Name this Virus....

[pochrist1]

I can't get a lock on what this Virus is called but it's a good one, on a customers computer. Here are the characteristics:

Replicates through E-mal
Loads up on Restart (on Win me) if I go to the "Close Program" dialog box (Crtl-Alt-Del) it show up in 5 characters ex. QJ2Td, JISD25,etc. Never the same combonation.

If I let the system sit for about 3 minutes after windows desktop is fully loaded, all the Icons and taskbar disappear

Worst of all, it eats hard drive space up like a wild fire. When I first got the computer from the customer, Windows reported low disk space on C: , only 2.3mb left, I cleared off 300mb, after a restart, that number dropped to around 200mb, and with every restart the size drops till I get "low disk space" warnings. I can only operate without problems in safe mode, for now. I want to find out what it is, destroy it then attempt to backup some files and format and re-partition. Anybody got a clue. I remeber reading about some like this recently, but can't remember enough to help myself, Norton Antivirus couldn't stop it, because somebody dissabled the live update in January 2002. So I hope you guys can help. TIA

[blink]

pochrist1 i think i had the same type of virus last week-8/18.norton's didn't have a remedy then.see post "virus"

[geoscomp]

You may have more than one problem working here..there is a winME problem with system restore that causes more and more disk space to disappear:
http://support.microsoft.com/default...;en-us;Q299266

If you have a file infector virus, in combination with this..you could have the problems you describe. I would make the assumption that the virus infection was about the same time that the autoupdate feature was disabled, since this is currently a favorite trick of a number of virus types.
You need to find a set of boot disks to check for mem resident viruses as well as clean the maching before it boots up. I use panda platinum on a win 98 machine to make these boot disks, and this gives me the ability to upgrade the antivirus definitions to the latest ones before scanning, but I do think there are other ones out there you can use.

[Stalemate]

Sounds a bit like W32.Magistr when pertaining to dektop icons, but the randomly generated "executable" doesn't fit it's profile - that sounds more like Klez.

Have you thought about submitting this problem to your antivirus vendor?

[geoscomp]

I thought about that as well, Adept, but klez (at least the latest versions) use a wink***.exe that you usually find with ctrl/alt/del and the desktop icon problems that I have seen with virii don't usually wait a while and then disappear. I think the random exe files have to be virus related, but am wondering if the other problem has to do with system instability due to a vanishing swap file. I have seen all sorts of weird problems related to this, and if he is starting with only 200mb free, it is conceivable that he has no room for the swap file at all after system restore starts writing it's files

[pochrist1]

***UPDATE***
Well did a Format/restore, Updated Norton, Setup Customers E-mail account and she was flooded with 360 e-mails, 320 were quarentined all infected with W32.Klez.H@mm .

[Stalemate]

Live and learn...