Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Steele on February 28, 2004, 10:28:52 PM

Title: WORM_BEREB.B
Post by: Steele on February 28, 2004, 10:28:52 PM
How do I get rid of this virus/worm?

http://www.techsupportforum.com/computer/topic/13096-1.html

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BEREB.B

I got it through WinMX when downloading a zip file. Interesting how Avast4Home did not pick it up with the resident shield.  :'(
Title: Re:WORM_BEREB.B
Post by: Vlk on February 28, 2004, 10:31:41 PM
And the on-demand did detect it?
Title: Re:WORM_BEREB.B
Post by: Steele on February 28, 2004, 10:35:25 PM
I have isolated the file as "SVCKERNELL.COM". It also created a folder called "startrwin" and places "startrwin" in the WINDOWS folder.

SVCKERNELL.COM is listed in the processes (in Windows 98SE) when I press ctrl-alt-del...ONLY BEFORE Windows completes loading my desktop. I caught it in time to find out what the foreign startup program was called. I think it tries to hide itself.

Should I send it to you VLK? I've never tried sending a virus before??  ???

VLK: Let me try a THOROUGH scan option first.
Title: Re:WORM_BEREB.B
Post by: Vlk on February 28, 2004, 10:37:40 PM
Yes please zip the file with a password and send it (together with the password) to the address

virus (AT) avast (DOT) com

The analysts will take a look at it.

Thanks
Vlk
Title: Re:WORM_BEREB.B
Post by: Steele on February 29, 2004, 12:08:02 AM
VLK :)

I sent the virus to them in a password protected .ZIP file.

Thanks for your help.
The virus was later detected... but the resident on access shield did not.... despite it being a .EXE extension.

This information was helpful from TrendMicro:

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Taskmanager = "C:\Windows\taskmgr.com"
OR
Svckernell = "c:\windows\svckernell.com"
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory, as described in the previous procedure, restart your system.

The svckernell.com was in my registry. I removed it.
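
The registry check from the TrendMicro steps quoted above, as an added example that is not part of the original posts or of TrendMicro's text: it parses a REGEDIT4-format export and reports the two Run values named in those steps. The sample export and the function names are constructed for illustration.

```python
import re

# Run-key values named in the TrendMicro steps quoted above (name -> target).
BEREB_ENTRIES = {
    "taskmanager": r"c:\windows\taskmgr.com",
    "svckernell": r"c:\windows\svckernell.com",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

# One '"name"="data"' line of a REGEDIT4 export; a backslash escapes the next char.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (assumption: not captured from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Svckernell"="c:\\windows\\svckernell.com"
"TASKMANAGER"="C:\\WINDOWS\\TASKMGR.COM"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ExampleService"="C:\\Example\\svc.exe"
'''


def unescape(text):
    """Undo the backslash escaping regedit applies to exported strings."""
    return re.sub(r"\\(.)", r"\1", text)


def find_bereb_autostarts(export_text):
    """Return (name, target) pairs under the Run key that match BEREB_ENTRIES."""
    hits, in_run_key = [], False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive, so compare lowercased.
            in_run_key = line[1:-1].lower() == RUN_KEY
            continue
        match = VALUE_RE.match(line) if in_run_key else None
        if match:
            name, target = unescape(match.group(1)), unescape(match.group(2))
            if BEREB_ENTRIES.get(name.lower()) == target.lower():
                hits.append((name, target))
    return hits


if __name__ == "__main__":
    for name, target in find_bereb_autostarts(SAMPLE_EXPORT):
        print(f"delete Run value {name!r} -> {target}")
```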
Title: Re:WORM_BEREB.B
Post by: Lisandro on February 29, 2004, 02:35:16 PM
The virus was later detected... but the resident on access shield did not.... despite it being a .EXE extension.

Just a curiosity: have you installed Norton SystemWorks (or NAV) at any time - even in the past - on your computer?
It messes up your registry and you would be in danger with on-access scanning of .exe files...

You can read more here (http://www.avast.com/forum/index.php?board=2;action=display;threadid=1687).
Title: Re:WORM_BEREB.B
Post by: Vlk on February 29, 2004, 02:37:07 PM
Steele you may also consider moving the On-Access scanner sensitivity slider to the High position. Otherwise, the files are not usually scanned unless they're executed (i.e. the virus is trying to activate).
Title: Re:WORM_BEREB.B
Post by: Steele on March 04, 2004, 12:41:00 AM
That's a good idea. Thank you VLK!  ;D

Also, I sent my virus into avast. They're going to add it into future detections A.S.A.P.

~Steele Wolf~
Title: Re:WORM_BEREB.B
Post by: Steele on March 04, 2004, 12:42:48 AM
Also no. I have NEVER used another AntiVirus product.

I did a recent clean install of XP then just installed AVAST4HOME.  ;D

Norton?  ???
Yuck! :o
Never!!  ;D