October 29th, 2005
joe_danger

Hello, I had the same problem as many of you; maybe this helps you in some form:

As you know, it was a virus, and that virus was installed because of a file that was downloaded from a p2p program, like Kazaa, Limewire, etc. It seems that it supports many of them.

When someone is infected by that virus, it makes a search, trying to find the Shared folder of one of the supported p2p programs, and places a dummy file in that folder. The name of the file is obtained from the names in warez pages, like and others, and it makes a zip file with a setup.exe file inside with a size of about 700kb or more, and because it is in the shared folder, it is downloaded by members of the p2p programs.

If you download one of those files and execute setup.exe, it opens a dummy installer that sends an error to make the user think that it wasn't installed, but in that moment it installs the virus, and that installs a process; in my case it was winupdate.exe, if I remember well.

Also, the virus swaps taskman.exe for a dummy file; that's why you can't use Ctrl + Alt + Del. It also creates some dummy .com files for many common commands, like ping, regedit, etc. (about 10 in total). This is because when you call a program without the extension (.exe in this case), it executes the one with more precedence (.com has more precedence than .exe), so when you try to execute one of these commands, it executes a dummy file that does nothing.

Also, as you have seen, it executes Limewire every 15 seconds or so, so basically the computer begins to be full and slow.


First, I changed the name of the installed Limewire (to Limewir) so the virus could not execute Limewire.

And easily enough, it was removed using Microsoft AntiSpyware Beta (last update). It detected the trojan and restored my taskman.exe file.

After that, I removed the .com copies (dummies) of the command files the program installed.

And finally I renamed my Limewire folder and checked the shared folder to see if a file containing the trojan was created.

Maybe this can help you. I'm a Computer Systems Engineer and have had experience with computers since I was 5, but this trojan was one of the most annoying things I have seen.

On the internet you can find more information, using the name winupdates.exe and doing a Google search.
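The .com-before-.exe precedence described in the post can be checked for mechanically. The sketch below is an added example, not part of the original post: it walks a list of search directories in resolution order and reports every command name where a .com file would run ahead of another executable. It generalizes to any extension order passed in; the function names, the default extension order and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed default extension order; on a live system read it from %PATHEXT%.
DEFAULT_PATHEXT = (".com", ".exe", ".bat", ".cmd")

def candidates(search_dirs, pathext=DEFAULT_PATHEXT):
    """Map each bare command name to its candidate files, in resolution order."""
    found = {}
    for directory in search_dirs:            # earlier directories win
        try:
            names = sorted(os.listdir(directory))
        except OSError:
            continue                          # missing or unreadable entry
        for ext in pathext:                   # earlier extensions win
            for name in names:
                stem, file_ext = os.path.splitext(name.lower())
                path = os.path.join(directory, name)
                if file_ext == ext and os.path.isfile(path):
                    found.setdefault(stem, []).append(path)
    return found

def find_shadowed(search_dirs, pathext=DEFAULT_PATHEXT):
    """Return (command, winner, shadowed) where a .com runs instead of another file.

    A .com with no same-named sibling (more.com in the sample) is not reported.
    """
    hits = []
    for stem, paths in sorted(candidates(search_dirs, pathext).items()):
        if len(paths) > 1 and paths[0].lower().endswith(".com"):
            hits.append((stem, paths[0], paths[1:]))
    return hits

def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        sys_dir, win_dir = os.path.join(root, "sys"), os.path.join(root, "win")
        layout = {sys_dir: ["ping.exe", "ping.com", "regedit.com",
                            "notepad.exe", "more.com"],
                  win_dir: ["regedit.exe"]}
        for directory, files in layout.items():
            os.makedirs(directory)
            for name in files:
                open(os.path.join(directory, name), "wb").close()
        return find_shadowed([sys_dir, win_dir])

if __name__ == "__main__":
    for command, winner, shadowed in demo():
        print(f"{command}: {winner} runs instead of {', '.join(shadowed)}")
```

Any hit is a candidate for review rather than proof of infection; compare the reported .com file's timestamp and size against the shadowed executable before removing it.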