Solved

Computer infected!! (probably by worm)

Posted on 2004-08-18
Last Modified: 2013-12-29
Hi. I think my computer (Win 98) is infected by a worm.
This line was added to win.ini: run=c:\windows\puta!!.com,c:\windows\natal.scr
but sometimes it is c:\..\natal!.pif

The computer always hangs (I think it is low on resources).

Can anyone help me identify the infection and tell me what to do?

Thanks.
0
Question by:HLLau
6 Comments
 
LVL 32

Expert Comment

by:_
ID: 11838046
First thing to try is to download Spybot, Adaware, and CWShredder (with current updates) and see if they will kill it. If you don't have anti-virus, get one of those also. AVG is free and pretty good.
Links and more info here:

http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html
0
 
LVL 6

Accepted Solution

by:
caza13 earned 50 total points
ID: 11838510
W32.Opaserv.AE.Worm


When W32.Opaserv.AE.Worm runs on Windows 95/98/Me-based computers, it does the following:

Attempts to create a mutex named 4wsDosFDPS! and exits if the mutex already exists. This ensures that only one instance of the worm is running on the computer.

Registers itself as a service process.

Lowers its priority so that it runs only when the system is otherwise idle.

Copies itself as %Windir%\Natal.scr.

Checks for the value:

Natal!Old

in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If the value exists, the worm deletes the file to which the Natal!Old value points.


If the Natal!Old value does not exist, then the worm will determine whether the value:

Natal

exists in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If the value does not exist, the worm will add the value:

"Natal"="%Windir%\Natal.scr"

to that registry key.


Creates the file named C:\lammer!, which contains the text:

run=c:\windows\natal.scr

Attempts to contact a predetermined Web site, probably to update itself. The Web site was inactive at the time of this writing.

Uses a security vulnerability in Microsoft Windows 95/98/Me to spread to other computers. The worm sends single-character passwords to network shares, attempting to get access to other Windows 95/98/Me file shares without knowing the entire password. The affected systems include:

Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Me

Attempts to copy itself as Natal.scr to vulnerable network shares.

Modifies the [windows] section of the %Windir%\Win.ini file by adding one of the following lines:

run= c:\windows\natal.scr
run= c:\lammer!

so that Windows 95/98/Me-based computers will run the worm each time you start Windows.

http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.ae.worm.html
0
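Added example, not part of the original thread or of the Symantec write-up: a small triage script that reads a copy of win.ini, pulls the run= and load= entries from the [windows] section, and flags the file names mentioned in this thread. The function names and the sample file are constructed for illustration, and entries are assumed to be comma-separated, as in the line from the question.

```python
import ntpath
import re

# File names taken from this thread (the question and the write-up quoted above).
KNOWN_BAD = {"natal.scr", "natal!.pif", "puta!!.com", "lammer!"}

def autorun_entries(ini_text):
    """Return (key, path) pairs for run=/load= lines in the [windows] section."""
    entries, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section != "windows" or not sep or key.strip().lower() not in ("run", "load"):
            continue
        # One line can start several programs; split on commas (assumption).
        for item in value.split(","):
            if item.strip():
                entries.append((key.strip().lower(), item.strip()))
    return entries

def triage(ini_text):
    """Split autorun entries into (suspicious, other) by file name."""
    suspicious, other = [], []
    for key, path in autorun_entries(ini_text):
        name = ntpath.basename(path).lower()
        (suspicious if name in KNOWN_BAD else other).append((key, path))
    return suspicious, other

# Constructed sample: a win.ini carrying the run= line from the question.
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\windows\puta!!.com,c:\windows\natal.scr
NullPort=None

[Desktop]
run=c:\windows\natal.scr
"""

if __name__ == "__main__":
    bad, rest = triage(SAMPLE_WIN_INI)
    for label, items in (("SUSPICIOUS", bad), ("review", rest)):
        for key, path in items:
            print(label, key + "=", path)
```

Entries that land in the second list are not known to be clean; they are simply autorun items that do not match the names from this thread and still deserve a look.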
 
LVL 92

Expert Comment

by:nobus
ID: 11838887
Download Stinger, Adaware and Spybot and run them first.

Spybot :       http://www.download.com/3000-8022-10122137.html
adaware :  http://www.lavasoftusa.com/
STINGER   http://www.chip.de/downloads/c_downloads_11105456.html

nobus
0
 
LVL 38

Expert Comment

by:BillDL
ID: 11841927
HLLau.

Some of the good advice above relies on a knowledge of using Regedit to make changes to your Registry.  Is this something you are familiar with, or would you need further advice on what to do?  If so, please ask for it, because it's not difficult to do but can cause more problems than you have if you do something wrong.

Not sure if you know this, but a good Windows utility for selectively disabling entries in your text-based system files and also items that start up automatically is MSCONFIG.

Start Menu > RUN option > and type MSCONFIG > click "OK".

Unchecking items in the autoexec.bat and the .ini files will "remark them out" so that they are not read.  You can later open the files (Start > Run > and type SYSEDIT > click "OK") and delete them permanently.

This is just extra information that might help if you are still left with problems after running Stinger, Adaware, and SpyBot.
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 11843930

Hi. I think my computer (Win 98) is infected by a worm.
This line was added to win.ini: run=c:\windows\puta!!.com,c:\windows\natal.scr
but sometimes it is c:\..\natal!.pif

The computer always hangs (I think it is low on resources).

Boot into DOS, and delete the following files (del filename):

c:\windows\puta!!.com
c:\windows\natal.scr
c:\..\natal!.pif                         (if you can find it!)
c:\lammer!

Once you have done that, you will be able to boot into windows, although you will probably receive a whole load of errors about being unable to find files (which you can ignore). You can run any of the aforementioned utilities.

Then after reflecting on how lucky you are not to have lost all your data, you need to go out and get an up to date anti virus solution, and update the virus signatures regularly!

Next, use the update tool in Internet Explorer to ensure that all your security updates have been carried out:
Menu: Tools->Windows Update.

If you've never done this before, it'll take some time, and a number of reboots, but it does ensure that your system is better protected than it has been before!

HTH:)

Remember that the files may try and hide themselves from DOS, but the attrib *.* will always reveal them!


0
 

Author Comment

by:HLLau
ID: 11848773
Thanks, you guys, for your comments. I have checked the registry and there isn't anything wrong with it.

Anyway, thanks again!!
0
