Web Hosting Talk

Strange PC Virus out there - be careful!


Dylan
11-18-2001, 10:37 PM
There is a blank email going around with a .txt attachment. The second you receive it and select the email to read it or delete it, the virus activates itself. You'll see the Windows Save Program automatically execute in the background. Yes, without opening the attachment it simply activates itself. So either way you are doomed, because like I said, trying to delete the virus will activate it.

Things you'll notice:

1. Your new messages become read.
2. If you create a directory within a Windows application, only that application can see the directory. You won't see it through other applications. DOS however picks it up.
3. If you FTP to a server, you won't see any files or folders on the remote server.

This above is only while the virus is active.

What the virus does: Attempts to email your Inbox emails to whomever it likes. Doesn't use the Address book emails.

A firewall will block the virus from performing its activities.

I manually found the virus and deleted it but it keeps on coming back. It will sleep for a while, i.e. a few hours, a couple of days, and then come back. It makes use of the temporary internet files and windows temporary directories. The virus files change their names all the time.

It also makes changes to your PC's configuration, i.e. when you start your computer, no matter how many times, it will say "updating configuration." Even though when checking your configuration files there is nothing new.

Why am I telling you all this??? I have tried 2 anti-virus programs to try and find the virus to get rid of it with no luck. Seems as though I'll have to reformat my PC, but I'm hoping that someone else has come across this virus and successfully got rid of it and can share how they did it.

Thanks :D

JayC
11-19-2001, 12:45 AM
Originally posted by Dylan
Yes, without opening the attachment it simply activates itself.

That probably means you haven't installed the patch to correct IE's "incorrect MIME header vulnerability," and your email program is either Outlook or some other app that's using Explorer as its viewer.

If that's the case, you're vulnerable to a lot of nastiness until you go here: http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp

Or, switch to a different email app or change the mail viewer settings.

Originally posted by Dylan
I manually found the virus and deleted it but it keeps on coming back.

What file(s) did you delete? Find anything in the registry? This would be helpful to anyone else who might get it, and to anyone who might be able to help you finalize your cleanup.

Dylan
11-19-2001, 10:32 PM
In the windows\temp directory there was a program called: mep*.tmp.exe

It called the files mep*.tmp (within the same directory) which contained the emails and bug it was attempting to email.

* represented by numbers and letters.

When it came back, I found it in the windows\system directory, this time named: load.exe

load.exe deletes itself after attempts to access the internet fail.
It also made use of *.tmp files which were located in the windows\temp directory.

I'm manually searching through the registry but haven't found anything yet.

Dylan
11-19-2001, 10:36 PM
...and thanks JayC :D


To IE 6 users, I don't know if it's been mentioned here on WHT yet, but a patch was released last week (12th Nov) for a cookie vulnerability.

El Nino
11-20-2001, 01:00 AM
Looks like you got Nimda (http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html) (link to Symantec) and they released a removal tool here (http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html). Good luck!

RoZey
11-20-2001, 02:30 AM
Originally posted by Dylan
Why am I telling you all this??? I have tried 2 anti-virus programs to try and find the virus to get rid of it with no luck.

Thanks :D

Try checking out this program.
Nod32... it is pretty good at finding the nasties when the others can't. www.nod32.com

Peace
RoZey

JayC
11-20-2001, 05:59 AM
Yep, as El Nino says the mep* files and load.exe are indicative of nimda. Even if you've already removed some of the affected files, you should run that removal tool or one from one of the other antivirus vendors.

The big risk is that nimda would have left you vulnerable to unauthorized access (because it opens network shares). That really could mean that any kind of changes could have been made to your system by an intruder, especially if you are on a dedicated internet connection or a LAN with multiple users. If that's the case, the only way to really be sure you're secure is to reinstall the operating system.
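The filenames the thread has settled on (mep*.tmp and mep*.tmp.exe under windows\temp, load.exe under windows\system) are the kind of indicators you want to sweep for before trusting a cleanup. The script below is an added example, not code from this thread or from any antivirus vendor: it walks a Windows directory for exactly those patterns, hashes each hit so you can compare against what the vendor tool reports, and builds a constructed sample tree so it runs offline. The patterns are only what the posts above describe, not a complete Nimda signature, and the sample file contents are made up; on a real machine point it at the actual Windows folder instead of the sample tree.

```python
"""Sweep a Windows folder for the filenames this thread associates with
Nimda.  Added example: the patterns come only from the posts above and
are not an authoritative or complete signature."""
import fnmatch
import hashlib
import os
import tempfile

# (subfolder under the Windows folder, filename pattern, why it is suspicious)
INDICATORS = [
    ("temp", "mep*.tmp.exe", "dropper named mep*.tmp.exe (Dylan's post)"),
    ("temp", "mep*.tmp", "spool file holding the mails it tries to send (Dylan's post)"),
    ("system", "load.exe", "second-stage copy named load.exe (Dylan's post)"),
]


def sha1_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_windows_dir(windows_dir):
    """Return a list of (path, reason, sha1) for files matching INDICATORS.
    Names are lower-cased before matching because Win9x filesystems are
    case-insensitive; folders that do not exist are simply skipped."""
    hits = []
    for subdir, pattern, reason in INDICATORS:
        folder = os.path.join(windows_dir, subdir)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            full = os.path.join(folder, name)
            if os.path.isfile(full) and fnmatch.fnmatch(name.lower(), pattern):
                hits.append((full, reason, sha1_of(full)))
    return hits


def build_sample_tree():
    """Constructed stand-in for an infected C:\\WINDOWS (file contents are
    made up, not real malware).  Returns the path of the 'windows' folder."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    windows = os.path.join(root, "windows")
    files = {
        os.path.join("temp", "mep1A2B.tmp.exe"): b"MZ" + b"\x00" * 62,
        os.path.join("temp", "mep1A2B.tmp"): b"From: victim@example.com\r\n",
        os.path.join("temp", "~df3c1.tmp"): b"unrelated scratch file",
        os.path.join("system", "load.exe"): b"MZ" + b"\x00" * 62,
        os.path.join("system", "kernel32.dll"): b"MZ legitimate library",
    }
    for rel, data in files.items():
        full = os.path.join(windows, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return windows


if __name__ == "__main__":
    # On a real machine replace build_sample_tree() with the Windows folder,
    # for example r"C:\WINDOWS" (assumed default location).
    windows_dir = build_sample_tree()
    for path, reason, digest in scan_windows_dir(windows_dir):
        print(f"{digest}  {path}")
        print(f"    {reason}")
```

A sweep like this only tells you whether the known filenames are present; it does not cover the network shares JayC mentions, and a clean result does not rule out an intruder having used those shares, which is why the reinstall advice above still stands.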

Dylan
11-21-2001, 04:44 AM
ThanX everybody for your help!

I had Nimda E + A, and got rid of both :)
I used the Symantec tools.


RoZey, I'm downloading Nod32 now to see if I've got any other happy campers in my PC.