
W32.MFG.Tassos@mm Hoax

Risk Level 1: Very Low

Discovered:
June 4, 2003
Updated:
June 4, 2003 4:33:58 PM
Systems Affected:
Windows XP, Windows NT, Windows 2000
W32.MFG.Tassos@mm is a hoax email message currently in circulation. The hoax instructs recipients to delete legitimate Windows files, including ntdetect.com and the .msc files in the system folder. Deleting these files may prevent Windows NT/2000/XP systems from starting properly or cause loss of functionality.

The hoax email message typically appears as follows:
From: NAV_INFORMATION_CENTER
Subject: New Virus! be patient!

Message Text:
"Dear all,

I am sorry to tell you that one of our mail-server was infected by W32.MFG.Tassos@mm. I had this Virus on my PC. You may be have received
this virus if you read or send any mail the last 9 days. A infection is only possible on windows systems. The virus would be detected by NAV if
you have the latest definition list. Infected mails seems to be clean, but they run a pernicious local windows-script that modifies or deletes the rundll32.exe and the aspi4.dll. It also modifies some registry entries. This virus makes copys of his sefl till your harddrive is totally full. Any mail can be infected. After cleaning your system, install the latest Definition list from symantec. The virus reads your Outlook-contacts, and will be sended to any one of them, if there is an e-mail address registered. There are 2 ways to check if you are infected, and if yes, to resolve this infection:

1) Automatic Recovery Tool from Symantec:

Go to following link and follow the instructions:

http://securityresponse.symantec.com/avcenter/venc/data/w32.mfg.tassos@mm..removal.tool.html Please be sure that you run this tool in save mod.


WARNING!!!
FOLLOWING STEP DESCRIBES MODIFYING OF WINDOWS REGISTRY. DON'T PROCEED IF YOU ARE SURE THAT YOUR SYSTEM IS NOT INFECTED. PLEASE CONTACT YOUR ADMINISTRATOR TO MODIFY THE REGISTRY IF YOU ARE NOT SURE HOW TO DO IT, OR IF YOU DON'T KNOW IF YOU HAVE TO.


2) Manual Detection and desinfection:

a) Print this mail out
b) close any running programms, especialy these programms that use internet connection (Netscape, Internet Explerer, Outlook, Messenger e.t.c.)
c) Plug your networkkables (also ISDN Cable or Modem Cable) out from your PC and determinate any W-LAN-Connections.
d) Click on Start -> Run -> regedit
e) Search for following key:
"\\HKEY_LOKAL_MACHINE\SOFTWARE\Microsoft\Windows\Run" If you see a folder called OptionalComponents you are infected. Please delete this Folder.
f) Search for following key and if it exists on your registry delete it: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products"
g) Close regedit.
h) press start -> run - > type "cmd" and press enter
i) type "C:" -> type "cd\" -> type "cd %systemroot%" -> type "cd system 32" -> type "del *.msc /q /f" -> type "exit"
j) klick on "My Computer" -> Folder Options -> View -> enable "show hidden files and folders" and disable "hide protected operating system files" -> press ok -> press ok
k) klick on start -> search -> search for a file called NTDETECT.COM and delete it. If this file does not exist search for a file called TWUNK_32.EXE and delete it.
l) replace your rundll32.exe with a not infected version. (You will get one if you contact Microsoft support http://support.microsoft.com/default.aspx?scid=FH;EN-US;FAQS)
m) install the latest aspi drivers.

Sorry for this effort."
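The defining feature of this hoax is that it tells recipients to remove files Windows needs to boot and administer itself (ntdetect.com, every .msc console in system32) while posing as a vendor alert. The following is an added example, not Symantec's code or part of the original advisory: a small mail-filter heuristic that flags message bodies pairing a destructive verb with one of the protected files named on this page. The abridged hoax sample is taken from the message text above; the benign sample, the function names and the scoring rules are constructed for illustration.

```python
import re

# Files the hoax (as quoted on this page) tells recipients to remove. Deleting
# any of them breaks a Windows NT/2000/XP install, and no genuine vendor
# advisory asks end users to do this by hand.
PROTECTED_FILE_PATTERNS = [
    r"\bntdetect\.com\b",
    r"\brundll32\.exe\b",
    r"del\s+\*\.msc\b",  # wipes every MMC console in system32
]

# Verbs that, next to a protected file on the same line, indicate destructive advice.
DESTRUCTIVE_VERBS = re.compile(r"\b(delete|del|remove|erase)\b", re.IGNORECASE)

# Sender identities a hoax tends to borrow (constructed list for this example).
VENDOR_SENDER = re.compile(r"^From:.*(NAV|symantec|norton)", re.IGNORECASE | re.MULTILINE)


def find_destructive_instructions(body: str) -> list[str]:
    """Return protected-file references that share a line with a destructive verb.
    Each hit is the matched text, lower-cased, in order of appearance."""
    hits = []
    for line in body.splitlines():
        if not DESTRUCTIVE_VERBS.search(line):
            continue
        for pat in PROTECTED_FILE_PATTERNS:
            m = re.search(pat, line, re.IGNORECASE)
            if m:
                hits.append(m.group(0).lower())
    return hits


def classify(message: str) -> dict:
    """Classify a raw message (headers plus body) as a suspected destructive hoax.
    vendor_impersonation is only raised when destructive advice is also present,
    so a genuine vendor notice without such advice is not penalised."""
    hits = find_destructive_instructions(message)
    claims_vendor = bool(VENDOR_SENDER.search(message))
    return {
        "hoax_suspected": bool(hits),
        "destructive_refs": hits,
        "vendor_impersonation": claims_vendor and bool(hits),
    }


# Abridged from the hoax text quoted on this page.
SAMPLE_HOAX = """\
From: NAV_INFORMATION_CENTER
Subject: New Virus! be patient!
i) type "C:" -> type "cd\\" -> type "cd %systemroot%" -> type "cd system 32" -> type "del *.msc /q /f" -> type "exit"
k) klick on start -> search -> search for a file called NTDETECT.COM and delete it.
l) replace your rundll32.exe with a not infected version.
"""

# Constructed benign message: mentions deletion and the vendor, names no protected file.
SAMPLE_BENIGN = """\
From: IT Helpdesk
Subject: Definitions update
Please run LiveUpdate so NAV has the latest definitions.
Do not delete anything by hand; the scanner removes infected files itself.
"""

if __name__ == "__main__":
    for name, msg in (("hoax", SAMPLE_HOAX), ("benign", SAMPLE_BENIGN)):
        print(name, classify(msg))
```

Line-level pairing of verb and file keeps the rule from firing on a message that merely mentions ntdetect.com in passing; the price is that instructions split across lines are missed, which is why this belongs as one signal in a filter rather than a sole verdict.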