Wednesday, 31 October 2007

Damn spyware virus

OK, I just had a minor slugfest with one pesky piece of program that deposited kavo.exe into my c:\windows\system32 folder and made a bunch of changes to my registry, especially the ones concerning showing hidden files and such. A quick pop by Symantec shows that it was the worm called W32.Gammima.AG (that's what the guys in Symantec called it anyway).

So, how did I come across this? First of all, my Yahoo messenger crashed on login. So I went hunting around the net looking for answers. Then on a whim I went to see if there's any strange program that may be affecting Yahoo messenger by checking the startup part in the registry. Lo and behold! A strange entry pointing to c:\windows\system32\kavo1.exe was staring me in the face. Another quick check through the internet identified the worm and its characteristics. Another nasty thing it does is make each of your drives Autorun the worm program whenever you try and double-click on a drive, so it reinfects your machine if you didn't clean it out. Luckily I caught this thing before it could do its magic after a restart.

So if any of your programs start to behave strangely, be afraid...

Damn, I'm way past my bedtime :(


Archangael said...

Hi, I just ran into this problem myself. Every time I try to do a Norton antivirus scan, it doesn't seem to be able to get rid of the problem. I can't seem to manually delete it either. You seem to have figured out how to fix it, can you help me? Thanks!

Chucky said...

Cleaning out viruses usually consists of three parts:
1. Killing the virus program that is running in memory
2. Removing the .exe or whatever file that is the virus
3. Fixing some changes in the windows registry

Usually the best way to kill these virii would be to go into safe mode and delete the virus files from the computer while they're not activated, but there are some steps that will need to be executed before that.

I'll write up a generic guide soon, but no guarantees when it will be done.
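A read-only triage script that checks the places the post describes (the Run-key entry, the dropped file in System32, autorun.inf at each drive root, and the hidden-file view settings), added here as an example and not part of the post or the comments. The filename pattern "kavo" comes from the post; the specific Explorer registry values in step 4 are my assumption of which "showing hidden files" settings were changed, and the script only reports, it deletes nothing.

```powershell
# Added example, not code from the original post. Read-only triage: it reports the
# indicators the post describes and changes nothing.
$Pattern = 'kavo'      # from the post: kavo.exe / kavo1.exe
$Findings = @()

# 1. Startup entries: the post found c:\windows\system32\kavo1.exe under a Run key
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    foreach ($P in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }           # skip provider metadata properties
        if ("$($P.Value)" -match $Pattern) {
            $Findings += "Run entry '$($P.Name)' in $Key -> $($P.Value)"
        }
    }
}

# 2. Dropped file in System32 (-Force so hidden files are listed too)
$Sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($F in (Get-ChildItem -Path $Sys32 -Filter "*$Pattern*" -Force -ErrorAction SilentlyContinue)) {
    $Findings += "File present: $($F.FullName) (modified $($F.LastWriteTime))"
}

# 3. autorun.inf at each drive root: the reinfection trick the post mentions.
#    Only the lines that launch something are shown.
foreach ($Drive in Get-PSDrive -PSProvider FileSystem) {
    $Inf = Join-Path $Drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $Inf -ErrorAction SilentlyContinue) {
        $Body = Get-Content -LiteralPath $Inf -Force -ErrorAction SilentlyContinue
        $Launch = $Body | Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
        $Findings += "autorun.inf on $($Drive.Root): $($Launch -join '; ')"
    }
}

# 4. Hidden-file view settings. Assumption: these are the "showing hidden files"
#    values the post refers to. Hidden=2 is also the Windows default, so only
#    CheckedValue=0 (Folder Options toggle disabled) is treated as tampering.
$Adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ShowAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$H = Get-ItemProperty -Path $Adv -ErrorAction SilentlyContinue
$C = Get-ItemProperty -Path $ShowAll -ErrorAction SilentlyContinue
"Explorer Hidden=$($H.Hidden) ShowSuperHidden=$($H.ShowSuperHidden) SHOWALL CheckedValue=$($C.CheckedValue)"
if ($C -and $C.CheckedValue -ne 1) { $Findings += 'SHOWALL CheckedValue is not 1: show-hidden-files option disabled' }

if ($Findings.Count -eq 0) { 'No indicators found.' } else { $Findings }
```

Run it from an elevated PowerShell so the HKLM keys and System32 are readable; as Chucky notes, the actual removal belongs in Safe Mode, after the running process has been dealt with.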