Sounds like a reload!
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 1:48 PM
To: NT System Admin Issues
Subject: RE: .BHF

from symantec.com

System Modifications

When executed the worm determines from where it is being executed. The worm
then overwrites MMC.EXE in the Windows Directory or creates a copy of itself
in the Windows Temporary Directory.

The worm then infects commonly used executables listed in the registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

The worm hooks the system by modifying the system.ini file as follows:

Shell = explorer.exe load.exe -dontrunold

It also replaces the file Riched20.dll. Riched20.dll is a legitimate Windows
.DLL used by applications such as Microsoft Word. By replacing this DLL, the
worm is executed each time applications such as Microsoft Word are executed.

The worm copies itself as the file:

%Windows\System%\load.exe

NOTE: %Windows\System% is a variable. The worm locates the \Windows\System
folder (by default this is C:\Windows\System) and copies itself to that
location.

The worm then attempts to modify files with the extension .htm, .html, and
.asp or filenames matching default, index, main and readme on the local
system that are shared with other network computers. .EXE files are infected
and .EML and .NWS files are replaced by the virus.

Next, the worm creates open network shares for all drives on the computer by
modifying the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\[C$ -> Z$]

A reboot of the computer is required for these settings to take effect.

The worm searches for all open shares on the network by iterating through
the Network Neighborhood. All files on any open network shares are examined
for possible infection. .EXE files are infected by the worm except
WINZIP32.EXE. .EML and .NWS files are copied to the open network shares and
the worm copies itself over as riched20.dll to any directory with .DOC
files.

During execution, the worm may attempt to delete copies of itself. If the
file is in use or locked, the worm will create WININIT.INI with an entry to
delete itself upon reboot.

The worm contains bugs and can be resource intensive. Thus, not all actions
may occur and system instability may be noticeable.

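The host modifications listed in the Symantec description above (the extra "load.exe -dontrunold" on the system.ini Shell= line, the C$..Z$ shares persisted under the LanMan registry key, load.exe dropped in \Windows\System, riched20.dll copied next to .DOC files, and the WININIT.INI self-delete entry) can be turned into a simple post-cleanup check. The script below is an added example written for this thread; it is not Symantec's code and not part of the list's original messages. It runs over constructed sample data (the system.ini text, share names and file paths are made up for the demonstration) rather than reading a live machine, so each check is a plain function that an admin could feed with the real system.ini contents, the share names read from the registry, and a directory listing.

```python
"""Indicator checks for the Nimda host changes described in the Symantec
write-up. Added example with constructed sample input; the functions take
plain strings and lists so they can be fed real data from a cleaned host."""

import re
from typing import Dict, List

# Shell= line hook quoted in the write-up: "explorer.exe load.exe -dontrunold"
SHELL_HOOK = re.compile(r"\bload\.exe\b.*-dontrunold", re.IGNORECASE)
# Drive-letter admin shares the worm creates (C$ through Z$)
ADMIN_SHARES = {f"{chr(c)}$" for c in range(ord("C"), ord("Z") + 1)}


def check_system_ini(text: str) -> List[str]:
    """Inspect the [boot] section of a system.ini file. Flags the worm's
    load.exe hook and, separately, any Shell value other than explorer.exe."""
    findings: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # new section header
            continue
        if section == "boot" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() != "shell":
                continue
            if SHELL_HOOK.search(value):
                findings.append(f"system.ini Shell hook: {value}")
            elif value.lower() != "explorer.exe":
                findings.append(f"system.ini Shell not default: {value}")
    return findings


def check_lanman_shares(share_names: List[str]) -> List[str]:
    """Return the drive-letter admin shares (C$ .. Z$) found among the names
    read from HKLM\\...\\CurrentVersion\\Network\\LanMan; the write-up says
    the worm creates these so every drive becomes an open share."""
    return sorted(s for s in share_names if s.upper() in ADMIN_SHARES)


def check_file_paths(paths: List[str]) -> List[str]:
    """Flag dropped files by path: load.exe in Windows\\System, riched20.dll
    sitting beside .doc files outside the system directory (the legitimate
    copy lives in Windows\\System), and a wininit.ini self-delete entry."""
    findings: List[str] = []
    norm = [p.replace("/", "\\").lower() for p in paths]
    doc_dirs = {p.rpartition("\\")[0] for p in norm if p.endswith(".doc")}
    for p in norm:
        folder, _, name = p.rpartition("\\")
        in_system_dir = folder.endswith("\\system")
        if name == "load.exe" and in_system_dir:
            findings.append(f"dropped loader: {p}")
        elif name == "riched20.dll" and folder in doc_dirs and not in_system_dir:
            findings.append(f"riched20.dll beside .doc files: {p}")
        elif name == "wininit.ini":
            findings.append(f"self-delete on reboot: {p}")
    return findings


# Constructed sample data modelled on the write-up, not captured from a host.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=explorer.exe load.exe -dontrunold
drivers=mmsystem.dll
[386Enh]
"""
SAMPLE_SHARES = ["C$", "D$", "PUBLIC", "e$"]
SAMPLE_PATHS = [
    r"C:\Windows\System\load.exe",
    r"C:\Windows\System\riched20.dll",   # legitimate copy, not flagged
    r"C:\Docs\report.doc",
    r"C:\Docs\riched20.dll",             # worm copy next to a .doc
    r"C:\Windows\wininit.ini",
]


def scan(system_ini: str = SAMPLE_SYSTEM_INI,
         shares: List[str] = SAMPLE_SHARES,
         paths: List[str] = SAMPLE_PATHS) -> Dict[str, List[str]]:
    """Run all three checks and return the findings grouped by source."""
    return {
        "system_ini": check_system_ini(system_ini),
        "shares": check_lanman_shares(shares),
        "files": check_file_paths(paths),
    }


if __name__ == "__main__":
    for source, items in scan().items():
        for item in items:
            print(f"[{source}] {item}")
```

The Shell= check deliberately reports any non-default shell as a second, weaker finding, so a host where the hook was trimmed but something else was left in place still shows up; a clean system.ini with `shell=explorer.exe` returns no findings.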

-----Original Message-----
From: David Coffey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 11:37 AM
To: NT System Admin Issues
Subject: .BHF


Hi everyone,
As most did we too got hit with the NIMDA virus.  Has anyone experienced
problems with Windows Explorer.exe after cleaning up your nt server?
Also, I'm now getting a message at startup that says: "Windows is
searching for Connect from ouside.BHF. To locate the file yourself, click
Browse."  I can't find any information on this .bhf file and I am
wondering if it's virus related. Lastly when I get the Dr. Watson for
explorer.exe I also lose the Norton icon from the tray?
Thanks,
Dave

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
