Need some virus help



JWTAYLOR
11-06-2001, 06:44 PM
I think one of my clients has a weird virus. People started calling him saying that they couldn't open the attachment he sent them, and he said he didn't send them anything. He calls me and tells me that, and a big alarm goes off in my head.

The subject line is "S. copyright laws as unpublished".

There is some text, and then an attachment titled "confidential.bat"

Open it up and Windows tells you that it won't open.

Lots of people have received it from him. He has Norton Antivirus, and his computer updates the virus definitions and runs a virus scan every morning. I ran them both again, and it says there is no virus on his computer. Moreover, I can't find it anywhere on the web.

Any help from you lords of techdom?

JWT

If you pr!ck us, do we not bleed? If you poison us, do we not die? And if you wrong us, shall we not revenge? If we are like you in the rest, we will resemble you in that the villany you teach me, I will execute, and it shall go hard but I will better the instruction. MOV

GunnedDownAtrocity
11-06-2001, 06:45 PM
format c:

where's my beer?

Jaguar Wong
11-06-2001, 06:52 PM
Don't open emails with attachments. But I guess my wisdom arrived too late :o

Jaguar Wong

"If you learn to balance a tack hammer on your head
then you learn to head up a balanced attack!"
- The Sphinx

GunnedDownAtrocity
11-06-2001, 06:58 PM
in all seriousness the only thing you can do is keep him off the network while you research the possible virus. if you can find info on it you may be able to do something other than format. if it was sent to people without him actually doing so then i would venture to say he's got a virus that norton cannot detect. especially with a bat extension.

i don't know very much at all about viruses, but when you get one that cannot even be found to be repaired the only thing you can do is wipe the machine.

here is a link to another utility that is offered via the web. i don't trust it as much as norton, but it has been known in the past to find viruses norton missed.

http://housecall.antivirus.com/ ... hit scan without registering

where's my beer?

phipsi229
11-06-2001, 06:59 PM
This depends on what version of Outlook you are running. An executable (a program that runs - .exe, .bat, .vbs, .wsh and 10 or 12 others) attachment to an email will not be opened if your client has Outlook 2000 SR2, has applied the security update for Outlook 98, and I believe Outlook XP as well. You could probably save the attachment to a disk, RIGHT CLICK on it and choose edit to see what the batch file does if you are curious. It may not be a virus but Outlook is attempting to be safe and not opening the program.

If the email body text (not the attachment) does not make sense, or is leaking a white powder, then just delete the email as it is probably a virus or a bacteria. If you want you can also do a check at http://www.symantec.com or http://www.mcafee.com for any new virus alerts.

Hope that helps

"Lord, what fools these mortals be."

SevenStar
11-06-2001, 07:04 PM
Have your client do a search for SirC32.exe. This sounds like it could be a variation of the SirCam Worm. Just as GDA said though, the safest thing would be to format it.

"Just because I joke around sometimes doesn't mean I'm serious about kung-fu." - nightair

wu_de36
11-06-2001, 07:05 PM
i second that... open the .bat file in notepad and see what it's doing.

not many viruses written as a .bat file. At least not by people over 14 :)

phipsi229
11-06-2001, 07:07 PM
http://securityresponse.symantec.com/avcenter/venc/data/w32.magistr.39921@mm.html

Virus (what is the plural - viruses, virii?) can now randomly generate subject lines and attachment names, so check the signs of infection and make sure the virus definitions are up to date. Shifty little buggers, aren't they?

"Lord, what fools these mortals be."

Johnny Hot Shot
11-06-2001, 07:08 PM
Trend house call good one.

"Life's a great Adventure, Mate"
Jacko Jackson

SevenStar
11-06-2001, 07:08 PM
I too am curious as to what the bat file is doing


"Just because I joke around sometimes doesn't mean I'm serious about kung-fu." - nightair

BambooStick
11-06-2001, 07:13 PM
You need to isolate the station. And you will probably end up having to do a restore.

You can check the task manager to see if there are any crazy apps running, but that will only work if it is a sloppy virus.

phipsi229
11-06-2001, 07:30 PM
If the emails were sent automatically then it is probably a worm. Most worms include trojans that are launched at startup or the worm is launched again. Checking this is a little more technical, but you should be able to do it.

Do a search for system.ini - it is usually in the windows or winnt folder - and edit it. Depending on the OS it could have a [BOOT] section which will include a shell= line. This should only say explorer.exe and not include some other crap so delete it if it is there.

Go to Start - Run and type regedit. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion and you should have several Run keys - Run, RunOnce, RunOnceEx. The programs listed in these keys and values run at startup and most are fairly common, however one could be a trojan and is usually identified by its weird name. Not very scientific, but the best I can do. Delete that value - not the entire Run key - and the program will not load again at startup. However, if you edit the registry and mess up you can crash the computer and have to rebuild it.

"Lord, what fools these mortals be."
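
An added example, not from the thread, that performs the two checks the post above describes offline: it reads the [BOOT] shell= line from a copied system.ini and the Run/RunOnce/RunOnceEx values from a `reg export` dump, and flags anything beyond explorer.exe or outside an allow-list. The sample system.ini, registry dump and the KNOWN_RUN_VALUES allow-list are constructed/hypothetical.

```python
import re
# Constructed system.ini sample: extra program appended to shell= after explorer.exe.
SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\confidential.bat
"""
# Constructed sample in the format `reg export` writes for the Run keys.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"xjq2k"="C:\\WINDOWS\\SYSTEM\\xjq2k.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"""
KNOWN_RUN_VALUES = {"systemtray"}  # hypothetical allow-list for this machine

def check_shell_line(ini_text):
    """Return extra tokens on the [boot] shell= line; an empty list means clean."""
    in_boot = False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_boot = s.lower() == "[boot]"
            continue
        if in_boot and s.lower().startswith("shell="):
            tokens = s[len("shell="):].split()
            return [t for t in tokens if t.lower() != "explorer.exe"]
    return []

def parse_run_keys(reg_text):
    """Map each Run, RunOnce or RunOnceEx key path to its {value_name: data}."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        s = line.strip()
        key = re.match(r"^\[(.+)\]$", s)
        if key:  # track only the Run* keys the post names
            path = key.group(1)
            current = path if re.search(r"\\Run(Once(Ex)?)?$", path, re.I) else None
            if current is not None:
                keys[current] = {}
            continue
        val = re.match(r'^"([^"]+)"="(.*)"$', s)
        if val and current is not None:  # undo .reg backslash doubling
            keys[current][val.group(1)] = val.group(2).replace("\\\\", "\\")
    return keys

def unknown_run_entries(reg_text, allow=KNOWN_RUN_VALUES):
    """Return (key, value_name, data) for startup entries not on the allow-list."""
    return [(k, n, d) for k, vals in parse_run_keys(reg_text).items()
            for n, d in vals.items() if n.lower() not in allow]
```

Anything returned by either function is a candidate for the manual review the post describes, not proof of infection; legitimate software also registers itself in the Run keys.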

JWTAYLOR
11-06-2001, 07:49 PM
I've checked, it's sending out different things to different people. I've edited the boot line, but I'm still pretty nervous. Housecall, Norton, and McAfee all say there is nothing wrong.

JWT

If you pr!ck us, do we not bleed? If you poison us, do we not die? And if you wrong us, shall we not revenge? If we are like you in the rest, we will resemble you in that the villany you teach me, I will execute, and it shall go hard but I will better the instruction. MOV

phipsi229
11-06-2001, 08:59 PM
Once you have edited the boot line the virus will not launch at startup, but it is probably still running. If you remember the name of the program, launch the task manager and end that task or process (again, this depends on what version of Windows you are running).

This is probably a new virus and the AV programs cannot detect it yet. Perhaps later today or tomorrow, but it is too late by then. Such is the nature of antivirus software. This virus has probably infected some other files and the new virus definitions will likely spot these. You will probably not be able to clean them and they will have to be deleted. I hope those files were nothing important and your client has good backups, but that is never the case.

Did you ever edit the .bat file and see what it did?

"Lord, what fools these mortals be."

kungfuyou
11-07-2001, 12:12 AM
Claymoore is correct. It is most likely a worm or trojan. These can only be started by executing them in a .com, .bat, or .exe extension. Once you double clicked on the file it became active. It probably is a brand new virus and that's why none of the AVs are picking it up.
Go here and submit it and have it looked at:

http://service2.symantec.com/SUPPORT/nav.nsf/docid/1999052109284606

Good luck.