Trend has elevated this one to Medium Risk. It is VERY destructive and deletes every file on the user's drive. Watch out. Turn OFF the preview pane in Outlook and Outlook Express and delete all suspicious messages that have attachments. This could be a nasty one as it has its own SMTP engine.

Regards,
Jim Kenzig
http://thethin.net

WORM_WINEVAR.A

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WINEVAR.A

Virus type: Worm
Destructive: Yes
Aliases: Win32/Winevar.A, I-Worm.Winevar, W32/Korvar, W32/Winevar@mm, W32.HLLW.Winevar
Pattern file needed: 397
Scan engine needed: 5.200

Overall risk rating: Medium
Reported Infections: Medium
Damage Potential: High
Distribution Potential: High

Description:

This destructive Internet worm runs on all Windows platforms. This worm propagates using its own SMTP or Simple Mail Transfer Protocol engine and sends email to addresses it gathers from HTML files on the infected system. It sends email with the following details:

Subject: N`4_<Registered Organization>
Message Body: <Registered Owner> - <Registered Organization>
Attachments:
  WIN<random numeric value>.GIF (120 bytes)
  MUSIC_2.CEO
  WIN<random numeric value>.TXT (12.6 KB)
  MUSIC_1.HTM

*<Registered Owner> is the registered owner of the machine and <Registered Organization> is the organization of the owner.

This worm sends email using a known exploit that causes the attachment to automatically execute when the message is viewed or previewed on Internet Explorer-based email clients, such as Microsoft Outlook and Outlook Express. This exploit is known as Automatic Execution of Embedded MIME type.

It is capable of terminating certain monitoring programs and antivirus products from memory.

Upon restart, this worm deletes all files from local drives, except files that are currently running on the system.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

For Users of Trend Micro Products

Download the Trend Micro System Cleaner Patch to effectively remove this malware from your system using your Trend Micro product. You must replace the file TSC.EXE in your product folder with the same file contained in this download.

For OfficeScan 5.02 users, the default folder is C:\OfficeScanNT.
For PC-cillin 2002 users, the default folder is C:\Program Files\Trend Micro\PC-cillin 2002.

For Non-users of Trend Micro Products

Download and run the Trend Micro System Cleaner Package. If you have an MD5 signature checker, you may check the MD5 hash value of this tool. Trend Micro advises users to consult the readme file, readme_sysclean.txt, which contains the description and features of this package.

NOTE: Non-users of Trend Micro products must download and use the latest pattern file for the TSC package to be effective.

MANUAL REMOVAL INSTRUCTIONS

WARNING: If you suspect that your computer is infected with WORM_WINEVAR.A, do not restart your system before completing the removal procedure.

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program. Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_WINEVAR.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Removing Autostart Entries from the Registry

Removing autostart entries from registry prevents the malware from executing during startup. You will need the name(s) of the file(s) detected earlier.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.

In the left panel, double-click the following:
  HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.

In the left panel, double-click the following:
  HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices

In the right panel, locate and delete the entry or entries whose data value (in the rightmost column) is the malware file(s) detected earlier.

In the left panel, double-click the following:
  HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run

In the right panel, locate and delete the entry or entries whose data value (the rightmost column) is the malware file(s) detected earlier.

Close Registry Editor.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_WINEVAR.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Applying Patches

This malware exploits a known vulnerability in Internet Explorer 5.01 and 5.5. Download and install the security update from Microsoft. Refrain from using this product until the appropriate patch has been installed.
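
The subject and attachment pattern given in the advisory's description can be turned into a mail-gateway check. The following is an added example, not part of the original message or of any Trend Micro tool; the function names, the two-indicator threshold and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string

# Indicators copied from the advisory text; "<random numeric value>" is
# modelled as one or more digits (assumption).
SUBJECT_PREFIX = "N`4_"
ATTACHMENT_RE = re.compile(r"^(WIN\d+\.(GIF|TXT)|MUSIC_1\.HTM|MUSIC_2\.CEO)$", re.I)

def winevar_indicators(raw_message):
    """Return the advisory indicators present in one RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    if (msg.get("Subject") or "").startswith(SUBJECT_PREFIX):
        hits.append("subject-prefix")
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename=, then Content-Type name=
        name = (part.get_filename() or "").strip()
        if ATTACHMENT_RE.match(name):
            hits.append("attachment:" + name.upper())
    return hits

def should_quarantine(raw_message, min_hits=2):
    """Require two indicators so a lone WIN123.TXT does not trip the filter."""
    return len(winevar_indicators(raw_message)) >= min_hits

# Constructed sample messages (not captured traffic).
SUSPECT = """\
Subject: N`4_Example Org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Example Owner - Example Org
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="WIN4821.TXT"

placeholder
--b1
Content-Type: application/octet-stream; name="MUSIC_2.CEO"

placeholder
--b1--
"""
BENIGN = SUSPECT.replace("N`4_", "Re: ").replace("WIN4821", "WINNOTES").replace("MUSIC_2.CEO", "MUSIC.MP3")

if __name__ == "__main__":
    print(winevar_indicators(SUSPECT), should_quarantine(BENIGN))
```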
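
The manual registry step above (check three autostart keys for values whose data is a detected file) can be run against a text export of the registry instead of by eye. This is an added example, not Trend Micro's procedure or code; the function names are hypothetical, and DETECTED_SAMPLE.EXE is a placeholder for whatever file names the scan reported, since the message does not name them.

```python
import re

# The three autostart keys named in the removal steps, lower-cased for comparison.
_CV = r"\software\microsoft\windows\currentversion"
AUTOSTART_KEYS = {
    "hkey_local_machine" + _CV + r"\run",
    "hkey_local_machine" + _CV + r"\runservices",
    "hkey_current_user" + _CV + r"\run",
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(text):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", text)

def find_autostart_entries(reg_text, detected_files):
    """Return (key, value name, data) for autostart values that launch a detected file."""
    wanted = {name.lower() for name in detected_files}
    current_key, hits = None, []
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1] if line[1:-1].lower() in AUTOSTART_KEYS else None
            continue
        match = VALUE_RE.match(line)
        if current_key and match:
            name, data = _unescape(match.group(1)), _unescape(match.group(2))
            # Compare against path components so a partial name does not match
            tokens = set(re.split(r'[\\/\s"]+', data.lower()))
            if wanted & tokens:
                hits.append((current_key, name, data))
    return hits

# Constructed export; DETECTED_SAMPLE.EXE is a placeholder, not the worm's file name.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Loader"="C:\\WINDOWS\\SYSTEM\\DETECTED_SAMPLE.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Svc"="C:\\WINDOWS\\SYSTEM\\DETECTED_SAMPLE.EXE /q"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Notes"="C:\\Tools\\notes.exe"
[HKEY_LOCAL_MACHINE\Software\Example]
"Path"="C:\\WINDOWS\\SYSTEM\\DETECTED_SAMPLE.EXE"
'''

if __name__ == "__main__":
    print(find_autostart_entries(SAMPLE_EXPORT, ["DETECTED_SAMPLE.EXE"]))
```

Exports headed "Windows Registry Editor Version 5.00" are UTF-16 encoded and must be decoded before being passed in; the value under the non-autostart key is deliberately not reported.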