
Help with virus attack please



aronking
15-06-2004, 09:29 PM
A friend has just had his computer infected with the Worm.Zafi.B virus. He is running Win98 with AVG (free version) and Zone Alarm (free). Yes, they omitted updating the patches over the weekend.

I have downloaded stinger.exe from McAfee and will try to remove the virus using it (bringing it on a floppy). Apart from booting into safe mode (F8?), is there anything else I should be doing?

One of the first things after disinfecting the machine that would be done is to update AVG and the windows update patch, which they also failed to do over the weekend.

BTW, I received two emails which were intercepted by Orcon. Both were sent early on Monday and had this virus attached.

Thanks to the PF1 person who suggested that I get a free email account with Orcon. Otherwise, those emails may still have made it through my anti-virus program!

No this is not a commercial message. My friend is with Ihug and the virus was not detected.

Cheers

Wayne H
15-06-2004, 09:43 PM
here (http://www.sophos.com/virusinfo/analyses/w32zafib.html) is some more on the following info

W32/Zafi-B is a peer-to-peer (P2P) and email worm that will copy itself to the Windows system folder as a randomly named EXE file and set the following registry entry to ensure that it will be run on system restart.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\_Hazafibb = <Windows system folder>\<filename.exe>

The following registry branch will also be created:

HKLM\Software\Microsoft\_Hazafibb\

This registry branch will have value names consisting of two alphanumeric characters.

You will need to delete these two keys and then the <filename.exe>; this will be completely random.
"bring back the death penalty" what extreme measures... maybe it could be for virus writers.
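Added triage example, not part of the thread: a Python script that checks a regedit (.reg) export for the two registry indicators described in the post above (the `_Hazafibb` value under the Run key and the `HKLM\Software\Microsoft\_Hazafibb` branch with two-character value names). The export text is constructed, and the exe name is a placeholder standing in for the random filename.

```python
import re

# Constructed sample of a regedit export (not a real capture). It contains the
# two indicators from the post; RANDOMNAME.exe is a placeholder for the random
# filename the worm uses.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"_Hazafibb"="C:\\WINDOWS\\SYSTEM\\RANDOMNAME.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]
"a1"=hex:00
"q7"=hex:01
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_BRANCH = r"HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb"
VALUE_NAME = "_Hazafibb"


def parse_reg_export(text):
    """Parse a .reg export into {key_path_lowercase: {value_name: data}}.

    Registry paths are case-insensitive, so keys are lower-cased for lookup.
    Quoted string data has its quotes removed and doubled backslashes unescaped;
    other data (hex:, dword:) is kept as written.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]*)"=(.*)', line)
            if m:
                data = m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1].replace("\\\\", "\\")
                keys[current][m.group(1)] = data
    return keys


def find_zafi_indicators(text):
    """Return a list of (indicator, detail) tuples found in the export."""
    keys = parse_reg_export(text)
    findings = []
    run_values = keys.get(RUN_KEY.lower(), {})
    if VALUE_NAME in run_values:
        findings.append(("run_value", run_values[VALUE_NAME]))
    if WORM_BRANCH.lower() in keys:
        short_names = sorted(n for n in keys[WORM_BRANCH.lower()]
                             if len(n) == 2 and n.isalnum())
        findings.append(("branch", short_names))
    return findings
```

Run it against a real export (regedit, File > Export) of the same hive to confirm both entries are gone after cleanup.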

Jim B
15-06-2004, 09:43 PM
Symantec removal tool here (http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez.b@mm.removal.tool.html)

aronking
15-06-2004, 09:52 PM
Thanks very much Wayne and Jim for your comments and help.

I have also downloaded the Symantec removal tool as well (2 are better than 1 :-) ) and will let you know how I get on.

Thanks especially for the very prompt responses. Keep up the great work!

Cheers

whiskeytangofoxtrot
15-06-2004, 11:21 PM
Seriously, please kick his ass for opening the attachment as well if that was the mode of infection.

Berryb
15-06-2004, 11:30 PM
Brother in law clicked on the attachment as well and I get the fix it phone call. It also took out anti virus software and PC anywhere. Haven't tried the fix yet but are interested on how you get on.

aronking
16-06-2004, 12:40 AM
WTF

I have "counselled" them as to the issues - the last thing I want is to be infected myself.

In my last post I mentioned that I would provide feedback (and someone asked for this as well).

The virus was Worm.Zafi.B. Apparently it was only discovered on 11 June 2004, no doubt to propagate itself over the weekend and to have the maximum effect.

The PC was disabled such that it could not boot up at all. Each time it reached the Windows (98) splashscreen, it would reboot. The only way bootup could occur was in safe mode (F8).

Used the McAfee program first, which picked up 41 infected files, including the AVG files and the Zone Alarm files, with the effect that it disabled Zone Alarm and ensured that it had to be reinstalled each time AVG was run!

Ran the Symantec file as well after the McAfee tool and the machine was clear. Spent the next 3 hours downloading AVG and Zone Alarm to reinstall them again.

BTW, the download for AVG did NOT contain the latest definition file, so ensure that this is updated before running the first scan after cleanup.

Thanks again guys for the very prompt responses.

And if you do get your hands on the b****** that wrote the virus, I have the perfect solution - hand him to the terrorists in Iraq with the request that they do whatever they want with them. Or can someone come up with a better punishment?

The McAfee file (called Stinger.exe) is available from:
http://vil.nai.com/vil/content/v_126242.htm

and the Symantec file is called FxErkezB.exe, which is available from the address posted earlier.

Cheers

whiskeytangofoxtrot
16-06-2004, 01:01 AM
> And if you do get your hands on the b****** that
> wrote the virus, I have the perfect solution - hand
> him to the terrorists in Iraq with the request that
> they do whatever they want with them. Or can someone
> come up with a better punishment?

The Iraqis are getting Saddam back soon; they'll be pre-occupied.