Win32.Luder-F THIS NEEDS ATTENTION ASAP!

This thing is NO JOKE!! I cannot F8, I cannot remove it, I cannot quarantine it, it disables your firewalls, it is horrible. PLEASE HELP!! There is NO info for this god damn thing anywhere.

HEEEEELLLPPPPPPPPPPPPP!!!

Which is the name of the file (and its path) infected?
Did you run a boot-time scanning?

F8 does not work. I have Microsoft OneLive and it says I am at risk but I can't even open it now? Just like Avast before I deleted it, it took Avast by the balls and made it useless.

HELP!!

Spybot found Smit-FraudC and it will NOT go. I have no idea if this has anything to do with what's going on but it all started at the same time.

C'mon now, someone has to know something about this? Is this Duel using aliases? PLEASE HELP!! This damn thing is KILLING me.

I’ve got exactly the same problem as you! No Bullshit!
I just caught it a couple of hours ago and it's already damn active… Avast is no longer running, it also corrupts Sygate P Firewall, Adobe Photoshop, Mirage, almost every program I have is no longer running and it creates hundreds of hidden files like this: aaadfgs.t in my .exe folders. It's a nightmare, everywhere I go on my computer it automatically creates new fuckin files!!! I'm going crazy about this and, like you, I can't find any damn thing about it on the web!!! I think it could be a new virus…
Their names: Win32 Luder-F and Win32 Barnwarum-M
If someone could help???
I just continue to fight against these bastard worms!!

I’ve found this (http://www.enciclopedia-virus.com/virus/vervirus.php?id=3541) for Win32 Luder-F maybe it could work but …

REMOVAL INSTRUCTIONS

  1. Disable System Restore on Windows XP/ME.

  2. Restart in Safe Mode.

  3. Run an up-to-date antivirus and repair or delete the infected files.

  4. From Start, Run, type REGEDIT and press Enter to open the system Registry.

  5. Under the "Name" column, delete the entry "Win32_Duel" in the following registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  6. Under the "Name" column, delete the entry "Win32_Duel_v2" in the following registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  7. Under the "Name" column, delete the entry "Win32_Duel" in the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  8. Under the "Name" column, delete the entry "Win32_Duel_v2" in the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  9. Under the "Name" column, delete the entry "x32x" in the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  10. Change the "Start" value to "2" in the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess

  11. Close the Registry Editor.

  12. Restart the computer and run an up-to-date antivirus to remove all traces of the virus.

Great, but I speak and read only English, this is ZERO help and as the minutes go by my comp is getting more and more FUCKED!

Yeah sorry, in fact it didn't help me either, because the method still requires a working antivirus and mine doesn't work!
I'm goin' mad now!!!

Get the MS Live OneCare, this seems to be working for me since the POS Avast doesn't.

This is an e-mail worm, here is the advisory: http://vil.nai.com/vil/content/v_138841.htm

W32/Duel@MM is a parasitic file infector and mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it harvests on the infected computer. W32/Duel@MM is written using Microsoft Visual C++ and also contains limited IRC functionality for unauthorized remote access.

Upon execution, it creates a copy of itself into the Windows system directory:

%Windir%%SYSDIR%\Duel.exe

Adds the following value to the registry to auto-start itself when Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
“Win32_Duel” = “%Windir%%SYSDIR%\Duel.exe”

Modifies the following registry key to disable the Firewall service of Windows XP:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
“Start” = “4”

Attempts to end processes having the following names:

mcafee
taskmgr
hijack
f-pro
lockdown
msconfig
firewall
blackice
vsmon
zonea
spybot
nod32
reged
troja
viru
anti

Attempts to end processes having the following window titles.

Registry Editor
Anti
Anti-Malware

Creates the following mutex to ensure that only one instance of W32/Duel@MM can run on a computer at any time.

Win32.Duel (c) 2006

Creates a detailed log file containing information on every successful and failed infection, email addresses harvested etc.

%Windir%\Duel.log

Queries www.google.com to check if the infected machine is connected to the internet.

Attempts to join an IRC server and channel on TCP port 6667 and announce its presence.

irc.under[Removed].org
#england

Symptoms
W32/Duel@MM uses slack space to infect executable files, therefore infected files will not increase in size. It does not infect a file if sufficient slack space is not found at the end of the first section.

It searches for PE files and infects them as follows:

  1. Inserts its viral code at the end of the first section.

  2. Changes the original entry point to the start of its viral code; the inserted code then jumps back to the original entry point.

  3. Modifies the timestamp of the original host file.

  4. Drops a copy of itself named "random file.duel" in the same location as the original host file.

Once a file has been infected, the virus avoids reinfecting it by using the timestamp as its infection marker.

Note: Due to a bug in the viral code, the infected files do not execute after infection.

W32/Duel@MM also searches for .rar archives and adds a copy of itself into the existing archive. It has its own rar engine and does not need WinRar to be installed on the infected machine.

Method of Infection
Propagation via Mail:

Mailbody:

W32/Duel@MM harvests e-mail addresses to mail itself to by searching the current user’s Windows address book (WAB) file.

It finds the WAB file by reading the following registry value:

HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name

Constructs an email message with the following characteristics:

From: (Any of the following)

W32/Duel@MM uses email addresses found in the Windows address book and also the following list of names contained in the virus body.

Aldora
Alysia
Amorita
Anita
April
Aretina
Barbra
Becky
Bella
Bettina
Blenda
Briana
Bridget
Caitlin
Camille
Cara
Carla
Carmen
Chelsea
Clarissa
Damita
Danielle
Daria
Diana
Donna
Dora
Doris
Ebony
Eden
Eliza
Emily
Erika
Evelyn
Faith
Gale
Gilda
Gloria
Haley
Helga
Holly
Idona
Iris
Isabel
Ivana
Ivory
Janet
Jewel
Joanna
Julie
Juliet
Kacey
Kali
Kara
Kassia
Katrina
Kyle
Lara
Laura
Linda
Lisa
Lolita
Lynn
Maia
Mary
Melody
Mimi
Myra
Nadia
Naomi
Natalie
Nicole
Nina
Nora
Nova
Olga
Olivia
Pamela
Peggy
Queen
Rachel
Rita
Rosa
Ruby
Sharon
Silver
Valda
Valora
Vanessa
Vicky
Violet
Vivian
Wendy
Willa
Xandra
Xenia
Xylia
Zenia
Zilya

Subject: (Any of the following)

Love…
Valentine (a little late)
A kiss for a smile
Me and you
True feelings
My heart
Yours forever
Thee and me

Message body: (Any of the following)

I wrote your name in the sky,
but the wind blew it away.
I wrote your name in the sand,
but the waves washed it away.
I wrote your name in my heart,
and forever it will stay.

I love the way you touch me,
Always sending chills down my spine.
I love that you are with me,
And glad that you are mine.

I love the way you make me so happy,
And the ways you show you care.
I love the way you say, I Love You,
And the way you’re always there.

I love the way you look at me,
Your eyes so bright and blue.
I love the way you kiss me,
Your lips so soft and smooth.

If I could have just one wish,
I would wish to wake up everyday
to the sound of your breath on my neck,
the warmth of your lips on my cheek,
the touch of your fingers on my skin,
and the feel of your heart beating with mine…
Knowing that I could never find that feeling
with anyone other than you.

My love, I have tried with all my being
to grasp a form comparable to thine own,
but nothing seems worthy;

And though at times a thread may break
A new one forms in its wake
To bind us closer and keep us strong
In a special world, where we belong.

Its fingers spread like fine spun gold
Gently nestling us to the fold
Bonds like this are meant to last.

A special world for you and me
A special bond one cannot see
It wraps us up in its cocoon
And holds us fiercely in its womb.

Attachment: (Any of the following)

WantsU.exe
My heart.exe
A smile.exe
Forever.exe
My love.exe
My desire.exe
My hope.exe
My wish.exe
The sky.exe

Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants
N/A
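The slack-space infection described in the advisory above leaves a header-level trace that a defender can check for. The following is an added example using only Python's standard library, not part of the advisory or any vendor tool: it parses the PE section table and flags a file whose entry point lands in the first section's slack, the on-disk padding between VirtualSize and SizeOfRawData. The sample images are constructed inline; the heuristic assumes the infector leaves VirtualSize unchanged, which is a simplification, and a hit is a reason to scan the file, not proof of infection.

```python
import struct

def parse_pe(data: bytes) -> dict:
    """Read the entry-point RVA and section table from a PE image (headers only)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i                    # 40-byte IMAGE_SECTION_HEADER
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    return {"entry": entry, "sections": sections}

def entry_in_first_section_slack(data: bytes) -> bool:
    """True when the entry point lies in the first section's slack, i.e. past
    VirtualSize but before SizeOfRawData. Linkers do not place code there, so an
    entry point redirected into it is the mark of a slack-space infector.
    Simplification: assumes the infector left VirtualSize unchanged."""
    pe = parse_pe(data)
    first = pe["sections"][0]
    slack_start = first["vaddr"] + first["vsize"]
    slack_end = first["vaddr"] + first["rawsize"]
    return slack_start <= pe["entry"] < slack_end

def build_sample(entry_rva: int) -> bytes:
    """Constructed minimal PE32: one .text section at RVA 0x1000 with VirtualSize
    0x100 and SizeOfRawData 0x200, leaving 0x100 bytes of slack on disk."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)  # entry at +16
    opt += b"\0" * (224 - len(opt))
    sec = struct.pack("<8sIIII", b".text", 0x100, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + opt + sec
    body = b"\xC3" * 0x100 + b"\x90" * 0x100                        # code, then slack
    return headers + b"\0" * (0x200 - len(headers)) + body

if __name__ == "__main__":
    for rva in (0x1000, 0x1100):   # clean entry point vs. entry point moved into slack
        print(hex(rva), entry_in_first_section_slack(build_sample(rva)))
```

Real files have several sections and the check should be run on the section that actually contains the entry point, but the first-section case is the one the advisory describes.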

This isn't the same thing? Mine is called Win32.Luder-M? Not the same!!!

If you don’t speak Spanish (I can’t), then use a translation service like http://babelfish.altavista.com/, you won’t get a perfect translation but it should be workable.

INSTRUCTIONS TO ELIMINATE IT
1. Desactive the automatic restoration in Windows XP/ME.
2. Reinitiate on approval in Way of failures.
3. Execute an updated antivirus and you repair or you eliminate the infected archives.
4. From Beginning, To execute, writes REGEDIT and presses Enter to accede to the Registry of the system.
5. Eliminate under the column "Name", the entrance "Win32_Duel", in the following key of the registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
6. Eliminate under the column "Name", the entrance "Win32_Duel_v2", in the following key of the registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
7. Eliminate under the column "Name", the entrance "Win32_Duel", in the following key of the registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
8. Eliminate under the column "Name", the entrance "Win32_Duel_v2", in the following key of the registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
9. Eliminate under the column "Name", the entrance "x32x", in the following key of the registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
10. Change the value to "2" in the key "Start" of the following entrance of the registry: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
11. It closes the publisher of the Registry of the system.
12. Reinitiate the equipment and you execute an updated antivirus to eliminate all presence of the virus.
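The registry artifacts quoted in the advisory (the Run values and the SharedAccess Start of 4) and targeted by the removal steps above can be audited with a short script before and after cleanup. This is an added example, not the advisory's or any vendor's tool: it reads both Run keys and the SharedAccess Start value through Python's standard winreg module on Windows, or from a constructed snapshot elsewhere, and reports the value names from the thread (Win32_Duel, Win32_Duel_v2, x32x), anything launching Duel.exe, and a disabled firewall service. Deleting the values and resetting Start to 2 is left to Registry Editor as in the steps.

```python
import sys

RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
WORM_VALUES = {"Win32_Duel", "Win32_Duel_v2", "x32x"}       # value names from the thread
SHAREDACCESS = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"

def assess(run_values, sharedaccess_start):
    """run_values: {run key path: {value name: data}}; sharedaccess_start: the
    Start DWORD of the SharedAccess (Windows Firewall/ICS) service, or None."""
    findings = []
    for key in RUN_KEYS:
        for name, data in run_values.get(key, {}).items():
            if name in WORM_VALUES or str(data).lower().endswith("\\duel.exe"):
                findings.append(f"autostart: {key}\\{name} = {data}")
    if sharedaccess_start == 4:                                # 4 = disabled, 2 = automatic
        findings.append(f"firewall: {SHAREDACCESS}\\Start = 4 (disabled; expected 2)")
    return findings

def snapshot_live():
    """Read the same values from the live registry (Windows only, stdlib winreg)."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    def open_key(path):
        hive, _, sub = path.partition("\\")
        return winreg.OpenKey(hives[hive], sub)
    run_values = {key: {} for key in RUN_KEYS}
    for key in RUN_KEYS:
        try:
            with open_key(key) as k:
                i = 0
                while True:                    # EnumValue raises OSError past the last value
                    name, data, _ = winreg.EnumValue(k, i)
                    run_values[key][name] = data
                    i += 1
        except OSError:
            pass
    try:
        with open_key(SHAREDACCESS) as k:
            start = winreg.QueryValueEx(k, "Start")[0]
    except OSError:
        start = None
    return run_values, start

# Constructed snapshot of an infected machine, so the audit can be tried offline.
SAMPLE = ({RUN_KEYS[1]: {"Win32_Duel": r"C:\WINDOWS\system32\Duel.exe",
                         "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}}, 4)
if __name__ == "__main__":
    snap = snapshot_live() if sys.platform == "win32" else SAMPLE
    print("\n".join(assess(*snap)) or "no W32/Duel registry artifacts found")
```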

Again, this isn't DUEL!!!

Had you visited the page posted by ringer and checked it, even though you said you couldn't read the language, you would have seen at the top of the page a list of aliases (in English), and Win32.Dual is an alias of the WIN32.LUDER family.

So the instructions may well have some relevance, and by checking those registry keys you may well have seen either the same name or one related to Luder, so please don't simply write things off; check.

Hi:

WHY don't you try using a Good antiSPYWARE/antiTROJAN program like the FREE version of "SUPERantispyware" from www.superantispyware.com!?

Just tried it. Didn’t do anything. Luder-F is still alive!

Try DrWeb CureIT!

http://download.drweb.com/drweb+antivirus+free+services/

If that fails you will need to follow the instructions here:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_LUDER.A-O&VSect=Sn

Kill the running process with Process Explorer as described and edit the registry as recommended.

If DrWeb is successful, you would still be well advised to reverse the registry changes made by the worm.

EDIT: SmitFraud is a separate infection for which you will need to run SmitFraudFix:

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php