W32/Toal-A

Make a note of the names and locations of the files you delete.

Editing system.ini

At the taskbar, click Start|Run and type Sysedit. Bring System.ini to the front. In the 'shell=' line in the [Boot] section, search for any references to the files you deleted. Delete only that reference, not any other text.

Reboot your computer.

Replacing files

You may need to replace system files that were damaged by the virus. You should obtain clean copies from backups or original media.

Installing the patch

Microsoft has issued a patch which secures against the incorrect MIME header vulnerability and the IFRAME vulnerability. This can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software, including the ones exploited by this worm.)

Removing sharing

You may also wish to remove sharing of the C: drive. To do this edit the following registry entry. At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\\Network\LanMan\BinLaden

and remove the reference to BinLaden.

Close the registry editor.

W32/Toal-A is an email-aware virus that arrives as an attachment called:

BinLaden_Brasil.exe.

The subject of the email will be related to the conflict in Afghanistan. This is chosen randomly from a large selection including:

Bin laden toillete paper !!
Sadam hussein & binladen in love
Bush fucks bin laden hardly <:p
Is osama bin laden bad-loved ?
Usa against geneva convention ?
Anthrax mail is true(not a joke)
Biological weapons: preventing !
Fucking a mullah in islamabad
O papel higienico do bin laden !
Sadam e binladen apaixonados
Bush fudendo bin laden <:p
Sers que o osama s mal-amado ?
Eua agride convencao de genova ?
Antraz pelo correio (verdade)
Armas biologicas: previna-se !
Fudendo um muls em islamabad
Bin landen toalettpapper
Sadam hussein & binladen fr fRflskade
Bush knullar bin laden hxrt <:p
Fr osama bin laden inte flskad ?
R usa emot geneve Verenskommelsen ?
Anthrax brevet existerar(det fr inget s
Biologiska vapen: fRhindra !
Knulla en muslim i islamabad
Papier toillette bin laden
Sadam & binladen en amour
Bush nique r donf bin laden <:p
Osama bin laden mal aims ?
Usa contre la convention de geneve?
Le courrier anthrax existe vraiment
Arme biologique: prsventions!
Baiser un mullah r islamabad
Xarti toualetas bin landen !!
Hussein & bin laden, erastes
O bush gamaei agria ton bin laden
Einai o osama apotuximenos ston erwta?
Amerikh enantia sto synedrio tis genova H epistoles me antraka,einai gegonos
Biologika wpla: prostasia !
Gamontas ena moula sto islamabad

The message body of the email is blank.

The MIME header of the email has been coded to exploit a vulnerability in Internet Explorer 5.01/5.5 (but not 5.01 with Service Pack 2). The vulnerability allows the attachment to run automatically when the email is viewed. Microsoft has issued a patch to protect against this vulnerability at http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software, including the one exploited by this virus.)

If the attached file is executed, it drops the library file INVICTUS.DLL to the Windows System directory and the virus itself to the Windows directory, using a random 3-letter name consisting of the upper case characters 'A-O'. The virus may also make a copy of itself in the C:\ directory. These copies of the virus will have their file attributes set to hidden and read-only.

When first run the virus adds its pathname to the "shell=" line in the [Boot] section of <Windows>\System.ini (this line will normally be shell=explorer.exe under Win9x). This causes the virus to be run automatically each time the machine is restarted.

The virus makes the C: drive shareable by setting various subkeys of:

HKLM\Software\Microsoft\Windows\
CurrentVersion\Network\LanMan\BinLaden\

The virus will infect the files HH.EXE and Explorer.exe (both in the Windows directory) and may go on to infect further selected files. In particular, it will normally target Netstat.exe and Calc.exe. Each time you launch Windows Explorer, the virus will run.

The virus looks for active anti-virus products scanners and attempts to terminate them. The scanners affected are products from Kaspersky Labs, Network Associates and Symantec. The virus also attempts to terminate processes called Zone Alarm, Freedom and Avconsol, if they are running.

On rare occasions that the virus is run it will activate a visual payload. Various colourful slogans will be displayed across the desktop, along with a message box. The message box is titled 'Worm/I-Worm/W32.BinLaden' and contains the following text:

Bush, you need more hashish in your life
Why to take the Amazon from brazil. if you like polution ?
Brazilian ppl wants the USA destruction, not likeour president, smelling Bush's balls
You are not the cops of the world, and World Trade Center was the first
Now you take the freedom from your own people, and the world is laughing ...
Ohhhh is this the famous American Way of Life ? HAHAHAHA !!!

Ohhhhhh i am sorry.. It isn't sweet ?

The virus tries to connect to a remote ICQ site and download information about other computer users. It does this by searching "white pages" (pages displaying information on various subjects and people) for a list of keywords including the following: "history", "friends", "airplane", "ferrari", "orgasm", "friendship", and "sports".

The virus will then send itself to email addresses that it finds within the found pages.

The virus process will normally terminate itself after 5-10 minutes, but can also be terminated using the Task Manager (the virus process always runs from the Windows Temp directory using a name beginning 'sfc').