Virus help.. not listed in anywhere !
11 August 2004, 10:30 AM
#1
Scooby Regular
Thread Starter
Join Date: Jul 2004
Location: Cheltenham, Gloucestershire
Posts: 188
Likes: 0
Received 0 Likes
on
0 Posts
Virus help.. not listed in anywhere !
My uncle's has gone and opened a pif document 
(on his own pc 
)
and AVG has picked it up in a scan as I-Worm/Mutubu.A
Now I've checked Grisoft site, McAfee site and Norton site and no one seems to have this worm listed.
Is it new...?
What can I do about it as AVG just says "still infected" although it has now removed the e-mail...
Fecking wrinklies.. how many times I have said not to open stuff you know nothing about, wasn't even fecking addressed to him.
Anyway, any help appreciated.
Andy
(on his own pc )and AVG has picked it up in a scan as I-Worm/Mutubu.A
Now I've checked Grisoft site, McAfee site and Norton site and no one seems to have this worm listed.
Is it new...?
What can I do about it as AVG just says "still infected" although it has now removed the e-mail...
Fecking wrinklies.. how many times I have said not to open stuff you know nothing about, wasn't even fecking addressed to him.
Anyway, any help appreciated.
Andy
11 August 2004, 10:51 AM
#3
Scooby Regular
Join Date: Oct 2001
Posts: 11,403
Likes: 0
Received 0 Likes
on
0 Posts
I am assuming that you spelt it incorrectly...
W32/Mabutu-A is an email worm and IRC backdoor Trojan.
W32/Mabutu-A copies itself to the Windows folder using a random filename with an EXE extension, generating the random name by searching for a file with a DLL extension in the Windows folder and prepending a random character. W32/Mabutu-A also drops a file with a DLL extension using the same random name generation and the dropped DLL is also detected as W32/Mabutu-A.
W32/Mabutu-A sets the following registry entry so as to run the dropped DLL on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \
winupdt = "RUNDLL32.EXE <Dropped Dll Name>,_mainRD"
W32/Mabutu-A creates a log file CFG.DAT in the Windows folder.
W32/Mabutu-A may set the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings\
enableautodial = 1
W32/Mabutu-A harvests email addresses from files on the host computer with the following extensions:
WAB
HTM
HTML
TXT
W32/Mabutu-A ignores addresses containing the following strings:
kaspers
avp
virus
syman
panda
sopho
bitdef
trendmicro
nai.c
eeye
neohapsis
secur
ntbugtraq
secunia
microsoft
spam
where
admin
webmaster
mailer
mailing
postmaster
someone
somebody
noone
nobody
anyone
nothing
info
abuse
contact
service
support
secur
spam
register
news
subscription
confirm
.edu
W32/Mabutu-A sends itself as an attachment to an email with a ZIP or SCR extension.
W32/Mabutu-A attempts to gather information related to MSN Messenger from the infected computer.
W32/Mabutu-A also attempts to send gathered information to remote users via IRC channels. W32/Mabutu-A may download a file from a remote location to C:\UPDATE.DLL
W32/Mabutu-A is an email worm and IRC backdoor Trojan.
W32/Mabutu-A copies itself to the Windows folder using a random filename with an EXE extension, generating the random name by searching for a file with a DLL extension in the Windows folder and prepending a random character. W32/Mabutu-A also drops a file with a DLL extension using the same random name generation and the dropped DLL is also detected as W32/Mabutu-A.
W32/Mabutu-A sets the following registry entry so as to run the dropped DLL on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \
winupdt = "RUNDLL32.EXE <Dropped Dll Name>,_mainRD"
W32/Mabutu-A creates a log file CFG.DAT in the Windows folder.
W32/Mabutu-A may set the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings\
enableautodial = 1
W32/Mabutu-A harvests email addresses from files on the host computer with the following extensions:
WAB
HTM
HTML
TXT
W32/Mabutu-A ignores addresses containing the following strings:
kaspers
avp
virus
syman
panda
sopho
bitdef
trendmicro
nai.c
eeye
neohapsis
secur
ntbugtraq
secunia
microsoft
spam
where
admin
webmaster
mailer
mailing
postmaster
someone
somebody
noone
nobody
anyone
nothing
info
abuse
contact
service
support
secur
spam
register
news
subscription
confirm
.edu
W32/Mabutu-A sends itself as an attachment to an email with a ZIP or SCR extension.
W32/Mabutu-A attempts to gather information related to MSN Messenger from the infected computer.
W32/Mabutu-A also attempts to send gathered information to remote users via IRC channels. W32/Mabutu-A may download a file from a remote location to C:\UPDATE.DLL
11 August 2004, 11:53 PM
#7
Scooby Regular
Join Date: May 2003
Posts: 1,165
Likes: 0
Received 0 Likes
on
0 Posts
Jack has hit it right on the head
Monday's outbreak for instance
W32/Bagle.ag@MM Computer Associates
WORM_BAGLE.AC Trend
Bagle.al F-Secure
W32/Bagle.aq@MM McAfee
W32/Bagle-AQ Sophos
The list goes on I deal with this everyday
Monday's outbreak for instance
W32/Bagle.ag@MM Computer Associates
WORM_BAGLE.AC Trend
Bagle.al F-Secure
W32/Bagle.aq@MM McAfee
W32/Bagle-AQ Sophos
The list goes on I deal with this everyday
Trending Topics
13 August 2004, 10:27 AM
#9
Scooby Regular
Thread Starter
Join Date: Jul 2004
Location: Cheltenham, Gloucestershire
Posts: 188
Likes: 0
Received 0 Likes
on
0 Posts
Update:
Uncle has now done the free scan.
Results as written by him;
w32 Mabatu.a@MM!zip
No further advise was offered on the free scan
Some other info he wrote down was,
Files, \k7q76zsp\thumbs(1)zip
zr4tab1j\thumbs(1)zip
Cheers for any further help here.
Andy
Uncle has now done the free scan.
Results as written by him;
w32 Mabatu.a@MM!zip
No further advise was offered on the free scan
Some other info he wrote down was,
Files, \k7q76zsp\thumbs(1)zip
zr4tab1j\thumbs(1)zip
Cheers for any further help here.
Andy
13 August 2004, 11:13 AM
#10
Scooby Senior
Get him to change brands. McAfee can remove that puppy for you, but I'm biased. There are probably some free Antivirus products that could do the job also.
Thread
Thread Starter
Forum
Replies
Last Post