Jerusalem Virus? Please help removing them

[Nicholas]

it is found in this file: http://www.aasen3d.com/uploads/8.02-040505a-015447E-ATI.2.rar

more info here:
http://www.warp2search.net/modules.php?name=News&file=comments&op=showreply&tid=23614&sid=18283&pid=23576&mode=&order=&thold=#23614

I got the virus, formatted my windows partition, but afraid other partition might get infected.. avast home not detecting this new virus.

[molio]

Yea this one is a nasty one, none of the antivirus apps I tried detected it so far.

more info here http://www.dslreports.com/forum/remark,10417925~mode=flat~days=9999
also linked in the warp2search thread

[raman]

Which AV-Programm reports a "jerusalem" Virus in that RAR Package?
The only Malware with the name Jerusalem i know is da*n old (1993?)

[molio]

Well afaik it's not the Jerusalem virus at all, but has a similar working method or smt. This one is brand new I think.

[FDisk]

Don't forget who found it.  
This is a really really nasty one. I hope a cure is coming soon. Many people are getting infected.

I don't know if it's some kind of rebirth of the Jerusalem Virus. But it sure acts like one, from what I read about it.

[raman]

Okay, answer me that Question. Which of the files inside that Rar Archive is reported as infected?

[molio]

afaik all the *.exe files in the rar are infected.

Normally most of them would have a nice ATI icon (the non infected 4.6 beta drivers have this) I'm also pretty sure the files are a few KB's larger then the original.

If you were to execute one of'm you'll get infected, you'll also notice the *.exe is listed twice in taskmanger (one clone wich is the actual virus I presume)

[FDisk]

Okay, answer me that Question. Which of the files inside that Rar Archive is reported as infected?

Unrar, Click on the setup and youre INFECTED!
every "exe" file in that RAR without an icon is infected.

After you click on any othe the "exe" files ikernl error pops out and YOURE DONE.

[Nicholas]

the setup.exe file...

I ran it, then went to safe mode (really stupid of me), then my windows exe files all got infected... You can see it when the icons of the files disappeared.

[FDisk]

the setup.exe file...

I ran it, then went to safe mode (really stupid of me), then my windows exe files all got infected... You can see it when the icons of the files disappeared.

Well, don't call yourselfs stupid yet. Even if you would check the files for viruses before running them you would not find anything.  :'(

[molio]

BTW, if you get infected and it spreads don't go thinking *.exe files with icons are safe, after I reformatted I was checking some files and my 3dmark2001 installer wich looked fine launched an extra proces in taskmanager after executing. I quickly closed it and I don't think I got infected again since no other *.exe's show the symptons until now (few reboots have passed)

[FDisk]

NEWS!!!!!!!  http://www.dslreports.com/forum/remark,10417925~mode=flat~days=9999~start=40#10420163

[raman]

Jo!

I:\TEMP\8.02-040505a-015447E-ATI.2.rar\ATICIMUN.EXE ... Found the W32/HLLP.4608
virus !!!
I:\TEMP\8.02-040505a-015447E-ATI.2.rar\CHECKVER.EXE ... Found the W32/HLLP.4608
virus !!!
I:\TEMP\8.02-040505a-015447E-ATI.2.rar\SETUP.EXE ... Found the W32/HLLP.4608 vir
us !!!

Infos:
http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=Win32.Bertlea.4608&product=0

[molio]

so McAfee, eTrust EZ AV & CA VET? detect it, any of those who can clean the files or are the lost forever?

what is CA VET btw?

Nice work guys!

[molio]

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

seems to be able to clean'm ! Icons are restored and didn't detect anything else after scan.