J
Jim Byrd
There is currently in the wild a particularly destructive worm called by
variety of names but most commonly know as the "Kama Sutra" worm which has a
payload scheduled to be activated tomorrow, Feb 3rd.
The following is courtesy of a special edition of the www.spywareinfo.com
newsletter. See following this for some additional recommendations:
<Newsletter Extract>
Special Edition
The Kama Sutra worm, which has numerous aliases, is set to deliver its first
destructive payload TOMORROW (February 3). This worm is believed to have
infected anywhere from 200,000 to 700,000 computers worldwide.
The worm is programmed to destroy numerous antivirus program files and
Microsoft Office document files, thirty minutes after an infected machine is
powered up, on the third day of each month.
Microsoft has included detection for this worm in its Malicious Software
Removal Tool. However, Microsoft is withholding that update from all but
paying members of their "Windows Live Safety" and "OneCare" beta services.
Microsoft refuses to release the update to the general public, before their
regularly scheduled general update, on February 14th. I will have plenty to
say about that in tomorrow's newsletter, believe me.
Whether you believe that you are infected or not, you should take
precautionary steps now, just in case. Any documents created by Microsoft
Office as well as .rar and .zip archives should be backed up and stored on
separate, removable storage, such as a CD or DVD. Files and documents of
this type will be corrupted beyond repair on infected machines.
Symantec has released a free tool that will remove the virus. Download the
tool and run it, even if you are certain that you are not infected. It is a
very small file and you have nothing to lose by running it. You don't want
to be wrong and lose your boss's spreadsheets, now do you?
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
If you already have an antivirus program, make certain it is updated and run
a full scan of your computer.
</Newsletter Extract>
I would recommend that you run this Removal Tool from a "Clean Boot". Below
are directions for this from my Blog, Defending Your Machine, addy below in
my Signature. (Note that this tool may take quite a long time to run, and
that it should be rerun immediately BEFORE the third day of each month in
the future using a new, fresh download of the Removal Tool each time.):
<Blog Extract>
#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
running these tools, be sure to clear all Temp files and your Temporary
Internet Files (TIF) (including offline content.) Reboot and test if the
malware is fixed after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
Clean Boot - General Win2k/XP procedure, but see below for links for other
OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):
1. StartRun enter msconfig.
2. On the General tab, click Selective Startup, and then clear the 'Process
System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
boxes. Leave the 'boot.ini' boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button. If you use a third party firewall
then re-check (enable) it. For example, if you use Zone Alarm, re-check the
True Vector Internet Monitor service (and you may also want to re-check
(enable) the zlclient on the Startup tab.) Equivalent services exist for
other third party firewalls. An alternative to this for XP users is to
enable at this time the XP native firewall (Internet Connection Firewall -
ICF). Be sure to turn it back off when you re-enable your non-MS services
and Startup tab programs and restore your normal msconfig configuration
after cleaning your machine.
4. Click OK and then reboot.
For additional information about how to clean boot your operating system,
click the following article links to view the articles in the Microsoft
Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
</Blog Extract>
variety of names but most commonly know as the "Kama Sutra" worm which has a
payload scheduled to be activated tomorrow, Feb 3rd.
The following is courtesy of a special edition of the www.spywareinfo.com
newsletter. See following this for some additional recommendations:
<Newsletter Extract>
Special Edition
The Kama Sutra worm, which has numerous aliases, is set to deliver its first
destructive payload TOMORROW (February 3). This worm is believed to have
infected anywhere from 200,000 to 700,000 computers worldwide.
The worm is programmed to destroy numerous antivirus program files and
Microsoft Office document files, thirty minutes after an infected machine is
powered up, on the third day of each month.
Microsoft has included detection for this worm in its Malicious Software
Removal Tool. However, Microsoft is withholding that update from all but
paying members of their "Windows Live Safety" and "OneCare" beta services.
Microsoft refuses to release the update to the general public, before their
regularly scheduled general update, on February 14th. I will have plenty to
say about that in tomorrow's newsletter, believe me.
Whether you believe that you are infected or not, you should take
precautionary steps now, just in case. Any documents created by Microsoft
Office as well as .rar and .zip archives should be backed up and stored on
separate, removable storage, such as a CD or DVD. Files and documents of
this type will be corrupted beyond repair on infected machines.
Symantec has released a free tool that will remove the virus. Download the
tool and run it, even if you are certain that you are not infected. It is a
very small file and you have nothing to lose by running it. You don't want
to be wrong and lose your boss's spreadsheets, now do you?
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
If you already have an antivirus program, make certain it is updated and run
a full scan of your computer.
</Newsletter Extract>
I would recommend that you run this Removal Tool from a "Clean Boot". Below
are directions for this from my Blog, Defending Your Machine, addy below in
my Signature. (Note that this tool may take quite a long time to run, and
that it should be rerun immediately BEFORE the third day of each month in
the future using a new, fresh download of the Removal Tool each time.):
<Blog Extract>
#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
running these tools, be sure to clear all Temp files and your Temporary
Internet Files (TIF) (including offline content.) Reboot and test if the
malware is fixed after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
Clean Boot - General Win2k/XP procedure, but see below for links for other
OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):
1. StartRun enter msconfig.
2. On the General tab, click Selective Startup, and then clear the 'Process
System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
boxes. Leave the 'boot.ini' boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button. If you use a third party firewall
then re-check (enable) it. For example, if you use Zone Alarm, re-check the
True Vector Internet Monitor service (and you may also want to re-check
(enable) the zlclient on the Startup tab.) Equivalent services exist for
other third party firewalls. An alternative to this for XP users is to
enable at this time the XP native firewall (Internet Connection Firewall -
ICF). Be sure to turn it back off when you re-enable your non-MS services
and Startup tab programs and restore your normal msconfig configuration
after cleaning your machine.
4. Click OK and then reboot.
For additional information about how to clean boot your operating system,
click the following article links to view the articles in the Microsoft
Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
</Blog Extract>
