I think one of my clients has a weird virus. People started calling him saying that they couldn’t open the attachment he sent them, and he said he didn’t send them anything. He calls me and tells me that, and a big alarm goes off in my head.
The subject line is “S. copyright laws as unpublished”.
There is some text, and then an attachment titled “confidential.bat”.
Open it up and Windows tells you that it won’t open.
Lots of people have received it from him. He has Norton Antivirus, and his computer updates the virus definitions and runs a virus scan every morning. I ran them both again, and it says there is no virus on his computer. Moreover, I can’t find it anywhere on the web.
Any help from you lords of techdom?
JWT
If you pr!ck us, do we not bleed? If you poison us, do we not die? And if you wrong us, shall we not revenge? If we are like you in the rest, we will resemble you in that the villany you teach me, I will execute, and it shall go hard but I will better the instruction. MOV
In all seriousness, the only thing you can do is keep him off the network while you research the possible virus. If you can find info on it you may be able to do something other than format. If it was sent to people without him actually doing so, then I would venture to say he’s got a virus that Norton cannot detect, especially with a .bat extension.
I don’t know very much at all about viruses, but when you get one that cannot even be found to be repaired, the only thing you can do is wipe the machine.
Here is a link to another utility that is offered via the web. I don’t trust it as much as Norton, but it has been known in the past to find viruses Norton missed.
This depends on what version of Outlook you are running. An executable (a program that runs: .exe, .bat, .vbs, .wsh and 10 or 12 others) attachment to an email will not be opened if your client has Outlook 2000 SR2, has applied the security update for Outlook 98, and I believe Outlook XP as well. You could probably save the attachment to a disk, RIGHT CLICK on it and choose Edit to see what the batch file does if you are curious. It may not be a virus; Outlook is attempting to be safe and not opening the program.
If the email body text (not the attachment) does not make sense, or is leaking a white powder, then just delete the email as it is probably a virus or a bacteria. If you want you can also do a check at http://www.symantec.com or http://www.mcafee.com for any new virus alerts.
Have your client do a search for SirC32.exe. This sounds like it could be a variation of the SirCam worm. Just as GDA said though, the safest thing would be to format it.
"Just because I joke around sometimes doesn’t mean I’m serious about kung-fu." - nightair
Virus (what is the plural - viruses, virii?) can now randomly generate subject lines and attachment names, so check the signs of infection and make sure the virus definitions are up to date. Shifty little buggers, aren’t they?
If the emails were sent automatically then it is probably a worm. Most worms include trojans that are launched at startup or the worm is launched again. Checking this is a little more technical, but you should be able to do it.
Do a search for system.ini - it is usually in the windows or winnt folder - and edit it. Depending on the OS it could have a [BOOT] section which will include a shell= line. This should only say explorer.exe and not include some other crap so delete it if it is there.
Go to Start - Run and type regedit. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion and you should have several Run keys - Run, RunOnce, RunOnceEx. The programs listed in these keys and values run at startup and most are fairly common; however, one could be a trojan and is usually identified by its weird name. Not very scientific, but the best I can do. Delete that value - not the entire Run key - and the program will not load again at startup. However, if you edit the registry and mess up you can crash the computer and have to rebuild it.
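Added example, not code from the thread or any of its posters: a Python script that applies the two checks above offline, to a constructed system.ini fragment and a constructed .reg export of the Run keys. The allow list and the "xs3mqk" entry are made up to show what an unfamiliar value looks like next to known ones.

```python
import re

# Constructed sample input (not from the thread); a clean line is just "shell=explorer.exe".
SYSTEM_INI = """[boot]
shell=explorer.exe confidential.bat
"""

# Constructed .reg export of the Run keys the post names; "xs3mqk" is a
# made-up entry with the kind of "weird name" the post describes.
REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"xs3mqk"="C:\\WINDOWS\\SYSTEM32\\xs3mqk.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"""

# Hypothetical allow list: value names the admin has already verified on this machine.
KNOWN_RUN_VALUES = {"NvCplDaemon", "ccApp"}

def shell_extras(ini_text):
    """Return whatever follows explorer.exe on the [boot] shell= line."""
    section = None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and line.lower().startswith("shell="):
            parts = line.split("=", 1)[1].split()
            return [p for p in parts if p.lower() != "explorer.exe"]
    return []

def run_entries(reg_text):
    """Map each Run/RunOnce/RunOnceEx key in a .reg export to {value_name: command}."""
    entries, key = {}, None
    for line in reg_text.splitlines():
        m = re.match(r"^\[(HKEY_LOCAL_MACHINE\\.*\\CurrentVersion\\Run\w*)\]$", line)
        if m:
            key = m.group(1)
            entries[key] = {}
        elif key and line.startswith('"'):
            name, cmd = re.match(r'^"([^"]+)"="(.*)"$', line).groups()
            # Undo .reg escaping: \\ -> \ and \" -> "
            entries[key][name] = cmd.replace("\\\\", "\\").replace('\\"', '"')
    return entries

def suspicious_run_values(reg_text, known=KNOWN_RUN_VALUES):
    # (key, value_name, command) for every Run value not on the allow list
    return [(k, n, c) for k, vals in run_entries(reg_text).items()
            for n, c in vals.items() if n not in known]
```

On a real machine you would feed it the exported system.ini and a `regedit /e` dump of the CurrentVersion key, and review the flagged values before deleting anything.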
I’ve checked, it’s sending out different things to different people. I’ve edited the boot line, but I’m still pretty nervous. Housecall, Norton, and McAfee all say there is nothing wrong.
JWT
Once you have edited the boot line the virus will not launch at startup, but it is probably still running. If you remember the name of the program, launch Task Manager and end that task or process (again, this depends on what version of Windows you are running).
This is probably a new virus and the AV programs cannot detect it yet. Perhaps later today or tomorrow, but it is too late by then. Such is the nature of antivirus software. This virus has probably infected some other files and the new virus definitions will likely spot these. You will probably not be able to clean them and they will have to be deleted. I hope those files were nothing important and your client has good backups, but that is never the case.
Did you ever edit the .bat file and see what it did?
Claymoore is correct. It is most likely a worm or trojan. These can only be started by executing them in a .com, .bat, or .exe extension. Once you double-clicked on the file it became active. It probably is a brand new virus, and that’s why none of the AVs are picking it up.
Go here and submit it and have it looked at: