Hi,
Recently, I was sent an email regarding the 'Jdbgmgr.exe' file. Thinking it was truly a virus, I deleted it. Soon after, I learnt that it was plainly just a hoax.
A few days ago, I started receiving many emails that have attachments to them, and that read, in the email, 'smell the fragrance of love' and a few others. When opened, and checked for viruses by 'Hotmail', nothing appears on the screen.
A notepad file called 'aYerHS' appeared on my desktop screen. When opened, it reads 'We are the Indians' and then something about hackers. I immediately put this file straight into the 'Recycling Bin' (which I have set to 'Remove files immediately when deleted'), hoping that it would not come up the next time I use the computer. But it always does now.
Also, I use Internet Explorer 5, and usually I use 'Yahoo' as my homepage. But now, instead of 'Yahoo', I have sites such as: www.geocities.com/snak33yr or www.hackertools.com/ <- Unfortunately, I cannot remember if that site was truly called that. (For both websites I cannot fully remember the site name, I apologize.)
I am hoping to find out whether all of these mysterious happenings mean that a virus has entered my computer system, and, if you could help, how to scan (I do have Norton AntiVirus) and immediately prevent any damage.
I am hoping that someone will have the answers,
Yours Sincerely,
Ali
This question was answered on March 12, 2003. Much of the information contained herein may have changed since posting.
This is a worm that propagates by sending email messages to addresses found in MSN Messenger, .NET Messenger, Yahoo Pager and the Windows Address Book. Please see the details section for the list of possible email formats the worm composes.
The worm also terminates certain antivirus products and firewall software, including the Windows Task Manager program in Windows NT/2K/XP operating systems.
The worm also copies itself to the system directory under the following file names:
WinServices.exe
Nav32_loader.exe
Tcpsvs32.exe
It creates auto-startup and shell-spawning registry entries to execute these programs every time the system restarts or a program is double-clicked.
The worm has a payload that is triggered on March 25, May 22, or on a Thursday. It does the following on the trigger date:
Swaps the mouse buttons
Modifies the Internet Explorer start page
Sets the file attributes of files in the My Documents folder to "Hidden"
Drops the file AYERHS.TXT in the Desktop folder
Registry shell spawning executes the malware when a user tries to run an EXE file. The following procedure should restore the registry to its original settings:
Click Start>Run
In the Open input box, type:
command /c copy %WinDir%\regedit.exe regedit.com | regedit.com
Press Enter
In the left panel, double-click the following:
HKEY_CLASSES_ROOT>exefile>shell>open>comm
In the right panel, locate the registry entry:
Default
Check whether its value is the path and filename of the malware file
If the value is the malware file, right-click Default and select Modify to change its value
In the Value data input box, delete the existing value and type the default value:
"%1" %*
Close Registry Editor
Click Start>Run, then type:
command /c del %WinDir%\regedit.com
Press Enter.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup
Open Registry Editor. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
%System%\Winservices.exe
%System%\Tcpsvs32.exe
%System%\Nav32_loader.exe
%System% refers to the System folder, which is usually either C:\Windows\System (9x/Me), C:\WinNT\System32 (NT/2000), or C:\Windows\System32 (XP).
Resetting Internet Explorer Homepage and Search Page
This procedure restores the Internet Explorer home page and search page to the default settings.
Close all Internet Explorer windows
Open Control Panel: click Start>Settings>Control Panel.
Double-click the Internet Options icon
In the Internet Properties window, click the Programs tab
Click the "Reset Web Settings" button.
Select "Also reset my home page." Click Yes.
Click OK.
Removing the Dropped File
Delete the file AYERHS.TXT located on your desktop.
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_YAHA.M. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
About the author
Posted by Eugene of Katharine Gibbs School - New York on March 12, 2003
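The registry and file checks described in the answer above, as an added PowerShell example that is not part of the original answer or of Trend Micro's write-up: it audits the EXE shell-spawn key, the Run autostart entries, the Internet Explorer start page and the dropped desktop file on a current Windows system, and restores the two registry settings the answer fixes only when run with -Repair. The registry paths are the standard Windows locations, the worm file names are the ones the answer lists, and the script name, the -Repair switch and the elevated-prompt requirement are assumptions of this example.

```powershell
# Audit-YahaTraces.ps1 (added example; not from the original answer)
# Read-only audit of the registry locations and files the answer names.
# Assumes Windows PowerShell 5.1 or later, run from an elevated prompt; the
# -Repair switch (assumed here) restores the two registry settings the answer
# fixes and honours -WhatIf so the changes can be previewed first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Repair
)

# File names the answer attributes to WORM_YAHA.M.
$KnownWormFiles = @('WinServices.exe', 'Nav32_loader.exe', 'Tcpsvs32.exe')

# Value a clean system carries in HKCR\exefile\shell\open\command (Default).
$ExpectedExeCommand = '"%1" %*'

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Location, [string]$Value, [string]$Reason) {
    $findings.Add([pscustomobject]@{ Check = $Check; Location = $Location; Value = $Value; Reason = $Reason })
}

# 1. Shell spawning: the worm rewrites this key so every EXE launch runs it first.
$exeCmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty -Path $exeCmdKey).'(default)'
if ($exeCmd -ne $ExpectedExeCommand) {
    Add-Finding 'EXE shell spawn' $exeCmdKey $exeCmd "expected $ExpectedExeCommand"
    if ($Repair -and $PSCmdlet.ShouldProcess($exeCmdKey, "Restore (Default) to $ExpectedExeCommand")) {
        Set-ItemProperty -Path $exeCmdKey -Name '(default)' -Value $ExpectedExeCommand
    }
}

# 2. Autostart entries: flag any Run value that references a known worm file name.
foreach ($runKey in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)
        $hits = @($KnownWormFiles | Where-Object { $value -match [regex]::Escape($_) })
        if ($hits.Count -gt 0) {
            Add-Finding 'Autostart' "$runKey\$name" $value "references $($hits -join ', ')"
            if ($Repair -and $PSCmdlet.ShouldProcess("$runKey\$name", 'Remove autostart entry')) {
                Remove-ItemProperty -Path $runKey -Name $name
            }
        }
    }
}

# 3. Internet Explorer start page: reported for review only (the answer resets it via the GUI).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
Add-Finding 'IE start page (info)' "$ieMain\Start Page" $startPage 'verify this is the page you chose'

# 4. Payload traces: the dropped desktop file and files hidden in My Documents.
$dropped = Join-Path ([Environment]::GetFolderPath('Desktop')) 'AYERHS.TXT'
if (Test-Path -LiteralPath $dropped) {
    Add-Finding 'Dropped file' $dropped '' 'delete after the registry has been cleaned'
}
$docs = [Environment]::GetFolderPath('MyDocuments')
$hidden = @(Get-ChildItem -LiteralPath $docs -File -Hidden -ErrorAction SilentlyContinue)
if ($hidden.Count -gt 0) {
    Add-Finding 'Hidden documents' $docs "$($hidden.Count) file(s)" 'payload sets My Documents files to Hidden'
}

# Emit the findings as objects so they can be piped to Format-Table or Export-Csv.
$findings
```

Run it first without switches to see what it finds, then with `-Repair -WhatIf` to preview the two registry changes before applying them. The answer's own step of copying regedit.exe to regedit.com exists because, while the exefile key is hijacked, launching any EXE from the shell runs the worm first; the same caveat applies to this script, so run it from a PowerShell session that is already open, or after that step, rather than by double-clicking a shortcut.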