Security Incidents mailing list archives

Re: While we're on viruses...


From: AM7 () OPERAMAIL COM (Mohammed Al-Shehri)
Date: Sat, 20 May 2000 05:52:11 -0400


First, click Start, and go to Run. In the box, type regedit and click OK.
When regedit starts, you will see a file-like tree on the left hand panel.
Open the folders to follow the path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
At the end, click on 'Run' once, and the right hand panel should change.
On the right hand side of Regedit, look for the item titled
Loader = "c:\windows\system\***"
The *** will be a random .exe name. Write this down as it is the sub7 server!
Right click on that line only and choose delete.
Last, open the folders to follow the path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
At the end, click on 'RunServices' once, and the right hand panel should
change.
On the right hand side of Regedit, again look for the item titled the same as
above.
Right click on that line only and choose delete. Close regedit and reboot your
PC.

Close RegEdit and use Windows Explorer to open the file c:\windows\win.ini

Near the top you will see a line starting with run=
If you see a path pointing to the sub7 server here as well, delete it so the
line only reads run=
Save and close the win.ini file, then open your system.ini (also in the
c:\windows directory)

Look for a line starting with Shell=explorer.exe
If the Sub7 server name is after this, remove that file name so the line reads
exactly shell=explorer.exe
Save and close system.ini.

Restart your computer to remove Sub7 from memory.
Once your computer starts back up, open your C:\windows\system\ directory and
find the random file from the above steps.
Right-click this file and choose Delete. Then empty your recycle bin.

Anyway ... did you try the AVP anti-virus???

                     AM7+
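The manual walk through Run, RunServices, win.ini and system.ini above maps onto a script-driven check. The following is an added example, not code from either poster: a PowerShell audit that enumerates the same autostart locations the post names and flags a value called Loader (the name given in the post) or one pointing into a \system\ directory. It assumes a PowerShell-capable Windows host with the .ini files under %SystemRoot% as on Windows 9x; the -Remove switch and the "Loader" default are my choices for illustration, not something the post specifies.

```powershell
# Added example (not from the original post): audit the autostart locations
# listed in the thread for a SubSeven-style "Loader" entry.
# Assumptions (mine): $env:SystemRoot is the Windows directory and holds
# win.ini / system.ini as on Windows 9x; -Remove is a hypothetical switch that
# deletes flagged registry values after they have been displayed and recorded.
param(
    [switch]$Remove,
    [string]$ValueName = 'Loader'   # value name quoted in the post
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }      # RunServices does not exist on NT-based Windows
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip PowerShell's own PSPath/PSParentPath metadata
        $value = ([string]$p.Value).Trim('"')
        # Flag the exact name from the post, or any executable living in a \system\ directory
        $suspicious = ($p.Name -ieq $ValueName) -or ($value -match '(?i)\\system\\[^\\]+\.exe')
        $mark = if ($suspicious) { '!!' } else { '  ' }
        Write-Host ("{0} {1}  {2} = {3}" -f $mark, $key, $p.Name, $value)
        if ($suspicious) {
            $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Value = $value }
        }
    }
}

# win.ini: per the post, a clean [windows] section has "run=" with nothing after it.
$winIni = Join-Path $env:SystemRoot 'win.ini'
if (Test-Path $winIni) {
    foreach ($line in Get-Content $winIni) {
        if ($line -match '^\s*run\s*=\s*(.+)$') {
            Write-Host ("!! {0}: run= is not empty -> {1}" -f $winIni, $Matches[1])
            $findings += [pscustomobject]@{ Location = $winIni; Name = 'run'; Value = $Matches[1] }
        }
    }
}

# system.ini: per the post, the [boot] section should read exactly "shell=explorer.exe".
$systemIni = Join-Path $env:SystemRoot 'system.ini'
if (Test-Path $systemIni) {
    foreach ($line in Get-Content $systemIni) {
        if ($line -match '^\s*shell\s*=\s*(.+)$' -and $Matches[1].Trim() -ine 'explorer.exe') {
            Write-Host ("!! {0}: shell= has extra content -> {1}" -f $systemIni, $Matches[1])
            $findings += [pscustomobject]@{ Location = $systemIni; Name = 'shell'; Value = $Matches[1] }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Loader-style autostart entries found.'
    return
}

Write-Host "`nWrite these down before cleaning; the referenced .exe is the server file to delete after reboot:"
$findings | Format-Table -AutoSize

if ($Remove) {
    # Only registry values are removed here; .ini edits and the file deletion
    # after reboot are left as manual steps, matching the order in the post.
    foreach ($f in $findings | Where-Object { $_.Location -like 'HK*' }) {
        Remove-ItemProperty -Path $f.Location -Name $f.Name -ErrorAction Stop
        Write-Host ("removed {0}\{1}" -f $f.Location, $f.Name)
    }
}
```

Run it once without -Remove to record what it finds, since the value's target path is the only pointer to the server executable, then reboot before deleting the file, as the post says, so the process is no longer holding it open.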

From: Keith McCammon <kmccammon () TIDALWAVE NET>
Subject: While we're on viruses...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all,

A co-worker came in today and his home PC found "Subseven 22", which
can only be the 2.2 beta release.  Norton 2000 could not "clean" the
virus, but it did delete the infected file.  However, with previous
versions of SubSeven, the registry changes had to be made before the
file was deleted.

Anyone know anything about the latest release of this fine virus?  In
particular I'm looking for the latest registry fixes and such for
total eradication.

Many thanks...

Keith W. McCammon
Network Administrator
Quantum Communications, Inc.

