This version's quite a pain in the a$$ to remove. I've only had to deal with one backdoor virus on my computer before, but this one slipped past Norton (though I admit the definitions are a little out of date). Basically, it adds a few registry entries claiming to be "RunDLL32" while not actually being the completely benign MS program. It also generates a couple new executables, two in the Windows\System folder along with two DLLs. The trickiest thing is that even if you delete all of those files, it regenerates itself the next time you boot up because it creates a modified version of explorer.exe and places it directly in c:\. It adds itself to the boot section of win.ini, and if you remove that line and remove the offending explorer.exe file (NOT the one in c:\windows!!!), and all the registry references and files in c:\windows\system... you should be ok. It constantly generates new files with weird names in c:\windows as long as it runs, containing the email addresses to which it sends all of the passwords stored locally on your computer. (MSIE passwords, ICQ, AIM, etc.) Change all of your passwords and remove all references and files and you should be ok. Best of luck to the rest of you victims out there.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/171/4967#4967