Stration or Warezov email worms

[wazza]

Hey there

Please read the following article by CBL.

Does anyone know how to het rid of this virus.
NB: I dont want to submit a HIJack this Log or use it for that matter.
I have mulitple machines that could be infected with this virus.

Article:

Commencing approximately October 22nd, 2006, a large new "bot army" has been detected sending alarming numbers of pump&dump and pharmaceutical spam. Many ISPs are reporting 20-30% increases (and some much larger increases) in spam in a matter of days. Some ISPs appear to be struggling with this load increase, and progressively worsening service disruptions are expected with some ISPs who have difficulty coping with the load.

The CBL is presently tracking almost 300,000 hacked machines sending this junk.

It is believed that these are due to infections by the Stration or Warezov email worms. One or both of which appear to the recipient as an email from their email provider, telling them they have a virus and have to open a contained zip file to "fix the virus". But opening the zip file causes the virus to infect them. One common subject line is "Mail Server Report", another is "hello" with body: "Mail transaction failed. Partial message is available".

If you have become listed, perhaps for the first time, after this time (see the lookup link above), particularly if you recognize the above subject lines and clicked on a zip file link, chances are that you are infected with Stration/Warezov virus, and you must take immediate steps to eradicate it, ensuring that you have the latest possible anti-virus program updates.

 

[N3051M]

Well, do you have an active firewall?
As it states, having the most up to date AV definition files available helps, but also having a second opinion like an online AV scanner like Trendmicro's Housecall can pick up bits and pieces that your AV would otherwise miss.

Have a read through some of our stickies in the main page of the Security and Web forum (namely "Before you post a HJT" and "Trojan Pakes.. Preliminary removal instructions") and following them will ensure that they're as cleaned up as you can get it.

The reason why we ask for some HJT log is because there are some experts here that knows the ins and outs of how it works and can tell you what to fix and what to leave, ensuring everything is caught. You don't really need to use it, its just used to tie up loose ends and thats all..
Although you can learn how to read them and find out yourself using sites like www.hijackthis.de then just google the file names/keys that are flagged. Though make sure that you've put the program in its own folder so it will create those backups for you in case you've deleted something.

I think the main thing that you have to worry about with multiple PCs on a network is if the virus is self replicating to isolate them if you can.. then just a simple cleanup of the pc's.. temp files, mail inbox/folders (permanently delete bad emails) etc.

i've also noticed the increase of these spams and its getting that annoying that i've started to use two to three filters just to auto delete them on reception..

 

[wazza]

Hey N3051M

Thanks for the help.

I have a Cisco firewall. I am currently asking my clients to run Trend online Virsus scanner.

 

[howard_hopkinso]

Following the instructions in this thread HERE will undoubtabedly get rid of lots of different infections. However, without seeing a HJT log and an AVG antispyware log after the instructions have been completed, it`s impossible to tell whether the system is clean or not.

The whole point of HJT, is it`s capable of showing infections that have not been cleaned via traditional methods and can be used in addition to other techniques to get rid of those infections. It is in my opinion one of the best diagnostic tools available.

Regards Howard

 

[wazza]

Thanks Ill get back to you