Dialer Viruses

Resident Virus

This type of virus is a permanent as it dwells in the RAM. From there it can overcome and interrupt all the operations executed by the system. It can corrupt files and programs that are opened, closed, copied, renamed etc.

Examples: Randex, CMJ, Meve, and MrKlunky.

Direct Action Viruses

The main purpose of this virus is to replicate and take action when it is executed. When a specific condition is met, the virus will go into action and infect files in the directory or folder that it is in as well as directories that are specified in the AUTOEXEC.BAT file path. This batch file is always located in the root directory of the hard disk and carries out certain operations when the computer is booted.

Examples: Vienna virus.

Overwrite Viruses

Virus of this kind is characterized by the fact that it deletes the information contained in the files that it infects, rendering them partially or totally useless once they have been infected. The only way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the original content.

Examples: Way, Trj.Reboot, Trivial.88.D.

Boot Sector Virus

This type of virus affects the boot sector of a floppy or hard disk. This is a crucial part of a disk, in which information of the disk itself is stored along with a program that makes it possible to boot (start) the computer from the disk. The best way of avoiding boot sector viruses is to ensure that floppy disks are write-protected and never starting your computer with an unknown floppy disk in the disk drive.

Examples: Polyboot.B, AntiEXE.

Macro Virus

Macro viruses infect files that are created using certain applications or programs that contain macros. These mini-programs make it possible to automate series of operations so that they are performed as a single action, thereby saving the user from having to carry them out one by one.

Examples: Relax, Melissa.A, Bablas, O97M/Y2K.

Directory Virus

Directory viruses change the path that indicate the location of a file. When you execute a program file with an extension .EXE or .COM that has been infected by a virus, you are unknowingly running the virus program, while the original file and program is previously moved by the virus. Once infected it becomes impossible to locate the original files.

Examples: Dir-2 virus.

Polymorphic Virus

Polymorphic viruses encrypt or encode themselves in a different way (using different algorithms and encryption keys) every time they infect a system. This makes it impossible for anti-viruses to find them using string or signature searches (because they are different in each encryption). The virus then goes on creating a large number of copies.

Examples: Elkern, Marburg, Satan Bug and Tuareg.

File Infector Virus

This type of virus infects programs or executable files (files with .EXE or .COM extension). When one of these programs is run, directly or indirectly, the virus is activated, producing the damaging effects it is programmed to carry out. The majority of existing viruses belong to this category, and can be classified depending on the actions that they carry out.

Examples: Cleevix and Cascade.

Companion Viruses

Companion viruses can be considered as a type of file infector viruses like resident or direct action types. They are known as companion viruses because once they get into the system they 'accompany' the other files that already exist. In other words, in order to carry out their infection routines, companion viruses can wait in memory until a program is run (resident virus) or act immediately by making copies of themselves (direct action virus).

Some examples include: Stator, Asimov.1539 and Terrax.1069

FAT Virus

The file allocation table or FAT is the part of a disk used to store all the information about the location of files, available space, unusable space etc. FAT virus attacks the FAT section and may damage crucial information. It can be especially dangerous as it prevents access to certain sections of the disk where important files are stored. Damage caused can result in information losses from individual files or even entire directories.

Examples:

Multipartite Virus

These viruses spread in multiple ways possible. It may vary in its action depending upon the operating system installed and the presence of certain files.

Examples: Invader, Flip and Tequila

Web Scripting Virus

Many web pages include complex code in order to create an interesting and interactive content. This code is often exploited to bring about certain undesirable actions.

Worms

A worm is a program very similar to a virus; it has the ability to self-replicate and can lead to negative effects on your system. But they can be detected and eliminated by anti-viruses.

Examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, Mapson.

Trojans or Trojan Horses

Another unsavory breed of malicious code are Trojans or Trojan horses, which unlike viruses do not reproduce by infecting other files, nor do they self-replicate like worms. In fact, it is program which disguises itself as a useful program or application.

Logic Bombs

They are not considered viruses because they do not replicate. They are not even programs in their own right but rather camouflaged segments of other programs. They are only executed when a certain predefined condition is met. Their objective is to destroy data on the computer once certain conditions have been met. Logic bombs go undetected until launched and the results can be destructive.

Besides, there are many other computer viruses that have a potential to infect your digital data. Hence, it is a must that you protect your data by installing a genuine quality anti-virus software.

Type the following line in the notepad: attrib -h -s -r /s /d *.*

then 1 - save the file with "bat" extension

2 - copy the file onto your flash drive

After, you just execute the new created file (on the flash drive), and your hidden folders will appear.

Yes, I have been told by my doctor that there is a virus out there that can last about 4 weeks that causes nasal and chest congestion and should be watched for any bacterial infection that may develop. I had this and it started with a thick mucous that dripped from my sinus down my throat and was accompanied by dry mouth making it hard to swallow. It is important to drink plenty of water to keep you hydration and to thin the mucous. Also, it is recommended that you perform a sinus rinse 3-4 times daily. Your doctor can give you the recipe (that involves 8 oz of water with canning salt and baking soda). For temporary relief a nasal decongestant like Neo Synepherine nasal spary will clear you out and help you sleep but do not take for more than three days. Also, phseudophedrine is another daytime option. I found that elevating my bed by about 6 inches helped since it seems that the congestion feels worse when laying down.

Just to add that I have spoken to numerous people who have had this virus and all found it lingered for 3-4 weeks. Mine is now tappered off to just an occasssional cough but all the nasal congestions seems to be almost completely gone. See your doctor if your mucous is thick and turns yellow-green (might be a bacterial infection) and you will need an antibiotic like I did.

More Information:

• Please try this NeilMed Sinus Rinse and Mucinex. These symptons only last for 1 - 3 days if you use this product. I found out about it last year. If I feel like I'm about to get sick I use it and less than 2 days I am completely better. I made my 17 year old use it when she was about to get sick. She seldom gets sick. She was better in less than 3 days. That sinus rinse is kind of nasty but it works. The Mucinex is expensive but it works.
• It sounds like a sinus infection in most of the cases that have been reported. Often sinusitis (sinus infections) are mistaken for a cold, so if you have cold like symptoms that have lasted longer than three weeks it is likely that you have a sinus infection. What actually happens is that your sinuses become congested and your mucus becomes infected by bacteria/virus. It is also important to note that there are medications available that can help decongest your sinuses but that do not actually help to treat the infection, this is why some people my have felt little relief when using certain products- I won't mention any brands because it's not nice to bad mouth products. In order to treat a sinus infection effectively you can either go to your doctor and get a prescription of antibiotics (but these won't help with the decongestion, or not immediately at least). You can also try alternative medications, such as sinus-wars homeopathic products (which help treat the sinus infection and decongest your sinuses).Regardless of the method you choose to use the first step in recovery is understanding the condition that you may have.

Manual removal steps: Disconnect your computer from the network and disable file sharings, if any.

Disable System Restore (for Windows XP/Windows Me only).

For Windows XP:

Click Start.

Right-click My Computer, and then click Properties.

Click the System Restore tab.

Select "Turn off System Restore" or "Turn off System Restore on all drives" check box. Start your machine in Safe mode.

How to start a computer in safe mode, pls refer to: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

Update your Anti-virus software with the latest signature files and scan your computer withthe Anti-virus to detect the worm and delete any files detected as the worm by clicking the DELETE button.

Delete the value from the registry.

You need to back up the registry before making any changes to it. In correct changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only.

How to make a backup of the Windows registry, pls refer at: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&src=sec_doc_nam

Click Start > Run. Type regedit Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. You can used a tool to resolve this problem.

Download this tool. Once downloaded, �right-click� the UnHookExec.inf file and click install. Then continue with the removal steps. http://securityresponse.symantec.com/avcenter/venc/data/tool.to.reset.shellopencommand.registry.keys.HTML

Other alternative way to enable registry, please refer to: http://www.patheticcockroach.com/mpam4/index.php?p=28

Navigate to the subkey that was detected by the anti-virus and delete the value.

Exit the Registry Editor.

If you are still unable to open your registry, you may try the following steps.

Boot up the infected computer, but do not login to the server, leave it at the login prompt.

Start up another clean computer, worm-free computer which has an updated anti-virus software running and an active firewall running preventing all inbound connections.

From the clean computer, start REGEDIT.EXE and click on File -> File -> Connect Network Registry. Connect to the infected computer.

Modify the following values in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\NT\CurrentVersion\Winlogon to the following values:

"Userinit" = "C:\WINNT\system32\userinit.exe," "Shell" = "Explorer.exe"

(make sure that you enter the correct path to where Windows is installed. For example on NT4.0 it is WINNT)

After completing the above steps, reboot the infected computer.

Using the clean computer, map the C$ share and scan it using the up to date anti-virus to remove any infected files on the infected computer. Then, you should be able to boot to the computer and then follow Steps 6 - Steps 11.

Run a full system scan using an updated version of Anti-virus software and delete any files detected as worm.

Download and run a process management tool or process viewer to kill all worm processes running on the infected machine. The process management tool or the process viewer is available according to the machine's platform and can be downloaded free from the internet. For example users can download and use the following process viewer: http://www.sysinternals.com/Utilities/ProcessExplorer.HTML

Delete the scheduled tasks added by the worm. Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.) In the Control Panel window, double click Scheduled Tasks. Right click the task icon and select Properties from pop-up menu. The properties of the task is displayed. Delete the task if the contents of the Run text box in the task pane matches the worm.

Enable the System Restore (for Windows XP/Windows Me only).

Re-scan your computer with an updated version of Anti-virus to confirm the computer is clean.

Re-connect your computer to the network once confirmed clean.

Brontok Virus Manual Removal Instructions

1. Disconnect your computer from the network and disable file sharings, if any exist on the PC.
2. Disable System Restore (for Windows XP/Windows Me only).

For Windows XP:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Select Turn off System Restore or Turn off System Restore on all drives check box.

1. Start your machine in Safe mode. Reboot and repeatedly press F8. If you cannot boot into safe mode, you should still be able to get rid of the virus, however, safe mode is recommended.
2. Update the anti-virus software for any latest updates.
3. You will have to use the regedit function to remove a lot of infected/newly created values in the registry.
4. Click Start>Run. Then type regedit, click OK.
   1. You will need to use Internet Explorer to download this file.
   2. Go to http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99 and download the UnHookExec.inf file at the bottom of the page. (you will have to download this file on another PC and save it on a drive and move it over to the infected PC)
   3. Once you have put this file onto the infected PC's Desktop, Right-click the file and click Install. You won't really notice anything happen, however, this will enable the regedit function.
5. If the registry editor fails to open, the threat may have modified the registry to prevent it from opening. You can use a tool to resolve this problem:
6. Once you can use the regedit function check to see if there is a scheduled task named A1 or something along those lines (scheduled to run at 5:08pm) in All Programs\Accessories\System Tools\Scheduled Tasks. If you can't reach that location try: Control Pannel in classic view and look for the Scheduled Tasks icon/folder. Delete the task.
   1. The tool can also be found at: http://www.kaer-media.org/penawar-brontok/Download.htm
7. Next, before going ahead and deleting anything in the registry. You will need to use this German Brontok Removal tool
8. Click on the link that says: PenawarB.exe and save the file.
   1. Double click the file, click Run
   2. In the bottom right hand corner click the button that says: Percubaan Percuma!
   3. On the next screen click on the button on the left that says: Tidak mengapa, saya hendak cuba dahulu…
   4. On the next screen click the button that says: Scan sekarang!
   5. Once the tool has run it will show the location of all of the infected files
   6. Click the button that says: Buang ! & Repair to delete the infected files
   7. Note: This tool is free so when you click Repair it will delete all of the files except for 10 of them. For the remaining 10 you will have to take not of the infected files' locations and manually delete them. Also, if there are less than 10 files that are infected to begin with you will have to manually delete all of them.
9. Once the file has been saved to the infected PC's Desktop
10. Once this is done follow the instructions below on deleting all other files and registry values. This step is very important and crucial to the final removal of the virus!

The worm may use various methods to run automatically each time Windows starts. Automatic startup methods that the worm employs may include:

• Placing a copy of itself in the user's startup folder, i.e. %homepath%\Start Menu\Programs\Startup\Empty.pif. Delete the file.
• Adding a scheduled task to run %homepath%\Templates\A.kotnorB.com each day at 5:08 pm. Also check to see if there is a scheduled task named A1 or something along those lines in All Programs\Accessories\System Tools\Scheduled Tasks. If you can't reach that location try: Control Pannel in classic view and look for the Scheduled Tasks icon/folder. Delete the task.
• Adding a registry value: "Tok-Cirrhatus"

With data:

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the key.

• Adding registry value: "Bron-Spizaetus"

with data: <path to Win32/Brontok worm>

in subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Delete the key.

• Adding registry value: Shell

  with data: "explorer.exe " <path to Win32/Brontok worm>

in registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon. Delete the key.

• Modifies registry value: AlternateShell

  with data: <Win32/Brontok file name>

  in registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

  Note: the default setting for this key is "AlternateShell"="cmd.exe"

Win32/Brontok may attempt to lower security settings by making the following changes:

• Prevents the user from accessing the Registry Editor by making the following registry edit:

Adds value: DisableRegistryTools

With data: 1

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System. Change the Data to 0.

• Prevents the display of files and folders with the 'hidden' attribute set:

Adds value: Hidden

With data: 0

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Change the Data to 1.

• Prevents the display of Windows system files:

Adds value: ShowSuperHidden

With data: 0

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Change the Data to 1.

• Prevents the display of executable file extensions:

Adds value: HideFileExt

With data: 1

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Change the Data to 0.

• Prevents access to the Folder Options menu:

Adds value: NoFolderOptions

With data: 1

In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Change the Data to 0.

• Modifies the Windows HOSTS file to prevent access to certain Internet sites, the majority of which are antivirus or security-related.
• Attempts ping attacks against certain Web sites, presumably to launch a form of denial of service (DoS) attack.
• Terminates applications or restarts Windows when the title of the active window contains certain strings, many of which may be representative of antivirus or system tools that might ordinarily be used to detect or remove the worm.
• Overwrites the autoexec.bat file with the word "pause", causing systems that employ the autoexec.bat file to pause on bootup. Some variants of Win32/Brontok may modify the autoexec.bat in order to display a message during bootup.

1. You will also want to go into msconfig. Start>Run, type msconfig. And disable any startup items (under the startup tab) that look suspicious; you may have to run an internet search to determine which are normal processes and which may be a threat.
   1. make sure the scheduled task is no longer there
   2. make sure you can open regedit
   3. re-run the scanner for any infected files. If it finds anything delete them, restart the PC, and then re-run the scanner and delete files until nothing shows up again.
   4. Make sure the registry is back to normal and that you can view hidden files and folders.
2. Once this has been done, restart the PC, and check over everything in the following order: