The Mudcat Café TM
Thread #68943   Message #1167307
Posted By: JohnInKansas
21-Apr-04 - 06:08 PM
Thread Name: Tech: virus: Downloader.Dluca.E ????
Subject: RE: Tech: virus: Downloader.Dluca.E ????
GUEST:

At the top of this thread, at "18 Apr 04 - 11:20 PM" you'll find a link "Norton." Click that one and you'll find that Norton added signatures to their Norton AV files on April 17. If you haven't updated since then, you don't have the signature to allow Norton AV to identify the ".e" variant, but it will probably identify that a "Downloader" virus is infecting some files. It should offer to "fix, quarantine, or delete" each of these files.

Unfortunately, complete removal requires a registry edit, since this worm uses variations in the file names it puts on your machine. Until all likely variations are identified, a complete removal utility can't be written (by anybody).

You, being a little smarter than your computer, should be able to use the procedure given in the link at 19 Apr 04 - 01:54 AM to remove the .e variant, since you can tell that "anything" in the registry keys that the procedure tells you to look at is either a.) something you recognize - that probably should be there, or b.) is probably the .e virus.

It is unlikely that any of the AV suppliers are going to be in a rush to make a "one button" removal tool for this one. This, and all earlier variants of this worm, have been classified as "minimally destructive," "found on few machines," "unlikely to propagate rapidly," and "easy to remove." They are likely to conclude that the removal instructions already posted for the .d variant are sufficient.

Once you have the updated signature file that identifies this thing by its specific variant, it is likely that Norton (or any other AV) will be able to prevent it from infecting you again, but just updating now (if it's already on your machine) will probably NOT give you a clean removal, since any quarantine or file deletions your AV may already have done will prevent your AV from finding "all the pieces."

Use the procedure for removal of Downloader.Dluca.D, but make allowance for the possibility that a couple of the filenames that you find in the registry may be different than shown. The Norton procedure gives you the specific keys you need to look at, so it should not be difficult to decide whether you've found the virus or if you're looking at something that's normal for your system.

John