
How do I fix the damage caused by the "creative.exe" virus?

Question

How do I fix the damage caused by the "creative.exe" virus?

Answer

This question was answered on December 8, 2000. Much of the information contained herein may have changed since posting.

The W32/ProLin@MM or "creative.exe" worm program was discovered in early December 2000 pretending to be a Shockwave movie. As with most current worms, it will most likely be sent to you by someone you know and trust, because it automatically sends itself to everyone in an infected system's Outlook address book. The specifics of the worm are as follows:

Subject: A great Shockwave flash movie

Body text: Check out this new flash movie that I downloaded just now ... It's Great Bye

Attachment: creative.exe

This is an Internet worm coded in Visual Basic 6 and compiled as an executable named "CREATIVE.EXE". It carries the icon of a Shockwave Media Player application.

When run, this Internet worm will write a copy of itself to the local system in these folders:

C:\creative.exe

C:\WINDOWS\TEMP\creative.exe

C:\WINDOWS\Start Menu\Programs\StartUp\creative.exe

It then sends a copy of itself via MAPI email to all users in the Microsoft Outlook address book. Finally, it sends a note to what is presumably the author:

Author = z14xym432@yahoo.com

Subject = Job complete

Body = Got yet another idiot

This worm then finds files with the .JPG and .ZIP extensions on the local machine, moves them to the root of C:, and appends an additional extension to them of "change at least now to LINUX".

Example: "c:\Notebook.jpgchange at least now to LINUX"

Renaming the file back to its original name will restore its use.

A helpful note about this action, however: this Internet worm logs the changes to a file named "c:\messageforu.txt". Within this file is the following text:

Hi, guess you have got the message. I have kept a list of files that I have infected under this. If you are smart enough just reverse back the process. i could have done far better damage, i could have even completely wiped your harddisk. Remember this is a warning & get it sound and clear... - The Penguin

Following the above paragraph is a listing of the files with their original locations. The files are not damaged or "infected"; they were only moved and had the suffix added to the end.
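As an added illustration of the cleanup described above (example code, not part of the original answer), the following Python routine reads the original paths out of the worm's log, strips the appended suffix and moves each file back where it came from. The log's exact layout (one original path per line after the message) is an assumption, as is the `root` parameter, which stands in for C:\ so the routine can be rehearsed on a copy of the drive first.

```python
import shutil
import tempfile
from pathlib import Path

# Suffix the worm appends to every .jpg/.zip it drags to the root of C:
SUFFIX = "change at least now to LINUX"

def parse_log(log_text):
    """Return the original paths listed in c:\\messageforu.txt.
    Assumption (the page does not show the exact layout): after the worm's
    message, each original path sits on its own line."""
    paths = []
    for line in log_text.splitlines():
        line = line.strip()
        # A log entry is a drive-letter path ending in .jpg or .zip
        if len(line) > 3 and line[1:3] == ":\\" and line.lower().endswith((".jpg", ".zip")):
            paths.append(line)
    return paths

def restore_files(root, originals, dry_run=False):
    """Move each renamed file from `root` (standing in for C:\\) back to its
    original location, stripping the suffix. Returns (from, to) pairs; entries
    whose renamed file is missing or whose destination already exists are skipped."""
    root = Path(root)
    restored = []
    for original in originals:
        name = original.rsplit("\\", 1)[-1]           # file name without its folder
        renamed = root / (name + SUFFIX)              # where the worm left it
        dest = root.joinpath(*original[3:].split("\\"))  # drop "C:\" and re-root under root
        if not renamed.is_file() or dest.exists():
            continue
        if not dry_run:
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(renamed), str(dest))
        restored.append((str(renamed), str(dest)))
    return restored

def demo():
    """Constructed scenario in a temp dir: two moved files plus a fake log.
    Returns (number of files restored, whether both landed at their original paths)."""
    root = Path(tempfile.mkdtemp())
    log = ("Hi, guess you have got the message. ...\n"
           "C:\\Photos\\Notebook.jpg\nC:\\Backups\\old.zip\n")
    for name in ("Notebook.jpg", "old.zip"):
        (root / (name + SUFFIX)).write_text("sample")
    moved = restore_files(root, parse_log(log))
    ok = (root / "Photos" / "Notebook.jpg").is_file() and (root / "Backups" / "old.zip").is_file()
    shutil.rmtree(root)
    return len(moved), ok
```

Run with `dry_run=True` first to see the planned moves without touching anything.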

Author

Posted by Ken of Data Doctors on December 8, 2000
