WARNING and RECOMMENDATION re: Kama Sutra Worm

 
 
Jim Byrd
 
      02-02-2006
There is currently in the wild a particularly destructive worm called by a
variety of names but most commonly known as the "Kama Sutra" worm, which has a
payload scheduled to be activated tomorrow, Feb 3rd.

The following is courtesy of a special edition of the www.spywareinfo.com
newsletter. See following this for some additional recommendations:

<Newsletter Extract>
Special Edition

The Kama Sutra worm, which has numerous aliases, is set to deliver its first
destructive payload TOMORROW (February 3). This worm is believed to have
infected anywhere from 200,000 to 700,000 computers worldwide.

The worm is programmed to destroy numerous antivirus program files and
Microsoft Office document files, thirty minutes after an infected machine is
powered up, on the third day of each month.

Microsoft has included detection for this worm in its Malicious Software
Removal Tool. However, Microsoft is withholding that update from all but
paying members of their "Windows Live Safety" and "OneCare" beta services.
Microsoft refuses to release the update to the general public, before their
regularly scheduled general update, on February 14th. I will have plenty to
say about that in tomorrow's newsletter, believe me.

Whether you believe that you are infected or not, you should take
precautionary steps now, just in case. Any documents created by Microsoft
Office as well as .rar and .zip archives should be backed up and stored on
separate, removable storage, such as a CD or DVD. Files and documents of
this type will be corrupted beyond repair on infected machines.

Symantec has released a free tool that will remove the virus. Download the
tool and run it, even if you are certain that you are not infected. It is a
very small file and you have nothing to lose by running it. You don't want
to be wrong and lose your boss's spreadsheets, now do you?
http://securityresponse.symantec.com...oval.tool.html

If you already have an antivirus program, make certain it is updated and run
a full scan of your computer.
</Newsletter Extract>



I would recommend that you run this Removal Tool from a "Clean Boot". Below
are directions for this from my Blog, Defending Your Machine, addy below in
my Signature. (Note that this tool may take quite a long time to run, and
that it should be rerun immediately BEFORE the third day of each month in
the future using a new, fresh download of the Removal Tool each time.):


<Blog Extract>
#########IMPORTANT#########

Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
running these tools, be sure to clear all Temp files and your Temporary
Internet Files (TIF) (including offline content.) Reboot and test if the
malware is fixed after using each tool.

HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT...02092715262339

Clean Boot - General Win2k/XP procedure, but see below for links for other
OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
http://www.3feetunder.com/files/win2...nfig_setup.exe ):

1. Start->Run, enter msconfig.

2. On the General tab, click Selective Startup, and then clear the 'Process
System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
boxes. Leave the 'boot.ini' boxes however they are currently set.

3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button. If you use a third party firewall
then re-check (enable) it. For example, if you use Zone Alarm, re-check the
True Vector Internet Monitor service (and you may also want to re-check
(enable) the zlclient on the Startup tab.) Equivalent services exist for
other third party firewalls. An alternative to this for XP users is to
enable at this time the XP native firewall (Internet Connection Firewall -
ICF). Be sure to turn it back off when you re-enable your non-MS services
and Startup tab programs and restore your normal msconfig configuration
after cleaning your machine.

4. Click OK and then reboot.

For additional information about how to clean boot your operating system,
click the following article links to view the articles in the Microsoft
Knowledge Base:

310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
</Blog Extract>


--
Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
My Blog, Defending Your Machine, here:
http://DefendingYourMachine.blogspot.com/



 
 
 
 
 
rehsifttam
 
      02-02-2006
Thanks Jim, that should help everyone out!

 
 
 
 
 
Gabriele Neukam
 
      02-02-2006
On that special day, Jim Byrd, ((E-Mail Removed)) said...

> There is currently in the wild a particularly destructive worm called by a
> variety of names but most commonly known as the "Kama Sutra" worm, which has a
> payload scheduled to be activated tomorrow, Feb 3rd.


For instance Blackmal, Nyxem.E, MyWife, and a couple more. Read
Is everyone ready for Blackworm? (Feb 3)

and see that your message is BY NO MEANS new.


Gabriele Neukam



--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.
 
 
Todd H.
 
      02-02-2006

isc.sans.org has among its recommendations a simple batch file to
take a look for things:

@echo off
rem Each line appends the file name to a per-user, per-machine report if the
rem file exists; a non-existent path prints "File Not Found" on the console.
rem (The original had a stray double backslash in the first path; fixed here.)
dir /b %WinDir%\system\Winzip.exe >> %username%_%computername%.rgh
dir /b %WinDir%\system\Update.exe >> %username%_%computername%.rgh
dir /b %WinDir%\system\scanregw.exe >> %username%_%computername%.rgh
dir /b %WinDir%\Rundll16.exe >> %username%_%computername%.rgh
dir /b %WinDir%\winzip_tmp.exe >> %username%_%computername%.rgh
dir /b c:\winzip_tmp.exe >> %username%_%computername%.rgh
rem The trailing " .exe" (with a space) is part of the name, hence the quotes.
dir /b "%Temp%\word.zip .exe" >> %username%_%computername%.rgh



Drop that into a text file ending in .bat and run it from a command prompt. If all is happy, you should see a bunch of file not found messages, supposedly. I'm not sure if it's foolproof though.




--
Todd H.
http://www.toddh.net/
 
 
Todd H.
 
      02-02-2006
Gabriele Neukam <(E-Mail Removed)> writes:

> On that special day, Jim Byrd, ((E-Mail Removed)) said...
>
> > There is currently in the wild a particularly destructive worm called by a
> > variety of names but most commonly known as the "Kama Sutra" worm, which has a
> > payload scheduled to be activated tomorrow, Feb 3rd.

>
> For instance Blackmal, Nyxem.E, MyWife, and a couple more. Read
> Is everyone ready for Blackworm? (Feb 3)
>
> and see that your message is BY NO MEANS new.


No, his message is not new, but it is timely since the activation hour
is fast approaching (and past in many parts of the world).

Jim, thanks for the reminder.

--
Todd H.
http://www.toddh.net/
 
 
Virus Guy
 
      02-02-2006
"Todd H." wrote:

> isc.sans.org has among its recommendations a simple batch file


Wouldn't it just be simpler to do a file-find for one or two of these
files?

Like maybe Rundll16.exe or winzip_tmp.exe ?

And scanregw.exe is a legit file (but not necessarily located in the
\system directory)

Do ALL of those files have to be present in order to have a
fully-functional infection?

Or is it just a single file that goes by those various names?

What about an alternative, like Start->Run->msconfig->startup and then
look for a run reference to any of those files?
 
 
Harold
 
      02-02-2006
Gabriele Neukam wrote:
> On that special day, Jim Byrd, ((E-Mail Removed)) said...
>
>
>>There is currently in the wild a particularly destructive worm called by a
>>variety of names but most commonly known as the "Kama Sutra" worm, which has a
>>payload scheduled to be activated tomorrow, Feb 3rd.

>
>
> For instance Blackmal, Nyxem.E, MyWife, and a couple more. Read
> Is everyone ready for Blackworm? (Feb 3)
>
> and see that your message is BY NO MEANS new.


I, for one, was well aware of the worm. But the links were BY ALL MEANS
new to me.

Thanks for your useful post, Jim.

--
Harold



 
 
Todd H.
 
      02-02-2006
Virus Guy <(E-Mail Removed)> writes:

> "Todd H." wrote:
>
> > isc.sans.org has among its recommendations a simple batch file

>
> Wouldn't it just be simpler to do a file-find for one or two of these
> files?
>
> Like maybe Rundll16.exe or winzip_tmp.exe ?
>
> And scanregw.exe is a legit file (but not necessarily located in the
> \system directory)
>
> Do ALL of those files have to be present in order to have a
> fully-functional infection?
>
> Or is it just a single file that goes by those various names?
>
> What about an alternative, like Start->Run->msconfig->startup and then
> look for a run reference to any of those files?


As I understand it, worry if any of those batch file tests comes back
positive.

--
Todd H.
http://www.toddh.net/
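Added example, not from the SANS diary or from any poster in this thread: a batch file that reports explicitly which of the indicator paths listed in Todd's script exist (so a hit is obvious rather than buried among "File Not Found" lines), and that also checks the HKLM and HKCU Run keys, the entries msconfig's Startup tab shows, for references to those file names, which is the alternative Virus Guy asked about. It assumes reg.exe is available (it ships with Windows XP) and that the path list in Todd's script is the indicator list to check.

```batch
@echo off
rem Added example, not the SANS or poster's script. Assumes reg.exe is present (XP).
setlocal enabledelayedexpansion
set HITS=0

rem 1. Indicator file locations, taken from the batch file quoted above.
for %%F in (
    "%WinDir%\system\Winzip.exe"
    "%WinDir%\system\Update.exe"
    "%WinDir%\system\scanregw.exe"
    "%WinDir%\Rundll16.exe"
    "%WinDir%\winzip_tmp.exe"
    "c:\winzip_tmp.exe"
    "%Temp%\word.zip .exe"
) do (
    if exist "%%~F" (
        echo FOUND      %%~F
        set /a HITS+=1
    ) else (
        echo not found  %%~F
    )
)

rem 2. Autorun entries (what msconfig's Startup tab lists) mentioning those names.
rem    This is a substring match: e.g. "GoogleUpdate.exe" would match "Update.exe",
rem    and scanregw.exe is a legitimate Win9x file, so review each hit by hand.
for %%K in (
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
) do (
    for %%N in (Winzip.exe Update.exe scanregw.exe Rundll16.exe winzip_tmp.exe) do (
        reg query %%K 2>nul | find /i "%%N" >nul && (
            echo FOUND      %%~K references %%N
            set /a HITS+=1
        )
    )
)

echo.
if %HITS% GTR 0 (
    echo %HITS% indicator hits: treat this machine as suspect and run the removal tool.
) else (
    echo No indicator files or autorun references found.
)
endlocal
```

Save as a .bat file and run it from a command prompt logged on as an Administrator; absence of hits is not proof of a clean machine, so still run the removal tool and an updated antivirus scan as the thread recommends.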
 
 
nt4-ever
 
      02-02-2006
saw on news:
"Blackworm, Blackmal, Nyxem, Kama Sutra - whatever you call it, this
worm will attack this Friday, February 3rd"

from:
http://securityresponse.symantec.com...oval.tool.html
"W32.Blackmal@mm Removal Tool"
"Important: You must have administrative rights to run this tool on
Windows NT 4.0, Windows 2000, or Windows XP."

so I assume by the above it's Ok for NT-4 ??
has anyone tried it on NT-4 ??

 
 
Jim Byrd
 
      02-02-2006
To all that have commented, YW. Glad you've found it useful (at least
those that have.)

--
Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
My Blog, Defending Your Machine, here:
http://DefendingYourMachine.blogspot.com/



"Harold" <(E-Mail Removed)> wrote in message
news:43e2700b$0$6998$(E-Mail Removed)
> Gabriele Neukam wrote:
>> On that special day, Jim Byrd, ((E-Mail Removed)) said...
>>
>>
>>> There is currently in the wild a particularly destructive worm called by a
>>> variety of names but most commonly known as the "Kama Sutra" worm, which has a
>>> payload scheduled to be activated tomorrow, Feb 3rd.

>>
>>
>> For instance Blackmal, Nyxem.E, MyWife, and a couple more. Read
>> Is everyone ready for Blackworm? (Feb 3)
>>
>> and see that your message is BY NO MEANS new.

>
> I, for one, was well aware of the worm. But the links were BY ALL MEANS
> new to me
>
> Thanks for your useful post, Jim.



 