper.VBS.Inor.u, VBS/Inor, Download.Trojan
----------------------------------------------------------------------

Type
Trojan

Detection
A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the February 2004 (3.78) release of Sophos Anti-Virus.
Sophos has received several reports of this Trojan from the wild.


Description
VBS/Suzer-B is a Trojan that drops and executes Troj/Cidra-A as usb_d.exe.

Recovery
Please follow the instructions for removing Trojans.

[StRiDeR]

Troj/Cidra-A
Aliases
TrojanProxy.Win32.Cidra
-------------------------------------

Type
Trojan

Detection
A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the February 2004 (3.78) release of Sophos Anti-Virus.
Sophos has received several reports of this Trojan from the wild.


Description
Troj/Cidra-A is a backdoor proxy Trojan that allows a remote attacker to use a compromised computer to relay TCP traffic through.
In order to be executed automatically when Windows starts up Troj/Cidra-A adds the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Usbd pointing to the file usb_d.exe.

Troj/Cidra-A opens a random listening port and periodically attempts to connect to a remote website to register itself.

Troj/Cidra-A also has the ability to download and execute a file from a remote web site.


Recovery
Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Usbd

and delete the reference to usb_d.exe if it exists.

Close the registry editor.

[StRiDeR]

W32/Randon-AB
------------------------

Aliases
WORM_KINES.C, TrojanDownloader.Win32.Apher.gen, Trojan.BAT.Noshare.n

Type
Win32 worm

Detection
A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the February 2004 (3.78) release of Sophos Anti-Virus.
At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.


Description
W32/Randon-AB is a multi-component network worm which attempts to spread by copying components of itself to and executing them on remote ADMIN$ shares with weak passwords. One component of the worm, B4AK.EXE, then attempts to download and execute a copy of the worm from a remote URL as a file called C:\SVCHOST.EXE.
The main file is a self-extracting EXE which creates a folder called AL within the Windows system folder and drops and executes several files, some of which are legitimate utilities or innocuous files, e.g.:



B4AK.EXE downloads and executes copies of the worm from the internet

CC.CDE is an innocuous TXT file

CED.TS is a TXT file containing a list of passwords

FAVER.EXE is a legitimate networking utility called PSEXEC

TAR.EXE is a legitimate utility called HIDEWINDOW

VER.EXE is a litimate utility called PROCVIEW

CEVE.BAT attempts to copy the worm to network shares and execute it using PSEXEC

CEZE.BAT is detected as Troj/Delshare-G

FOLDER.CPR is an INI file which may be used to flood IRC channels

H00D.CDE is a configuration INI file

H00D.EXE is a legitimate mIRC client

SHR.BAT is used to give certain files hidden, system and read-only attributes


The worm adds an entry to the registry Run Key to run H00D.EXE on system restart.

Recovery
Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

Delete any unwanted dropped files.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

[StRiDeR]

Troj/StartPg-BG
------------------------------

Aliases
Trojan.Win32.StartPage.bg

Type
Trojan

Detection
A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the February 2004 (3.78) release of Sophos Anti-Virus.
At the time of writing Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers.


Description
Troj/StartPg-BG sets the home page of Internet Explorer to aifind.cc/ by modifying the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\SearchURL

Troj/StartPg-BG also creates a stylesheet that can be used to redirect the user to adult related sites by creating a stylesheet in the <Windows> folder called HH.HTT and by setting the following registry entries:

HKCU\Software\Microsoft\Internet Explorer\Styles\
Use My Stylesheet\ = 1

HKCU\Software\Microsoft\Internet Explorer\Styles\
User Stylesheet\ = <location of stylesheet>

The stylesheet is detected as Troj/StartPg-BG.

Troj/StartPg-BG also copies itself to the <Windows> folder as CTRLPAN.DLL and creates the following registry entry to run on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Control\= rundll32.exe <Windows>\SYSTEM\CTRLPAN.DLL,Restore ControlPanel


Recovery
Please follow the instructions for removing Trojans.

You should also change your Internet Explorer settings using Tools|Internet options|General to remove any modifications made by the Trojan.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Control\= rundll32.exe <Windows>\SYSTEM\CTRLPAN.DLL,Restore ControlPanel

and delete it if it exists.

Close the registry editor.

[atokENSEM]

eloklah..bykkan info mengenai virus ni!at least dpt information yg terkini..

[StRiDeR]

atok_ENSEM said:

eloklah..bykkan info mengenai virus ni!at least dpt information yg terkini..

okies, tok....

[StRiDeR]

Troj/Dloader-K
--------------------------

Aliases
Trojan.Win32.VB.ew

Type
Trojan

Detection
A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the February 2004 (3.78) release of Sophos Anti-Virus.
At the time of writing Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers.


Description
Troj/Dloader-K is a downloader Trojan which downloads other Trojans.
Upon execution Troj/Dloader-K attempts to download and run Troj/Ipons-A and Troj/Lalus-A from pre-configured websites.

The downloaded Trojans are dropped to the Program Files folder as syslaunch.exe and msgcenter.exe.


Recovery
Please follow the instructions for removing Trojans.

[StRiDeR]

W32/Mimail-N
-------------------

Type

Win32 worm

Detection

A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the February 2004 (3.78) release of Sophos Anti-Virus.
At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.


Description

W32/Mimail-N is a mass-mailing worm that disguises itself as a legitimate form from Paypal credit card information.
If a network connection is detected on execution then two forms are displayed asking for credit card and personal information. Once this information is filled in, it is sent to a remote website.

If a network connection is not detected then the start page of Internet Explorer is changed to a website with a satirical picture.

The worm copies itself to ee98af.tmp and winmgr32.exe in the Windows folder and sets the following registry entry so that the latter is run on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinMgr32

W32/Mimail-N also creates a zipped copy of itself as zipzip.tmp in the Windows folder and drops the fake forms as index.hta and index2.hta to the root folder.

The worm scans files on the hard disk for email addresses and stores the result in outlook.cfg in the Windows folder.


Recovery

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinMgr32

and delete it if it exists.

Close the registry editor.

[atokENSEM]

byk nye virus..