A new virus on the loose with political ambition?

Wim Cossement

Hi people,

I've got this rather nasty problem with some sort of a virus/trojan and
I don't know how to get rid of it because it seems not yet known by all
major AV-companies.

According to those 2 pages it's a variant of the Raila virus but that's
about all I know.

http://mweusi.blogspot.com/2007/07/raila-virus.html
http://www.advance-africa-forum.com/showthread.php?p=19856

McAfee is installed with the latest updates and Windows should also be
up to date.

The user got the problem this morning after signing in to MSN but did
not download any file and she has knowledge about what to do and which
files to trust.

This thing now hijacks most important programs and is using 100% CPU
time. You can't run the task manager anymore, can't turn on hidden files
anymore (the Folder options in the control panel has been hidden and the
menu in Explorer is gone too, and running the control panel extension in
system32 does not work either), running regedit restarts the laptop,
searching does not work and if you try to peek in some folders you get
kicked out of Windows (either with command line or Explorer).
And it does not matter if you're in Safe mode or not, so this really sucks!

And every 20 minutes or so you get a popup saying you should vote for
Kibaki or something like that (which is apparently the president after
the elections in 2002 and a candidate now).

She had however an infection a few days ago with Raila (but McAfee was
able to get rid of this) so probably these are related...

Raila is also a candidate btw:
http://www.kenyaelection2007.com/presidential.html

What should I do?

Wimmy
 
Dustin Cook

Wim Cossement said:
Hi people,

I've got this rather nasty problem with some sort of a virus/trojan
and I don't know how to get rid of it because it seems not yet known
by all major AV-companies.

According to those 2 pages it's a variant of the Raila virus but
that's about all I know.

http://mweusi.blogspot.com/2007/07/raila-virus.html
http://www.advance-africa-forum.com/showthread.php?p=19856

McAfee is installed with the latest updates and Windows should also be
up to date.

The user got the problem this morning after signing in to MSN but did
not download any file and she has knowledge about what to do and which
files to trust.

This thing now hijacks most important programs and is using 100% CPU
time. You can't run the task manager anymore, can't turn on hidden
files anymore (the Folder options in the control panel has been hidden
and the menu in Explorer is gone too, and running the control panel
extension in system32 does not work either), running regedit restarts
the laptop, searching does not work and if you try to peek in some
folders you get kicked out of Windows (either with command line or
Explorer). And it does not matter if you're in Safe mode or not, so
this really sucks!

And every 20 minutes or so you get a popup saying you should vote for
Kibaki or something like that (which is apparently the president after
the elections in 2002 and a candidate now).

She had however an infection a few days ago with Raila (but McAfee was
able to get rid of this) so probably these are related...

Raila is also a candidate btw:
http://www.kenyaelection2007.com/presidential.html

What should I do?

Wimmy

Hi There.

Are you by chance able to run Hijackthis?
You may wish to give BugHunter a shot at scanning your machine for you,
preferably in safe-mode. You can use the included process control file if
the malware? in question will allow it. Post back your results. Proc
control is inside safebug.zip, encrypted due to some virus scanners being
overly protective.

--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: (e-mail address removed)
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
 
Wim Cossement

Dustin said:
Hi There.

Are you by chance able to run Hijackthis?
You may wish to give BugHunter a shot at scanning your machine for you,
preferably in safe-mode. You can use the included process control file if
the malware? in question will allow it. Post back your results. Proc
control is inside safebug.zip, encrypted due to some virus scanners being
overly protective.

I've tried to run Hitman pro to make things easier, but this was not
going anywhere, so maybe running the specific apps separately might do
something...
But as I recall I also could not open any zipfiles (or maybe it was due
to the content...)

Wimmy
 
Char Jackson

Tis a laptop so I don't know how... :-(

Depending on the laptop make & model, it's typically one or two screws
on the bottom of the laptop, or sometimes a latch and no screws, to
remove either a cover or the entire drive itself. Once the drive is
physically removed, computer stores sell an adapter that lets you
connect your drive to a USB port or to an internal drive connector on
a desktop PC.
 
Larry Sabo

Ernie B. said:
On Tue, 17 Jul 2007 16:43:34 GMT Rick wrote:
[snip]
A drive imaging program is handy also. XXClone,
<http://www.xxclone.com/idwnload.htm>, is free. Norton Ghost,
<http://www.symantec.com/themes/ghost/index.jsp>, also works but it isn't
free.

Acronis True Image V7 is free but only handles IDE (i.e., not SATA)
drives, I believe, and is available as follows...

Go to http://rapidshare.com/files/27852592/truimage7.zip and click the
"Free" link. Enter the characters displayed then click on "Download
via Level 3." The serial number key is in the archive.
 
Ernie B.

Ernie B. said:
On Tue, 17 Jul 2007 16:43:34 GMT Rick wrote:
[snip]
A drive imaging program is handy also. XXClone,
<http://www.xxclone.com/idwnload.htm>, is free. Norton Ghost,
<http://www.symantec.com/themes/ghost/index.jsp>, also works but it isn't
free.

Acronis True Image V7 is free but only handles IDE (i.e., not SATA)
drives, I believe, and is available as follows...

Why would the type of drive make a difference?

Go to http://rapidshare.com/files/27852592/truimage7.zip and click the
"Free" link. Enter the characters displayed then click on "Download
via Level 3." The serial number key is in the archive.

The current version of True Image is v10, sells for $39.99 USD at amazon.com.
See <http://tinyurl.com/ytz4oe>.
 
Tommy McClure

Wim said:
Hi people,

I've got this rather nasty problem with some sort of a virus/trojan
and I don't know how to get rid of it because it seems not yet known by
all major AV-companies.

According to those 2 pages it's a variant of the Raila virus but
that's about all I know.

http://mweusi.blogspot.com/2007/07/raila-virus.html
http://www.advance-africa-forum.com/showthread.php?p=19856

McAfee is installed with the latest updates and Windows should also be
up to date.

The user got the problem this morning after signing in to MSN but did
not download any file and she has knowledge about what to do and which
files to trust.

This thing now hijacks most important programs and is using 100% CPU
time. You can't run the task manager anymore, can't turn on hidden
files anymore (the Folder options in the control panel has been
hidden and the menu in Explorer is gone too, and running the control
panel extension in system32 does not work either), running regedit
restarts the laptop, searching does not work and if you try to peek
in some folders you get kicked out of Windows (either with command
line or Explorer).
And it does not matter if you're in Safe mode or not, so this really
sucks!

And every 20 minutes or so you get a popup saying you should vote for
Kibaki or something like that (which is apparently the president after
the elections in 2002 and a candidate now).

She had however an infection a few days ago with Raila (but McAfee was
able to get rid of this) so probably these are related...

Raila is also a candidate btw:
http://www.kenyaelection2007.com/presidential.html

What should I do?

Wimmy

Try McAfee Stinger, free, about 2 MB. Found trojans for me that others
missed.

Tommy
 
jen

Tommy McClure said:
Wim said:
Hi people,
I've got this rather nasty problem with some sort of a virus/trojan
and I don't know how to get rid of it because it seems not yet known by
all major AV-companies.
According to those 2 pages it's a variant of the Raila virus but
that's about all I know.
http://mweusi.blogspot.com/2007/07/raila-virus.html
http://www.advance-africa-forum.com/showthread.php?p=19856 [snip]
What should I do?
Try McAfee Stinger, free, about 2 MB. Found trojans for me that others
missed.

You do realize you're replying to an article dated Mon, 16 Jul 2007
17:44:59 +0200?

-jen
 
Tommy McClure

jen said:
Tommy McClure said:
Wim said:
Hi people,
I've got this rather nasty problem with some sort of a virus/trojan
and I don't know how to get rid of it because it seems not yet known by
all major AV-companies.
According to those 2 pages it's a variant of the Raila virus but
that's about all I know.
http://mweusi.blogspot.com/2007/07/raila-virus.html
http://www.advance-africa-forum.com/showthread.php?p=19856 [snip]
What should I do?
Try McAfee Stinger, free, about 2 MB. Found trojans for me that
others missed.

You do realize you're replying to an article dated Mon, 16 Jul 2007
17:44:59 +0200?

-jen

oops!
 
