That SO.Big virus

Earlier tonight I dissected a SO.Big virus a couple of times, the last time in front of my colleagues, which went without real ‘accidents’.

A couple of side notes: the virus was actually a Sobig.F (thanks Alfons for catching this one). When testing the virus the first time at home, I was caught by surprise when I did the ‘traditional matching timestamp’ file search: the virus itself (the executable) was created well before the accompanying data file. After some logical backtracking, the clue was that the mailer’s extraction date of the .pif file was exactly the same as that of the winppr32.exe file (the actual virus/server). This means that when the user executes the .pif file, the virus copies itself to the System directory as winppr32.exe instead of recreating itself.

Another interesting point was that the server apparently connected to port 123. In the small time frame I had, I wasn’t able to see the connection go out over port 8898 UDP, let alone see the virus actually hunt for e-mail addresses (as the AV sites so colourfully describe).

Cleaning up is rather easy in this case. First end the winppr32.exe process from the process list (Task Manager); do this before touching the files, because Windows will not let you delete an executable that is still running. Then delete winppr32.exe and winsst32.dat from the system directory. In the normal case you would locate them with the Find Files tool, since that gives you, beforehand, a view of which other files were created at or around the same time and therefore what else the virus dropped. The last step is to look in the registry for entries that reference winppr32.exe and delete them: the Run key under Software\Microsoft\Windows\CurrentVersion in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. Afterwards, re-scan the machine with an up-to-date AV: this manual route only catches the files you found by timestamp.
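As an added example (not code from the original post), the script below automates the two triage steps that need care: finding the files dropped alongside winppr32.exe by matching timestamps, and finding Run-key entries that reference it. The directory contents, their timestamps and the registry export text are all constructed here; the value names in the export ("WinPPR", "SoundMgr", "Messenger") are made up for the sample and are not the names Sobig.F uses. The timestamp check uses modification time, which can be set portably for the sample, whereas the post used creation time via Find Files (on Windows, stat().st_ctime gives that instead). The registry check assumes you first dumped the keys with `reg export`, e.g. `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, and parses that text so it runs offline on any platform.

```python
import os
import re
import tempfile
import time

# Window (seconds) within which two files count as "created together".
WINDOW_SECONDS = 120


def files_near(directory, reference, window=WINDOW_SECONDS):
    """Names of regular files in `directory` whose modification time lies
    within `window` seconds of `reference`'s modification time.

    st_mtime is used because it is portable and settable for the sample;
    on Windows, entry.stat().st_ctime would give the creation time the
    post's Find Files search relied on.
    """
    ref_time = os.stat(os.path.join(directory, reference)).st_mtime
    hits = []
    for entry in os.scandir(directory):
        if entry.is_file() and abs(entry.stat().st_mtime - ref_time) <= window:
            hits.append(entry.name)
    return sorted(hits)


_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"\s*$')


def run_entries_referencing(reg_export, needle):
    """Parse a `reg export` (.reg) dump and return (key, value name, data)
    tuples from ...\\CurrentVersion\\Run keys whose data mentions `needle`
    (case-insensitive). RunOnce and other keys are deliberately ignored.
    """
    matches = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key and \
                current_key.lower().endswith(r"\currentversion\run"):
            # .reg files escape backslashes as "\\"; unescape for display.
            data = value_match.group("data").replace("\\\\", "\\")
            if needle.lower() in data.lower():
                matches.append((current_key, value_match.group("name"), data))
    return matches


# Constructed sample of a `reg export` dump; value names are made up.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMgr"="C:\\WINDOWS\\system32\\soundmgr.exe"
"WinPPR"="C:\\WINDOWS\\winppr32.exe /sinc"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
"WinPPR"="C:\\WINDOWS\\winppr32.exe /sinc"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\WINDOWS\\winppr32.exe"
'''


def demo():
    """Build a constructed system directory mimicking the post's scenario and
    run both checks. Returns (dropped file names, persistence entries)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = time.time() - 3600
        # (name, age offset in seconds): the virus and its data file share a
        # timestamp; the other two files are unrelated and much older.
        layout = [("winppr32.exe", 0), ("winsst32.dat", 5),
                  ("notepad.exe", -86400 * 30), ("win.ini", -86400 * 400)]
        for name, offset in layout:
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(b"x")
            os.utime(path, (base + offset, base + offset))
        dropped = files_near(tmp, "winppr32.exe")
    persistence = run_entries_referencing(SAMPLE_REG_EXPORT, "winppr32.exe")
    return dropped, persistence


if __name__ == "__main__":
    dropped, persistence = demo()
    print("files created alongside winppr32.exe:", dropped)
    for key, name, data in persistence:
        print(f"Run entry {key}\\{name} = {data}")
```

On a real machine you would point `files_near` at the system directory and feed `run_entries_referencing` the text of the exported keys for both hives; the RunOnce entry in the sample is skipped on purpose so you can see that the filter is on the key path, not just on the file name.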

This entry was posted in xsamplex.

3 Responses to That SO.Big virus

  1. Wayne Dorn says:

    I had a situation where I received an email and then deleted it on a Friday. When I came back to work on Monday, I was informed by my supervisor that I had sent it out to numerous people from my address book. I know that I deleted the email; then I was informed by our IS dept that they were doing massive virus patches. Could the So Big virus have caused the email to go out after I deleted it?
    Thank you for your time and I hope that you will advise me of your thoughts.

    Wayne Dorn

  2. Arthur says:

    Could the So Big virus have caused the email to go out after I deleted it?

    I’m not sure which e-mailer you use, but if it was Outlook, the moment you checked (or viewed) the e-mail may have triggered the virus to start its SMTP engine (its ‘send mail’ functionality). So maybe the better wording would have been ‘the e-mail to go out before it was deleted’. The best thing you could have done was to compare the timestamps of the mails sent out to colleagues with the time you deleted the mail (moved it into the Trash folder in Outlook) and see if they were truly related.

    Next time let the IT guys do some forensics before they bring in the artillery :-).

    Best regards,

    (upd1. edited and corrected my wording)

  3. Stephen says:

    How do I get rid of this virus? Please, I need help.
