A notepad file called 'aYerHS' appeared on my desktop screen

Question

Hi,

Recently, I was sent an email regarding the 'Jdbgmgr.exe' file. Thinking it was truly a virus, I deleted it. Soon after, I learnt that it was plainly just a hoax.

A few days ago, I started receiving many emails with attachments, which read in the email 'smell the fragrance of love' and a few other things. When opened, and checked for viruses by 'Hotmail', nothing appears on the screen.

A notepad file called 'aYerHS' appeared on my desktop screen. When opened, it reads 'We are the Indians' and then something about hackers. I immediately put this file straight into the 'Recycling Bin' (which I have set to 'Remove files immediately when deleted'), hoping that it would not come up the next time I use the computer. But it always does now.

Also, I use Internet Explorer 5, and usually I use 'Yahoo' as my homepage. But now, instead of 'Yahoo', I get sites such as www.geocities.com/snak33yr or www.hackertools.com/ (unfortunately, I cannot remember if that site was truly called that; I cannot fully remember either website's name, I apologize).

I am hoping to find out whether all of these mysterious happenings mean that a virus has entered my computer system, and, if you could help, how to scan for it (I do have Norton AntiVirus) and immediately prevent any damage.

I am hoping that someone will have the answers,

Yours sincerely,

Ali

Answer

This question was answered on March 12, 2003. Much of the information contained herein may have changed since posting.

This is a worm that propagates by sending email messages to addresses found in MSN Messenger, .NET Messenger, Yahoo Pager and the Windows Address Book. Please see the details section for the list of possible email formats the worm composes.

The worm also terminates certain antivirus and firewall programs, as well as the Windows Task Manager on Windows NT/2000/XP.

The worm also copies itself to the system directory under the following file names:

WinServices.exe

Nav32_loader.exe

Tcpsvs32.exe

It creates autostart and shell spawning registry entries so that these programs execute every time the system restarts or a program is double-clicked.

The worm has a payload that is triggered on March 25, May 22, or on a Thursday. It does the following on the trigger date:

Swaps the mouse buttons

Modifies the Internet Explorer start page

Sets the file attributes of files in the My Documents folder to "Hidden"

Drops the file AYERHS.TXT in the Desktop folder

Registry shell spawning executes the malware when a user tries to run an EXE file. The following procedure should restore the registry to its original settings:

Click Start>Run

In the Open input box, type:

command /c copy %WinDir%\regedit.exe regedit.com | regedit.com

Press Enter

In the left panel, double-click the following:

HKEY_CLASSES_ROOT>exefile>shell>open>command

In the right panel, locate the registry entry:

Default

Check whether its value is the path and file name of the malware file.

If the value is the malware file, right-click Default and select Modify to change its value.

In the Value data input box, delete the existing value and type the default value:

"%1" %*

Close Registry Editor.

Click Start>Run, then type:

command /c del %WinDir%\regedit.com

Press Enter.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

In the right panel, locate and delete the entry or entries:

%System%\WinServices.exe

%System%\Tcpsvs32.exe

%System%\Nav32_loader.exe

%System% refers to the System folder, which is usually C:\Windows\System (9x/Me), C:\WinNT\System32 (NT/2000), or C:\Windows\System32 (XP).

Resetting Internet Explorer Homepage and Search Page

This procedure restores the Internet Explorer home page and search page to the default settings.

Close all Internet Explorer windows.

Open Control Panel: click Start>Settings>Control Panel.

Double-click the Internet Options icon.

In the Internet Properties window, click the Programs tab.

Click the "Reset Web Settings" button.

Select "Also reset my home page." Click Yes.

Click OK.

Removing the Dropped File

Delete the file AYERHS.TXT located on your desktop.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_YAHA.M. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.


Author

Posted by Eugene of Katharine Gibbs School - New York on March 12, 2003
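A note on the registry procedure in the answer above, with an added example that is not part of the original answer. While the exefile\shell\open\command hijack is in place, launching any .exe (regedit.exe included) runs the worm first, which is why the procedure copies regedit.exe to regedit.com: .com files use a different file association and so bypass the hijacked key. The same key and the Run entries can be exported to a .reg file from regedit.com (for example, `regedit /e yaha.reg HKEY_CLASSES_ROOT`) and inspected on a clean machine. The Python script below, written here as an illustration rather than taken from the answer or from Trend Micro, parses such an export, reports the shell-spawning command if it is not the default `"%1" %*`, lists Run entries that launch one of the three worm file names named above, and builds a .reg file that restores the default and deletes those values. SAMPLE_REG is a constructed export of an infected machine, not a real capture; the exact paths and value names are assumptions.

```python
"""Audit a regedit export for the WORM_YAHA.M registry changes described in the answer.
Added example, not part of the original answer; SAMPLE_REG is a constructed export."""
import ntpath
import re
import sys

# Default "open" command for .exe files; anything else means shell spawning.
EXPECTED_EXE_OPEN = '"%1" %*'

# File names the worm copies itself under (taken from the answer above).
WORM_FILES = {"winservices.exe", "tcpsvs32.exe", "nav32_loader.exe"}

# Constructed sample export of an infected machine (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\System32\\WinServices.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinServices"="C:\\WINDOWS\\System32\\WinServices.exe"
"Tcpsvs32"="C:\\WINDOWS\\System32\\Tcpsvs32.exe"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"""

# A value line is @=... for the (Default) value or "name"=...
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg files write a backslash as \\ and a double quote as \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}}; "" is the (Default) value.
    Only string (REG_SZ) data is decoded, which is all these checks need."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue  # file header, blank line, comment or hex continuation line
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def check_exe_shell_open(keys):
    r"""Return the exefile\shell\open\command value if it is not the default, else None."""
    for path, values in keys.items():
        if path.lower().endswith(r"exefile\shell\open\command"):
            cmd = values.get("", "").strip()
            return None if cmd == EXPECTED_EXE_OPEN else cmd
    return None


def find_worm_run_entries(keys):
    """Return [(value_name, data)] for Run entries that launch one of the worm's files."""
    hits = []
    for path, values in keys.items():
        if not path.lower().endswith(r"\microsoft\windows\currentversion\run"):
            continue
        for name, data in values.items():
            tokens = ntpath.basename(data.strip().strip('"')).split()
            if tokens and tokens[0].lower() in WORM_FILES:
                hits.append((name, data))
    return hits


def build_fix_reg(run_hits):
    """Build a .reg file that restores the default .exe open command and deletes the
    worm's Run values ("name"=- deletes a value when the file is merged with regedit)."""
    lines = ["Windows Registry Editor Version 5.00", "",
             r"[HKEY_CLASSES_ROOT\exefile\shell\open\command]",
             '@="\\"%1\\" %*"', "",
             r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]"]
    lines += ['"%s"=-' % name for name, _ in run_hits]
    return "\n".join(lines) + "\n"


def load_export(path):
    """Read a regedit export: version 5.00 files are UTF-16 with a BOM, REGEDIT4 files are ANSI."""
    with open(path, "rb") as f:
        raw = f.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("cp1252")


if __name__ == "__main__":
    keys = parse_reg(load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG)
    hijack, hits = check_exe_shell_open(keys), find_worm_run_entries(keys)
    print("exefile open command:", "OK" if hijack is None else "HIJACKED -> " + hijack)
    for name, data in hits:
        print("worm Run entry:", name, "=", data)
    if hijack is not None or hits:
        print("\n--- fix.reg (review before merging) ---\n" + build_fix_reg(hits))
```

Run it with the path of an exported .reg file as the only argument, or with no argument to run it against the constructed sample. The generated fix file only restores the exefile default and removes the listed Run values; it should be reviewed before merging, and the worm's files still have to be deleted (by the antivirus scan in the answer) before the machine is rebooted, since the Run entries are what start them.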