Trojan, variant Generic.ca

Guest

A virus scan result with McAfee scanning engine v4.4.00 (virus data file
v4553 created 08 Aug 2005) revealed the presence of a trojan or variant
Generic.ca in C:\Program Files\WordWeb\wordweb.exe\WWEB32.EXE .

I downloaded WordWeb in December 2004 which I use infrequently. Previous
scan results never indicated a problem.

Other scan engines such as Sophos v3.96.0 and Trend 3.9 (both updated Aug
05), Spyware Doctor, Spybot S&D, Ad-Aware se, AntiVir, AVG, MS AntiSpyware
and Norton 2003 have not detected this problem. Spyware Blaster is also
checked daily for updates but it seems this trojan slipped through the cracks.

The Virus Scan Report File generated by McAfee states to send a copy of the
WordWeb File to McAfee which I did but no response from them.

Also, when I downloaded WordWeb an icon was placed in the service tray of my
computer, which I consequently removed by deleting the appropriate registry keys. I
placed a shortcut icon on my desktop. The appearance of this shortcut icon has
changed from the distinctive red "W" to a generic Windows-type icon.

I also sent a copy of the file to VirusTotal but the scan was refused as
the file is too big - 6.10 MB.

Would somebody please advise as to how to get rid of this virus and if I should
delete WordWeb from my computer.
Thanks.
 
Carey Frisch [MVP]

Please consult the experts in the virus removal newsgroup:
news://msnews.microsoft.com/microsoft.public.security.virus

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

David H. Lipman

From: "Kayman" <[email protected]>

| A virus scan result with McAfee scanning engine v4.4.00 (virus data file
| v4553 created 08 Aug 2005) revealed the presence of a trojan or variant
| Generic.ca in C:\Program Files\WordWeb\wordweb.exe\WWEB32.EXE .
|
| I downloaded WordWeb in December 2004 which I use infrequently. Previous
| scan results never indicated a problem.
|
| Other scan engines such as Sophos v3.96.0 and Trend 3.9 (both updated Aug
| 05), Spyware Doctor, Spybot S&D, Ad-Aware se, AntiVir, AVG, MS AntiSpyware
| and Norton 2003 have not detected this problem. Spyware Blaster is also
| checked daily for updates but it seems this trojan slipped through the cracks.
|
| The Virus Scan Report File generated by McAfee states to send a copy of the
| WordWeb File to McAfee which I did but no response from them.
|
| Also, when I downloaded WordWeb an icon was placed in the service tray of my
| computer, which I consequently removed by deleting the appropriate registry keys. I
| placed a shortcut icon on my desktop. The appearance of this shortcut icon has
| changed from the distinctive red "W" to a generic Windows-type icon.
|
| I also sent a copy of the file to VirusTotal but the scan was refused as
| the file is too big - 6.10 MB.
|
| Would somebody please advise as to how to get rid of this virus and if I should
| delete WordWeb from my computer.
| Thanks.
|

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

When you click on the file "WWEB32.EXE", how big is it ?

If the file handle is held open then you may not be able to submit it to Virus Total, as
the error message will be the same if it is too big or "zero bytes", which will happen if the
file is in use.


You can use the following Multi AV Command Line Scanner front end utility to scan your
computer.

After you execute Multi_AV.exe you'll find a folder called; C:\AV-CLS

In the folder C:\AV-CLS you will find the file; killproc.txt [ C:\AV-CLS\killproc.txt ]

Open it in your text editor (double click on the killproc.txt file) and append to the list
WWEB32.EXE and then save the file.

It should then have the following contents...

iexplore.exe
firefox.exe
WWEB32.EXE


Then follow the rest of the below instructions but start with the McAfee module...




Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare }, three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
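
Added example (not part of the original thread, and not code from Multi_AV or VirusTotal): a local Python check that separates the two refusal causes described in the reply above, an oversized file versus a file that reads as zero bytes because it is in use, before anything is uploaded. The name `presubmit_check`, the status strings and the 1 MB = 1024*1024 convention are assumptions; the 5 MB and 10 MB limits and the 6.10 MB size are the figures quoted in this thread.

```python
import hashlib
import os
import tempfile

MB = 1024 * 1024  # assumption: the service counts a megabyte as 1024*1024 bytes


def presubmit_check(path, limit_bytes):
    """Classify locally why a scanning service would refuse `path`.

    Returns a dict whose 'status' is one of:
    missing, locked, empty, too_big, ok.
    """
    try:
        reported = os.path.getsize(path)  # size as recorded in the directory
    except OSError as exc:
        return {"status": "missing", "detail": str(exc)}

    digest = hashlib.sha256()
    readable = 0
    try:
        # On Windows this open typically fails with a sharing violation
        # (raised as PermissionError) when another process holds the file
        # open without read sharing, i.e. the "file in use" case.
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(64 * 1024), b""):
                digest.update(chunk)
                readable += len(chunk)
    except PermissionError as exc:
        return {"status": "locked", "reported": reported, "detail": str(exc)}

    result = {
        "reported": reported,
        "readable": readable,
        # The hash identifies exactly which bytes were later sent to a vendor.
        "sha256": digest.hexdigest(),
    }
    if readable == 0:
        # An uploader would send nothing; the service sees "zero bytes".
        result["status"] = "empty"
    elif readable > limit_bytes:
        result["status"] = "too_big"
    else:
        result["status"] = "ok"
    return result


def demo():
    """Run the check on constructed sample files (not real samples)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"\0" * int(6.10 * MB))  # same size as the file in the thread
        empty = os.path.join(tmp, "empty.bin")
        open(empty, "wb").close()
        missing = os.path.join(tmp, "not-there.bin")
        return {
            "5MB limit": presubmit_check(sample, 5 * MB)["status"],
            "10MB limit": presubmit_check(sample, 10 * MB)["status"],
            "zero bytes": presubmit_check(empty, 10 * MB)["status"],
            "missing": presubmit_check(missing, 10 * MB)["status"],
        }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```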
 
Guest

Re: VirusTotal Response.
"The attached file is too big. Only up to 5MB files will be scanned."

The WWEB32.EXE file is 6.10MB and was closed/not in use when submitting it to
VirusTotal.

Re:Multi AV Command Line Scanner.

The MULTI_AV.EXE was downloaded successfully.

Prior to double clicking 'Start Menu' the software FireWall was disabled.

The components were downloaded as follows:-
McAfee.
The download was successful. (I noticed that a "Download Progress
Indicator/Monitor" identical to Trend and Sophos is installed).
After downloading operation a window popped up asking if a scanning should
start, I clicked "No".

I rebooted and successfully downloaded Trend. After downloading operation I
clicked "Exit" to the Trend scanning application.

I rebooted and successfully downloaded Sophos. After downloading operation a
window popped up asking if scanning should start, I clicked "No".

My F8 key will not for some reason prompt Safe Mode operation. In order to
go to Safe Mode I click Start==>Run then type msconfig into the space
provided==>Ok, The System Configuration Utility will appear. I then click the
tab BOOT.INI and under Boot Options place a tick in the \SAFE BOOT box. Then
click Ok, a re-start window pops up, click Ok which brings me to SAFE MODE.

Using the default folder C:\AV-CLS I re-ran the menu. As per your
instructions I added and saved WWEB32.EXE to killproc.txt . Then I started
with the McAfee module by hitting #3 on my keyboard. The following message
popped up:
c:\AV-CLS\McAfee\update.ini not opened for READ, error code: [1]
I tried several times, the same message pops up.

While still in safe mode I was able to scan with Trend and Sophos. The scans
however did not reveal any problems/viruses.

I rebooted in normal mode and downloaded McAfee one more time ensuring that
the software FireWall (Norton 2003) was disabled.
ftp://ftp.nai.speedera.net/pub/antivirus/superdat/intel/sdat4555.e 'sdat
4555.exe'
Resolving ftp.nai.speedera.net[209.133.111.2051:21 ... connected .
Logging in as anonymous ... Logged in !
==>SYST .. done. ==>PWD .. done,
==>Type I .. done. ==>CWD /pub/antivirus/superdat/intel .. done.
==>PASV .. done. ==>RETR sdat 4555.exe .. done.
Lenghts: 7,316,571 (unauthoritative).
All this was followed by the new "Download Progress
Indicator/Monitor".

After download a window popped up asking if scanning should start. This time
I clicked "Yes". The scanning operation started and was completed after 27'
34".
One (1) file possibly infected.
C:\Program Files\WordWeb\wordweb.exe\WWEB32.EXE ... Found trojan or variant
Generic.ca . Please send a copy of the file to McAfee (which I did not do
this time).

After this scanning operation I rebooted in Safe Mode, opened the default
folder C:\AV-CLS, re-ran the menu and hit #3 to run McAfee.
Unfortunately the same message popped up as previously.

Well, I rebooted in normal mode and tried to update the McAfee scanning
engine which following your recommendation I downloaded 10 July 2005 for
removing the SPR/Madtol.C Virus.
I was able to update this scanning engine 9 August 2005 with virus data file
v4553 created Aug 08 2005 but failed to update the latest creation of Aug 10
2005. Something is somehow blocking or disallowing the updating/downloading
process.
Again, thank you in advance for your kind assistance.








Guest

Correction to my last paragraph - I originally downloaded the McAfee scanner
July 04 '05 for removing the "Lien Van de Kelderrr" virus.key-logger.

David H. Lipman

From: "Kayman" <[email protected]>

| Correction to my last paragraph - I originally downloaded the McAfee scanner
| July 04 '05 for removing the "Lien Van de Kelderrr" virus.key-logger.

Since we last communicated, I updated the McAfee module such that it would not use the OS
FTP.EXE utility to download the needed McAfee files but would instead use the WGET.EXE
utility's FTP capability.
 
Guest

Thank you for advising the updating issue with respect to the McAfee module.
I presume that this response is relating to my message "Correction to my last
paragraph".

Prior to my message concerning "Correction to my last paragraph" I answered
your question with respect to the file size of WWEB32.EXE (VirusTotal
related) and reported the results with respect to Multi-AV.

Please advise if my response with respect to the failed attempt scanning
with McAfee in F8 mode within Multi-AV set-up is not detailed enough.

As I am unable to run McAfee within the Multi-Av set-up, would it be
possible downloading the new version of McAfee v4.40.00 as a stand alone
application?

Should I try to re-send the virus scan results (normal mode) to McAfee?
 
David H. Lipman

From: "Kayman" <[email protected]>

| Thank you for advising the updating issue with respect to the McAfee module.
| I presume that this response is relating to my message "Correction to my last
| paragraph".
|
| Prior to my message concerning "Correction to my last paragraph" I answered
| your question with respect to the file size of WWEB32.EXE (VirusTotal
| related) and reported the results with respect to Multi-AV.
|
| Please advise if my response with respect to the failed attempt scanning
| with McAfee in F8 mode within Multi-AV set-up is not detailed enough.
|
| As I am unable to run McAfee within the Multi-Av set-up, would it be
| possible downloading the new version of McAfee v4.40.00 as a stand alone
| application?
|
| Should I try to re-send the virus scan results (normal mode) to McAfee?
|
| "David H. Lipman" wrote:
|

Send the scan results to McAfee? No. They want the file.
Zip the file and password protect the file with the password = infected.

Send the password protected ZIP file to; (e-mail address removed)

Either that or submit it to McAfee/AVERT Web Immune - https://www.webimmune.net/default.asp

However, I think the file is too big to submit to Web Immune.
 
Bernardo Quintero

| I also sent a copy of the file to VirusTotal but the scan was refused as
| the file is too big - 6.10 MB.

We have changed the maximum limit to 10MB.

Test again, please.

Thanks,

Bernardo Quintero
 
Guest

VirusTotal have increased the file size limits from 5MB to 10MB. Their scan
results confirmed the presence of "Generic.ca" which was found by McAfee
version 4556 updated 08.11.2005. Another scanning engine called Fortinet
version 2.36.0.0 updated 08.12.2005 reported "suspicious". All other scan
engines reported "no virus found".
A password protected zip file of WWEB32.EXE was submitted to virus_research
but no response as yet.
Thanks for continued assistance.
 
David H. Lipman

From: "Bernardo Quintero" <[email protected]>


|
| We have changed the maximum limit to 10MB.
|
| Test again, please.
|
| Thanks,
|
| Bernardo Quintero


Thanx for browsing the MS News Groups. I hope that you also include...

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus
alt.privacy.spyware
 
