The manual way to remove the files is to boot to Safe Mode (see http://www.murad.webnode.com).
Check whether the hard disk has the following files from a command prompt: go to Run, type cmd.
Type dir /ah in the respective directory to check whether the file exists (the /ah switch also lists hidden files):
· C:\autorun.inf
· C:\net.exe
· C:\windows\system32\exloroe.com
· C:\windows\system32\notepod.exe
· C:\windows\system32\rsvp.exe
· C:\windows\system32\dllcadhe\lsoss.exe
· C:\windows\system32\odbcjtr32.dll
If the worm files exist, you will need to clear the file attributes before you can delete them. For example, if you see c:\autorun.inf,
you will need to type attrib -s -r -h c:\autorun.inf
To delete the file, type del c:\autorun.inf
Currently, we have reported this to Symantec. We are waiting for their definitions to be updated.
We have received reports that the following virus is infecting PCs, laptops and USB storage devices (e.g. thumbdrives, iPods, portable hard disks, etc.):
Symantec - Trojan.Falupan/Trojan.Astry: http://www.symantec.com/security_response/writeup.jsp?docid=2007-111500-1533-99&tabid=1
F-Secure - IndoVirus.a, Virus.Win32.IndoVirus.a: http://www.f-secure.com/v-descs/virus_w32_indovirus_a.shtml
Symantec Antivirus Corporate Edition with the virus definition file dated 20/11/2007 rev. 2 will be able to detect an infected PC when a virus scan is performed.
However, SAV can only terminate the trojan processes; it is unable to remove the trojan files because they are held open by the operating system. If the trojan files are not removed, they will execute again when the PC starts up, the PC will be infected again, and it will infect any USB storage device that is attached to it.
The manual way to remove the files is to boot to Safe Mode (see http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true).
Delete the trojan files listed below (you must enable viewing of hidden files first):
· %UserProfile%\system.exe
· %UserProfile%\winlogon.exe
· %CurrentFolder%\explorer.exe
· %System%\scvhost.exe
· %Windir%\astry.exe
· %Windir%\Network-IPv6\network.exe
· %Windir%\scvhost.exe
· C:\Documents and Settings\All Users\Desktop\msvbvm60.dll
· %Windir%\msvbvm60.dll
Next, apply the attached registry patch. Download this zip file and run the patch.
System16 virus and Auto.exe
How to check whether you have gotten the virus:
- Open the Services snap-in (services.msc)
- Look for a service called windows_rejoice2007_91. If you have this service, you are infected with the SYSTEM16 virus.
- Look for another service whose name is 8 hexadecimal digits, e.g. 3527A07C (the actual service name may vary, but it is always 8 hex characters). If you have this service, you are infected with the AUTO virus. Instructions for removing the AUTO virus are not part of this guide; however, you can protect against it in step 5g of this mailer.
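The checks above, and the file lists from the two earlier mailers, as one read-only PowerShell scan. This is an added example, not a script from the original mailers or from the blog author; it reports matches and deletes nothing. The %CurrentFolder% entry is skipped because that placeholder has no fixed expansion; every other path and service name is taken from the page, and the 8-hex-digit pattern is the AUTO indicator described above.

```powershell
# Added example, not from the original mailer: read-only scan for the indicators
# named in this guide. Run in an elevated PowerShell prompt; nothing is deleted.
$win = $env:SystemRoot
$indicatorFiles = @(
    'C:\autorun.inf', 'C:\net.exe',
    "$win\system32\exloroe.com", "$win\system32\notepod.exe",
    "$win\system32\rsvp.exe", "$win\system32\dllcadhe\lsoss.exe",
    "$win\system32\odbcjtr32.dll",
    "$env:USERPROFILE\system.exe", "$env:USERPROFILE\winlogon.exe",
    "$win\system32\scvhost.exe", "$win\astry.exe",
    "$win\Network-IPv6\network.exe", "$win\scvhost.exe",
    "$win\msvbvm60.dll",
    'C:\Documents and Settings\All Users\Desktop\msvbvm60.dll',
    'C:\Program Files\SYSTEM16.EXE',
    'C:\Program Files\Common Files\Microsoft Shared\msinfo\_SYSTEM16.EXE'
)

# -Force returns hidden/system files as well, the equivalent of "dir /ah".
foreach ($path in $indicatorFiles) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        Write-Output ('FOUND file    {0}  [{1}]' -f $path, $item.Attributes)
    }
}

# Service indicators: the fixed SYSTEM16 name and the 8-hex-digit AUTO name.
# Service keys are read from the registry so that entries which fail to start
# (for example after SAV killed the process) are still listed.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in Get-ChildItem -LiteralPath $svcKey) {
    $name = $svc.PSChildName
    if ($name -eq 'windows_rejoice2007_91') {
        Write-Output ('FOUND service {0}  (SYSTEM16 indicator)' -f $name)
    } elseif ($name -match '^[0-9A-Fa-f]{8}$') {
        $image = $svc.GetValue('ImagePath')
        Write-Output ('FOUND service {0}  ImagePath={1}  (possible AUTO indicator)' -f $name, $image)
    }
}
```

A hit on the 8-hex-digit pattern is a lead, not proof: check the ImagePath shown before treating the service as the AUTO virus.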
Removal techniques (print this out for convenience)
1. Preferred - disable System Restore!!! Right-click My Computer and go to the System Restore tab to disable it for all drives. If you prefer not to disable it, do not restore to any saved point dated before the removal date; otherwise you will reverse the removal effort.
2. Download the registry patch from Inspiration first. Surf to http://inspiration.nyp.edu.sg/virus.html, download and extract the file mentioned on the page to a temporary location in C:\, e.g. C:\temp. The patch will enable you to view hidden files again; the SYSTEM16 virus modifies the registry to permanently disable this.
3. File removal
- Go to Safe Mode (F8)
- UNHIDE and delete the following files
- Unhide command: attrib -s -h -r
3a. AUTORUN.INF in the root of ALL REMOVABLE DRIVES, such as HDD, thumb drives
3b. SYSTEM16.EXE in the root of ALL REMOVABLE DRIVES, such as HDD, thumb drives
3c. C:\Program Files\SYSTEM16.EXE
3d. C:\Program Files\Common Files\Microsoft Shared\msinfo\_SYSTEM16.EXE
4. Registry removal
- Delete the following service keys from the Registry
4a. HKLM\System\CurrentControlSet\Services\windows_rejoice2007_91
4b. HKLM\System\CurrentControlSet1\Services\windows_rejoice2007_91
4c. HKLM\System\CurrentControlSet2\Services\windows_rejoice2007_91
4d. HKLM\System\CurrentControlSet3\Services\windows_rejoice2007_91
- Apply the registry patch that you extracted earlier to C:\temp
5. Prevention of virus
The current method that is confirmed to be working is to insert a file hash of SYSTEM16.EXE into Local/Group Security Policy. Assuming that the virus does not mutate and the computer is cleaned, the virus should not gain entry again.
For local policy, follow these steps:
5a. Run secpol.msc
5b. Expand Security Settings --> Software Restriction Policies
5c. At the Action menu, Create New Policies (if a policy is already created, ignore this step)
5d. Under Additional Rules, create a new Hash Rule
5e. Enter the file hash of 767baf4600d97ef2a98323ca0380b4df:373248:32771
5f. Security Level: Disallowed
5g. For additional prevention of the AUTO virus, the file hash is 6a19a8475f715cdedf5482276fbfc699:17424:32771
Notes
The registry may be affected in more ways, but these are not known at this time. Also, the AUTO virus might have 2 strains, so the hash value may differ.
SYSTEM16.exe file information: system16.exe, 373,248 bytes, 9/2/2007 12:44:10 AM
AUTO.exe file information: auto.exe, 17,424 bytes, 10/21/2007 04:36 PM
Also, once the file hash protection is in place, infected thumbdrives may not open with a double-click; there will be an error message saying Windows couldn't execute the file. Just right-click and choose Explore. To clean the thumbdrive, follow steps 3, 3a and 3b.
How to check whether you have gotten the virus:
- A hidden RECYCLER folder is created in your thumbdrive
- The thumbdrive's icon is changed to a folder icon in My Computer
- You may not be able to surf the Internet from Windows Explorer
Removal techniques (print this out for convenience)
1. Preferred - disable System Restore!!! Right-click My Computer and go to the System Restore tab to disable it for all drives. If you prefer not to disable it, do not restore to any saved point dated before the removal date; otherwise you will reverse the removal effort.
2. Removal from PC
- Go to Safe Mode (F8)
- Run "regedit" (Registry Editor)
- Navigate to HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
- Use the "Find" function to search for "xop32"
- Delete ALL value(s) that have "xop32" in them
- Navigate to HKLM\Software\Microsoft\Active Setup\Installed Components
- Use the "Find" function to search for "xop32"
- Delete ALL subfolder(s) that have "xop32" in them. Be careful: do NOT delete the "Installed Components" folder, only the affected one under it
- Close the editor
- Go to Windows Explorer
- At the menu bar, go to Tools --> Options
- At the View tab, select the radio button "Show hidden files and folders"
- Still in Windows Explorer, navigate to C:\RECYCLER
- You will see many subfolders with long names and recycle bin icons
- Delete all of them (your deleted items will be flushed)
- Restart the PC
3. Removal from thumbdrive
- Make sure you have done steps 2 and 4, otherwise the virus will reinfect the system
- UNHIDE and delete the following files
- Unhide command: attrib -s -h -r
3a. AUTORUN.INF in the root folder
3b. XOP32.exe in the RECYCLER\S-?????? folder
4. Prevention of virus
The current method that is confirmed to be working is to insert a file hash of XOP32 into Local/Group Security Policy. Assuming that the virus does not mutate and the computer is cleaned, the virus should not gain entry again.
Note: Vista Business may not support file hashes
For local policy, follow these steps:
5a. Run secpol.msc
5b. Expand Security Settings --> Software Restriction Policies
5c. At the Action menu, Create New Policies (if a policy is already created, ignore this step)
5d. Under Additional Rules, create a new Hash Rule
5e. Enter the file hash of f255837b7f9c2c461af9459712d12c16:8704:32771
5f. Security Level: Disallowed
Also, once the file hash protection is in place, infected thumbdrives may not open with a double-click; there will be an error message saying Windows couldn't execute the file. Just right-click and choose Explore. To clean the thumbdrive, follow steps 3, 3a and 3b.
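The registry part of step 2, as a read-only PowerShell search. This is an added example, not a script from the original mailer; it lists MUICache values and Installed Components subkeys that mention xop32 so you can review them before deleting anything in regedit. The StubPath value name is the Active Setup launch value and is assumed here; the two key paths are the ones given in step 2.

```powershell
# Added example, not from the original mailer: read-only search of the two
# registry locations named in step 2 for entries mentioning xop32. Nothing is
# deleted; review the output before removing anything in regedit.
$pattern = 'xop32'

# MUICache holds one value per program that has been run; the value name is the
# executable path, so a match here shows where the worm copy was launched from.
$muiPath = 'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache'
$mui = Get-Item -LiteralPath $muiPath -ErrorAction SilentlyContinue
if ($mui) {
    foreach ($valueName in $mui.GetValueNames()) {
        $data = [string]$mui.GetValue($valueName)
        if (($valueName -match $pattern) -or ($data -match $pattern)) {
            Write-Output ('MUICache value : {0} = {1}' -f $valueName, $data)
        }
    }
}

# Installed Components: each subkey may carry a StubPath that Active Setup runs
# at logon. Report the subkey (never the parent) when its name or a value matches.
$installed = 'HKLM:\Software\Microsoft\Active Setup\Installed Components'
foreach ($sub in Get-ChildItem -LiteralPath $installed -ErrorAction SilentlyContinue) {
    $hit = $sub.PSChildName -match $pattern
    foreach ($valueName in $sub.GetValueNames()) {
        if ([string]$sub.GetValue($valueName) -match $pattern) { $hit = $true }
    }
    if ($hit) {
        $stub = [string]$sub.GetValue('StubPath')
        Write-Output ('Installed Components subkey: {0}  StubPath={1}' -f $sub.Name, $stub)
    }
}
```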
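The hash strings entered in step 5e of this mailer and of the SYSTEM16 mailer share one format, and the following added PowerShell function (not from the original mailer) builds it for any file you want to disallow. The reading that the third field 32771 (0x8003) is the CALG_MD5 algorithm identifier and the middle field is the file size is an inference from the page's own values, whose size fields match the file information in the notes (373,248 for system16.exe, 17,424 for auto.exe).

```powershell
# Added example, not from the original mailer: build the "hash:size:32771" string
# that the Software Restriction Policies "New Hash Rule" dialog expects, for any
# file you want to disallow. Uses .NET MD5 directly so it also runs on PowerShell 2.0.
function Get-SrpHashRuleString {
    param([Parameter(Mandatory = $true)][string]$Path)

    # -Force so a hidden/system worm file (attrib +s +h) is still readable here.
    $file = Get-Item -LiteralPath $Path -Force

    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($file.FullName)
    try { $digest = $md5.ComputeHash($stream) } finally { $stream.Close() }

    $hex = [System.BitConverter]::ToString($digest).Replace('-', '').ToLower()

    # Third field is the hash algorithm id: 32771 = 0x8003 = CALG_MD5 (inferred from
    # the page's values, which all end in :32771 and whose middle field equals the
    # file size, e.g. 373248 for system16.exe and 17424 for auto.exe).
    return ('{0}:{1}:32771' -f $hex, $file.Length)
}

# Example call using a file path named in step 3c of the SYSTEM16 mailer. Compare
# the size field in the result with the file information in the notes before
# pasting the value into the hash rule dialog.
Get-SrpHashRuleString -Path 'C:\Program Files\SYSTEM16.EXE'
```

Run it against the copy you are about to delete (in Safe Mode, before step 3) so that the hash matches the strain actually on your machine rather than a value from an older mailer.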
Regards
