
Subject: OT..Heads up on worm


CrazyDawg ( ) posted Wed, 26 April 2006 at 9:59 AM · edited Fri, 22 November 2024 at 2:48 PM

I thought you all needed to be warned about the worm Win32.polip.A that is getting around at the moment. If you get it, no matter how hard you try you only have one option to remove it fully and that is format.

No backing up of anything at all will help as it sits dormant in exe files that you may have stored on your computer. I found out today all about it after receiving a notification email from Daz about a reply on their forum and I clicked on the link; my anti-virus program went into overdrive after that. 400+ models and program exe files were infected by the worm. I am at the moment in the middle of re-installing things back on my computer, it's 11pm West Australian time and I have been at this for 2-3 hours now.

Anyway guys and gals, just a kind warning to you all that not even backing up things will help you unless you do it early...but then how does one know when the correct time is for making backups.

I have opinions of my own -- strong opinions -- but I don't always agree with them.


 



draculaz ( ) posted Wed, 26 April 2006 at 11:27 AM · edited Wed, 26 April 2006 at 11:30 AM

http://pack.google.com/ is the place to get the google pack, a set of essential tools to keep your computer running. One of them is Norton Antivirus with a 6 months FREE subscription. Norton Antivirus currently has a fix and will defend you against this virus.

Cheers

m


CrazyDawg ( ) posted Wed, 26 April 2006 at 11:55 AM

Drac baby, I hate to inform you of this but there is no other way to remove this little blighter other than to format. Trust me mate, there is a large thread on it at Daz.


 



draculaz ( ) posted Wed, 26 April 2006 at 12:02 PM

W32.Polip is a polymorphic virus that infects .exe and .scr files when they are opened or executed on the compromised computer.

Also Known As: Polipos.a [F-Secure], P2P-Worm.Win32.Polip.a [Kaspersky Lab], W32/Polipos [McAfee], W32/Polipos-A [Sophos], PE_POLIP.A [Trend Micro]
Type: Virus
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

protection

- Virus Definitions (LiveUpdate™ Plus): April 23, 2006
- Virus Definitions (LiveUpdate™ Daily): April 23, 2006
- Virus Definitions (LiveUpdate™ Weekly): April 24, 2006
- Virus Definitions (Intelligent Updater): April 23, 2006

threat assessment

Wild: Low
Damage: Medium
Distribution: Medium

technical details

When W32.Polip is installed, it performs the following actions:

  1. Infects .scr and .exe files when they are opened or executed on the compromised computer.
  2. Hides its presence on the compromised computer by injecting its code into running processes.
  3. Attempts to spread by sharing infected files on the Gnutella file sharing network, even if the Gnutella software isn't installed on the compromised computer.
  4. Tries to lower security settings by deleting certain files relating to antivirus software.

recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

removal instructions

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan.
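Added example, not from the thread or from Symantec: a Python baseline-and-verify check that shows how one would tell which .exe/.scr files changed since a known-good state, which is what a file infector like the one described above alters. The directory tree, file contents and the "infected" file (a few bytes appended as a stand-in) are all constructed for the demo.

```python
"""Baseline-and-verify integrity check for .exe/.scr files.

A SHA-256 baseline taken while the executables were known-good shows
exactly which ones changed, appeared or vanished since then.
"""
import hashlib
import json
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".scr"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large installers never sit in memory whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each .exe/.scr under root (as a relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report executables whose content changed, that appeared, or that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter it. The
    'infected' file is a stand-in (bytes appended); a real infector rewrites
    code, but the hash mismatch is detected the same way."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "viewer.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "tools" / "saver.scr").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "readme.txt").write_bytes(b"not an executable, ignored")
        # Save the baseline as you would to removable media, then read it back.
        (root / "baseline.json").write_text(json.dumps(build_baseline(root)))
        with (root / "tools" / "viewer.exe").open("ab") as fh:
            fh.write(b"\xcc" * 16)                   # content changed
        (root / "tools" / "saver.scr").unlink()      # executable removed
        (root / "new.exe").write_bytes(b"MZ!")       # executable appeared
        saved = json.loads((root / "baseline.json").read_text())
        return compare(saved, build_baseline(root))
```

Run `demo()` to see the three categories on the constructed tree; against a real machine, take the baseline right after a clean install and keep it off the machine, since an infector that reaches the baseline file defeats the check.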


draculaz ( ) posted Wed, 26 April 2006 at 12:03 PM

oh yeah, and link: http://www.symantec.com/avcenter/venc/data/w32.polip.html

and what else... yeah, DAZ isn't the place to get your info, trust me :)


CrazyDawg ( ) posted Wed, 26 April 2006 at 12:15 PM

LOL did you know it took Symantec 5 hours to post a fix for it..

Anyway I have formatted my hard drive and lost a few things I can't replace, but in the long run it's better than losing everything.


 



TrekkieGrrrl ( ) posted Wed, 26 April 2006 at 3:21 PM

DrWeb's CureIt can remove it in 99% of the cases. There are a few files that it couldn't fix, but most of them are fine.

And yes, I got it too :( grumble

FREEBIES! | My Gallery | My Store | My FB | Tumblr |
You just can't put the words "Poserites" and "happy" in the same sentence - didn't you know that? LaurieA
  Using Poser since 2002. Currently at Version 11.1 - Win 10.



Khai-J-Bach ( ) posted Wed, 26 April 2006 at 3:24 PM

having no probs shifting the little sod here with DrWeb
got 1 machine cleaned and safe .. now for my main machine...



diolma ( ) posted Wed, 26 April 2006 at 3:26 PM

What does this worm do (apart from perpetuate itself)?
How do I know if I've got it?
How does it infect?

Cheers,
(slightly worried)...
Diolma



Khai ( ) posted Wed, 26 April 2006 at 9:23 PM

erm Diolma? read up.. Drac posted all the info...


deadman67 ( ) posted Wed, 26 April 2006 at 10:32 PM

Is there a link to this DrWeb?


Khai ( ) posted Wed, 26 April 2006 at 10:51 PM

http://download.drweb.com/drweb+cureit/


bikermouse ( ) posted Thu, 27 April 2006 at 2:22 AM

Thanks!

sorry to hear that you had to format CrazyDawg ... Hmmmm. . . .I wonder if re-formatting would help my cat - she doesn't know if she wants to be in or out.


artbyphil ( ) posted Thu, 27 April 2006 at 4:20 AM

I just fell for that one as well, it's a real pain. Just finished reinstalling my computer from scratch. Even more annoying is I don't know where I picked it up from. I'm security mad with up to date antivirus, a firewall, the lot, but it still got me.

By the way you'll know if you've got it because just about every exe file on the computer gets trashed.

The only positive I can find in this is that I was about due for a clean install anyway as Windows was playing up and I kept putting it off; this forced my hand.

Also a chance to organise my poser runtimes better!

 


artbyphil ( ) posted Thu, 27 April 2006 at 4:21 AM

By the way I tried the instructions from Norton

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan.

It didn't do any good, still said it couldn't fix it.

 


CrazyDawg ( ) posted Thu, 27 April 2006 at 4:28 AM

artbyphil, I read on another forum that you can have the worm on your system for ages before it starts to really infect the exe files. My bet is that when Windows started playing up you had it, and on the 4/25/2006 it really went to work and did the major damage to your system.


 



bikermouse ( ) posted Thu, 27 April 2006 at 5:43 AM

I noticed they didn't say how it spreads, only that it targets exe/scr files. My W95 and ME computers are clean; it did catch the "Steal This Book" CD-ROM "corbomites" when AVG didn't. I noticed a full scan took an hour on my 10 gig drives. The larger ones . . ..


diolma ( ) posted Thu, 27 April 2006 at 2:22 PM

Khai?

I did read what Drac posted.

In particular the bit:

" When W32.Polip is installed, it performs the following actions:

  1. Infects .scr and .exe files when they are opened or executed on the compromised computer.
  2. Hides its presence on the compromised computer by injecting its code into running processes.
  3. Attempts to spread by sharing infected files on the Gnutella file sharing network, even if the Gnutella software isn't installed on the compromised computer.
  4. Tries to lower security settings by deleting certain files relating to antivirus software.

".
That doesn't tell me what effect it has on the .exe/.scr files, how I recognise it nor how I know if I've got it.

I'm going to run a scan tonight, just in case (it has to be overnight, I have 2 x 120 gig drives and it takes about 6 hrs for a full scan..).

But I don't use Norton. McAfee may or may not find it.....

Cheers,
Diolma



Khai ( ) posted Thu, 27 April 2006 at 3:57 PM

OK, what it does: nothing visible. It insinuates itself into the EXE / SCR file and is not visible to the user.
It then sits in memory in some processes and infects more EXE files.
Then it opens a channel to Gnutella while lowering your AV defences.

Erm.. that's exactly what you quoted. So... I dunno what you're actually asking?


artbyphil ( ) posted Thu, 27 April 2006 at 4:26 PM

With me it stopped all the infected exe files from working. When I tried I just got the Windows magnifying glass thing, then it said it couldn't locate the programme.

 


diolma ( ) posted Thu, 27 April 2006 at 4:39 PM

Ah, OK Khai.

I'm out of my depth. I have no idea what Gnutella is. My knowledge of worms/trojans/parasites etc. is extremely limited (I understand the basics, not the details).

I do understand that opening channels (w/o my consent) is a bad thing....

From what I've read above, this worm is contracted by installing (and running) an already infected .exe/.scr file.

Is this correct? Or are there other ways the pest can proliferate?

Just trying to get an idea of what it's all about....

Cheers,
Diolma

(and thanks for being patient with me)



Incarnadine ( ) posted Thu, 27 April 2006 at 9:20 PM

Ran my weekly dual scan (McAfee VSO followed By TrendMicro's HouseCall) on both machines early just to check.

Pass no temptation lightly by, for one never knows when it may pass again!


kyhighlander59 ( ) posted Thu, 27 April 2006 at 10:06 PM

The stuff I have read says you get it from P2P networks. Since the only .exe I have downloaded since I bought this computer 1 1/2 months ago was from DAZ3D, I suspect the possibility of the infection coming from there. Where they got it, if that is where it came from, heaven knows.

But things happen....

KY


diolma ( ) posted Fri, 28 April 2006 at 2:18 PM

Attached Link: http://market.renderosity.com/mod/forumpro/showthread.php?thread_id=2645490

See the attached thread. I'm not accusing, but there seems to be fingers starting to point...

Cheers,
Diolma

(PS. McAfee found nothing. Am currently running Dr. Web's CureIt. Nothing wrong with both belt + braces...)



bikermouse ( ) posted Sat, 29 April 2006 at 12:44 AM

AVG found some stuff, just junk. DrWeb is really slow, so run one directory at a time; windows, docandsettings and prog files clean so far, so good.

Any other free AVs that are any good? Especially ones that will dl updates to files or will work across a home network?


bikermouse ( ) posted Sat, 29 April 2006 at 1:16 AM

diolma,

Looking over the ref'd thread I realized I had a couple Daz freebies, the treefrog and the python, that just wouldn't unload.
I deleted them and got the treefrog again, this time no probs. I think AVG and either Adaware or Spybot caught the bugger before it did too much damage. I wish I'd have been paying attention.

I also noticed the point of vulnerability seemed to be shared (network) files. Now the main computer only has one share and it is empty.

So I guess I was hit - I pity the poor virus writer when the corbomites finally track him down.

Yes, I suspect someone didn't want h2 to come out, especially at $1.99; the timing was too coincidental.

-TJ

 

 


CrazyDawg ( ) posted Sat, 29 April 2006 at 2:02 AM

bikermouse
I used one once called Avast, it has real time scanning and that was the main reason for me not using it any more.

I know that sounds strange but I found it annoying when it kept scanning every website I went to.


 



bikermouse ( ) posted Sat, 29 April 2006 at 2:23 AM · edited Sat, 29 April 2006 at 2:25 AM

CrazyDawg,

Not at all. Kerio Sunbelt firewall was doing that to me too while it was learning - but not one intrusion got by it. If I ever get a credit card it will be my first purchase - will say it is the best firewall I've tried. Right now I'm using Comodo but so far I'm not even impressed - so far it's been like a guard dog who just watches while dingos steal the baby.

Ya, Avast, I heard of it but something on their page steered me away from it - it might be useful for cyber-shatenjaegering though, if someone were reckless enough to actively seek out sites with viri . .. I'll look back into it.

OK, Comodo just caught something (must have overheard me.)

 

 

 

  


CrazyDawg ( ) posted Sun, 30 April 2006 at 12:17 AM

bikermouse

This is one thing that really confuses me about using software firewalls on XP, taking in the fact I ran ZoneAlarm Pro and BlackICE Defender on my computer when I used Win 98SE.

I have seen this warning on plenty of sites recently.

Important Tips -- Before installing personal firewall software on a Windows XP computer, be sure that the firewall built into Windows XP is turned off. Never use two software firewalls at the same time.


 



bikermouse ( ) posted Sun, 30 April 2006 at 1:04 AM

Yep, turn the XP firewall off when using another firewall. I'd use Kerio Sunbelt (or ZoneAlarm if you don't have a home network). The problem is that two firewalls WILL conflict with each other on XP SP2. They probably did in W98 too, but since security was not as big a part of W98 you might not have noticed, or BlackICE might have disabled or monitored ZoneAlarm or vice versa.


CrazyDawg ( ) posted Sun, 30 April 2006 at 1:17 AM

Oh god, I run a hardware firewall at the moment with the Win XP one.

The hardware firewall is part of the router I use so I don't touch that.


 



bikermouse ( ) posted Sun, 30 April 2006 at 6:13 AM

A hardware firewall isn't quite the same thing. I would think you need to get info from the router manufacturer on that.


CrazyDawg ( ) posted Sun, 30 April 2006 at 11:10 AM

bikermouse;

All I can get from them is that the router firewall does this:

NAT for basic Firewall support

Packet Filtering Firewall Support

Stateful Packet Inspection Support

Protection against Denial of Service attacks

Password Authentication to Modem

 

not sure if any of that is good or not 😄



 



Incarnadine ( ) posted Sun, 30 April 2006 at 1:16 PM · edited Sun, 30 April 2006 at 1:17 PM

A hardware firewall on the router should not interfere with ZoneAlarm on the individual box. As long as you ide the in/out stuff to each it should work fine.


Lzy724 ( ) posted Sun, 30 April 2006 at 10:19 PM

Okay, I've run Norton and Dr. Web and neither one of them found anything...is that good??? Does this thing just pop up??? I mean, I have installed Daz stuff over the past week, so should it be visible??




CrazyDawg ( ) posted Sun, 30 April 2006 at 11:11 PM

Lzy, if you had it on your system you would know it by now.

I only found out because I had opened IE and my anti-virus program popped up scanning my system and placing all infected files in the quarantine folder.

Dr Web does not pop up; it is not an installer but just an exe file you run from the desktop and use to scan your system.


 



bikermouse ( ) posted Sun, 30 April 2006 at 11:23 PM · edited Sun, 30 April 2006 at 11:27 PM

Lzy,

Excellent. A full scan with Norton completely updated should take care of this thing, according to them. If it does find it you'll need to run a full scan in safe mode with System Restore off. Be aware it hides; it is injected into exe "empty spaces", so you should update and run Norton often until you're sure it's no longer infecting your files.

I ran Dr Web on my whole network - it found an average of two viri per computer, including one on an old W95 game, and the example files for Hacking Exposed, Steal This Book and a couple of security book CDs I have on the Win ME computer. My only complaints about Dr Web are that it is slow, is easily crashed and it isn't resident on the computer - but otherwise it seems very good.

CrazyDawg,

I ran across what Incarnadine said when I was trying to figure out how to set up my network. Googles on the protocol you are using, say TCP/IP (look in Networks in Control Panel to see what your computer uses), should net you a wealth of information.

-TJ


Lzy724 ( ) posted Mon, 01 May 2006 at 9:45 AM

Yes, I've scanned and double scanned and just to be safe, gonna scan again today. LOL....I'm so worried I'm gonna lose stuff, I went and bought tons of DVDs yesterday to back up everything!!! People that invent this stuff should be shot and hung from a pole for all to see. It's just cruel.




bikermouse ( ) posted Tue, 02 May 2006 at 1:35 AM

http://free.grisoft.com/freeweb.php/doc/2

http://www.snapfiles.com/Freeware/security/fwvirus.html

Above is the AVG site - one of the best free AV programs out there - and some others from snapfiles.

There is also something called truesword (no link) but I'd watch that one.   

