How do I fix the damage caused by the "creative.exe" virus?

Question

How do I fix the damage caused by the "creative.exe" virus?

Answer

This question was answered on December 8, 2000. Much of the information contained herein may have changed since posting.

The W32/[email protected] or "creative.exe" worm program was discovered in early December 2000 pretending to be a Shockwave movie. As with most current worms, it will most likely be sent to you by someone you know and trust, because it automatically sends itself to everyone in an infected system's Outlook address book. The specifics of the worm are as follows:

Subject: A great Shockwave flash movie

Body text: Check out this new flash movie that I downloaded just now .. It's Great Bye

Attachment: creative.exe

This is an Internet worm coded in Visual Basic 6 and compiled as an executable named "CREATIVE.EXE". It carries the icon of a Shockwave Media Player application.

When run, this Internet worm will write a copy of itself to the local system in these folders:

C:\creative.exe

C:\WINDOWS\TEMP\creative.exe

C:\WINDOWS\Start Menu\Programs\StartUp\creative.exe

It then sends a copy of itself via MAPI email to all users in the Microsoft Outlook address book. Finally, it sends a note to what is presumably the author:

Author = [email protected]

Subject = Job complete

Body = Got yet another idiot

The worm then finds files with the .JPG and .ZIP extensions on the local machine, moves them to the root of C:, and appends the additional extension "change at least now to LINUX" to their names.

Example: "c:\Notebook.jpgchange at least now to LINUX"

Renaming the file back to its original name will restore its use.

One helpful detail about this action: the worm logs the changes to a file named "c:\messageforu.txt". That file begins with the following text:

Hi, guess you have got the message I have kept a list of files that I have infected under this If you are smart enough just reverse back the process i could have done far better damage, i could have even completely wiped your harddisk Remember this is a warning & get it sound and clear.. - The Penguin

Following the above paragraph is a listing of the files and their original locations. The files are not damaged or "infected"; they were only moved and had the suffix added to the end of their names.
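The rename-and-restore step above, as an added example that is not part of the original answer: a Python helper that reports which of the three drop locations and the log file are present under a given root, then strips the worm's suffix from any renamed file sitting there without overwriting an existing file. It does not move files back to their original folders, since the log's listing format is not given here; the directory tree it builds is constructed for demonstration.

```python
"""Cleanup helper for the creative.exe rename behaviour described above.
Paths are passed in so it can be run against a test tree or a mounted copy."""
import tempfile
from pathlib import Path

SUFFIX = "change at least now to LINUX"          # appended by the worm
# Copies the write-up says the worm drops (relative to the system root)
DROPPED = ("creative.exe", "WINDOWS/TEMP/creative.exe",
           "WINDOWS/Start Menu/Programs/StartUp/creative.exe")
LOG_FILE = "messageforu.txt"                     # its list of moved files


def find_indicators(root: Path) -> list[str]:
    """Return the relative paths of dropped copies / log file present under root."""
    return [rel for rel in DROPPED + (LOG_FILE,) if (root / rel).is_file()]


def restore_renamed_files(root: Path, dry_run: bool = False) -> dict[str, str]:
    """Strip SUFFIX from every file directly under root that carries it.
    Returns {old_name: new_name}; a file whose original name is already
    taken is skipped so nothing gets overwritten."""
    restored = {}
    for entry in sorted(root.iterdir()):
        if not (entry.is_file() and entry.name.endswith(SUFFIX)):
            continue
        target = entry.with_name(entry.name[: -len(SUFFIX)])
        if target.exists():
            continue
        if not dry_run:
            entry.rename(target)
        restored[entry.name] = target.name
    return restored


def demo() -> tuple[list[str], dict[str, str]]:
    """Build a constructed tree that mimics an infected C:\\ and clean it up."""
    root = Path(tempfile.mkdtemp())
    for rel in DROPPED + (LOG_FILE,):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")                       # placeholder contents only
    (root / ("Notebook.jpg" + SUFFIX)).write_bytes(b"\xff\xd8jpeg")
    (root / ("backup.zip" + SUFFIX)).write_bytes(b"PK\x03\x04")
    (root / "readme.txt").write_bytes(b"untouched")
    return find_indicators(root), restore_renamed_files(root)


if __name__ == "__main__":
    print(demo())
```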


Author

Posted by Ken of Data Doctors on December 8, 2000