what's the latest msn messenger worm?


egghead
April 4th, 2005, 23:54 PM
Hi!

I have a friend that has a virus or something.

Without her knowledge her msn sends this

"eggs friend says:
wow this one made my head spin"
eggs friend says:
h@@p://dosnet.us/lk/crazy.scr"

DO NOT CLICK THE ABOVE LINK OR YOU WILL GET THE VIRUS

Any ideas?

Reverend
April 5th, 2005, 18:08 PM
Does anyone read the front page ? :rolleyes:

http://www.techzonez.com/comments.php?shownews=12751

Curio
April 5th, 2005, 21:37 PM
Yep, it downloads all right. AVK says it is a variant of Backdoor.Rbot - I cleaned this off a machine 2 days ago and it left quite a bit of crap in the registry. It's a bit of a naughty one, see http://securityresponse.symantec.com/avcenter/venc/data/w32.chod.b@mm.html although to be honest the one I cleaned doesn't quite fit that description but it does fit yours, maybe it's another variant. I used Microworld Antivirus Toolkit to detect the poop then deleted manually.

Curio
April 5th, 2005, 22:23 PM
I googled "eggs friend says" and it came up zip - that's the exact phrase I noticed in the other one so it must be a variant which isn't fully written up yet, it was detected though - it's also detected by bitdefender as Backdoor.RBot.28B373ED, which doesn't google either.

rik
April 6th, 2005, 00:46 AM
Hope you don't mind but I edited your post EH so no one accidentally clicks the link.

egghead
April 6th, 2005, 02:18 AM
I googled "eggs friend says" and it came up zip - .

I replaced my friend's name with "eggs friend"

Thanks very much for your hard work guys!

I checked out Symantec's link and this thing looks impossible to clean.

Does stinger detect it?

Curio
April 6th, 2005, 16:28 PM
No, the one I saw said 'eggs friend says'. I remember thinking it was weird at the time, and there were run keys in the registry with 'eggs friend says'. I thought it was something to do with Easter - as it was Easter. Maybe I am suffering from poor memory.

Anyway you can rid yourself of it if you take your time and use some free tools. Firstly, 1 of 3 possible ways to get your registry back:
1. Tool on Symantec's site - it's an inf file but I can't remember the name of it.
2. Could use Registrar Lite www.resplendence.com - usually works.
3. Could use RegSeeker http://www.hoverdesk.net/freeware.htm - may work for you.

The stuff about the Hidden and SuperHidden is just the 'hide protected operating system files' and 'don't show hidden files' settings for explorer it's nothing major.

You might also want HijackThis http://www.spywareinfo.com/~merijn/downloads.html and Killbox http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41 as well as Microworld Antivirus Toolkit http://www.mwti.net/antivirus/mwav.asp to help you identify and delete the bad things.

1/2 hour with those should see you right - good luck.
:)

egghead
April 6th, 2005, 18:51 PM
Thanks!

I don't have it but a friend does and she knows nothing about the button that says disconnect. :p

i appreciate your help

cash_site
April 7th, 2005, 01:08 AM
These new worms are employing greater social engineering tactics (from front page Rev ;) )... it's hard to tell if it's legit or not :eek:

Egg, you might be able to run the removal tool from symantec?

egghead
April 7th, 2005, 03:21 AM
These new worms are employing greater social engineering tactics (from front page Rev ;) )... it's hard to tell if it's legit or not :eek:

Egg, you might be able to run the removal tool from symantec?

Thanks!

I looked at the removal instructions and symantec does not have a removal tool.

I asked the girl to download Symantec AV and she says that no virus was found, but I think she did not install it and only let it run the scan option before the install, so it really is not looking for the worm.

Curio
April 7th, 2005, 08:06 AM
I installed it on a test VM - this is what it did

Registry
Keys ignored: 0
(none)

Keys added: 2
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Values added: 4

HKEY_CURRENT_USER\Software\Microsoft\OLE "ITUNES"
Type: REG_SZ
Data: itune.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbq\Qrfxgbc\penml.rkr"
Type: REG_BINARY
Data: 01, 00, 00, 00, 06, 00, 00, 00, 20, AE, 8D, 4F, 43, 3B, C5, 01
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ITUNES"
Type: REG_SZ
Data: itune.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "ITUNES"
Type: REG_SZ
Data: itune.exe
Values changed: 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU"
Old type: REG_BINARY
New type: REG_BINARY
Old data: 01, 00, 00, 00, 19, 00, 00, 00, A0, 29, D0, 2A, 43, 3B, C5, 01
New data: 01, 00, 00, 00, 1A, 00, 00, 00, 20, AE, 8D, 4F, 43, 3B, C5, 01
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "EnableDCOM"
Old type: REG_SZ
New type: REG_SZ
Old data: Y
New data: N
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa "restrictanonymous"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 00, 00, 00, 00
New data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa "restrictanonymous"
Old type: REG_DWORD
New type: REG_DWORD
Old data: 00, 00, 00, 00
New data: 01, 00, 00, 00

Disk contents
Drives tracked: 1
c:\


Files added: 1
c:\WINNT\system32\itune.exe
Date: 7/22/2002 1:05 PM
Size: 116,250 bytes
Files deleted: 1
c:\Documents and Settings\spod\Desktop\crazy.exe
Date: 4/5/2005 10:02 PM
Size: 116,250 bytes
Files changed: 9 -- edited for brevity --

The only file it ran was the newly installed 'itune.exe' after rebooting to make sure it was fully 'in' I opened regedit - it opened OK. I ran STM and top of the list was (you guessed it) itune.exe so I selected it clicked REMOVE selected 'move to quarantine' - that was it, bye bye itune.exe.

This machine was not connected to any network or the internet; the machine I did previously was, and was also infected with mucho spyware/adware - maybe part of its process does that (if and when it can).

It can't be the one referenced on symantec link - it didn't do any of that. So I ran it at Symantec Corp and it said 'W32.Spybot.Worm' not 'chod.b'. No worries at least you know what you are looking at.
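The UserAssist entries in the diff above are worth decoding, because they are what tells you the user actually launched crazy.exe and when. Explorer stores the value names ROT13-encoded and the 16-byte data as a session id, a run counter and a 64-bit FILETIME of the last execution; on Windows 2000/XP the counter is stored with an offset of 5. The following decoder is an added example written for this thread, not a tool any poster used; the two entries it decodes are copied from the diff above, and the count offset is the documented XP behaviour, not something the diff itself states.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed input: the UserAssist value name and its REG_BINARY data, exactly as
# quoted in the registry diff above ("Values added" and the "New data" of the
# aggregate UEME_RUNPATH counter).
USERASSIST_ENTRIES = {
    r"HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\fcbq\Qrfxgbc\penml.rkr":
        "01, 00, 00, 00, 06, 00, 00, 00, 20, AE, 8D, 4F, 43, 3B, C5, 01",
    "HRZR_EHACNGU":
        "01, 00, 00, 00, 1A, 00, 00, 00, 20, AE, 8D, 4F, 43, 3B, C5, 01",
}

# Windows 2000/XP store the UserAssist run counter as (runs + 5); Vista and later
# dropped the offset, so adjust this when looking at a newer hive.
XP_COUNT_OFFSET = 5

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(rot13_name):
    """Undo the ROT13 that Explorer applies to UserAssist value names."""
    return codecs.decode(rot13_name, "rot_13")


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_count_blob(hex_list, count_offset=XP_COUNT_OFFSET):
    """Parse the 16-byte UserAssist data as printed by the diff tool ("01, 00, ...")."""
    raw = bytes(int(b, 16) for b in hex_list.split(","))
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes of UserAssist data, got {len(raw)}")
    # little-endian: uint32 session id, uint32 counter, uint64 FILETIME
    session, count, filetime = struct.unpack("<IIQ", raw)
    return {
        "session": session,
        "count": count - count_offset,
        "last_run": filetime_to_datetime(filetime),
    }


def decode_userassist(entries, count_offset=XP_COUNT_OFFSET):
    """Decode every (rot13 name -> hex data) pair into a readable record."""
    records = []
    for name, data in entries.items():
        record = {"name": decode_name(name)}
        record.update(parse_count_blob(data, count_offset))
        records.append(record)
    return records


if __name__ == "__main__":
    for rec in decode_userassist(USERASSIST_ENTRIES):
        print(f"{rec['name']}\n  runs={rec['count']}  "
              f"last_run={rec['last_run']:%Y-%m-%d %H:%M:%S} UTC")
```

Run against the two entries from the diff, the first record decodes to `UEME_RUNPATH:C:\Documents and Settings\spod\Desktop\crazy.exe` with a single run, and the aggregate counter moving from 0x19 to 0x1A with the same timestamp confirms it was that launch which bumped the total. The timestamp is the execution time in UTC; compare it to the forum's local clock before drawing conclusions.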

Curio
April 7th, 2005, 21:21 PM
This should clean up the registry

_______________________________________________________
REGEDIT4


[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"ITUNES"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ITUNES"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ITUNES"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30D02401-6A81-11D0-8274-00C04FD5AE38}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"=-
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"=-


________________________________________________________________
edit enabledcom and restrictanonymous as needed

egghead
April 7th, 2005, 21:42 PM
well done!

hats off to you

You've been making some very technical posts and you are a very valuable member here.

Thanks again :D

Curio
April 7th, 2005, 22:07 PM
I am glad to help if I can.

Should say the extra bits remove the CLSID entries for 180 solutions, little bit of VX2 and Alexa