cath
asked on
HELP! Infected with virus...
Hi.
I've just been hit with the Klez.E@mm virus, which has infected Norton's (so that it won't run, although it does still pick up attempts to run infected programs), Stay Connected, Textpad and, worst of all, kernel.exe. I've downloaded a trial of McAfee, and that agrees that kernel.exe is infected and recommends deleting it and replacing it with an uninfected copy.
Problem is, where would I get an uninfected copy _from_? Isn't the kernel the core of the OS? I don't want to go around deleting that, do I?
Any help much appreciated - and I need it quick, please...
Ian W
I just fought this one for a client. It actually went rather easily after following those instructions. He had two computers which were infected at startup although they didn't show the effects in the registry. The initial infections were done by one receiving machine. I first had to clear it up and then follow the procedures on the other machines. You can do a scan at http://housecall.antivirus.com after you get it up and running.
ASKER
worked like a dream. many, many thanks, you're a lifesaver...
took all day Friday and all yesterday to remove virus, uninstall infected software (it had infected _51_ .exe's...!), reinstall software, and have a bloody good cleanup while I was at it (disk doctor/speed disk, remove loads of old programs I don't use any more or never did...)
so my machine is running rather better now than it has for a while.
every cloud has a silver lining... ;-)
many thanks again.
Ian W
Glad I could help..
Cheers,
T.
W32.Klez.E@mm
W32.Klez.E@mm is a mass-mailing email worm that also attempts to copy itself to network shares. The worm uses random subject lines and message bodies.
The worm exploits a vulnerability in Microsoft Outlook and Outlook Express in an attempt to execute itself when you open or even preview the message in which it is contained.
Information and a patch for the vulnerability can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
The worm drops a virus similar to W32.ElKern.3326, and it attempts to disable some common antivirus products.
In addition, the worm will infect executable files by prepending itself to the infected files.
When executed, the worm will copy itself to %System%\Wink[random characters].exe
NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
It adds the values
Wink[random characters] %System%\Wink[random characters].exe
WQK %System%\Wqk.exe
to the registry key
HKEY_LOCAL_MACHINE\Softwar
so that it is executed when you start Windows.
The worm attempts to disable on-access virus scanners and some previously distributed worms (such as W32.Nimda and CodeRed) by stopping any active processes.
The worm copies itself to local, mapped, and network drives. The worm copies itself as a random file name with a double extension such as filename.txt.exe. In addition, the worm copies itself as a .rar archive with a double extension, for example filename.txt.rar.
In addition, the worm searches the Windows address book, which is used by Microsoft Outlook, for email addresses. The worm sends an email message to these addresses with itself as an attachment.
The subject line and message bodies are random. If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be automatically executed. Information about this vulnerability and a patch are available at http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
The worm also infects executables by prepending itself to the infected files.
For information please visit http://www.symantec.com/avcenter/venc/data/w32.klez.e@mm.html
Cheers,
T.
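As an added example, not part of the thread or of Symantec's write-up, here is a small Python triage script built from the indicators given above: Run-key values named Wink[random] or WQK pointing at %System%\Wink[random].exe or Wqk.exe, and worm copies dropped on drives and shares with a double extension such as filename.txt.exe or filename.txt.rar. The Run-key contents are passed in as a plain dict (assumed to have been read out separately, so it runs anywhere), and the double-extension match is generalised to a few document-style inner extensions beyond the .txt the write-up shows, which is an assumption.

```python
import os
import re
import tempfile

# Persistence indicators from the Klez.E description: value name Wink<random>
# or WQK, data ending in \Wink<random>.exe or \Wqk.exe.
RUN_VALUE_RE = re.compile(r"^(wink[a-z0-9]*|wqk)$", re.IGNORECASE)
RUN_DATA_RE = re.compile(r"\\(wink[a-z0-9]*|wqk)\.exe$", re.IGNORECASE)
# Assumption: any document-looking inner extension followed by .exe/.rar
# counts as a double extension; the write-up only shows .txt.exe / .txt.rar.
DOUBLE_EXT_RE = re.compile(
    r"^[^.\\/]+\.(txt|doc|htm|html|jpg|gif|bmp|xls)\.(exe|rar)$", re.IGNORECASE)


def suspicious_run_entries(run_values):
    """Return (name, data) pairs from a Run key dict that match Klez.E persistence."""
    hits = []
    for name, data in run_values.items():
        if RUN_VALUE_RE.match(name) or RUN_DATA_RE.search(data.strip('"')):
            hits.append((name, data))
    return hits


def double_extension_names(names):
    """Return the file names that carry a .<doc>.exe or .<doc>.rar double extension."""
    return [n for n in names if DOUBLE_EXT_RE.match(n)]


def find_double_extension_files(root):
    """Walk a drive or share and return full paths of double-extension files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in double_extension_names(files):
            found.append(os.path.join(dirpath, fname))
    return sorted(found)


def demo_scan():
    """Constructed sample tree standing in for a mapped drive; returns relative hits."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("report.txt.exe", "notes.txt.rar", "readme.txt", "setup.exe",
                    os.path.join("shared", "photo.jpg.exe")):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"placeholder")  # constructed content, not a real worm copy
        return [os.path.relpath(p, root) for p in find_double_extension_files(root)]
```

Feed `suspicious_run_entries` a dict such as `{"WinkAbq": r"C:\WINDOWS\SYSTEM\WinkAbq.exe"}` (a constructed value) to see the persistence check fire, and point `find_double_extension_files` at a real share path to sweep it.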