Sigh. Dad calls; he started his computer and McAfee says the file
c:\windows\explorer.exe
is infected with a “Backdoor-AMA” virus.
But of course, McAfee cannot fix it. It simply recommends he delete the file. Umm… isn’t that kind of an important file?
What do we do? Can I just send him a copy of my explorer.exe and have him replace it?
xash
March 7, 2003, 3:43pm
2
From McAfee:
http://hq.mcafeeasap.com/dispVirus.asp?virus_k=99984
When run, this trojan copies itself locally as "EXPLORER.EXE " in the Windows directory. It uses this file-name to appear to be a vital Windows file. A space is used at the end of its file-name so that there are not conflicts with the real “EXPLORER.EXE” which is also found in the Windows directory. The trojan uses a standard executable-file type icon, which will also differentiate it from the true “EXPLORER.EXE” which uses its own specific icon.
Two data files are downloaded by the trojan: Two copies of one image and one file containing IRC nicknames. These files will be located in the Windows directory as well, and named “EXPLORE.DAT”, “EXPLORE1.DAT” and “EXPLORE2.DAT”.
Click the link for complete removal instructions. But, basically, you can safely delete the virused file.
Information and cleaning instructions are at McAfee. Basically, the “explorer.exe” file it mentions is actually "explorer.exe " – with a space at the end – and can be deleted safely. Read the article about what needs to be cleaned in the registry, too.
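A way to tell the two files apart without relying on the icon, as an added example that is not part of the thread or of McAfee's write-up: it flags directory entries whose name collapses to `explorer.exe` once trailing padding is stripped, plus the three data files named in the description. It goes slightly beyond the single trailing space described above by also treating trailing dots, tabs and non-breaking spaces as padding; the function names and the sample listing are constructed for illustration.

```python
import os

# Names taken from the McAfee description quoted in the thread.
PROTECTED = {"explorer.exe"}                      # the real shell binary
DATA_FILES = {"explore.dat", "explore1.dat", "explore2.dat"}
PADDING = " .\t\u00a0"                            # assumption: padding worth stripping


def classify(name):
    """Return 'lookalike', 'data-file' or None for one directory entry name."""
    lowered = name.lower()
    stripped = lowered.rstrip(PADDING)
    # Same name as a protected file once padding is removed, but not identical.
    if stripped in PROTECTED and lowered != stripped:
        return "lookalike"
    if lowered in DATA_FILES:
        return "data-file"
    return None


def scan_names(names):
    """Return (name, finding) pairs for every suspicious name, in input order."""
    return [(n, kind) for n in names if (kind := classify(n)) is not None]


def scan_dir(path):
    """Apply scan_names to the regular files directly inside path."""
    with os.scandir(path) as entries:
        return scan_names([e.name for e in entries if e.is_file()])


# Constructed sample listing of a Windows directory (not real data).
SAMPLE = [
    "explorer.exe",      # genuine file, must not be flagged
    "EXPLORER.EXE ",     # trailing space, as described by McAfee
    "notepad.exe",
    "EXPLORE.DAT",
    "EXPLORE1.DAT",
    "EXPLORE2.DAT",
    "win.ini",
]

if __name__ == "__main__":
    for name, kind in scan_names(SAMPLE):
        # repr() makes the otherwise invisible trailing space visible.
        print(f"{kind:10} {name!r}")
```

Printing names with `repr()` is the important part when reading the output: a scanner report that shows the path unquoted looks identical for both files, which is what caused the confusion in the first post.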