Subject = Don't worry be happy


anna keynow

Hi,
Sorry if this has already been asked. I've looked in the archives but
still can't find the info I need.
A friend's computer (yes - a friend's <g>) is apparently infected with
some malware. I haven't seen it and am only going by what she has
told me over the phone.
She apparently received an email from someone called 'harley', with
the subject being 'don't worry be happy'. She opened it believing it
was from her boyfriend emailing from the harley shop or some such
thing.
The message was - hi honey, still love you. here's the pictures to
prove it.
Anyone got any idea what worm this is? I'm assuming it's a worm. I'm
no computer god so, excuse my ignorance.
Oh yeah, one other thing. She can't download anything (she's on 56k
dial-up). She said something about the Symantec site constantly being
accessed.
She uses Norton, has let it lapse (as of last week apparently) and of
course, didn't keep her definitions up to date. She understands
little of how the computer works and once again, it is another person
that I tried hammering home the importance of safe hex, when they
first got their computer but, it was ignored.
TIA.
-+Anna+-
 

Melissa

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Anyone got any idea what worm this is.

Hi Anna,

I think it may be "Zafi.B". Here's some information on it:

http://www.f-secure.com/v-descs/zafi_b.shtml

A few different sites mention the following as one of the several
messages that are sent with this worm:

======================================
Subject: Don`t worry, be happy!
Message: Hi Honey!
I`m in hurry, but i still love ya...
(as you can see on the picture)
Bye - Bye:
======================================

- --
Melissa

-----BEGIN PGP SIGNATURE-----

iD8DBQFA0UFWKgHVMc6ouYMRApkjAJ4yd+S2prRiuiC84E8wPVC1/p44uwCfcnQ6
CE9xpDTwXvQ5eS4n4yxlC2Q=
=Jskr
-----END PGP SIGNATURE-----
 

Jason Wade

[ snippedy do-dah ]
> Anyone got any idea what worm this is. I'm assuming it's a worm.
[ chomp ]

Burn her a cd with these antispyware and antiworm utilities on it:

Spybot Search and Destroy:
http://www.safer-networking.org/

AdAware (adware and spyware remover):
http://www.lavasoftusa.com/software/adaware/

McAfee Stinger
http://vil.nai.com/vil/stinger/

Hijackthis!
http://tomcoyote.org/hjt/

Now here's the tricky bit. Spybot s&d and adaware need to be updated
before they are used. Your friend (I believe you <g>) doesn't have
i'net connectivity to get the updates, so the updates have to
be burned to the cd also.

I have never done this, but I'm assuming that it can be done.

Right after she installs spybot s&d and adaware onto her 'puter,
she should install the updates for these programs from the cd.

Hijackthis doesn't need to be updated, but it does require
expert knowledge to use, expert knowledge that she can get
here:
http://www.spywareinfo.com/~merijn/htlogtutorial.html

If she uses hijackthis, to get expert help you can post
her hijackthis log in one of these forums:
http://forums.net-integration.net/
http://forums.spywareinfo.com/
http://forums.tomcoyote.org/
http://www.wilderssecurity.com/

If she's lucky, stinger will remove the m@13w@r3 without any fuss.
 

Shane

> Now here's the tricky bit. Spybot s&d and adaware need to be updated
> before they are used. Your friend (I believe you <g>) doesn't have
> i'net connectivity to get the updates, so the updates have to
> be burned to the cd also.
>
> I have never done this, but I'm assuming that it can be done.

I update these on one machine and copy the updates to three other systems.

With Ad-aware it's only reflist.ref needs copying over anyway (to
"c:\program files\lavasoft\ad-aware 6").

With Spybot S&D I zip the contents of "c:\program files\spybot - search &
destroy", then delete files from the zip prior to a certain date, e.g. the
most recent date file in the folder prior to the update. Then just unzip
into "c:\program files\spybot - search & destroy" on the other systems.
Possibly won't work with the TeaTimer update (that or I just forgot to apply
it, thus it still showed up when I searched for updates). It does work for
includes, excludes etc.

Shane
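
The update-transfer procedure described in the post above (bundle only the files changed by the update, then unpack them on the offline machine), as an added example that is not part of the original thread. The function names are hypothetical, the cutoff is assumed to be a file modification time, and the SHA-256 manifest check before extraction is an addition that the post does not describe.

```python
import hashlib
import zipfile
from pathlib import Path


def build_update_bundle(src_dir, bundle_path, cutoff_ts):
    """Zip only files under src_dir modified after cutoff_ts (epoch seconds).

    Returns {relative_path: sha256_hex} for the files that were bundled.
    """
    src = Path(src_dir)
    manifest = {}
    with zipfile.ZipFile(bundle_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(src.rglob("*")):
            if path.is_file() and path.stat().st_mtime > cutoff_ts:
                rel = path.relative_to(src).as_posix()
                data = path.read_bytes()
                manifest[rel] = hashlib.sha256(data).hexdigest()
                zf.writestr(rel, data)
    return manifest


def apply_update_bundle(bundle_path, dest_dir, manifest):
    """Verify every member against the manifest, then extract into dest_dir.

    Raises ValueError on an unexpected, missing, altered or path-escaping
    entry; nothing is written unless every entry passes.
    """
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(bundle_path) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        if set(names) != set(manifest):
            raise ValueError("bundle contents do not match manifest")
        for name in names:
            # Reject entries such as "../x" that would land outside dest_dir.
            if dest not in (dest / name).resolve().parents:
                raise ValueError(f"unsafe path in bundle: {name}")
            if hashlib.sha256(zf.read(name)).hexdigest() != manifest[name]:
                raise ValueError(f"hash mismatch: {name}")
        for name in names:
            target = dest / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(name))
    return sorted(names)
```

The manifest has to travel separately from the zip (or be read aloud or printed) for the check to mean anything on the receiving machine.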
 
