Digit Technology Discussion Forum > Portables, Peripherals and Electronics > QnA (read only)
#1, 26-04-2005, 03:50 PM, posted by harmads (Chennai, INDIA)
Re: speedy.pif ??


Can someone identify the following files and how they get into my system every now and then:

speedy.pif
speedy.scr

These files get quarantined by Norton and I start getting a message that these files could not be found. Delete from WIN.INI file etc. If they are virus files, then how and from where do they come in? Of course no damage takes place because of Norton.

Kazaa has already been uninstalled. Which other program could be causing it? I still have programs like Hotbar and Webshots.
Thanks
harmads is offline  
#2, 26-04-2005, 07:54 PM, posted by ctrl_alt_del (Bangalore)

Here is something about it:

Details:

Installation and Autostart Technique

Upon execution, this worm decrypts its codes and then copies itself in the Windows directory as SPEEDY.PIF. It then transfers execution to the dropped file and deletes the executed file.

(Note: The Windows directory is usually C:\Windows or C:\WINNT.)

In order for its dropped copy to execute at Windows startup, it adds the following registry entry:

Quote:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spees3 = %Windows%\SPEEDY.PIF
(Note: %Windows% is the Windows directory, which is usually C:\Windows or C:\WINNT.)

Then, it spawns SPEEDY.PIF and registers this file as a service so that it does not appear on the Windows Taskbar. It also creates a mutex identifying itself as SpeedyDoS3 to ensure that only one copy of itself is active in memory.

Network Propagation

This worm propagates via network-shared C drives. It looks for machines that have shared drives granting full access. It repeatedly scans for machines connected to the network.

It uses the Share-Level Password vulnerability on Windows systems to propagate via network shared C drives. The vulnerability allows remote access to a Windows 95/98 or ME shared file without knowledge of the entire password assigned to that share.

For more information on this vulnerability and to get hold of the critical patches, visit the following Microsoft page:

Microsoft Bulletin MS00-072

When it finds an accessible drive, it copies itself as the file SPEEDY.PIF in the Windows directory of the remote drive. Then, it copies the remote WIN.INI to the local file C:\TOMA!!!.

It adds either of the following lines to the [windows] section of TOMA!!!:

run = C:\%Windows%\SPEEDY.PIF

It copies the contents of PUT.INI to the WIN.INI file. The change allows BRASIL.PIF or BRASIL.EXE to execute during Windows startup on the remote machine.

Other Details

This UPX-compressed malware connects to the site www.sp<blocked>dy.com.br to automatically update itself. At the time of this writing, the site is down and inaccessible.

It drops the files PODRE!! and BANDA! in the C:\ folder. It uses these files in its information exchange with the Web site.

Its decrypted code contains the following text strings:

Quote:
Queremos melheros servicos da SPEEDY
You can read about it here. You will also find its solution there itself.
ctrl_alt_del is offline  
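The description above gives two persistence points a defender can check for: the Spees3 value under the HKLM Run key and a run= line in the [windows] section of WIN.INI. The following is an added example (not from the thread or any vendor tool) that scans a .reg export and a WIN.INI text for exactly those indicators; the sample inputs are constructed stand-ins for an infected host.

```python
import re

# File names the description above associates with the worm.
INDICATOR_FILES = {"speedy.pif", "speedy.scr", "brasil.pif", "brasil.exe"}
RUN_KEY = r"[hkey_local_machine\software\microsoft\windows\currentversion\run]"

def _basename(path):
    return path.replace("/", "\\").split("\\")[-1].lower()

def win_ini_run_hits(text):
    """(key, program) pairs from run=/load= in [windows] that name an indicator file."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in ("run", "load"):
                # run= may list several programs separated by spaces or commas
                for item in re.split(r"[ ,]+", value.strip()):
                    if _basename(item) in INDICATOR_FILES:
                        hits.append((key, item))
    return hits

def reg_run_hits(reg_text):
    """(value name, data) pairs under the HKLM Run key of a .reg export naming an indicator file."""
    hits, in_key = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.lower() == RUN_KEY
        elif in_key and "=" in line:
            name, _, data = line.partition("=")
            # .reg exports write REG_SZ backslashes doubled
            data = data.strip().strip('"').replace("\\\\", "\\")
            if _basename(data) in INDICATOR_FILES:
                hits.append((name.strip().strip('"'), data))
    return hits

# Constructed samples standing in for an infected Windows 98 host.
SAMPLE_WIN_INI = "[windows]\nload=\nrun = C:\\%Windows%\\SPEEDY.PIF\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"\n'
    '"Spees3"="C:\\\\WINDOWS\\\\SPEEDY.PIF"\n'
)
```

On a real machine, feed reg_run_hits the output of a registry export of the Run key and win_ini_run_hits the contents of %Windows%\WIN.INI; an empty list from both means neither persistence point is present.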
#3, 27-04-2005, 10:11 AM, posted by harmads (Chennai, INDIA)

Thank you for your input. I will do as suggested. If I get stuck at any point I'll contact you.
Best regards
harmads is offline  