Abs.Net web Page


Bad News From imissyou@btamail.cn.net

Posted by absnet on 31 January 2009


One of my computers just got the eml virus. This virus creates a readme.eml in every folder, with imissyou@btamail.cn.net in its body. I googled it and found its name: the W32.Chir.B mass-mailing worm, Redlof, or whatever (the name isn't that important, is it?). It spreads through email attachments and infects *.html, *.htm and *.exe files. The hidden file here is runouce.exe.

Actually, this is a very old virus; it was found back in 2002. You can suspend this file from running using Process Explorer, but once you find a *.eml in one of your folders, THIS IS A RED ALERT. Why?

This is what I found on my computer!

What does that mean?

It means that the virus wrapped itself into our application *.exe files to make sure it gets loaded into memory. Almost all my applications were embedded with this virus. Besides, it creates 2 files in the Windows directory:

In my case it created services.exe in c:\windows and runouce.exe in c:\windows\system32. When I deleted these (of course after suspending the service in memory and deleting the registry key), I found that my computer kept restarting after logging on.
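A small sweep for the two file-level indicators described above (a readme.eml carrying the sender address, and a dropped runouce.exe), added here as an example and not part of the original post. It assumes the literal address the post gives, uses a constructed sample tree, and only reports paths; it deletes nothing.

```python
"""Sweep a directory tree for the file-level indicators this post describes:
a readme.eml in many folders whose body contains the worm's sender address,
and a dropped runouce.exe. Constructed example; it reports and never deletes."""
import os
import tempfile

# Indicators taken from the post. The address is matched case-insensitively
# in the .eml body; the executable name is matched against file names.
EML_NAME = "readme.eml"
SENDER_MARKER = b"imissyou@btamail.cn.net"
DROPPED_EXE = "runouce.exe"

def scan_tree(root):
    """Return {'eml': [...], 'exe': [...]} with paths of matching files under root."""
    hits = {"eml": [], "exe": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == DROPPED_EXE:
                hits["exe"].append(path)
            elif lower == EML_NAME:
                try:
                    with open(path, "rb") as fh:
                        body = fh.read(1 << 20)  # first 1 MiB covers the mail header
                except OSError:
                    continue
                if SENDER_MARKER in body.lower():
                    hits["eml"].append(path)
    return hits

def build_sample_tree():
    """Constructed tree: two folders with the worm-style readme.eml, one clean."""
    root = tempfile.mkdtemp(prefix="chir_demo_")
    for folder, infected in (("docs", True), ("photos", True), ("clean", False)):
        d = os.path.join(root, folder)
        os.makedirs(d)
        with open(os.path.join(d, "readme.eml"), "wb") as fh:
            fh.write(b"From: imissyou@btamail.cn.net\r\n\r\nhello\r\n" if infected
                     else b"From: colleague@example.com\r\n\r\nmeeting notes\r\n")
    with open(os.path.join(root, "runouce.exe"), "wb") as fh:
        fh.write(b"placeholder bytes, not a real binary")  # constructed, harmless
    return root

if __name__ == "__main__":
    found = scan_tree(build_sample_tree())
    print(f"{len(found['eml'])} worm-style readme.eml file(s), {len(found['exe'])} dropped exe")
```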

Well, can we just suspend it?

Maybe, but my first trial failed.

What's another way to remove this shit?

I tried BitDefender for the task. It was actually able to clear the threat, but then my exe files didn't work. I had to reinstall Windows. A BAD NEWS!

How about manually deleting each infected file, like you describe in http://pascaltutorial.50webs.com/hentikanVirus_di_Memori.htm?

I'm not sure, because if you remove the embedded virus from your exe file without special attention to the file handle, the result is just a rubbish exe; it won't work. Unlike Deudel-x, this virus embeds itself into the file as a resource. In short, it's not a simple one. BitDefender has proven unable to do it.

What do you suggest?

Try this first.

  • Download the bundle here
  • Run Antiredlof
  • Install Total Commander to delete your .htt files and the infected files that Antiredlof could not delete
  • Restart your computer
  • Depending on your system's update state, update your Windows security (you need to be connected to the net). The link is here

Notes:

  1. DON'T FORGET TO INSTALL AN ANTIVIRUS AFTER CLEANING. It's impossible, even for me, to check every HTML file on my flash disk to find a single virus!
  2. Kill your SYSTEM RESTORE, because it's now useless and eats your resources. To kill it, go to Start, right-click My Computer and choose Properties. On the System Restore tab, check "Turn off System Restore", then click Apply and OK.
  3. Set your scanner to always stay resident. What else can I say?
  4. Update your antivirus regularly
  5. Image your C: drive using a drive image manager and save it to CD
  6. Use BartPE for known viruses
