cvot.txt Yaha.E?

This file cvot.txt was found in c:\windows along with cvotcvot.dll. I believe my brother got an email in his hotmail account and decided to click on the .BAT attachment and McAfee inbuilt virus scanner stopped him and said it's a virus. Does the existence of these 2 strange files mean the PC is infected?

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

iNDian sNakes pResents yAha.E

iNDian hACkers,Vxers c0me & w0Rk wITh uS & **** tHE GFORCE-pAK shites

bY

sNAkeeYes,c0Bra

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

 

Download the free removal tool: clrav.com.
[Latest update: June-27-2002, v6.2.3]
This removal tool can also be used to remove the following viruses:

I-Worm.BleBla.b
I-Worm.Navidad
I-Worm.Sircam
I-Worm.Goner
I-Worm.Klez.a,e,f,h
Win32.Elkern.c
I-Worm.Lentin.a,b,c,d,e,f,g (aka) Yaha

http://www.avp.ch/mindex.stm

 

So it does look my brother's PC is infected. But how come the McAfee virus alerted him when he decide to open the attachment but the PC is still infected. This was using web-based Hotmail. He doesn't use OE or Outlook.

 

Huh? Don't follow. Could you rephrase your statement please. Do I have to remove the virus ASAP - will it "damage" my PC more if I don't remove?
The proof of the pudding McaAfee indeed did the job, is checking the system - fe using the free app MN proposed in this thread

 

Polo,

I will not tell you what to do with any system you or anyone else own..but I will give you this link at this forum about this virus and you can decide for yourself what you wish to do.

https://www.wilderssecurity.com/showthread.php?t=1948

If you want more info on the McAfee problem tell me the OS of the system and what version of McAfee he has...the lastest update he has and how he has it set to read web based email or email as a client when he downloads his email.

I can not answers blind questions..and I do not have time to guess..never get much place with that in any case.
But I will be glad to help you put the mystery to bed.

 

The machine in Win98 and IE 5.5. The version of McAfee is just the inbuilt one in Hotmail. If you use Hotmail you'll know.

"The proof of the pudding McaAfee indeed did the job, is checking the system - fe using the free app MN proposed in this thread"

Who/what is MN and what does "fe" mean? Confused!

 

Who/what is MN and what does "fe" mean? Confused!

He was refering to my post and I guess I would say that the "fe" is a typo and should be "re" so....


Polo, why don't you consider downloading and run the tool that NM=MyNethingyman post. The standalone tool is called clrav.com and it will detect and clean a PC that is infect with that worm.


I sugguest he install something on his machine other than the McAfee you mentioned.

 

I''ll download the tool. You recommend the Kaspersky one over any other one from another AV company? Should he not use the PC at all until the worm is removed? Or can he use it for non-Internet work like using Microsoft Word?

 

Polo,
I like these free standalone tools also....Wilders has some available here ..but I will give you this link.


http://www.pandasoftware.es/library/pqremove_en.htm

Just remember that YAHA has another name LENTIN and at panda they use the latter.


Name: W32/Lentin.E
Alias: W32/Yaha.E


They are not the way to go to stop the exploit..but when you are in a fix they do a nice job.

Also ,if you are running Win 98 and the machine does
have a GOBACK system to recover files...the virus/worm/Trojan could also end up in there..Since the files are compressed in that area to save space, they are in a forum that most AV's will not clean..but they will notify you that something is still amiss even after you clean.

In this case you will have to manually clean and reset the goback to begin again at a present time..so one does not be re infected..or in the case for some.."their AV telling them that files of the badboy can not be clean.

WinME and XP users have that problem all the time and it is confusing for them.

 

http://www.sophos.com/tools/readmes/readrmya.txt

Is the Sophos removal tool good?

http://www.microsoft.com/technet/security/bulletin/MS01-027.asp

I understand from this that IE5 or 5.5 WITHOUT the patch are vunerable even if "launching IFRAME" is Disabled

 

Hmmm, the Sophos removal tool looks a bit complicated to "install" compared to Kaspersky's clrav.com -- running clrav.com deleted the keys in the registry relating to the EXE file in the c:\recycled which is run start up. The EXE is deleted too.

However c:\windows\temp\kitkat isn't and this shows up as infected in a Kaspersky AVP scan. The TXT and DLL file in c:\windows which this worm creates don't come up as infected... Why?

It seems to me scanners and removal tools only look and delete for the important files (EXE COM etc) and you have to readup and delete the other less important files

 

Hi Polo,

You are an excellent Detective and this last statement is so very well persented for a Synopsis for this thread. You are beginning to be an EXPERT.

I can tell you stoires still about Nimda and KLEZ where some of the well know AV products leave some of the setting and "pointer" on your system and people have run the Panda Tool..found them and could then clean them off.

So it is a two way street. But you have to realize what is going on. All of these Fine product out there and then the tools..are doing the best they can to help all of us. The first goal in cause we DO get infect is to STOP IT so our systems do not crash or let the exploit continue. But since all of these" BADBOYS" are constantly in a state of being modified and bits added to them..it is so very hard to get all the scraps.

That is why Paul and all the other MODS here at Wilders have their favorite AV/AT programs. They know the people who design the product..they know which ones work the best..and it is a constant struggle for all of the vendors to get the entire signature that is out there in the wild..and then to find the cure for EACH OS we are all running, much less clean off all the bit if infected.


Good job Polo. Hang in there>

 

I noticed that after running the Kaspersky remover that on booting up the DLL file is showing the last modified date prior to the remover running i.e. when the EXE and RUN key existed. So it isn't changing anymore and thus being used? In any case it can be deleted...

Erm. should I run the Sophos one as a backup or I've removed all the important files as outlined in my previous post?

 

In fact this Yaha.E also goes by a different name W32/Lentin.E and you can get another tool free from panda that I know cleans off this one...

W32/Lentin.E (Panda).


http://www.pandasoftware.es/library/pqremove_en.htm




http://service.pandasoftware.es/servlet/panda.pandaInternet.EntradaDatosInternet;jsessionid=2431911035027562632?operacion=EV2FichaVirus&pestanaFicha=0&idioma=2&nombreVirusFicha=W32/Lentin.E


How can I find out if my computer is infected?


How can I protect my computer from W32/Lentin.E?


How to repair the effects caused by W32/Lentin.E

see here

http://www.pandasoftware.com/library/W32LentinE_en.htm

 

I removed this worm using Kaspersky's tool but wanted to double check using Sophos. I was able to run RMYAHA.EXE *without* renaming it to .COM and get 0 results as expected ---I don't understand this:

http://www.sophos.com/tools/readmes/readrmya.txt
"If you removed the infected files prior to running RMYAHA, RMYAHA will not be able to run. In order to be able to run it, you should rename RMYAHA.EXE to RMYAHA.COM."

BTW, how important is it to copy the files to a floppy on an uninfected PC, is this more of a precaution, as Kaspersky's didnt require this.