Thread ID: 51568 2004-11-24 05:56:00 Bloodhound Juls (6449) Press F1
Post ID Timestamp Content User
295798 2004-11-24 05:56:00 Hi... I seem to have the Bloodhound virus firmly stuck in my computer. I have Norton AntiVirus 2004 installed and was advised I have a problem with my subscription and to deinstall and reinstall (more fool me). Consequently I can't connect to Live Update anymore. Nor can I shut down my computer in the formal way... I have to turn it off at the wall.
A large popup says I have a high risk virus, i.e. Bloodhound.W32.EP on C/Windows/System32/xaxe.exe. Access to file denied.
I have installed Spybot and run it, but no success. I have a Dell computer bought new about 6 months ago and am running Windows XP home edition. Any ideas?
Juls (6449)
295799 2004-11-24 06:46:00 AVG, STINGER, A2,

There are other free ways to solve your problem.

D.
drb1 (4492)
295800 2004-11-24 06:47:00 According to Symantec's site, this doesn't run/work on XP.

BUT it is a nasty one.

W95.CIH.1049 is a slight variant of W95.CIH. The difference is that W95.CIH.1049 executes its payload every August 2nd. Please see the W95.CIH write-up for more information.

Also Known As: Bloodhound.W32.EP

Type: Virus
Infection Length: 1049 bytes

Systems Affected: Windows 95, Windows 98, Windows Me
Systems Not Affected: Windows NT, Windows 2000, Windows XP

CIH is a virus that infects 32-bit Windows 95/98/NT executable files, but it can function only under Windows 95/98/Me. It does not function under Windows NT/2000/XP. When an infected program is run under Windows 95/98/Me, the virus becomes resident in memory.

Although Windows NT system files can be infected, the virus cannot become resident or infect files on a computer running Windows NT/2000/XP. The virus does not function under DOS, Windows 3.1, or on Macintosh computers. Once the virus is resident, CIH virus infects other files when they are accessed.

Files infected by CIH may have the same size as the original files because of CIH's unique mode of infection. The virus searches for empty, unused spaces in the file. Next it breaks itself up into smaller pieces and inserts its code into these unused spaces. When Norton AntiVirus repairs a file that is infected by CIH, it looks for these small viral pieces and removes them from the file.

Payload

The payload for W95.CIH.1049 executes on August 2nd.

The first payload overwrites the hard disk with random data, starting at the beginning of the disk (sector 0). The overwriting of the sectors does not stop until the system has crashed. As a result, the computer will not boot from the hard disk or a floppy disk. Also, the data that has been overwritten on the hard disk will be very difficult or impossible to recover. You must restore the data from backups.

The second payload tries to cause permanent damage to the computer. This payload attacks the Flash BIOS (a part of your computer that initializes and manages the relationships and data flow between the system devices, including the hard drive, serial and parallel ports, and the keyboard) and tries to corrupt the data that is stored there. As a result, nothing may be displayed when you start the computer. To fix this requires the services of a computer technician.

W95.CIH.1049 has been known to infect the worm W32.Klez.gen@mm.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
* Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
* Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
* Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Removal instructions

Do one of the following:

* If your computer can boot from the CD-ROM drive and you are using Norton AntiVirus 2001 or later:
1. Place the Norton AntiVirus CD into the CD-ROM drive, and restart the computer.
2. When the menu appears, proceed to scan and repair viruses.
3. When the scan has finished, remove the CD from the CD-ROM drive and restart the computer.
4. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
5. Run a full system scan.
6. If any files are detected as infected by W95.CIH.1049, click Repair.

* If your computer cannot boot from the CD-ROM drive or if you are using Norton AntiVirus 2000 or earlier:
1. Install Norton AntiVirus on an uninfected computer.
2. Run LiveUpdate, and then run a full system scan.
3. On the NAV toolbar, click Rescue.
4. Follow the prompts to create a Basic Rescue set.
5. Take the completed Basic Rescue set to the infected computer, and insert the "Basic Rescue Boot Disk" into the floppy disk drive. Restart the computer.
6. When the Rescue Disk window appears, use the arrow keys on the keyboard to select Norton AntiVirus.
7. On the command line at the bottom of the window, edit the line to read as follows:

navdx /a /b+ /m+ /repair /cfg:a /log:c:\nvreplog.txt

and then press Enter.
8. After the scan has finished, repeat steps 6 through 8 again; this time edit the command line to read as follows:

navdx /a /b+ /m+ /delete /cfg:a /log:c:\nvdellog.txt

and then press Enter.
9. When the scan has finished, the removal process is complete. Remove all disks from the disk drives, and restart the computer.
10. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
11. Run a full system scan.
12. If any files are detected as infected by W95.CIH.1049, click Repair.
Spacemannz (808)
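The Symantec text quoted above explains why a CIH-infected file can keep its original size: the virus splits itself into the "empty, unused spaces" inside the executable. The following Python scanner is an added example for this thread, not code from the forum, from Symantec or from Norton AntiVirus. It assumes (my reading of "unused space") that the space in question is the alignment padding a linker leaves between a PE section's real data (VirtualSize) and its file-aligned block (SizeOfRawData), plus any gap between consecutive sections; it parses the section table, collects those padding ranges and reports any run of non-zero bytes found there. The PE it scans is a constructed skeleton built inline (not a real or runnable binary), once with clean zero padding and once with non-zero filler written into the padding so that the file size is unchanged but the slack is no longer empty.

```python
"""Added example: flag non-empty alignment padding in PE sections, the kind of
"unused space" a cavity infector such as CIH fills.  Detection heuristic only."""
import struct
from typing import Dict, List, Tuple

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER is always 40 bytes


def parse_sections(data: bytes) -> List[Dict[str, int]]:
    """Read the section table of a PE file and return one dict per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # first section header
    sections = []
    for i in range(num_sections):
        start = table + SECTION_HEADER_SIZE * i
        hdr = data[start:start + SECTION_HEADER_SIZE]
        if len(hdr) != SECTION_HEADER_SIZE:
            raise ValueError("truncated section table")
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        virt_size, _virt_addr, raw_size, raw_off = struct.unpack_from("<IIII", hdr, 8)
        sections.append({"name": name, "virt_size": virt_size,
                         "raw_size": raw_size, "raw_off": raw_off})
    return sections


def slack_regions(sections: List[Dict[str, int]]) -> List[Tuple[str, int, int]]:
    """Byte ranges (label, start, end) that a normal linker leaves as zero padding:
    the tail of each section beyond VirtualSize up to its FileAlignment-rounded
    SizeOfRawData, plus any gap between consecutive sections.  Header slack and
    overlay data after the last section are deliberately not included."""
    regions = []
    ordered = sorted((s for s in sections if s["raw_size"]), key=lambda s: s["raw_off"])
    for i, s in enumerate(ordered):
        # A VirtualSize of 0 (some old linkers) carries no information: assume all used.
        used = min(s["virt_size"], s["raw_size"]) if s["virt_size"] else s["raw_size"]
        end = s["raw_off"] + s["raw_size"]
        if used < s["raw_size"]:
            regions.append((f"{s['name']} tail padding", s["raw_off"] + used, end))
        if i + 1 < len(ordered) and ordered[i + 1]["raw_off"] > end:
            regions.append((f"gap after {s['name']}", end, ordered[i + 1]["raw_off"]))
    return regions


def scan_slack(data: bytes) -> List[Tuple[str, int, int]]:
    """Return (label, file_offset, length) for every run of non-zero bytes in slack."""
    findings = []
    for label, start, end in slack_regions(parse_sections(data)):
        chunk = data[start:end]
        run = None
        for i, b in enumerate(chunk):
            if b and run is None:
                run = i
            elif not b and run is not None:
                findings.append((label, start + run, i - run))
                run = None
        if run is not None:
            findings.append((label, start + run, len(chunk) - run))
    return findings


# --- constructed sample (a layout skeleton, not a real or runnable binary) ---
FILE_ALIGNMENT = 0x200


def _section_header(name: bytes, virt_size: int, virt_addr: int,
                    raw_size: int, raw_off: int) -> bytes:
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), virt_size, virt_addr,
                       raw_size, raw_off, 0, 0, 0, 0, 0x60000020)


def build_sample_pe(dirty_padding: bool) -> bytes:
    """Lay out a minimal PE32 skeleton with .text and .data.  With dirty_padding
    the alignment padding of .text receives non-zero filler, mimicking a file whose
    size is unchanged but whose slack is no longer empty."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 36, FILE_ALIGNMENT)       # FileAlignment
    struct.pack_into("<I", opt, 60, FILE_ALIGNMENT)       # SizeOfHeaders
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    text_used, data_used = 0x150, 0x80
    headers = (dos + b"PE\0\0" + coff + opt
               + _section_header(b".text", text_used, 0x1000, FILE_ALIGNMENT, FILE_ALIGNMENT)
               + _section_header(b".data", data_used, 0x2000, FILE_ALIGNMENT, 2 * FILE_ALIGNMENT))
    image = bytearray(headers).ljust(FILE_ALIGNMENT, b"\0")
    image += (b"\x41" * text_used).ljust(FILE_ALIGNMENT, b"\0")   # .text + zero padding
    image += (b"\x42" * data_used).ljust(FILE_ALIGNMENT, b"\0")   # .data + zero padding
    if dirty_padding:
        at = FILE_ALIGNMENT + text_used
        image[at:at + 16] = b"\xAA" * 16                  # filler in the .text slack
    return bytes(image)


if __name__ == "__main__":
    for label, dirty in (("clean sample", False), ("dirty sample", True)):
        print(label, scan_slack(build_sample_pe(dirty)))
```

Treat a hit as a triage signal rather than proof: some toolchains and packers leave non-zero bytes in padding legitimately, and an infector that enlarges sections or adds a new one would not be caught by this check at all. On a real file, compare the scanner's findings with the antivirus verdict and with a known-good copy of the same executable.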