w32.SpyBot.Worm

DoG · #1 28th May 03, 04:42 PM

NAV caught this little bugger on my system last night, after a week or so of weird stuff happening i finally figured out why

This little pest appears to have used up around 40 gig of space across 4 partitions one a 120 GB HDD. I have no idea how i got this worn, or how long it was resident on the drives for but i can only presume it was there for at least a week. The first thing that happened was NAV died a horrid death, then a critical error sound popped up between every 4 and 6 minutes and lastly i seemed to be losing HDD space faster than i could fill it (40GB in a week on 512 ADSL would be hard going!).

What to look out for: A recurring windows Critical Error sound
NAV Dieing a nasty death ( Unable to run program, scheduled scans won't run, Unable to close NAV when trying to restart etc)
Sudden unexplainable HDD space usage
The creation and replication of a file called "Explorer.exe" approx 400kb in size

The Symantec web site has very little on this worn, apart from to say its rare. How nice for those of us that have our computers infected with it.
The latest NAV AntiVirus definitions catch and repair the damage caused by this worm, if NAV works for long enough!

Sephiroth · #2 28th May 03, 04:49 PM

well at least you don't have to hear the critical error sound anymore :P

DoG · #3 28th May 03, 05:02 PM

POS sound was driving me nuts!

Stringent · #4 28th May 03, 05:07 PM

I can imagine. Trust you to get something rare

~*McoreD*~ · #5 28th May 03, 05:42 PM

Lucky your NAV figured it out. I got few emails from companies which i have contacts with that i was sending them viruses and "please check your computer for viruses".

I have Norton AntiVirus 2003 Professional installed. and it is configured as to scane incoming/outgoing emails in Outlook XP SP2. But still??

Quote:

Iam unable to open your email they are getting removed by the fire ball anti virus scan. Please check your computer for virus
***** -----Original Message-----
From: support@microsoft.com [mailto:support@microsoft.com]
Sent: Tuesday, 27 May 2003 13:20
To: ********, *****
Subject: Re: Movie

***********************
A virus (WORM_PALYH.A) was detected in the file (doc_details.pif). Action taken = remove
***********-***********

DoG · #6 28th May 03, 07:55 PM

This little bleeder took NAV out of the equation, smart little thing. I still won't be changing to another Antivirus Scanner though, i have been with NAV too long to change now

scathe skeleton · #7 28th May 03, 08:55 PM

Does anyone know how long this has been out? I'm starting to think my mom might have it. On her laptop for work it keeps saying "Fatal Error:<processhasterminated>" when the computer starts windows or NAV starts. The isnt any unknown space being used but some MS Word files are unusually big. She is running XP on a Dell Dimension 8200, P4, 72GB Hard Drive, if that helps.

~Merlyn~

EDIT: So I should grab the Virus definitions?

BearCat · #8 28th May 03, 09:02 PM

@ ~*McoreD*~ :

You better stop flaming the support creew at MS

Quote:

getting removed by the fire ball anti virus scan

@ scathe skeleton :

Quote:

Jerry Berkman, IST?WSS
Mike Friedman, System and Network Security

A new worm, WORM_PALYH.A (also known as W32.HLLW.Mankx), appeared Sunday evening, May 18. It is supposedly from support@microsoft.com. This worm, which apparently infects only Windows (not Macintosh) systems, started hitting hard about 6 to 7 p.m. UCLink users received over 50,000 copies. We are now blocking it from UCLink and Socrates. Further, we are extracting it from UCLink users' inboxes. However, we are sure many copies were downloaded by users whose PC's check for mail automatically every few minutes.

Information about this worm is available on Symantec's Security response W32.Sobig.B@mm page (http://www.symantec.com/avcenter/ven....mankx@mm.html) where a tool for removing the worm from your system is also available for download.

We are advising people not to open mail from support@microsoft.com.

As a general reminder, never open an attachment unless you expect it!

More info here :
http://www.symantec.com/avcenter/ven....mankx@mm.html
/BearCat

KingCobra · #9 28th May 03, 09:20 PM

Nice to know!

NOTE - Since most of our users look in Chit Chat everytime they checkout the board I'll leave this thread here for 5 days or so before moving to Internet Security and Privacy Section.

DoG · #10 28th May 03, 11:05 PM

You can read what little Symantec have on w32.spybot.worm here :

Code:

http://securityresponse.symantec.com/avcenter/venc/dyn/34750.html

Though NAV contains a bit more info, it says its rare. Wonderfull info