HELP: MSN virus!!!

Guest
Archived from groups: microsoft.public.windowsxp.security_admin

I got this sent to me via MSN by a friend:

omg this is funny! http://jose.rivera4.home.att.net/cute.*

(replaced * with pif for security reasons)

I noticed it was an MS-DOS executable and didn't accept/open it and
immediately warned everybody on my MSN list.

I then downloaded the file and accidentally ran it! I wanted to open it in
Notepad but I accidentally "opened" it and it ran!!

Now I need to know what cute.pif really did, what's its purpose? Is it a
virus? Or harmless fun? I tried doing an AVG virus scan on the file and it
came up negative. I tried searching on the web and could not find one single
piece of information about this file.

HELP!
 

galen

In news:uZ87i6pIFHA.4060@TK2MSFTNGP14.phx.gbl,
Kevin C. <kevingpo@ukonline.co.uk> had this to say:
> I got this sent to me via MSN by a friend:
>
> omg this is funny! http://jose.rivera4.home.att.net/cute.*
>
> (replaced * with pif for security reasons)
>
> I noticed it was an MS-DOS executable and didn't accept/open it and
> immediately warned everybody on my MSN list.
>
> I then downloaded the file and accidentally ran it! I wanted to open it
> in Notepad but I accidentally "opened" it and it ran!!
>
> Now I need to know what cute.pif really did, what's its purpose? Is
> it a virus? Or harmless fun? I tried doing an AVG virus scan on the
> file and it came up negative. I tried searching on the web and could
> not find one single piece of information about this file.
>
> HELP!

Well it's VIRUS: IM-Worm.Win32.Kelvir.a according to updated AVP settings.
(I just downloaded it on a computer that's not on my network for you.)

Here's a nice Google to get you started.

http://www.google.com/search?num=100&hl=en&lr=&newwindow=1&safe=off&q=IM-Worm.Win32.Kelvir.a

Galen
--
"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes
 
Guest

Why would you expect us to go visit this?!



"Kevin C." <kevingpo@ukonline.co.uk> wrote in message
news:uZ87i6pIFHA.4060@TK2MSFTNGP14.phx.gbl...
>I got this sent to me via MSN by a friend:
>
> omg this is funny! http://jose.rivera4.home.att.net/cute.*
>
> (replaced * with pif for security reasons)
>
> I noticed it was an MS-DOS executable and didn't accept/open it and
> immediately warned everybody on my MSN list.
>
> I then downloaded the file and accidentally ran it! I wanted to open it in
> Notepad but I accidentally "opened" it and it ran!!
>
> Now I need to know what cute.pif really did, what's its purpose? Is it a
> virus? Or harmless fun? I tried doing an AVG virus scan on the file and it
> came up negative. I tried searching on the web and could not find one
> single piece of information about this file.
>
> HELP!
>
 
Guest

| I got this sent to me via MSN by a friend:
|
| omg this is funny! http://jose.rivera4.home.att.net/cute.*
|
| (replaced * with pif for security reasons)
|
| I noticed it was an MS-DOS executable and didn't accept/open it and
| immediately warned everybody on my MSN list.
|
| I then downloaded the file and accidentally ran it! I wanted to open it in
| Notepad but I accidentally "opened" it and it ran!!
|
| Now I need to know what cute.pif really did, what's its purpose? Is it a
| virus? Or harmless fun? I tried doing an AVG virus scan on the file and it
| came up negative. I tried searching on the web and could not find one single
| piece of information about this file.
|
| HELP!
|

So is it Kevin C. or is it Steven Makie ? ;-)

ClamAV supposedly catches this so give it a shot, it's free.

ClamWin -
http://prdownloads.sourceforge.net/clamwin/clamwin-0.37.3-setup.exe?download


--
Dave
 

galen

In news:%23aDR6mqIFHA.576@TK2MSFTNGP15.phx.gbl,
Scott M. <s-mar@nospam.nospam> had this to say:

> Why would you expect us to go visit this?!

Because insane people such as myself will isolate a computer from the
network and give it a shot :) *chuckles*

Galen
--
"My mind rebels at stagnation. Give me problems, give me work, give me
the most abstruse cryptogram or the most intricate analysis, and I am
in my own proper atmosphere. I can dispense then with artificial
stimulants. But I abhor the dull routine of existence. I crave for
mental exaltation." -- Sherlock Holmes
 
Guest

"Galen" <galennews@gmail.com> wrote in message
news:u5bj2mqIFHA.696@TK2MSFTNGP10.phx.gbl...
> In news:uZ87i6pIFHA.4060@TK2MSFTNGP14.phx.gbl,
> Kevin C. <kevingpo@ukonline.co.uk> had this to say:
>> I got this sent to me via MSN by a friend:
>>
>> omg this is funny! http://jose.rivera4.home.att.net/cute.*
>>
>> (replaced * with pif for security reasons)
>>
>> I noticed it was an MS-DOS executable and didn't accept/open it and
>> immediately warned everybody on my MSN list.
>>
>> I then downloaded the file and accidentally ran it! I wanted to open it
>> in Notepad but I accidentally "opened" it and it ran!!
>>
>> Now I need to know what cute.pif really did, what's its purpose? Is
>> it a virus? Or harmless fun? I tried doing an AVG virus scan on the
>> file and it came up negative. I tried searching on the web and could
>> not find one single piece of information about this file.
>>
>> HELP!
>
> Well it's VIRUS: IM-Worm.Win32.Kelvir.a according to updated AVP settings.
> (I just downloaded it on a computer that's not on my network for you.)
>
> Here's a nice Google to get you started.
>
> http://www.google.com/search?num=100&hl=en&lr=&newwindow=1&safe=off&q=IM-Worm.Win32.Kelvir.a
>
> Galen
> --
> "My mind rebels at stagnation. Give me problems, give me work, give me
> the most abstruse cryptogram or the most intricate analysis, and I am
> in my own proper atmosphere. I can dispense then with artificial
> stimulants. But I abhor the dull routine of existence. I crave for
> mental exaltation." -- Sherlock Holmes
>

I downloaded the file to check it out and it creates a shortcut to the
Windows Messenger API :)
 
Guest

On Sun, 06 Mar 2005 21:11:25 -0500, David H. Lipman wrote: [snip]
> Ditto Galen !
>
> The problem is with those that don't obfuscate the URL !!

Your Symantec AV product is out of date - the Symantec site shows that it
was detected in the wild on 3/6 and the update for the definitions was
released on 3/6.

W32.Kelvir.A is a worm which spreads through MSN Messenger. The worm
attempts to download and execute a variant of W32.Spybot.Worm.

The worm arrives in an MSN window with a link to the file cute.pif.

Note: Virus definitions version 70306r (extended version 3/6/2005 rev. 18)
or greater are required to detect this threat.

Also Known As: IM-Worm.Win32.Kelvir.a [Kaspersky Lab]

Type: Worm
Infection Length: 46,082 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows XP

--
spam999free@rrohio.com
remove 999 in order to email me
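
The description quoted above says the worm arrives as an MSN message with a link to cute.pif. As an added example (not written by any poster in this thread), this Python filter flags links in chat text whose target has a directly executable extension; it goes beyond .pif to a short assumed list of extensions, and the host names and sample messages are constructed.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# .pif is the extension from this thread; the others are an assumed,
# non-exhaustive list of types Windows runs when the file is opened.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def final_extension(name):
    """Lowercase extension of the last path segment of decoded text, or ''."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.rstrip(". ")  # Windows drops trailing dots and spaces
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def risky_links(message):
    """Return [(url, ext)] for links that point at an executable file type."""
    hits = []
    for raw in URL_RE.findall(message):
        url = raw.rstrip(".,!?)")  # sentence punctuation glued to the link
        parts = urlsplit(url)
        # Check the path and every query value: a download script can
        # carry the real file name in a parameter.
        candidates = [unquote(parts.path)] + [v for _, v in parse_qsl(parts.query)]
        for text in candidates:
            ext = final_extension(text)
            if ext in EXECUTABLE_EXTS:
                hits.append((url, ext))
                break
    return hits


# Constructed sample messages (hosts are placeholders, not from the thread).
SAMPLES = [
    "omg this is funny! http://files.example.net/cute.pif",
    "look: http://files.example.net/CUTE%2EPIF !",
    "pics at http://files.example.net/get.php?f=holiday.jpg.scr",
    "see http://files.example.net/cute.gif.",
    "home page: http://www.example.com",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(risky_links(msg) or "clean", "<-", msg)
```

Only the URL path and query values are inspected, so a ".com" host name is not flagged while a file named setup.com is.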
 
Guest

On Mon, 07 Mar 2005 08:36:44 -0500, David H. Lipman wrote:
[snip]
> Leythos:
>
> At the time that screenshot was taken, it was up-to-date. By 11pm
> Eastern time Symantec did have recognition for it. Attached is a
> screenshot taken at 10:57pm.

I have our commercial and business servers set to update every 3 hours
using the Symantec Corporate Edition. The default is once per day if I
remember correctly.

I'm not sure how many people this will impact as the description indicates
it's an IM worm, and I don't allow IM on any of the clients' networks. I
only know a few home users that run IM, but I do know that a lot of the
Sororities we service use it non-stop, but they run non-MS IM products.

--
spam999free@rrohio.com
remove 999 in order to email me
 
Guest

From: "Kevin C." <kevingpo@ukonline.co.uk>

| I got this sent to me via MSN by a friend:
|
| omg this is funny! http://jose.rivera4.home.att.net/cute.*
|
| (replaced * with pif for security reasons)
|
| I noticed it was an MS-DOS executable and didn't accept/open it and
| immediately warned everybody on my MSN list.
|
| I then downloaded the file and accidentally ran it! I wanted to open it in
| Notepad but I accidentally "opened" it and it ran!!
|
| Now I need to know what cute.pif really did, what's its purpose? Is it a
| virus? Or harmless fun? I tried doing an AVG virus scan on the file and it
| came up negative. I tried searching on the web and could not find one single
| piece of information about this file.
|
| HELP!
|




UPDATE:

Trend Pattern File 476 just released now removes this infector...


1) Download the following two items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt476.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM .

2) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode then shut down as many applications as possible.
4) Using the Trend Sysclean utility, perform a Full Scan of your platform and
clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform
6) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
7) Reboot your PC.
8) Create a new Restore point

* * Please report back your results * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
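
Step 1 above requires SYSCLEAN.COM and the extracted pattern file to sit in the same directory. As an added example (not part of the original post and not Trend Micro's tooling), this Python check reports what is missing before the scan is started; the extracted file name lpt$vpn.NNN is an assumption inferred from the thread's lpt476.zip example and the scanner's "LPT$VPN" message.

```python
import os
import re

# Assumed names: SYSCLEAN.COM (from the post) and lpt$vpn.NNN for the
# extracted pattern file (inferred, not stated in the post).
SCANNER = "sysclean.com"
PATTERN_RE = re.compile(r"lpt\$vpn\.\d+")
ZIP_RE = re.compile(r"lpt\d+\.zip")


def check_listing(rel_paths):
    """Return a list of problems, given a folder's files as relative paths."""
    top, nested = [], []
    for p in rel_paths:
        p = p.replace("\\", "/").lower()  # Windows names are case-insensitive
        (nested if "/" in p else top).append(p)

    problems = []
    if SCANNER not in top:
        problems.append("SYSCLEAN.COM is not in the folder")
    if any(PATTERN_RE.fullmatch(n) for n in top):
        return problems  # pattern file sits next to the scanner

    # No pattern file at the top level: work out the most likely reason.
    strays = [p for p in nested if PATTERN_RE.fullmatch(p.rsplit("/", 1)[-1])]
    zips = [n for n in top if ZIP_RE.fullmatch(n)]
    if strays:
        problems.append("pattern file is in a subfolder (%s); "
                        "move it next to SYSCLEAN.COM" % strays[0])
    elif zips:
        problems.append("%s is still zipped; extract it into this folder" % zips[0])
    else:
        problems.append("no pattern file or pattern ZIP found; "
                        "download the pattern ZIP first")
    return problems


def check_folder(folder):
    """Walk a real folder and run check_listing on what it contains."""
    rel = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            rel.append(os.path.relpath(os.path.join(root, name), folder))
    return check_listing(rel)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for line in check_folder(target) or ["layout looks ready for SYSCLEAN.COM"]:
        print(line)
```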
 
Guest

Dave, I tried following your steps and it didn't work. However, I think I may
not be following the correct procedure. You say to put the zip file in the same
directory as the sysclean.com file. I saved it to a folder I created on my
desktop (the same place I put sysclean.com download). When I try to open the
file it says "pattern file LPT$VPN is missing" so how do I fix this? Thanks,
J


 
Guest

From: "jenniferesme" <jenniferesme@discussions.microsoft.com>

| Dave, I tried following your steps and it didn't work. However, I think I may
| not be following the correct procedure. You say to put the zip file in the same
| directory as the sysclean.com file. I saved it to a folder I created on my
| desktop (the same place I put sysclean.com download). When I try to open the
| file it says "pattern file LPT$VPN is missing" so how do I fix this? Thanks,
| J
|

Here is an alternate set of instructions that uses an automated process to download Trend
Sysclean and to execute the software.



Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

1) Download the TrendMicro Sysclean Front End

Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe


2) Download and install Ad-aware SE
(free personal version v1.06)
http://www.lavasoftusa.com/
Update Ad-aware with the latest definitions and then exit the software.

3) Execute; SYSCLEAN_FE.EXE
Choose; Unzip
Choose; Close


Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
When you get to the menu choose [1] so you can boot into Safe Mode.

4) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

5) Reboot your PC into Safe Mode and shut down as many applications as possible.

6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
When done, execute Ad-aware SE and perform a full scan of your PC and delete
all objects found.

7) Restart your PC and perform a "final" Full Scan of your platform
Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] on the menu and let SYSCLEAN.COM scan your computer.
When done, execute Ad-aware SE and perform a final scan of your PC and delete
all objects found.


8) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),

9) Reboot your PC.

10) If you are using WinME or WinXP, create a new Restore point


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Guest

Thanks for the additional help. When I get to step #3 of your additional
instructions, and try double-clicking sysclean_fe link it does not get me to
a menu or allow me to choose. It just shuts down my system with the
following message:

"Trend Pattern File not found on the system. Shutting down so you can run
sysclean_fe to obtain the pattern file." FYI I use Firefox. So, I followed
steps 1 and 2 to the letter, and this is what happened.
Thanks.

 
Guest

From: "jenniferesme" <jenniferesme@discussions.microsoft.com>

| Thanks for the additional help. When I get to step #3 of your additional
| instructions, and try double-clicking sysclean_fe link it does not get me to
| a menu or allow me to choose. It just shuts down my system with the
| following message:
|
| "Trend Pattern File not found on the system. Shutting down so you can run
| sysclean_fe to obtain the pattern file." FYI I use Firefox. So, I followed
| steps 1 and 2 to the letter, and this is what happened.
| Thanks.

I don't know why you continue to have problems.

You have to be in Normal mode to perform step #3.

If you are in Safe Mode prior to obtaining SYSCLEAN.COM and the Pattern File, you will get
the error message "Trend Pattern File not found on the system. ..." and it will reboot the
PC.

So boot into Normal Mode. Execute; c:\sysclean\SYSCLEAN_FE.BAT

If your Internet access is working properly then SYSCLEAN.COM and the Pattern File will be
downloaded. If they don't download do reboot into Safe Mode otherwise you will just get the
error message and be rebooted again.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm