Happy New Year Worm


Micron
11-01-2007, 09:01 AM
Experts are warning of a new e-mail worm arriving in in-boxes with the subject "Happy New Year!".

The message, currently being spread from 160 e-mail domains, requires users to click on the attached "postcard.exe" file in order to cause damage. The file will install several different malicious code variants, including Tibs, Nwar, Banwarum and Glowa, on the computer. It then executes mass mailings from the infected computer.

Anyone running the attached executable would find themselves infected with the Spammer.EN Trojan. The malware then sets out to harvest any e-mail addresses it finds on the system to send out stock manipulation e-mails via specific servers the software is able to connect to. Infection appears to pose no direct risk to a user’s PC.

The worm is already being heavily spammed, VeriSign said. The security company has found one network that is sending out five e-mails per second with the worm.

While the worm requires user interaction to do harm, VeriSign believes that it has the potential to do damage because of the "Happy New Year!" subject line. The company is warning e-mail users to be wary before clicking on messages that they think may be legitimate happy new year messages from friends.

As of Thursday, multiple large networks have reported interceptions of the e-mail, VeriSign said. While the postcard.exe attachment has the same name as an attack spread earlier this month, this is a new and largely undetected threat, the company said.

Removal

Run your Virus Program. This should get rid of the trojan. Make sure your Virus Program and Anti-Spyware Definitions are up-to-date.

IMPORTANT: Remember that you should only follow these steps after disinfecting the computer. These steps alone will not deactivate malware.

Sometimes, on computers with Windows XP, even after viruses and other threats have been eliminated, the antivirus may detect them again and again in the _restore folder without being able to eliminate them.

Although malware is detected in this folder after disinfecting the computer, it does not mean that the computer is still infected. This situation, created by a particular characteristic of Windows XP, is not dangerous at all, although it may worry some users who are not familiar with the use of the _restore folder.

Windows XP offers the possibility of restoring the system automatically, recovering eliminated files or the system settings accidentally modified.

For that reason, Windows XP keeps all the eliminated or modified elements inside its hidden directory, called _restore, which is protected so that its contents can’t be manipulated by anybody or anything.

This feature, although sometimes advantageous, may cause the following conflict: when the antivirus performs a scan, it will detect the infected and the erased files which Windows XP stores in the _restore folder.

That is why when a new scan is performed, the antivirus will detect again the infected file in the _restore folder but it won’t be able to eliminate it because the file is protected by the operating system and is out of its reach.

How to eliminate viruses and other threats completely from the restore folder:

1. Log on as the Administrator or with the details of the user that has administrator rights.
2. Click with the right button of the mouse on My Computer.
3. Select Properties.
4. Click System Restore.
5. Check the Turn off System Restore or Turn off System Restore on all drives checkbox.
6. Click Apply and then OK.

How to reactivate System Restore option:

1. Click with the right button of the mouse on My Computer.
2. Select Properties.
3. Click System Restore.
4. Disable the Turn off System Restore or Turn off System Restore on all drives checkbox.
5. Click Apply and then OK.

After completing these steps, carry out a full scan of your computer using the antivirus program in order to ensure that it is correctly disinfected.
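
A mail-side check for the message described in this post, as an added example that is not part of the original post: it quarantines any message carrying an executable attachment (a generalization beyond the single "postcard.exe" name) and sends a bare "Happy New Year!" subject to review. The extension list, the verdict names and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed list of extensions Windows runs directly; the post names "postcard.exe".
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Subject line reported in the post, lower-cased for comparison.
WORM_SUBJECT = "happy new year!"

def executable_attachments(msg):
    """Return filenames of attachments whose final extension is executable."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so strip them first.
        cleaned = name.rstrip(". ")
        # Only the last extension counts: "card.jpg.exe" still runs as .exe.
        dot = cleaned.rfind(".")
        ext = cleaned[dot:].lower() if dot != -1 else ""
        if ext in EXECUTABLE_EXTS:
            hits.append(name)
    return hits

def triage(raw_bytes):
    """Classify one raw message as 'quarantine', 'review' or 'deliver'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    if executable_attachments(msg):
        return "quarantine"   # executable attachment, whatever the subject
    if subject == WORM_SUBJECT:
        return "review"       # matching subject but nothing executable
    return "deliver"

def build_sample(subject, filename=None):
    """Construct a test message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Greetings!")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, att in [("Happy New Year!", "postcard.exe"), ("Lunch?", "notes.txt")]:
        print(subj, att, "->", triage(build_sample(subj, att)))
```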