Virus problem (how do you un-embed code?)

gigamosh57 (Gawd, joined May 31, 2001, 787 messages)
Using an internet cafe here in the Philippines I found, when trying to open a .doc file and print it, that all my .doc files had been relabelled as .scr files and all .jpg had become .exe.

Doing a bit of research and finding other things on the computer that should not be there, I came up with this virus as the root cause: W32/Zaflen.a

I have been able to edit the extensions of many of the files and return them to their proper formats, but the problem I am having now is that many of the files will no longer open... Word (and Openoffice too, for all you M$ haters) gives me an error that it cannot interpret the file and shows me the binary equivalent of a big pile of diarrhea.

Symptoms -

1. Changing of the file icon for the file types - png, jpg, gif to M.S.Word icon.
2. Increase in file size by 172067 bytes for the infected files.
3. Presence of the files and registry entries mentioned.

I can fix symptoms 1 and 3, but not 2 and AVG just wants to delete the file as a method of "Healing" it.

How do I: (a) find what malicious code is embedded in the file and (b) remove it?

I know a large number of people with the same virus, so a fix would be saintly. If you know anything about this, including what to look for that is out of the ordinary in hex code for word, jpeg, rtf, gif or png files, PLEASE HELP!
 
Find a small, infected file that is common in various Windows installations and compare it to an uninfected file. See where the code starts/ends. Then compare it to a second file and see if the start/stop offset is the same for both files. If it is, you can easily clean out the code.
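The comparison suggested above can be scripted. The following is an added example for this thread, not code from any poster: it uses the two facts the original post gives (the .doc→.scr / .jpg→.exe relabelling and the 172067-byte size increase) and assumes the infector puts its PE payload in front of the file, so it checks whether the original document's magic bytes still appear at that offset (or anywhere later). If they do not, the file was overwritten rather than prepended to, which is the destructive case described further down the thread. The file names, sizes and byte contents in `SAMPLES` are constructed for the demo; `PAYLOAD_SIZE`, `MAGIC`, `RENAMED`, `triage` and `recover` are names chosen here, not anything the malware or AV vendors define.

```python
"""Triage renamed/overwritten files: intact, recoverable, or destroyed.

Constructed example for this thread. Assumes the infector prepends
PAYLOAD_SIZE bytes (the size increase reported in the thread); when the
original file is simply overwritten, nothing can be recovered.
"""
PAYLOAD_SIZE = 172067  # size increase reported in the thread (assumed constant)

# Magic bytes of the document/image types the thread mentions
MAGIC = {
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file (legacy .doc)
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "rtf": b"{\\rtf",
}
PE_MAGIC = b"MZ"  # every Windows executable/screensaver starts with this

# Extension relabelling reported in the original post
RENAMED = {"scr": "doc", "exe": "jpg"}


def identify(data):
    """Return the type whose magic matches the start of data ('pe' for MZ), or None."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    if data.startswith(PE_MAGIC):
        return "pe"
    return None


def find_embedded_original(data, expected):
    """Offset of the original file's magic inside infected data, or None.

    Tries the reported payload size first, then scans the rest of the file.
    None means the original content is gone (destructive overwrite).
    """
    magic = MAGIC[expected]
    if data[PAYLOAD_SIZE:PAYLOAD_SIZE + len(magic)] == magic:
        return PAYLOAD_SIZE
    idx = data.find(magic, len(PE_MAGIC))
    return idx if idx != -1 else None


def triage(filename, data):
    """Classify one file as clean, renamed_only, recoverable, destroyed or unknown."""
    ext = filename.rsplit(".", 1)[-1].lower()
    expected = RENAMED.get(ext, ext)  # what the file was before relabelling
    kind = identify(data)
    result = {"file": filename, "original": expected}
    if kind == expected:
        result["status"] = "clean" if ext == expected else "renamed_only"
    elif kind == "pe" and expected in MAGIC:
        offset = find_embedded_original(data, expected)
        if offset is None:
            result["status"] = "destroyed"
        else:
            result["status"] = "recoverable"
            result["offset"] = offset
    else:
        result["status"] = "unknown"
    return result


def recover(data, offset):
    """Drop the prepended payload and return the original bytes."""
    return data[offset:]


# Constructed sample files (not real malware): a fake PE stub padded to PAYLOAD_SIZE
_fake_payload = PE_MAGIC + b"\x00" * (PAYLOAD_SIZE - len(PE_MAGIC))
SAMPLES = {
    "photo.exe": _fake_payload + MAGIC["jpg"] + b"\x00\x10JFIF" + b"\x00" * 64,  # prepended
    "notes.scr": _fake_payload + b"\x00" * 512,                                    # overwritten
    "letter.scr": MAGIC["doc"] + b"\x00" * 512,                                    # renamed only
    "ok.png": MAGIC["png"] + b"\x00" * 64,                                          # untouched
}


def sample_results():
    """Run triage over the constructed samples; keyed by file name."""
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in sample_results().items():
        print(f"{name:12s} {r['status']:12s} original={r['original']} offset={r.get('offset', '-')}")
```

In practice you would feed real files in with `open(path, "rb").read()` and only write the `recover()` output to a new file after checking it opens in Word or an image viewer; a "destroyed" result means the bytes past the payload are not the original document and restoring from backup is the only option.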
 
The main problem is that I can't see the code itself, all I can see is the hex values. There is no actual code that I can see but I know that data has been added.
 
This family is a destructive "infector"... There is no way to get the original file back, as it just copies itself over the top. (Or at least the variant I looked at did that.)

Sorry.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
An in-depth scan of the files by NOD32 (as recommended by their customer service department) came up with all of them as being infected with:

"probably a variant of Win32/VB.BP"

Still emailing with them, but they have followed up with me to make sure that I am using their program correctly and assisting me at every turn to resolve this issue...I might actually BUY the program if their customer service remains this good. :D
 
Ok... My post means nothing? ;)
Worm:Win32/Zaflen.A@mm is written in Visual Basic.

The samples I have are destructive. There is no way to get the file back after it's infected...

If you want more help than that, let me know. If you scan it with safety.live.com it will be deleted since we cannot recover the original file.
(Or Microsoft Forefront or One Care)

This posting is provided "AS IS" with no warranties, and confers no rights.
 