Solved

computer infected!!(probly by worm)

Posted on 2004-08-18
Last Modified: 2013-12-29
Hi. I think my computer (Win 98) is infected by a worm.
This line has been added to win.ini: run=c:\windows\puta!!.com,c:\windows\natal.scr
but sometimes it is c:\..\natal!.pif

The computer always hangs (I think it is low on resources).

Can anyone help me identify the infection and tell me what to do?

Thanks.
Question by: HLLau
6 Comments
 
LVL 32

Expert Comment

by: _
First thing to try is download Spybot, Adaware, and CWShedder ( with current updates ) and see if they will kill it. If you don't have anti-virus, get one of those also. AVG is free and pretty good.
Links and more info here:

http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html
 
LVL 6

Accepted Solution

by: caza13 (earned 50 total points)
W32.Opaserv.AE.Worm


When W32.Opaserv.AE.Worm runs on Windows 95/98/Me-based computers, it does the following:

Attempts to create a mutex named 4wsDosFDPS! and exits if the mutex already exists. This ensures that only one instance of the worm is running on the computer.

Registers itself as a service process.

Lowers its priority so that it runs only when the system is otherwise idle.

Copies itself as %Windir%\Natal.scr.

Checks for the value:

Natal!Old

in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If the value exists, the worm deletes the file to which the Natal!Old value points.


If the Natal!Old value does not exist, then the worm will determine whether the value:

Natal

exists in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


If the value does not exist, the worm will add the value:

"Natal"="%Windir%\Natal.scr"

to that registry key.


Creates the file named C:\lammer!, which contains the text:

run=c:\windows\natal.scr

Attempts to contact a predetermined Web site, probably to update itself. The Web site was inactive at the time of this writing.

Uses a security vulnerability in Microsoft Windows 95/98/Me to spread to other computers. The worm sends single-character passwords to network shares, attempting to get access to other Windows 95/98/Me file shares without knowing the entire password. The affected systems include:

Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Me

Attempts to copy itself as Natal.scr to vulnerable network shares.

Modifies the [windows] section of the %Windir%\Win.ini file by adding one of the following lines:

run= c:\windows\natal.scr
run= c:\lammer!

so that Windows 95/98/Me-based computers will run the worm each time you start Windows.

http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.ae.worm.html
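As an added example (not part of the thread and not Symantec's or the tools' code), a small Python check a defender could run against a copied win.ini and an exported Run key to look for the two persistence locations described above. The win.ini text and the Run key mapping below are constructed samples, built from the indicators quoted in this thread.

```python
import configparser

# Indicators taken from the thread above: the file names the worm drops and the
# value names it writes under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
SUSPECT_FILENAMES = {"natal.scr", "natal!.pif", "puta!!.com", "lammer!"}
SUSPECT_RUN_VALUES = {"natal", "natal!old"}

# Constructed sample win.ini (not from a real machine) reproducing the run= line
# the questioner reported in the [windows] section.
SAMPLE_WIN_INI = """[windows]
load=
run=c:\\windows\\puta!!.com,c:\\windows\\natal.scr
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed Run key contents as a name -> data mapping (e.g. from a .reg export).
SAMPLE_RUN_KEY = {"SystemTray": "SysTray.Exe", "Natal": "C:\\WINDOWS\\Natal.scr"}


def _basename(path):
    """Lower-cased file name of a Windows path, accepting / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def run_entries(win_ini_text):
    """Programs listed on the [windows] run= line, split on commas.

    win.ini is not case-sensitive, so the section is matched case-insensitively
    and configparser's default key lower-casing covers 'Run' as well as 'run'.
    """
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(win_ini_text)
    section = next((s for s in cp.sections() if s.lower() == "windows"), None)
    if section is None:
        return []
    value = cp.get(section, "run", fallback="")
    return [p.strip() for p in value.split(",") if p.strip()]


def flag_run_entries(entries):
    """run= entries whose file name matches a known Opaserv drop name."""
    return [p for p in entries if _basename(p) in SUSPECT_FILENAMES]


def flag_run_key(values):
    """(name, data) pairs in a Run key that match the worm's registry persistence."""
    return [(n, d) for n, d in values.items()
            if n.lower() in SUSPECT_RUN_VALUES or _basename(d) in SUSPECT_FILENAMES]
```

Anything flagged is a candidate for the cleanup the other replies describe; a clean result only means these particular entries are absent.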
 
LVL 91

Expert Comment

by: nobus
Download Stinger, Ad-Aware and Spybot and run them first.

Spybot: http://www.download.com/3000-8022-10122137.html
Ad-Aware: http://www.lavasoftusa.com/
Stinger: http://www.chip.de/downloads/c_downloads_11105456.html

nobus

 
LVL 38

Expert Comment

by: Insignificant Volunteer
HLLau,

Some of the good advice above relies on a knowledge of using Regedit to make changes to your Registry.  Is this something you are familiar with, or would you need further advice on what to do?  If so, please ask for it, because it's not difficult to do but can cause more problems than you have if you do something wrong.

Not sure if you know this, but a good Windows utility for selectively disabling entries in your text-based system files and also items that start up automatically is MSCONFIG.

Start Menu > RUN option > and type MSCONFIG > click "OK".

Unchecking items in the autoexec.bat and the .ini files will "remark them out" so that they are not read.  You can later open the files (Start > Run > and type SYSEDIT > click "OK") and delete them permanently.

This is just extra information that might help if you are still left with problems after running Stinger, Adaware, and SpyBot.
 
LVL 22

Expert Comment

by: pjedmond

> Hi. I think my computer (Win 98) is infected by a worm.
> This line has been added to win.ini: run=c:\windows\puta!!.com,c:\windows\natal.scr
> but sometimes it is c:\..\natal!.pif
>
> The computer always hangs (I think it is low on resources).

Boot into DOS, and delete the following files (del filename):

c:\windows\puta!!.com
c:\windows\natal.scr
c:\..\natal!.pif   (if you can find it!)
c:\lammer!

Once you have done that, you will be able to boot into Windows, although you will probably receive a whole load of errors about being unable to find files (which you can ignore). You can then run any of the aforementioned utilities.

Then, after reflecting on how lucky you are not to have lost all your data, you need to go out and get an up-to-date antivirus solution, and update the virus signatures regularly!

Next, use the update tool in Internet Explorer to ensure that all your security updates have been carried out:
Menu: Tools -> Windows Update.

If you've never done this before, it'll take some time, and a number of reboots, but it does ensure that your system is better protected than it has been before!

HTH :)

Remember that the files may try to hide themselves from DOS, but attrib *.* will always reveal them!
 

Author Comment

by: HLLau
Thanks, you guys, for your comments. I have checked the registry and there isn't anything wrong with it.

Anyway, thanks again!!