
GLB1A2B.EXE virus


Brigid

Mar 18, 2002, 9:56:11 PM
Does anybody know anything about this bloody thing? It does all sorts of
weird stuff similar to the bymer virus but it also interferes with IE
access... it blocks port 90. The bymer fixit fixes the problem until next
time I boot. And then I get a screen saying c:/windows.wininit.exe, a line
and a half of hieroglyphics and "press any key to continue". Hitting any
key delivers "It's now safe to turn your computer off". Tho this screen
appears by default after a minute even if I don't press any key. Initially I
was just deleting winin.* from DOS and this would allow Windows to
load. Until next time I had to boot. And then with some help I discovered
that winint.exe executed this damn GLB1A2B.EXE.

Something is regenerating it and it gets executed from wininit.exe. At the
moment it's in my temp directory (where it put itself) renamed GLB1A2B.EX_.
Until I format I'm hoping that it won't be regenerated while it still appears
to be on my HD.

Any info on this thing would be verrrrrry gratefully received. I don't want
to hafto format at the moment. I've got heaps of work files and assignments
and stuff. I don't want to take the time out to format and reset
everything.

tankee
Brigid


Robin

Mar 18, 2002, 11:40:08 PM
Here,

Details - This is a combo worm and virus - and is transmitted by e-mail
that will include a file attachment that appears to be a text file.

The file is - in fact - text, but is a Program Information File (which
usually carries a .pif file extension). When executed it will dump a
payload file into the \windows\temp directory (or whatever your
default temp directory is!) with the file name GLB1A2B.EXE and
then execute this program.

To save you all the gory details - the short version is that GLB1A2B
will add the files MTX_.EXE and IE_PACK.EXE to the windows
directory, as well as a file titled WININIT.INI. Every time windows is
started the WININIT file will load the other programs, and the
computer will attempt to call home. If the programs fail to reach the
author, they will repeat the attempt every two minutes until
successful.

GLB1A2B also fixes a hidden attribute to many of the files so that
they are 'typically' invisible to the end user.

Once MTX_ or IE_PACK run - as many as 60 other files can be
infected - making the virus virtually impossible to remove manually.

Detection - Start Windows Explorer, click on View and then Folder
Options. Click on the View tab, and then click on the radio button next
to "show all files". Click on Apply and then OK. Next click on Tools,
Find Files and Folders. Conduct a search on Drive C for a file titled
MTX_.EXE and / or IE_PACK.EXE.

If either of these files is located, disconnect the computer from its
internet access and obtain a copy of McAfee's Anti-Virus program,
including the update version 4094.

McAfee was the first company (and the only one I know of at this
time) that has virus definitions for this one - the bug was discovered
on 8/30/00. McAfee's antivirus program will rename and / or delete
the infected files - but you may need to manually reinstall certain
Windows programs such as REGEDIT, NOTEPAD, CALC, etc.

Transmission - via e-mail manually, or via Microsoft e-mail programs
in the same manner as the love-bug. There are several (as many as
a hundred or so) different e-mail subject lines, most of which
reference MP3 files, Napster, or pornographic image files.

Closing information - we haven't figured out what information is sent
back to the point of origin, or the exact point of origin, other than to
say that it's in Germany somewhere! Additional information is
available from

www.mcafee.com

as well as the latest virus definitions. One extremely interesting
feature of the bug is that if you are infected, and you attempt to
access mcafee.com or datafellows.com in an effort to obtain virus
information or definitions etc. the bug will cause Internet Explorer
(versions 4.X and 5.X at least) to crash. We haven't tested it with
Netscape.
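
The file search described in the reply above can be scripted for an offline copy of the drive; the following is an added example, not code from either poster or from any vendor. It looks for the file names mentioned in the thread and, where a WININIT.INI is found, lists its pending boot-time operations, assuming the standard Windows 9x layout (a `[rename]` section of `destination=source` lines, with `NUL` as destination meaning delete); the function names are this example's own.

```python
import os
import stat
import sys

# Names taken from the thread; compared in lower case because Windows 9x
# file names are case-insensitive.
SUSPECT_NAMES = {"glb1a2b.exe", "glb1a2b.ex_", "mtx_.exe", "ie_pack.exe", "wininit.ini"}


def parse_wininit_rename(text):
    """Return (destination, source) pairs from the [rename] section.

    Parsed by hand: the same key (typically NUL, meaning "delete the source")
    may repeat, and configparser would keep only the last one.
    """
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
        elif in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def scan(root):
    """Walk root and report every file whose name matches SUSPECT_NAMES."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in SUSPECT_NAMES:
                continue
            path = os.path.join(folder, name)
            # st_file_attributes exists only on Windows; elsewhere report False.
            attrs = getattr(os.stat(path), "st_file_attributes", 0)
            hit = {"path": path, "hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)}
            if name.lower() == "wininit.ini":
                with open(path, encoding="latin-1") as fh:
                    hit["rename"] = parse_wininit_rename(fh.read())
            hits.append(hit)
    return sorted(hits, key=lambda h: h["path"].lower())


if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

A WININIT.INI on its own is not proof of infection, since installers also create one; the entries it lists are what to review.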
