A New Worm Running Which Forced Several Services To Stop:


Posted

Windows Registry Editor, Task Manager and Folder Options Disabled by New Infection

- One more infection aiming to disable important Windows functions

January 2008 comes with a new trend when talking about computer security because lots of worms, Trojan horses, viruses or other pieces of malware attempt to disable important Windows functions in order to hide their files. WORM_YAHLOVER.AL is just another worm designed to work on Windows 98, ME, NT, 2000, XP and Server 2003, disabling the Task Manager, the Registry Editor and the Folder Options on the affected computers. The entire process is done through registry modifications, so a security solution to monitor the Windows registry would be quite useful.

The worm has already been included in most virus definitions, so whether you have installed McAfee, Kaspersky, Symantec or Sophos antivirus protection, the threat is blocked. According to security company Trend Micro, the worm circulates under several aliases, as follows: Trojan-Downloader.Win32.AutoIt.x (Kaspersky), W32/YahLover.worm.gen (McAfee), W32.SillyFDC (Symantec), W32/Dzan.a (Avira), W32/Sohana-AH (Sophos), Worm:Win32/Nuqel.J (Microsoft).

Just like any other recent worm, WORM_YAHLOVER.AL attempts to add a new registry entry in order to be executed every time the operating system is fully loaded. Moreover, it builds a new Autorun.inf file and copies it on every removable drive connected to the affected computer as a method to spread its files.

The medium damage potential and the medium distribution potential set by Trend Micro come to underline the worm's ability to harm the data stored on your computer. To prove to you that WORM_YAHLOVER.AL is really dangerous, here are some statistics provided by the same security company: 1,885 computers infected in Asia and 646 systems affected in North America, all of them reported since January 11th, 2008.

Today's piece of advice is similar to the past ones: avoid visiting malicious websites that may drop the infection on your computer and keep the antivirus solution up-to-date with the latest virus definitions.
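An added example, not part of the original post or of any vendor write-up: the article says the lockout is done entirely through registry modifications, so this Python sketch parses a `.reg` export (for instance one taken from a rescue-CD session) and reports the policy values that hide Task Manager, Registry Editor and Folder Options, along with Run-key autostart entries to review. The value names are standard Windows policy settings that the thread itself does not list, and the sample export, including the Run entry, is constructed.

```python
import re

# Standard Windows policy values (not named in the thread); non-zero hides the feature.
LOCKOUT_VALUES = {
    "disabletaskmgr": "Task Manager",
    "disableregistrytools": "Registry Editor",
    "nofolderoptions": "Folder Options",
}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample in .reg export format; the Run entry is a placeholder.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleEntry"="C:\\WINDOWS\\system32\\example-placeholder.exe"
'''

def parse_reg_export(text):
    """Yield (key, value_name, raw_data) for each value in .reg export text."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex values continued with a trailing backslash
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(2)

def audit(text):
    """Return ("disabled", feature, key) and ("autostart", name, command) findings."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k = key.lower()
        feature = LOCKOUT_VALUES.get(name.lower())
        if feature and "\\policies\\" in k and data.lower().startswith("dword:"):
            if int(data[6:], 16) != 0:
                findings.append(("disabled", feature, key))
        elif k.endswith(RUN_KEY_SUFFIX) and data.startswith('"'):
            command = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
            findings.append(("autostart", name, command))
    return findings
```

Real exports written by regedit in this format are UTF-16 encoded, so decode the file with `utf-16` before passing its text to `audit`.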

Posted (edited)

Thanks Reimar.

THIS is what's been bugging the computers in my workplace.

Please see THIS

Now, how do you remove it if it's already there?

The infection also prevented me from installing an antivirus. When I do so, the installation proceeds like nothing is wrong. When it finishes the installation process, the new antivirus is nowhere to be found. Not in the start-->all programs, not even in the program folder in drive c.

Help!

Edited by sensei
Posted
Thanks Reimar.

THIS is what's been bugging the computers in my workplace.

Please see THIS

Now, how do you remove it if it's already there?

The infection also prevented me from installing an antivirus. When I do so, the installation proceeds like nothing is wrong. When it finishes the installation process, the new antivirus is nowhere to be found. Not in the start-->all programs, not even in the program folder in drive c.

Help!

Try to use CureIt. To get it go to: http://www.freedrweb.com and download the latest version of CureIt.

After downloading, please start the computer in Safe Mode and let CureIt run.

That works for many computers but not for all.

If you have, boot from an XP which runs from CD. If you don't have a CD like that, go to some of the IT Center like Pantip or Zeer or so and buy an Emergency CD with XP to run from CD.

If you still have problems, please PM me.

Cheers.

Posted

Hi Reimar

Every time I see a post of yours it is a MUST read for me and so far the information you have posted has been of use to me and cured problems that I didn't know I had.

I used to use a genuine Norton 360 from Symantec but I had a lot of problems with it not doing a live update that I complained on their website but they were unable to fix the problem so in the end I binned it and now I use Avast which is free, works and updates regularly.

I also use Dr web cure it most days and it picks up the odd one that Avast lets through.

On the other hand both of them picked up lots that Symantec missed.

I have come to the conclusion that no single anti virus program is infallible.

Thanks for all your past help and the future too.

:o:D :D

Posted
Is there any need to post about new viruses??? According to Symantec http://www.symantec.com/security_response/...-99&tabid=2 this virus has a risk rate of 'very low' it doesn't disable the folder, task manager and registry editor..this is just going to scare some people..

You get the answer if you read some of the replies! And even if it is just 1 positive reply, the post has done its work to 100%.

On the other hand it's your choice to read the posts you want and ignore the others! I do believe also that the other members of the forum are old enough to choose individually what they like to read and what not.

And by the way, Symantec is one of worst AV Systems today!

Posted

UBCD4win uses bartPE and a windows disc to do a similar thing

and also the way I will clean a system - though there has been one that it didn't do the full job, a Chinese laptop with a Chinese rootkit.

Posted (edited)
Is there any need to post about new viruses??? According to Symantec http://www.symantec.com/security_response/...-99&tabid=2 this virus has a risk rate of 'very low' it doesn't disable the folder, task manager and registry editor..this is just going to scare some people..

$h1t happens... These blasted computers are easy prey to those who've got nothing to do with their free time. New viruses are coming out faster than any antivirus could cope up with.

Yes, BKKPERSON, this is real. My workplace is crawling with this. This is not that much threatening but it's annoying when it hides an important folder and replaces it with a file that bears the same name as the hidden folder. You can't get your original files back because the folder options button is mysteriously gone. Even the task manager seems to be disabled.

Hey, you are the Tech Support guy, right? So what do you think about this "low risk" infection?

This post is NOT scaring me one bit. It's helping me solve a problem that our lazy IT expert is ignoring.

BTW, Thanks reimar. I will try CureIt and hope it cures it.

Edited by sensei
Posted
Is there any need to post about new viruses??? According to Symantec http://www.symantec.com/security_response/...-99&tabid=2 this virus has a risk rate of 'very low' it doesn't disable the folder, task manager and registry editor..this is just going to scare some people..

$h1t happens... These blasted computers are easy prey to those who've got nothing to do with their free time. New viruses are coming out faster than any antivirus could cope up with.

Yes, BKKPERSON, this is real. My workplace is crawling with this. This is not that much threatening but it's annoying when it hides an important folder and replaces it with a file that bears the same name as the hidden folder. You can't get your original files back because the folder options button is mysteriously gone. Even the task manager seems to be disabled.

Hey, you are the Tech Support guy, right? So what do you think about this "low risk" infection?

This post is NOT scaring me one bit. It's helping me solve a problem that our lazy IT expert is ignoring.

BTW, Thanks reimar. I will try CureIt and hope it cures it.

yeah i agree it's a pain in the arse but it is low risk and just a run of the mill virus..if there was a long old post every time a new low risk virus came out then everybody would be constantly scared...

If your place is crawling with these types of viruses then your 'lazy IT expert' clearly isn't doing his job properly as if he's any good then he would have been alerted as soon as the 1st one hit if it hit at all!!

Posted
Is there any need to post about new viruses??? According to Symantec http://www.symantec.com/security_response/...-99&tabid=2 this virus has a risk rate of 'very low' it doesn't disable the folder, task manager and registry editor..this is just going to scare some people..

$h1t happens... These blasted computers are easy prey to those who've got nothing to do with their free time. New viruses are coming out faster than any antivirus could cope up with.

Yes, BKKPERSON, this is real. My workplace is crawling with this. This is not that much threatening but it's annoying when it hides an important folder and replaces it with a file that bears the same name as the hidden folder. You can't get your original files back because the folder options button is mysteriously gone. Even the task manager seems to be disabled.

Hey, you are the Tech Support guy, right? So what do you think about this "low risk" infection?

This post is NOT scaring me one bit. It's helping me solve a problem that our lazy IT expert is ignoring.

BTW, Thanks reimar. I will try CureIt and hope it cures it.

yeah i agree it's a pain in the arse but it is low risk and just a run of the mill virus..if there was a long old post every time a new low risk virus came out then everybody would be constantly scared...

If your place is crawling with these types of viruses then your 'lazy IT expert' clearly isn't doing his job properly as if he's any good then he would have been alerted as soon as the 1st one hit if it hit at all!!

Come to think of it, this computer technician/expert of ours is the one to blame for this. He installed copies and modded versions of the OS on all of the computers, installed a bloatware of an antivirus (McAfee) that he downloaded from a torrent site and locked everyone out by allowing us to use only a non-Admin account.

Yeah you are right bkkperson... a "virus" is in our midst. : )

Posted
ouch you got yourself a cowboy there..grr...puts shame on us techies

Cowboy? Nah, more of a redneck.

: )

Posted

if you create your own disc ( UBCD4win recommended ) to boot with , it does not matter what he has done to lock down the windows OS as you will not be running it , only looking at the data on the hard drive.

and I don't think this worm is new - there have been others which do the same thing floating around for at least a year in my experience - also as I have mentioned elsewhere some of this malware will replace iexplore.exe with its own version , if your cleaning has the file deleted you need to get a copy from a computer which you know has not been compromised and replace it on the comp.

Posted
Come to think of it, this computer technician/expert of ours is the one to blame for this. He installed copies and modded versions of the OS on all of the computers, installed a bloatware of an antivirus (McAfee) that he downloaded from a torrent site and locked everyone out by allowing us to use only a non-Admin account.

Yeah you are right bkkperson... a "virus" is in our midst. : )

Whaaaa?! Why doesn't he fix his mistakes?

Damian

Posted
if you create your own disc ( UBCD4win recommended ) to boot with , it does not matter what he has done to lock down the windows OS as you will not be running it , only looking at the data on the hard drive.

and I don't think this worm is new - there have been others which do the same thing floating around for at least a year in my experience - also as I have mentioned elsewhere some of this malware will replace iexplore.exe with its own version , if your cleaning has the file deleted you need to get a copy from a computer which you know has not been compromised and replace it on the comp.

I see light at the end of the tunnel.

I got the worm's number.

Thank you so much.

Posted

Well, preventing computer virus infections by logging in with a user account and not as administrator in the Windows OS is the way to go.

I have cleaned numerous computers now with some tools such as Hijack This and Bart's PE CD; more than a year ago I changed all the administrator accounts to user accounts and after that no virus infections on 10 computers.

Installing software is not possible as user (that's the virus protection); you have to log out and log in as administrator to install software.

Posted
Thanks Reimar.

THIS is what's been bugging the computers in my workplace.

Please see THIS

Now, how do you remove it if it's already there?

The infection also prevented me from installing an antivirus. When I do so, the installation proceeds like nothing is wrong. When it finishes the installation process, the new antivirus is nowhere to be found. Not in the start-->all programs, not even in the program folder in drive c.

Help!

Try to use CureIt. To get it go to: http://www.freedrweb.com and download the latest version of CureIt.

After downloading, please start the computer in Safe Mode and let CureIt run.

That works for many computers but not for all.

If you have, boot from an XP which runs from CD. If you don't have a CD like that, go to some of the IT Center like Pantip or Zeer or so and buy an Emergency CD with XP to run from CD.

If you still have problems, please PM me.

Cheers.

CureIt cured it!

Thanks Reimar!

A few clicks changing the registry and a few clicks using gpedit.msc brought the Task Manager and the folder options back.

1 computer done, 10 more to go...

Thanks a lot!

Posted
Thanks Reimar.

THIS is what's been bugging the computers in my workplace.

Please see THIS

Now, how do you remove it if it's already there?

The infection also prevented me from installing an antivirus. When I do so, the installation proceeds like nothing is wrong. When it finishes the installation process, the new antivirus is nowhere to be found. Not in the start-->all programs, not even in the program folder in drive c.

Help!

Try to use CureIt. To get it go to: http://www.freedrweb.com and download the latest version of CureIt.

After downloading, please start the computer in Safe Mode and let CureIt run.

That works for many computers but not for all.

If you have, boot from an XP which runs from CD. If you don't have a CD like that, go to some of the IT Center like Pantip or Zeer or so and buy an Emergency CD with XP to run from CD.

If you still have problems, please PM me.

Cheers.

CureIt cured it!

Thanks Reimar!

A few clicks changing the registry and a few clicks using gpedit.msc brought the Task Manager and the folder options back.

1 computer done, 10 more to go...

Thanks a lot!

You're very welcome!

Keep CureIt in mind for the next security threats!

Posted

You're very welcome!

Keep CureIt in mind for the next security threats!

--------------------

Reimar

There is a way for to solve every thing but sometimes difficult to find.

Keep trying and going and on the end of the day may you got what you need!

Hi Reimar

For what it is worth I run CureIt every 2 or 3 days and after yesterday's run it came back with no virus found.

Thanks once again.

:D:o:D

Posted
You're very welcome!

Keep CureIt in mind for the next security threats!

--------------------

Reimar

There is a way for to solve every thing but sometimes difficult to find.

Keep trying and going and on the end of the day may you got what you need!

Hi Reimar

For what it is worth I run CureIt every 2 or 3 days and after yesterday's run it came back with no virus found.

Thanks once again.

:D:o:D

But please keep in mind that you need to download the latest version of CureIt every time, because there isn't a database update for this free version. If you want a "normal" update, you need to buy the full version, but from my point of view just downloading it every time does the job as well!

Cheers.
