virus I can't find instructions to remove

When doing a routine scan on my system, I discovered that a file that I received as an attachment in my email (both on my laptop and on my desktop computers) has a virus in it. I was surprised that it was not picked up by the email scanning, but it was not. For curiosity I tried sending it to myself, and it does not show as a virus when it attempts to send. It does show when I scan. The virus is Whale-9216. I have had the file since Feb and I am not sure if I ever opened it or not. It was to be an ad that a school was placing in a publication that I was doing and either I could not open it at all, or it did not open properly, and I wrote and told the school and they sent me instead a Word file. The extension on the file with the virus is .pub.
Avast (latest version updated automatically) recommends putting it in the chest, which I attempted to do.
When I try, I get the message that “the operation is not supported for this type of archive.” On the laptop I figured that I would just delete the file then.
However, in searching on the internet, it would seem that this is not the best thing to do. I am at quite a loss though as to know how to get rid of this virus.

I am only running avast on my computer.
The sites that I did find that talk about this virus were confusing to me. I did find something at McAfee but it didn’t work, and I suspect that has much to do with the fact that I don’t have McAfee on my computer.

I don’t seem to be exhibiting the symptoms that it says one might, but the biggest seems to be slowdown, and since all systems slow down after time, I can’t really tell if it is slowed down really at all.

Both the laptop and the desktop show only one file (the same one in each) that has the virus.

Any ideas?
Donna

Hi hsmom,

You have landed yourself a nice little infection there; patch your software fully. Here is the info about Whale and the removal instructions:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=1383

Whenever you are clean, immediately get all patches automatically:
http://pcworld.about.com/gi/dynamic/offsite.htm?site=http://windowsupdate.microsoft.com

polonus

Thanks but that is exactly the page that I had tried on and when I enter the command scanpm… I just get a bad command or file name. This was why I thought I might need to have McAfee on my computer to make it work. I have tried it from the root directory as well as from the windows directory.

Any other ideas of what to do?

Hi hsmom,

Copy this remote scanner from here: http://download.drweb.com/drweb+cureit/

This can be used next to the installed avast scanner.
Run it. Try to delete it in this way.

If you have the Whale virus, you can establish this as follows: the available free memory will be decreased by 9,984 bytes. Most utilities which display memory usage will also indicate a value for total system memory which is 9,984 bytes less than what is actually installed.

Why is this virus a tricky one for scanners?
Antiviral detection is directly based on the capability to have malware codes at one’s disposal and to study them by disassembly means. Thus, viral databases can be updated and antiviral engines can be upgraded.

A few malware writers try to make this task more difficult by implementing various techniques which aim at delaying the knowledge and the understanding of their codes: obfuscating, rewriting, encryption… These codes are denoted armoured codes. The first and most famous one is probably the Whale virus, which appeared in the early nineties. More recently, the MyDoom virus very naively tries to complicate antiviral experts’ work by implementing basic encryption techniques. Up to now, none of the known malware succeeded in preventing code analysis.

The main explanation for this failure lies on two facts:

* Antiviral experts always manage to obtain a malware copy (infected file). As they are widely disseminated, malware code samples (viruses, worms...) are always very easily available. This comes from the fact that limited virulence is not a feature inherent to malicious codes.
* When present, techniques aiming at making code analysis more difficult are bound to fail. The main reason is that the related problems (that is to say, problems to be solved in order to bypass code protection) belong to the polynomial complexity class. As an example, encryption techniques are always relatively easy to break since the key space is too limited and allows an exhaustive search approach. Moreover, encryption algorithms that have been found in known malware codes are either very naive or do not offer a high level of security.

polonus
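
The "key space is too limited" point above, as an added example that is not part of the original post: an analyst recovers a body hidden behind a toy 16-bit repeating XOR key by trying all 65,536 keys and looking for a known marker. The XOR scheme, the marker, the sample body and the key are all constructed for illustration and are not Whale's actual encoding.

```python
"""Exhaustive key search against a toy 16-bit XOR layer (constructed sample)."""
from itertools import product

# Constructed inputs: a harmless body with a known marker, and a 2-byte key.
MARKER = b"CONSTRUCTED-SAMPLE-BODY"
SAMPLE_PLAIN = b"MZ-stub " + MARKER + b" end"
SECRET_KEY = bytes([0x5A, 0xC3])


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    stream = (key * (len(data) // len(key) + 1))[: len(data)]
    mixed = int.from_bytes(data, "big") ^ int.from_bytes(stream, "big")
    return mixed.to_bytes(len(data), "big")


# What the analyst actually has in hand: the encoded bytes only.
ENCODED = xor_bytes(SAMPLE_PLAIN, SECRET_KEY)


def key_space(key_len: int) -> int:
    """Number of candidate keys for a key of key_len bytes."""
    return 256 ** key_len


def exhaustive_search(blob: bytes, marker: bytes, key_len: int = 2):
    """Try every key; keep those whose decoding contains the known marker."""
    hits = []
    for candidate in product(range(256), repeat=key_len):
        key = bytes(candidate)
        plain = xor_bytes(blob, key)
        if marker in plain:
            hits.append((key, plain))
    return hits


if __name__ == "__main__":
    # The marker is invisible in the encoded bytes, so a plain signature
    # match fails until the layer is removed.
    print("marker visible before decoding:", MARKER in ENCODED)
    for key, plain in exhaustive_search(ENCODED, MARKER):
        print(f"key={key.hex()} (1 of {key_space(2)} candidates) -> {plain!r}")
```

Each extra key byte multiplies the search by 256, which is why short keys of this kind give the analyst no real obstacle.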


Welcome to the forums, hsmom.

Please let us know if you are able to use the above suggestions by Polonus to solve your problem.


I tried Dr. Web on both computers using the link you sent and it showed clean on both computers.
Then I did the scan on just the file that comes up with the virus using Avast and it shows it clean as well. So I am a little confused.

I tried to download the free trial of Dr Web after doing just the scan that you sent, but it says not to install with any other virus program on so I don’t want to mess up the Avast.

I am not sure what to use to check the memory. Just checking it in Windows shows the right amount, but then the amount it will differ is small compared to the whole memory and all that shows in Windows is a round number.

Looking at it in dos doing mem doesn’t give me any recognizable numbers either. Conventional shows as 640 with 95 used and 545 free and extended as 326,368 free with nothing used. So if I am figuring this out right that means I show 640 + 326,368 or 327,008. I have 320 mgs x 1024 should be 327,680. That is a difference of only 672. That doesn’t fit, so I can’t quite figure what to do.

Donna

Hi hsmom,

In Win 9x, Me I would say run scandisk, but the equivalent in XP is more complicated:
This one took some real thought over at the Microsoft campus on how to make things simple… Start, Control Panel, Performance and Maintenance, Administrative Tools, Computer Management, Disk Management, Storage, right-click the Volume, Tools, Options, Check Now button, Select Options, Start.

Start, All Programs, Accessories, Windows Explorer (right where it is really handy!), Expand My computer, right-click the drive, Properties, Tools, Check Now…, Select Options, Start.

Start, right-click My Computer, Manage, Storage, Disk Management, right-click the Volume, Properties, Tools, Check Now…, Select Options, Start.

Double-click My computer on the Desktop (or Start, My Computer), select drive, File, Properties, Tools, Check Now…, Select Options, Start.

My Computer, right-click the drive, Properties, Tools, Check Now…, Select Options, Start.

You may be prompted to restart Windows before it will run.

So you can check now if there is really a virus eating part of your mem.

polonus

Actually I have Win98SE and so I tried a scan disk, but it comes up fine on both computers. But I don’t see where it shows the memory amount on the scan disk.

Hi hsmom,

If you have this OS, I recommend to you that you update to this:
http://exuberant.ms11.net/98sesp.html
Take this download link: http://www.majorgeeks.com/download4131.html

With the 98 SE Unofficial Service Pack, your computer performs better, you have the drivers for USB 2.0. You have to update the IE, and Outlook yourself, but the OS will be lots safer.
I have run this 98SE SP myself, and it was a revelation.

polonus

And will this show me the memory amount?

I am still unsure how to clear the virus off.
If I was convinced that it is not in the memory, I would just delete the file that has the virus because I don’t even need it.
I am checking the exuberant right now.


Avast can test memory for you when you start the program. It will not show the memory amount, though.

Right click the “a” ball in the task tray, click on Program Settings…, and when the user interface opens, you should see the below or click on Common in the left pane if it is not already showing on the right. Make sure the first box is checked and click on OK.

Now, right click the “a” ball again, click on Start avast! Antivirus. A memory test should now start before the main user interface opens. The main user interface will open immediately after the memory scan if no problem is found. You can then close the main user interface.


Charley
You are right that it does scan the memory, so therefore I assume that you are saying that if it doesn’t see it is in the memory, that the virus is not active, and therefore I can just delete the file that Avast says contains the virus.

Another thing is that I found on a program called spy sweeper that you could download the program and scan. I did and then found out that to have it remove anything I had to pay for it, so I looked at what it said were the manual instructions.
It claims that Whale-2 is one of Dropper spywares, and that McAfee and FProt call it Whale.9216 but I haven’t seen evidence of that on anything else that I read. Anyway, I did follow the manual instructions from this link http://www.spywaredb.com/remove-whale-2/ but it came up with nothing.


Yes, if the memory scan completed and you got no warnings, then it should not be in memory.

I would not delete it yet if you can put it in the Chest. It will be safe in the Chest and can do no harm.
If you cannot put it in the Chest, then I guess you will have to delete it.


Just take care that Spy Sweeper could remove avast! startup entries and could bring you problems…