
Hey! I just made ninety bucks for half an hour of work! Ask me how!

This topic is archived.
Prisoner_Number_Six Donating Member (1000+ posts) Sat Aug-23-03 05:39 PM
Original message
Hey! I just made ninety bucks for half an hour of work! Ask me how!
I cleaned a virus off an XP computer, using this simple set of instructions.

UPDATE YOUR PATCHES AND VIRUS DEFINITIONS, OR BE PREPARED TO GIVE ME $45 PER HOUR TO FIX YOUR MACHINE! (...Now waiting for all the "Mac" and "Linux" responses......)

(In case you're wondering why 2 hours charge, it's 'cause it was all the way into downtown Dallas, many miles from where I live, and I had to go pick it up and deliver it...)

:evilgrin:

------------

W32/Spybot-B
Type
Win32 worm

Detection
Detected by Sophos Anti-Virus since May 2003.

Description
W32/Spybot-B is a peer-to-peer worm that spreads via the KaZaA file sharing network.

W32/Spybot-B creates the folder <Windows system32>\kazaabackupfiles and copies itself there using the following filenames:

download_me.exe
zoneallarm_pro_crack.exe
AVP_Crack.exe
PornScreenSaver.exe
Battlefield1942_bloodpatch.exe
Unreal2_bloodpatch.exe
UT2003_bloodpatch.exe
AquaNox2 Crack.exe
NBA2003_crack.exe
FIFA2003 crack.exe
C&C Generals_crack.exe
nt_spread.exe
NetBios_Spread.exe
Dancing_Screensaver.exe
NudeDance_202Brittany.exe
DancingPlayboySpread.exe
Ejay_crack20.exe
The_REASON_CRACK_LEGIT.exe
Dance.exe
Matrix_ScreenSaver.exe
Netstat.exe
conf32.exe
sdbot_nt_mod.exe
netbios_patch.exe
Hack_scanner.exe
cisco_scan.exe
ULTIMATE_scanner.exe
Battlefield1942_Keygen.exe
ALL_WIN_osSERIAL-keygen.exe
winXP_keygen.exe
serials_2002ALLUPDATE.exe

To enable sharing of these files the registry entry

HKCU\Software\Kazaa\LocalContent\Dir0

is updated to point to this location.

In order to be run automatically on system startup W32/Spybot-B copies itself to the Windows system folder with the filename TESTING.EXE and sets the following registry entries to point to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver

While W32/Spybot-B is active it attempts to terminate the following programs:

regedit.exe
msconfig.exe
taskmgr.exe
netstat.exe

W32/Spybot-B also logs keystrokes to the file testing.txt in the Windows system folder and attempts to steal passwords.

W32/Spybot-B has an IRC backdoor component that attempts to contact an intruder announcing the infection and allowing a malicious user remote access to the computer.

Recovery
Please follow the instructions for removing worms.
You should change any passwords that may have become compromised.

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver

and delete them if they exist.

Close the registry editor.

--Afternote: If you must peer-to-peer, use Kazaa LITE or Limewire... it's Kazaa FULL that lets in these nasty buggers...
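An added example (not part of the original post or the advisory it quotes): Python that scans a registry export, such as the Backup file the steps above have you save, for the Run/RunOnce and Kazaa entries the advisory lists. The sample export, the `testing.exe` value data and the `Dir0` data format are constructed for illustration.

```python
import re

# Indicators taken from the advisory text quoted in the post above.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
}
KAZAA_KEY = r"hkey_current_user\software\kazaa\localcontent"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data

def load_export(path):
    """Read a regedit export: version 5.00 files are UTF-16 with a BOM."""
    raw = open(path, "rb").read()
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return raw.decode("utf-16" if bom else "latin-1")

def scan_reg_export(text):
    """Return (key, value name, data) for entries matching the advisory."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # start of a new registry key section
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data, k = m.group(1), m.group(2), key.lower()
        if k in RUN_KEYS and name.lower() == "winsock2 driver":
            findings.append((key, name, data))
        elif (k == KAZAA_KEY and name.lower() == "dir0"
              and "kazaabackupfiles" in data.lower()):
            findings.append((key, name, data))
    return findings

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winsock2 driver"="testing.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Winsock2 driver"="testing.exe"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="012345:C:\\WINDOWS\\system32\\kazaabackupfiles"
'''

if __name__ == "__main__":
    for key, name, data in scan_reg_export(SAMPLE):
        print(f"{key} -> {name} = {data}")
```
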
dweller Donating Member (1000+ posts) Sat Aug-23-03 06:01 PM
Response to Original message
1. well, you ought to
with the price of gas as it is...
:thumbsup:

dp