Yep... I got it, don't know how or with what!! I'm finding it difficult to find info on this one. A worm, virus, trojan maybe? Any info would be greatly appreciated. I managed to get rid of it, but I would like to know what keys to look for!! Regards, bill
Re: Pete Bill - What AV or AT program identified it to start with? No cross-references in their DB such as 'Also known as...' by other vendors? Pete
Symantec: http://securityresponse.symantec.com/avcenter/venc/dyn/33222.html
W32.Hezhi
Detected as: W32.Hezhi
Aliases: None
Area of Infection: .EXE Files
No additional information

---

TrendMicro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_HEZHI.A&VSect=T
In the wild: No
Payload 1: Modifies Files (increases file size)
Trigger condition 1: Upon execution
Discovered: May. 22, 2002
Detection available: May. 29, 2002
Detected by pattern file #: 290 (still using 900-series pattern files?)
Detected by scan engine #: 5.200
Language: English
Platform: Windows
Encrypted: No
Size of virus: 12,800 Bytes

Details: This polymorphic file infector uses an Entry Point Obscuring (EPO) method to infect target files. Upon execution, it infects Windows executable files and then stays resident in memory to infect other executable files that the infected user runs. To infect, it replaces the first 512 Bytes of the entry point section of the target file with its EPO code. It saves the original 512 Bytes and encrypts it in the virus body. It then attaches itself at the last section of the infected file. This virus uses five levels of encryption to avoid detection. It uses anti-debugging techniques so that it is harder to trace and analyze. This virus can infect .EXE files on network shared drives with read and write access.
Description created: May. 29, 2002
Which av software reported this virus? Which files (including pathname) are infected? What is the version of your av software? What is the date of the used signature files? If available what is the version number of the scan engine? wizard
I'm using Dr Web 4.28, with the very latest updates. Engine 4.28a. I'm thinking my son may have downloaded it, but I can't find the original file. Here are a couple of files that were infected: c:\windows\logos.sys \dxtmsft3.dll \lmrt.dll \mdmrock2.cat \catalog3.cab And also a few .dll's linked to Realplayer and a few of my games. Also, in the infected file log was an IE page in the temp files. Odd or what? thanks, bill
Hi, Infects only *.exe, non-destructive. No problem if it's only in your internet Temp files: just clean it. Rgds, JacK
Hi eyespy, According to the description of TrendMicro the virus can only infect *.exe files, but on your machine there are a couple of other file types infected as well. I think it might be a false positive. To make sure whether this is a real infection or not, send the files to the DrWeb team to cross check. EMail is: Antivir@Dials.ru wizard