major virus


mikecc
01-02-2003, 04:38 PM
I received a virus which Norton Anti Virus cannot detect.
It is taking up 98% of my computer's available space.
I cannot do a reboot because the system tells me that I do not have enough space to do it.
What I do know is the virus is a worm type; it comes through Outlook Express. It contains an 11,283 file and attaches to every folder in the computer. It is trying to download a wbk file (word book)?
I went through and eliminated all that I could find, and then it reappears and bogs me down again.

My question is:
How do I eliminate it if Norton can't tell me where it is, and can I do it or should I leave it to a pro?

JohnR
01-02-2003, 04:55 PM
OK - first thing is to download or create a Norton Rescue disk with the latest virus definitions - RTFM (read the friekin' manual ;) ).

Damn - ran out of time - must catch train but I'll follow up more when I'm home...

DaveS
01-02-2003, 07:33 PM
Hmmm, sounds weird. If Norton cannot detect it, how do you know it's a virus??? Anyway, what OS are you using? Do you run a firewall? When was the last time you updated your virus defs? Give us some details please so we can help you. First of all, anyone that uses Outlook Express is at risk for the simple fact that your emails open up automatically when you start OE, BAD BAD MICROSOFT! You can set up OE rules under the "tools" tab, then "message rules", then the "mail" tab. You create a rule that does not allow email with attachments to be opened, and all such messages go to the deleted files folder. And even better for those not too computer savvy is not to use OE at all; it is full of bugs and holes, use Yahoo email instead.

JohnR
01-02-2003, 07:34 PM
Sorry - first thing is to do a cleaning from an anti-virus boot floppy from a cold boot. This should eliminate any resident viruses. Then, depending on the damage, decide how you clean up or whether you need to restore...

Call me @ home if you need to. Or on my cell 617-512-2541

Megabyte
01-02-2003, 07:48 PM
mikecc

let me look into this tomorrow at the office, if you can wait.

We've had several clients with viruses that do similar things. One of our clients got a virus; all it did was inflate every file (in size) it could attach to until the hard drive was full.

The reason Norton didn't see it is that many viruses, worms and trojan horses look for files and registry settings that reference Norton, NAV, etc., and then if they see it, they modify the Windows Registry and disable Norton.

Most good virus writers :-) will focus on beating Norton and Outlook/Outlook Express. They're the easiest targets.

I'll check with our antivirus vendor tomorrow.

JohnR
01-02-2003, 09:11 PM
Megabyte - thank you for jarring my memory. There is an inflating PNG mod: http://www.sarc.com/avcenter/security/Content/6366.html

Mike - you are the first I've heard of this.

To everyone else: We all know the joy of turning on our machines and seeing what's changed online or what new e-mails have arrived since we last checked, but before reading e-mails or websites, give your AV scanner time to download the latest defs before hoofing along the web... A def that's a day or 2 newer can make a difference.

Other tips - like Dave S stated above - PLEASE TURN OFF the PREVIEW PANE. It's the worst thing in the world as it allows any malignant code to launch right away. Also make certain that your anti-virus package is integrated into your e-mail package...

Here is the info on that worm...

****

Microsoft Internet Explorer PNG Deflate Heap Corruption Vulnerability
Risk
High

Date Discovered
12-12-2002

Description

A heap corruption vulnerability has been reported for Microsoft Internet Explorer.

The vulnerability is related to the way that Microsoft Internet Explorer interprets PNG image data. The function that handles the deflation of PNG images does not properly handle some invalid data within PNG image files.

An attacker can exploit this vulnerability by tricking a user into viewing a maliciously constructed PNG image file. When the image file is rendered it will trigger the heap corruption condition and overwrite critical areas in memory. Any malicious attacker-supplied code will be executed with elevated privileges.

It should be noted that applications which depend on MSIE to render PNG files are also affected.
Platforms Affected
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Terminal Services
Microsoft Windows 2000 Terminal Services SP1
Microsoft Windows 2000 Terminal Services SP2
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98SE
Microsoft Windows ME
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP6a
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP6a

Components Affected
Microsoft Internet Explorer 5.0.1 SP2
Microsoft Internet Explorer 5.0.1 SP1
Microsoft Internet Explorer 5.0.1
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 5.5 SP1
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0

Recommendations
Run all client software as a non-privileged user with minimal access rights.
Browsing the web as a low-privileged user will limit the consequences of malicious code being executed.

Do not follow links provided by unknown or untrusted sources.
Be extremely careful when following links sent by unknown individuals. If possible, always ensure that any email that has been received is solicited before reading the contents.

This vulnerability has been resolved in MSIE 6.0 SP 1. Users are advised to obtain the latest version of MSIE.


Microsoft Internet Explorer 5.0.1 SP2:

Microsoft Patch q328970
http://www.microsoft.com/windows/ie/downloads/critical/q328970/default.asp

Microsoft Internet Explorer 5.0.1 SP1:
Microsoft Patch q328970
http://www.microsoft.com/windows/ie/downloads/critical/q328970/default.asp

Microsoft Internet Explorer 5.0.1:
Microsoft Patch q328970
http://www.microsoft.com/windows/ie/downloads/critical/q328970/default.asp

Microsoft Internet Explorer 5.5 SP2:
Microsoft Patch q328970
http://www.microsoft.com/windows/ie/downloads/critical/q328970/default.asp

Microsoft Internet Explorer 5.5 SP1:
Microsoft Patch q328970
http://www.microsoft.com/windows/ie/downloads/critical/q328970/default.asp

Microsoft Internet Explorer 5.5:
Microsoft Patch q328970
http://www.microsoft.com/windows/ie/downloads/critical/q328970/default.asp

Microsoft Internet Explorer 6.0:
Microsoft Patch ie6sp1
http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.asp
Microsoft Patch q328970
http://www.microsoft.com/windows/ie/downloads/critical/q328970/default.asp
References
Source: PNG (Portable Network Graphics) Deflate Heap Corruption Vulnerability
URL: msg://bugtraq/MKEAIJIPCGAHEFEJGDOCCEDMIBAA.marc@eeye.com

Source: Microsoft Security Bulletin MS02-066
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-066.asp

Credits
Vulnerability discovery credited to Eeye Digital Security.

*****

Freaking Microsoft - Optical Rectumitis!
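The advisory quoted above says the vulnerable deflate routine "does not properly handle some invalid data within PNG image files". The script below is an added illustration of the defensive side of that bug class; it is not from this thread, from Symantec's advisory or from any Microsoft code. It walks a PNG's chunks, verifies every CRC, derives the largest legitimate inflated size from the IHDR header, and refuses any IDAT stream that tries to produce more than that, instead of trusting the compressed data to stop on its own. All function names are my own, and the three sample images (one valid, one whose IDAT inflates far beyond what IHDR declares, one with a corrupted header byte) are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type (from the PNG specification).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


class PngError(ValueError):
    """Raised for any structural or size violation we refuse to decode."""


def parse_chunks(data):
    """Yield (type, payload) for each chunk after checking length and CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise PngError("bad PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if length > 0x7FFFFFFF or end + 4 > len(data):
            raise PngError("chunk %r length %d runs past end of file" % (ctype, length))
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) != crc:
            raise PngError("CRC mismatch in chunk %r" % ctype)
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            return
    raise PngError("missing or truncated IEND chunk")


def expected_raw_size(ihdr):
    """Largest legitimate inflated size: per scanline one filter byte plus
    ceil(width * samples * bit_depth / 8) bytes. Non-interlaced images only."""
    if len(ihdr) != 13:
        raise PngError("IHDR must be 13 bytes")
    width, height, depth, ctype, _comp, _filt, interlace = struct.unpack(">IIBBBBB", ihdr)
    if ctype not in CHANNELS or depth not in (1, 2, 4, 8, 16):
        raise PngError("unsupported colour type / bit depth")
    if interlace != 0:
        raise PngError("interlaced images need a per-pass bound; not handled here")
    row_bytes = (width * CHANNELS[ctype] * depth + 7) // 8
    return height * (1 + row_bytes)


def safe_inflate(png_bytes, hard_cap=64 * 1024 * 1024):
    """Inflate the IDAT stream, refusing output beyond the IHDR-derived bound."""
    chunks = list(parse_chunks(png_bytes))
    if not chunks or chunks[0][0] != b"IHDR":
        raise PngError("IHDR must be the first chunk")
    limit = expected_raw_size(chunks[0][1])
    if limit > hard_cap:
        raise PngError("declared image exceeds %d-byte cap" % hard_cap)
    inflater = zlib.decompressobj()
    out = bytearray()
    for ctype, payload in chunks:
        if ctype != b"IDAT":
            continue
        # max_length stops zlib emitting more than we allow per call; the +1
        # byte of slack is what exposes an over-long stream (and keeps
        # max_length from ever being 0, which zlib treats as "unlimited").
        out += inflater.decompress(payload, limit - len(out) + 1)
        if len(out) > limit:
            raise PngError("inflated data exceeds IHDR-declared size")
    out += inflater.flush()
    if len(out) != limit:
        raise PngError("inflated %d bytes, IHDR implies %d" % (len(out), limit))
    return bytes(out)


def _chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def build_png(width, height, scanlines):
    """Constructed 8-bit RGB, non-interlaced PNG around raw scanlines the caller
    supplies. Test-input helper only; it deliberately validates nothing."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b"")


def sample_images():
    """Constructed inputs: a valid 2x2 image, one whose IDAT inflates to 1 MiB
    while IHDR still claims 2x2, and one with a flipped byte inside IHDR."""
    row = b"\x00" + b"\xff\x00\x00" * 2          # filter byte + two red pixels
    good = build_png(2, 2, row * 2)
    oversize = build_png(2, 2, b"\x00" * (1 << 20))
    corrupted = bytearray(good)
    corrupted[16] ^= 0x01                        # first byte of the IHDR payload
    return {"good": good, "oversize": oversize, "corrupted": bytes(corrupted)}


def check(png_bytes):
    """Summarise the decision a guarded decoder makes for one file."""
    try:
        raw = safe_inflate(png_bytes)
    except (PngError, zlib.error) as exc:
        return "rejected: %s" % exc
    return "ok: %d bytes of scanline data" % len(raw)


if __name__ == "__main__":
    for name, png in sample_images().items():
        print("%-10s %s" % (name, check(png)))
```

The point of the bound is that a decoder's output buffer is sized from IHDR, so a stream that inflates past that size is exactly the input a heap-corrupting decoder would mishandle; refusing it up front means the compressed data never gets to decide how much memory is written. The interlace check is a deliberate limitation: Adam7 images need the bound computed per pass.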

mikecc
01-02-2003, 10:01 PM
I don't know why the system did not pick them out, but I have Norton do a system live update every night. I download all the latest versions.



Anyway, here are some results.
Mrmacey PM'd me with a different virus scan download called Trend Micro Housecall.
The virus scan picked up 2 viruses with no problem where Norton could not.
The virus names are
PE NIMDA.E
HTML IFRMEXP.GEN

I then went back to Norton and told it which to look for and had it scan and remove those areas.
I have completed the first virus removal and Norton deleted 2240 infected files and repaired 922 additional files.

I am about to do the rest I will let you know tomorrow.


Thanks for all the help

Megabyte
01-03-2003, 08:41 AM
2 very effective ways to avoid viruses.

1. Don't use Norton AntiVirus or McAfee

2. Don't use Outlook or Outlook Express.

These are the top two requirements virus writers look to use to spread their "new virus".

There are thousands of sites on the web that not only help people make viruses but also supply the kernel of the worm, virus or trojan horse. If only all that effort could be channeled into something good, it would be a much better world.

If you need any further help let me know.

jeffsod
01-03-2003, 09:32 AM
Megabyte,

Question on your advice. As a current user of both Norton and Outlook I have to ask what is the best alternative to Norton? I saw the Yahoo e-mail recommendation but what about virus protection? I have no attachment to continuing with Norton, but it has to be better than nothing at all, doesn't it? Our company used Trend Micro at one time but I'm not sure what they are using now as it's filtered at the server, not the PC level.

Thanks in advance!

Jeff

Megabyte
01-03-2003, 02:26 PM
For home use

Antivirus
We like Panda, PC-Cillin and TrendMicro. They all update automatically (when connected to the web).
We use SOPHOS Antivirus, but it comes only in 5 user packs or more. Most of our corporate clients use SOPHOS (www.sophos.com)

eMail
Eudora version 5.2 (www.eudora.com) has a free version where you'll get a few ads. But you can upgrade to eliminate ads.
We use Frontrange Goldmine for our email.

Stopping viruses is like a moving target. The minute you get hit, you move the target. The virus writer re-aims his virus and attacks again.

What you want are virus and email programs that are not in the center of the bullseye like MS Outlook and Norton. These are the most widely used programs, so they shoot for them. Big egos have big targets.

Nobody said it was fun, but you've got to protect yourself.

Hope this helps

RockLobsta
01-04-2003, 10:26 PM
2 very effective ways to avoid viruses.
1. Don't use Norton AntiVirus or McAfee

2. Don't use Outlook or Outlook Express.



M-Byte

I don't think that's a very fair statement. I'm not sure what you're basing this info on, but it seems like you've had some trouble with those two? Norton also updates automatically and Outlook does not open your attachments when you open the program. IMHO if you keep your defs up to date and practice some "safe" computing, you'll be just fine. I ask people when they call me for virus issues if they have an UPDATED AV program and they say "oh yea, it came with the computer". Well, you know they never updated their defs so it may as well be off. Not to say it's their fault; I think the sales folks should do a better job of stressing to people the importance of AV programs.
I have worked with many of the programs out there and found that overall they are very similar, and as long as you're up to date and manage your computer wisely, you'll be fine.

Sorry for rambling, but there are a lot of folks out there that use these programs, and to make a statement like that may scare them into thinking they should dump them right away or they'll end up with a virus. That's just not the case, IMO.

Megabyte
01-05-2003, 11:52 AM
RockLobsta,

I would agree with what you said about updating defs: when you ask "Have you updated your defs?" you know they haven't. I don't think people realize that means within the last 12-24 hours, as a new virus was just created. Many users with dialup internet connections tend not to do it as often as necessary.

Yes, you are right, we do have a lot of bad experience with this combination (Outlook/Norton) in the corporate world, where users may not be as diligent as they should be.

My only point was that a "virus writer" is going to target the biggest audience they can. The biggest audience is the combination of Outlook (because it's "free") and Norton or McAfee Antivirus.

This makes them the number one target.

No one ever wrote a virus to attack many of the other lesser known antivirus/email programs. There is no fame in that. By moving out of the center of the bullseye you can lessen your chances of being "inflicted".

Talk about rambling, I guess I win. sorry

"What man does, man can un-does"
IMHO