My wife and I have a home network and her computer is the host. She repeatedly receives warnings from the Norton Anti-virus that it has found a worm named Brazil.exe. She then follows the recommended procedure and also deletes the quarantined files, but it keeps happening. The file does not turn up in any kind of search we have tried.
What can we do?

Have you disabled "system restore" when you are following recommended procedures? After you finish using the procedures re-enable "system restore". Take care and all the best!


Did you take a look at the post I had on here?
http://www.computing.net/security/wwwboard/forum/2897.html

The following is a post I submitted on the "solving the OPASERV WORM" thread (this virus has also been talked about in the alever.exe thread, the W32.Opaserv.Worm virus scrsvr.exe thread, and the brasil.pif thread.)
I was one of the lucky ones who got the full blown effect of the Opaserv worm. I had scrsvr.exe, brasil.pif, and then alevir.exe. Norton Anti-Virus would always detect it trying to run, but it could never keep my system clean from it. I followed all of their directions, downloaded all of their tools, kept my win.ini file clean, made dummy scrsvr.exe files, etc. And the stupid things kept coming back!!! I wrote Norton email after email, telling them that their anti-virus software isn't stopping the virus from getting on my computer. I sent them brasil.pif on October 21, and then finally, on October 25, they listed it as a threat, claiming it was discovered on October 25. Stupid liars. And all the while, the virus kept coming back. Because of all of this, I feel that I have to resort to caps to make the following point =)
IF YOU SIMPLY USE NORTON ANTIVIRUS AND DELETE CERTAIN FILES AND REGISTRY ENTRIES THE VIRUS CREATES, THE WORM WILL COME BACK! THE VIRUS USES PORTS 137-139 ON YOUR COMPUTER TO WORK. YOU MUST CLOSE THOSE PORTS.
So, I resorted to closing my ports 137-139 (Turning off NetBIOS), and my computer has not reported a virus for 6 days now. (It used to report it every 15 minutes.) Before, from what I could tell, I could clean the viruses off my system using simple techniques such as removing the lines out of win.ini and my registry. I'd stay virus free until I'd connect to the internet, and then *bang* the viruses were back, sometimes in a new morphed form (brasil.pif or alevir.exe). It appears the virus uses a security flaw in Windows (I'm running win 98), by communicating to your computer through these ports, and by turning off ports 137-139, you fix it.
I found a nice site that describes how to turn off these ports in detail, and it has simple to follow steps with handy screenshots. The site is here.
https://grc.com/x/ne.dll?bh0bkyd2
Run the "Probe my Ports" test first for kicks, it should show you that your computer is vulnerable in the ports that this virus uses. Next, go to section 5 "Network bondage". That will describe how to turn off these ports. By the way, this shouldn't affect your computer's network connections at all. It just redistributes network communication in the proper way, and you simply just close off ports 137-139 to those that shouldn't have access to it. Once you do this, the virus should be blocked from coming back every time you connect to the internet.
Good luck!
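A small self-check for the two things the post above describes, added here as an example and not part of the original thread: it looks for the file names mentioned in this thread in the `run=`/`load=` lines of a win.ini, and tests whether the NetBIOS session port (TCP 139) accepts connections. The sample win.ini is constructed, the function names are hypothetical, and the port check covers only TCP 139, not UDP 137/138.

```python
import ntpath
import socket

# File names reported in this thread (scrsvr.exe, brasil.pif, alevir.exe).
THREAD_NAMES = {"scrsvr.exe", "brasil.pif", "alevir.exe"}

# Constructed sample win.ini, not taken from a real machine.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\scrsvr.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

def suspicious_autoruns(ini_text, names=THREAD_NAMES):
    """Return (key, path) pairs from [windows] run=/load= that name a listed file."""
    hits, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() not in ("run", "load"):
            continue
        # run=/load= may hold several programs separated by spaces or commas
        # (assumes short paths without embedded spaces).
        for item in value.replace(",", " ").split():
            if ntpath.basename(item).lower() in names:
                hits.append((key.strip().lower(), item))
    return hits

def netbios_session_open(host="127.0.0.1", port=139, timeout=1.0):
    """True if a TCP connection to the NetBIOS session port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    print("autorun hits:", suspicious_autoruns(SAMPLE_WIN_INI))
    print("TCP 139 reachable locally:", netbios_session_open())
```

A clean win.ini with TCP 139 still reachable from the internet side matches the situation the post describes, where the files keep returning after removal.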

Thank you Brad!
Your reply was certainly an eye opener. I suppose Norton is just like any other big company, i.e. dysfunctional.
You would think that they would realize how the virus works and create a patch for their application that would prevent the virus from re-infecting. Oh well.
Some people's kids...

I don't know whether to hate Norton or just give them the benefit of the doubt...
On one hand, they sat on brasil.pif for 6 days while it was out, definitely 4 days for sure (I sent it to them on October 21), and yet they claim it was discovered on October 25th. Kind of makes them look good when they list the virus as being discovered on Oct 25 along with having a fix made by Oct 25.
But, the scrsvr.exe seems to work very differently than other viruses in the past. This one takes advantage of a security flaw in the way Windows binds your computer's networking protocols and adapters together, along with updating itself over the internet. To me, this appears to be *outside* of Norton Anti-virus's domain. I don't think Norton should have the right to fix bugs for Microsoft, or scan your internet connection for viruses being transferred, or block certain ports (137-139) without your knowledge. This is definitely far outside the realm of what Norton Anti-Virus is intended to do, and more along the lines of security and firewalls.
The one thing I do think Norton should do is at least mention on their website that people are getting this virus over and over, and that blocking the ports seems to do the trick. Because by only using Norton's suggestions, you'll never get rid of the virus.

I agree.
What I meant by the patch was an update to NAV giving it a function where it could, with user permission, close the ports in question.
That, I think, would be OK with me, since I am currently struggling to figure out how to open certain ports I want open so I can host on-line games from my client computer.

Alright, we finally found the ultimate fix to the. Ya, others knew about this fix too, but hey, this article explains it all, and it's easy to understand. It explains in detail how it works, and 3 methods you can use to stop it.
http://www.computing.net/security/wwwboard/forum/3289.html
Brad Peterson
b_peterson@yahoo.com
Feel free to email me if you need any help removing this virus.
