Spyware: Clear the Talking Email Amus Worm. (How are you. I am back.)


From the computer of: davak (396 recipes)
Created: Sep 13, 2004



You clicked on an email and now your computer is talking to you. You have the Amus worm. Here's how you clear it.

You clicked on an email, and your computer says:

Quote:
How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule.

Sound file:
http://www.f-secure.com/weblog/archives/amus.wav

Here is the evil it can do:
    - On the 1st, 6th, 20th and 25th of each month, it will replace the home page URL in Internet Explorer with the following text:
      Konneting du pepil and dizkoneting you. Anlami: Baglansan ne olacak, baglanmasan ne olacak. Zaten hatlar burada rezalet.
    - On the 2nd, 15th and 17th of each month, it will try to delete all .ini files in the Windows folder.
    - On the 10th and 23rd of each month, it will try to delete all .dll files in the Windows folder.

The email address of the infected person who sent it to you is not forged.
The attachment name is Masum.exe.
The subject of the email is "Listen and Smile".
It uses Microsoft Outlook to send itself to all your contacts.

The body of the email will read...
Hey. I beg your pardon. You must listen.

You can confirm that you have this malware by looking in the root directory of your C: drive. It should contain a file named masum.exe.

It also frequently copies itself into your Windows folder under the following file names:

    Adapazari.exe
    Ankara.exe
    Anti_Virus.exe
    Cekirge.exe
    KdzEregli.exe
    Messenger.exe
    Meydanbasi.exe
    My_Pictures.exe
    Pide.exe
    Pire.exe

It creates the following two registry entries:

    [HKCU\SOFTWARE\Microsoft\Masum\Who]
    "Who"="OnEmLi_DeGiL"

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microzoft_Ofiz"="%WINDIR%\KdzEregli.exe"

To correct this infection, press CTRL-ALT-DEL to open Task Manager and end any of the processes listed above that are running. Then delete all of the files involved. Remove the registry entries as well.

Most antivirus programs are now finding this creature. Update your antivirus and let it clear your system. You'll probably need to manually remove the leftovers from the registry.
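
As an added example (not part of the original recipe), the PowerShell script below checks, read-only, for the files, running processes and registry entries listed above. It is useful before cleanup and again afterwards to find leftovers. It assumes Windows is installed on C: and treats `Who` as a registry key, as written above.

```powershell
# Read-only check for the Amus indicators listed in this recipe. Nothing is deleted.
# Assumption: the system drive is C: and %WINDIR% points at the Windows folder.
$copies = 'Adapazari.exe', 'Ankara.exe', 'Anti_Virus.exe', 'Cekirge.exe', 'KdzEregli.exe',
          'Messenger.exe', 'Meydanbasi.exe', 'My_Pictures.exe', 'Pide.exe', 'Pire.exe'
$paths  = @('C:\masum.exe') + ($copies | ForEach-Object { Join-Path $env:WINDIR $_ })
$findings = @()

# 1. Dropped files: masum.exe in the root of C: and the copies in the Windows folder.
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $p }
    }
}

# 2. Running processes whose image path is one of those files (comparison ignores case).
#    Matching on the full path avoids flagging an unrelated program with the same name.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($paths -contains $_.Path) } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'Process'; Item = "$($_.Path) (PID $($_.Id))" }
    }

# 3. Marker key under HKCU.
$marker = 'HKCU:\SOFTWARE\Microsoft\Masum\Who'
if (Test-Path -LiteralPath $marker) {
    $findings += [pscustomobject]@{ Type = 'Registry'; Item = $marker }
}

# 4. Autostart value under the HKLM Run key.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath $runKey -Name 'Microzoft_Ofiz' -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{ Type = 'Registry'; Item = "$runKey : Microzoft_Ofiz = $($run.Microzoft_Ofiz)" }
}

# A file-name match alone is a lead, not proof; confirm with an updated antivirus scan.
if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'None of the Amus indicators from this list were found.'
}
```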
