MSN Messenger Worm Removal - Printable Version


MSN Messenger Worm Removal by vn2k5 on 03-18-2005 at 05:20 PM

Hi,

From what I have heard this is a rapidly spreading threat, which automatically sends itself to everybody on your contact list. I got sent a file called 'Best_Friend.scr' by one of my contacts and it turned out to be a .exe file and a virus. I have read up on the entire virus and removal instructions on http://securityresponse.symantec.com/avcenter/ven...w32.yaha.k@mm.html.

I am not sure this is the actual virus I have, but it is either this or something VERY similar.

I got to removal instruction number 3 (copying Regedit.exe to Regedit.com), but when I go Start > Run > command, the MS DOS application will not let me type in it on my laptop, but it does on this PC? (This is in Safe Mode).

Any ideas? Any help would be greatly appreciated!!


RE: MSN Messenger Worm Removal by user27089 on 03-18-2005 at 05:34 PM

It's called the Bropia Worm, it's going through MSN Messenger at the moment, there have been many threads throughout the forum about it and its removal.

Here they are:

Webcam_015.pif -- Virus??
Trojan attack - mind helping?
New Virus
BROPIA
Virus on MSN
Messenger and Viruses
Virus?
I have a virus, but which?
help!! Got a virus, don't know wich!!
Virus Alert


RE: MSN Messenger Worm Removal by vn2k5 on 03-18-2005 at 05:37 PM

No, it was none of the file names for that worm. I received 'Best_Friend.scr'


RE: MSN Messenger Worm Removal by user27089 on 03-18-2005 at 05:38 PM

Yes, it comes in the form of *.scr, *.pif + *.exe, not only one filetype, it's an advanced worm really :s... not that advanced, but it's spread quickly etc.


RE: MSN Messenger Worm Removal by vn2k5 on 03-18-2005 at 05:40 PM

Oh, all I need to know is how to type in DOS :@

I type 'command' but it won't let me type in the window that appears


RE: MSN Messenger Worm Removal by user27089 on 03-18-2005 at 05:41 PM

Press the Windows button + R, then type in 'cmd'... not command.


RE: MSN Messenger Worm Removal by vn2k5 on 03-18-2005 at 05:41 PM

Tried that too


RE: MSN Messenger Worm Removal by user27089 on 03-18-2005 at 05:43 PM

Command + Cmd are different things... AFAIK...

But yeah, what does it say when you open up the command prompt?


RE: MSN Messenger Worm Removal by vn2k5 on 03-18-2005 at 05:54 PM

It just says the normal stuff:

Microsoft<R> Windows DOS
<C>Copyright Microsoft Corp 1990-2001.

C:\DOCUME~1\USERNAME>


(this is command.com, not command.exe). Part of the virus means when a .exe file is executed, it automatically closes it as this is what it has instructed the registry to do. So when I try running 'cmd' that closes too because it's .exe, but when I try running 'cmd.com' it says cannot be found.

CAN SOMEONE PLEASE HELP ME YOU DON'T KNOW HOW MUCH THIS IS ANNOYING ME!!!!!!!!!!!!!!


RE: MSN Messenger Worm Removal by user27089 on 03-18-2005 at 06:18 PM

Have you tried running in safe mode and seeing if anything can be fixed via that?

Like, go to safe mode and run an antivirus or something.


RE: MSN Messenger Worm Removal by vn2k5 on 03-18-2005 at 06:21 PM

:| I AM doing all this in Safe Mode!! As I said if I open a .exe file (e.g. AntiVirus), that will just close automatically as the worm has commanded it to do! :@


RE: MSN Messenger Worm Removal by user27089 on 03-18-2005 at 06:25 PM

Hmm, I can't see why a worm would do this, have you considered formatting?


RE: MSN Messenger Worm Removal by vn2k5 on 03-18-2005 at 06:29 PM

It is part of the worm!

3. Configures itself to run each time an .exe file runs, by changing the default value of the registry key:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
to:
C:\%System%\Nav32_loader.exe"%1 %*



5. Attempts to end the antivirus and firewall processes. The worm inventories the active processes, and if the name of the process contains one of the following, it attempts to end the process:


RE: MSN Messenger Worm Removal by user27089 on 03-18-2005 at 06:30 PM

Why don't you just re-format the computer? If you can't run any .exe's, you can't run any anti-virus removal software and can't end any processes that are being used by the worm, therefore not being able to delete it. Re-boot and perform a re-format, if I were you :-/.


W32.Yaha.K@mm Worm by vn2k5 on 03-18-2005 at 08:09 PM

Hi,

I know I have mentioned this problem in previous posts, but to avoid any confusion I have decided to create a new thread to explain my problem in detail.

I have a worm on my computer (which I think is W32.Yaha.K@mm or something very similar - see http://securityresponse.symantec.com/avcenter/ven...32.yaha.k@mm.html). I received it through MSN Messenger, a file named 'Best_Friend.scr' (there are many variances) from a contact of mine. It is actually a .exe (executable) file disguised as a screensaver file. I regrettably accepted and ran the file, which has since edited my registry and caused numerous problems.

This worm terminates some antivirus and firewall processes. It uses its own SMTP engine to email itself to all the contacts in the Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager, and all the files whose extensions contain the letters HT. The email message has a randomly chosen subject line, message, and attachment name.

This threat is written in the Microsoft C++ language and is compressed with UPX. The uncompressed size is about 75 KB.

I have followed the removal instructions from the Symantec website, but I am stuck on the third step - typing text into the MS DOS window once the command.com prompt has been run. I have to run .com prompts instead of .exe so that the worm does not automatically terminate the process (like it does with AntiVirus etc). It has also edited the registry so useful things like 'Folder Options' from the 'Tools' menu have been removed, so I now cannot view hidden files or change file types.

Once I am able to type in DOS, I can complete the rest of the removal process. I am in desperate need of help in this situation!

Edit by WDZ: threads merged
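
Added example (not part of the original thread or of Symantec's instructions): the `exefile\shell\open\command` change quoted above can be checked offline from a registry export taken on the affected machine. The function names and the sample export are constructed for illustration; the stock value `"%1" %*` is the Windows default for the listed handlers.

```python
import re

# Stock default value of <progid>\shell\open\command for these handlers.
EXPECTED = '"%1" %*'
WATCHED = ("exefile", "comfile", "batfile", "piffile", "cmdfile")

KEY_RE = re.compile(
    r"^\[(?:HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes|HKEY_CLASSES_ROOT)"
    r"\\(\w+)\\shell\\open\\command\]$",
    re.IGNORECASE,
)

# Constructed sample in .reg export syntax; the exefile value is the one quoted
# in the thread. Real exports are UTF-16: decode before calling the function.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\%System%\\Nav32_loader.exe\"%1 %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command]
@="\"%1\" %*"
'''


def unescape(reg_string):
    """Undo .reg escaping, where backslash and double quote are backslash-escaped."""
    return re.sub(r"\\(.)", r"\1", reg_string)


def find_hijacked_handlers(reg_text):
    """Return {progid: command} for watched handlers whose default value is not stock."""
    findings, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            progid = m.group(1).lower() if m else None
            current = progid if progid in WATCHED else None
        elif current and line.startswith("@="):
            value = line[2:]
            if value.startswith('"') and value.endswith('"'):
                value = unescape(value[1:-1])
            # Anything else (e.g. hex(2): data) is reported raw for manual review.
            if value != EXPECTED:
                findings[current] = value
    return findings


if __name__ == "__main__":
    for progid, command in find_hijacked_handlers(SAMPLE_EXPORT).items():
        print(f"{progid}: open command is {command!r}, expected {EXPECTED!r}")
```
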