Gnutella Forums
Page 2 of 4 1 2 34
Show 50 post(s) from this thread on one page

Gnutella Forums (https://www.gnutellaforums.com/)
-   General Windows Support (https://www.gnutellaforums.com/general-windows-support/)
-   -   files from limewire converted into zip files (https://www.gnutellaforums.com/general-windows-support/67151-files-limewire-converted-into-zip-files.html)

wondering why February 16th, 2007 01:01 PM
Good info Mick...:idea:

birdy February 16th, 2007 02:09 PM
AFAIK, just from having a look on Google, that worm dates back to 2002-2003. Unless there's a new variety of it around now?

mickjapa108 February 17th, 2007 04:44 AM
Hi Everyone
Yes This is an old worm, But looking at its behavour there were similaraties
So my thinking was It could have been modified.
Hey Birdy, 4 hours of searching & this is the only thing so far that I found that was even remotly similar.
After going through the list of file names that had been posted I realised that
we have most of them present, Here on the network.
Im not a teki so if anyone can sujest other places to look, I will do some donky work sniffin around.

why dont L/W just limmit the file extentions you can share in tools/options/sharing,Extensions. If the defult setting (beginers) ticked auto at setup only had audio,vidio,pic,doc. then an advanced tab for, fools & experts, we would not have half the crap in search. Because the newbies
could not auto share exe rar zip an other crap. If I gave a small child a motor
bike n said ride it, without checking how n if they could you would call me
recless, well I beileve P2P also needs stablizers for most of the new guys at the first.

P.S.. sorry off topic.....But is'nt that easly possable.
Peace.

birdy February 17th, 2007 04:59 PM
Have a look here, at posts #8 & #9
http://www.gnutellaforums.com/showth...754#post255754

When you do a search for xzxzxzxzxzxz.exe....
http://www.bitdefender.com/VIRUS-100...B.Ymeak.A.html

http://www.bleepingcomputer.com/forums/topic45260.html

http://forums.techguy.org/windows-nt...indows-xp.html
(check out post #4 of the above...they're telling people to use BFU, same as is used for the LW always popping up worm)

http://forums.spywareinfo.com/lofive...hp/t72978.html
(also mentions BFU)

When you do a search for q7q7q7q7q7q7q7q7xx.zip
http://forums.spywareinfo.com/index.php?showtopic=93859

I know nothing about cleaning up this sort of thing...I don't see how running BFU could hurt but I don't know if it's going to fix the whole thing either. KillBox is mentioned a couple of times also, but I've never heard of that one. We could get people to run BFU & if that doesn't fix the prob, then send them on to one of the help sites?
Or one of the gurus might have some more info & suggestions? Atm, people are just refusing to believe they're infected at all...if their AV doesn't pick anything up then they're convinced things are ok.

What do you guys think?
:virusalert:

muhctekdano February 17th, 2007 08:06 PM
Good info Birdy! :xirokrotima:

The people in those spyware forums really seem to know their stuff! At least now everyone that is having this problem has somewhere to go...in the thread that I was most impressed by (the last one), the expert had the person download 5 or 6 programs to eliminate all of the malware! This just goes to show how evasive some of these nasty files can be. No program is guaranteed to get rid of all malware. It can be quite a battle, and that's why we try our best to avoid it in the first place! Of course, a few people must take one for the team, so to speak, whenever something new like this pops up. Good luck to everyone that is suffering through this.

Dano

mickjapa108 February 18th, 2007 05:08 AM
Hi every one
This is expansion of 2nd Link that Birdy Gave, Users can check if they have any of these files n folders present on there computer
By copying the names EXACTLY to Notepad, then Boot in safe mode.

Note: In file options, you must enable SHOW hidden files.
Before Boot in safe mode

Then Go, Start/Search n enter exact file names. If found please make short
posts in this thread ONLY, No life history:D just list of file names & anything
related directly. We appreciate you help, Thank you.

Win32.Worm.VB.Ymeak.A
Spreading: MEDIUM
Damage: MEDIUM
Size: 236,136
Discovered: 2006 Mar 02

SYMPTOMS:

Presence of the following files:

%windir%\b.exe (usually C:\Windows\b.exe), 155,648 bytes
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe, 236,136 bytes
The file xzxzxzxzxzxz.exe (236,136 bytes) may appear in a subdirectory called "_" (underscore)
in the shared folders of peer-to-peer file sharing applications.
TECHNICAL DESCRIPTION:
This is a worm that spreads itself via peer-to-peer file sharing networks,
dropping a backdoor identified by BitDefender as Backdoor.RBot.CMQ. It has a file size of 236,136 bytes.

The first time it is run, it displays the following message to make the user believe it is a setup file downloaded with errors:

After displaying the message, it copies itself to the All Users' startup folder
(usually C:\Documents and Settings\All Users\Start Menu\Programs\Startup\)
as svchost.exe, and launches itself from that new location.
The original instance ends its execution at this point.

When launched from the afore mentioned (Startup) folder, it checks if the %system%
(usually C:\Windows\System32) folder contains any of the following files:
winlog.exe, p2pnetworking.exe, scvhost.exe, winlogi.exe or p2pnetwork.exe.
These are all file names used by the RBot trojan. If it can't find any of them,
it assumes the RBot trojan is not present so it dropps it into the Windows folder as b.exe and runs it.

To spread itself, it collects random application names from certain torrent and direct download sites.
It then places itself in the shared folder of five common P2P file sharing software (listed below)
using the previousely collected names, in a subfolder called "_" (underscore).
At regular intervals it looks for the executable files of the file sharing programs
Limewire, Shareaza, Bearshare, Morpheus and Morpheus Ultra and launches them.

To protect itself from being discovered, it opens the following files (requesting exclusive access):
cmd.exe, netstat.exe, tracert.exe, ping.exe, ipconfig.exe, taskkill.exe, regedt32.exe
and taskmgr.exe from the %system% folder and regedit.exe from the %windir% folder.
It keeps them open while it is active, so they can not be executed.
Removal instructions:

Please let BitDefender disinfect your files.
ANALYZED BY:

Vlad Ioan Topan, BitDefender Virus Researcher

wondering why February 18th, 2007 03:42 PM
Excellent research Birdy...I'm Bookmarking this page...:idea:

wondering why February 18th, 2007 03:50 PM
I asked about this over at the Beta forums the other day and Aaron has replied with this...
http://www.limewire.org/forum/showpo...16&postcount=2

stumpymacde18 February 26th, 2007 05:04 AM
HELP
 
I have had the same thing happen to me, very scary as i have lost a huge amount of files can anyone help ? all the .mp3 files have been converted into .zip files and if you try opening or playin them they are just setup files, anyway to save these files ? really need to, and 'quotejnr' did u find out how to do this?

aac February 28th, 2007 05:49 PM
Hi, its a worm called delf.atb . here is a link to free virus software that can find and remove it.

http://free.grisoft.com/doc/5390/lng/us/tpl/v5


All times are GMT -7. The time now is 06:44 PM.
Page 2 of 4 1 2 34
Show 50 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
SEO by vBSEO 3.6.0 ©2011, Crawlability, Inc.

Copyright © 2020 Gnutella Forums.
All Rights Reserved.