
This morning I received this suspected virus-borne e-mail, which escaped detection by my AV system (AVG DB408).

[Screen shots of the message]

From: ???? @ hotmail . com
Subject: Mail Delivery (failure my e-mail address)

---

If the message will not displayed automatically,
follow the link to read the delivered message.

Received message is available at:
www.mac-net.com/inbox/ptong/read.php?sessionid-15870

(The web link above is forged.)
---

Hidden underneath the link is a script:

< iframe src=cid:031401Mfdab4$3L7fa70Re height=0 width=0 >
< /iframe >

The cid: source refers to a part embedded in the same message, which is probably an executable program!
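To show how the trick above can be caught on the mail gateway, here is an added Python detector; it is not code from the original post. It parses a MIME message, indexes attachments by their Content-ID, and reports every HTML iframe whose src= is a cid: reference to an attachment with an executable extension, noting when the frame is sized 0x0 so the reader never sees it. The sample message it builds is constructed for this example; the Content-ID EXAMPLE-CID-0001, the addresses and the fake attachment body are made up.

```python
"""Flag HTML mail that loads an attachment through a hidden cid: iframe.

Added example, not from the original post. The sample message is constructed;
EXAMPLE-CID-0001 and the addresses are invented for the demonstration.
"""
import email
import ntpath
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly; .scr is what the AV report in the post names.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# Attribute parser that copes with unquoted values such as src=cid:xyz
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def _attributes(raw):
    """Return {name: value} for the attributes inside one tag."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def _is_zero(value):
    """True when a width/height attribute collapses the frame to nothing."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return float(v) == 0
    except ValueError:
        return False


def _index_attachments(msg):
    """Map Content-ID (without angle brackets) -> MIME part."""
    parts = {}
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid is not None:
            parts[str(cid).strip().strip("<>")] = part
    return parts


def find_hidden_attachment_iframes(raw_message):
    """Return one finding per iframe whose cid: source resolves to an attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    by_cid = _index_attachments(msg)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for frame in IFRAME_RE.finditer(part.get_content()):
            attrs = _attributes(frame.group(1))
            src = attrs.get("src", "")
            if not src.lower().startswith("cid:"):
                continue
            target = by_cid.get(src[4:].strip("<>"))
            if target is None:
                continue
            filename = target.get_filename() or ""
            ext = ntpath.splitext(filename)[1].lower()
            findings.append({
                "filename": filename,
                "declared_type": target.get_content_type(),
                "executable": ext in EXECUTABLE_EXTENSIONS,
                "hidden": _is_zero(attrs.get("width")) and _is_zero(attrs.get("height")),
            })
    return findings


def build_sample_message():
    """Constructed stand-in for the message described in the post."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Mail Delivery (failure victim@example.org)"
    msg.set_content("If the message will not displayed automatically,\n"
                    "follow the link to read the delivered message.\n")
    html = ("<p>Received message is available at:<br>"
            "<a href=\"http://www.example.com/inbox/read.php\">read.php</a></p>"
            "<iframe src=cid:EXAMPLE-CID-0001 height=0 width=0></iframe>")
    msg.add_alternative(html, subtype="html")
    # Fake executable body (only the MZ magic bytes), never a real program.
    msg.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                       subtype="octet-stream", filename="message.scr",
                       cid="<EXAMPLE-CID-0001>")
    return msg


if __name__ == "__main__":
    for finding in find_hidden_attachment_iframes(build_sample_message().as_bytes()):
        print(finding)
```

The check keys on the combination a legitimate newsletter never needs: an invisible frame whose source is an attached file with an executable extension. Run it over a raw .eml to see the same result for real mail.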

This is another classic example of how well virus writers social-engineer their products. So be alert when you are e-mailing.

This virus has been classified as the NetSky variant Q (also known as Worm.SomeFool.P).

The worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (versions 5.01 and 5.5 without SP2) to execute the virus automatically on vulnerable systems. If you are not sure which version of Internet Explorer you have, head to the Microsoft Windows Update site.

If you have received similar mail and have clicked on the link, then you may have a virus on your computer. If you think your computer may have been infected with Netsky.Q and are unsure how to check your system, you can download the Stinger tool to scan your system and remove the virus if present. If you have problems starting up your computer, try putting it into Safe Mode.


The Stinger tool is pretty good! I have used it on various occasions to clear viruses from my clients' computers. I normally run it twice to make sure everything is cleared. Then I reinstall their anti-virus software and download the latest update. After that I run a complete scan with the updated anti-virus software.


Manual Removal Instructions

Terminate the FVPROTECT.EXE process using Windows Task Manager.

Delete the following files from your Windows directory (typically c:\windows or c:\winnt):

  • FVPROTECT.EXE
  • USERCONFIG9X.DLL
  • BASE64.TMP
  • ZIP1.TMP
  • ZIP2.TMP
  • ZIP3.TMP
  • ZIPPED.TMP

Delete the many copies of the worm dropped on the victim machine, with the enticing filenames as described above.

Edit the registry: under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
delete the value named "Norton Antivirus AV" whose data is %WinDir%\FVProtect.exe.
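To confirm the indicators from the steps above before and after cleanup, here is an added Python triage script; it is not from the original post. The matching logic is a pure function that takes a process list, the Windows directory listing and the Run values, so it can be checked against a saved snapshot from any machine; live collection uses tasklist and the winreg module and only works on Windows. The snapshot used in the test is constructed.

```python
"""Triage a Windows host for the Netsky.Q indicators listed in the removal steps.

Added example, not from the original post. assess() is pure and testable
anywhere; collect_snapshot() gathers the live data and is Windows-only.
"""
import ntpath
import os
import subprocess
import sys

# Indicators exactly as given in the manual removal instructions.
WORM_PROCESS = "fvprotect.exe"
WORM_FILES = {"fvprotect.exe", "userconfig9x.dll", "base64.tmp",
              "zip1.tmp", "zip2.tmp", "zip3.tmp", "zipped.tmp"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Norton Antivirus AV"


def assess(processes, windir_files, run_values):
    """Compare a snapshot with the indicators.

    processes: image names of running processes
    windir_files: file names found in the Windows directory
    run_values: {value name: data} from the HKLM Run key
    """
    procs = {p.lower() for p in processes}
    files = {f.lower() for f in windir_files}
    findings = {
        "process_running": WORM_PROCESS in procs,
        "files_present": sorted(files & WORM_FILES),
        "run_value": None,
    }
    for name, data in run_values.items():
        # Match either the value name the worm uses or any Run entry that
        # launches the worm binary, whatever the entry is called.
        launched = ntpath.basename(str(data).strip('"')).lower()
        if name == RUN_VALUE_NAME or launched == WORM_PROCESS:
            findings["run_value"] = (name, data)
    findings["infected"] = (findings["process_running"]
                            or bool(findings["files_present"])
                            or findings["run_value"] is not None)
    return findings


def collect_snapshot():
    """Gather processes, %WinDir% listing and Run values on a live Windows host."""
    if sys.platform != "win32":
        raise RuntimeError("live collection requires Windows")
    import winreg  # only importable on Windows
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    processes = [line.split('","')[0].strip('"')
                 for line in out.splitlines() if line.startswith('"')]
    windir = os.environ.get("WINDIR", r"C:\Windows")
    windir_files = os.listdir(windir)
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            run_values[name] = data
            index += 1
    return processes, windir_files, run_values


if __name__ == "__main__":
    result = assess(*collect_snapshot())
    print("Netsky.Q indicators found" if result["infected"] else "no indicators")
    for key, value in result.items():
        print(f"  {key}: {value}")
```

Run the script before the manual steps to record what is present, and again afterwards: a clean result means the process is gone, none of the listed files remain in the Windows directory, and no Run entry points at FVProtect.exe any more.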


By late evening, 23 March 2004, after my anti-virus software had updated to AVG DB408, it was able to trap the inbound virus:

Viruses found in the attached files. 
The attached file message.scr is infected by I-Worm/Netsky.Q. The attachment was removed from the mail.

