BraindG
21-08-2003, 05:19 PM
This process explains what to do with machines infected with the W32/Lovsan.worm.b, W32/Blaster.worm.b and W32/Nachi.worm viruses.
Network Associates have confirmed that the .DAT file 4286 (and above) and the Scan Engine 4.1.60 (and above) will successfully clean and remove any trace of the virus from infected systems (see http://vil.nai.com/vil/content/v_100552.htm: modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher)).
What to do with INFECTED MACHINES:
1) Ending the Trojan process:
a) Start Task Manager
b) Look for nstask32.exe or winlogin.exe (Warning: NOT WINLOGON.EXE) or msblast.exe
c) End Process on any of these found.
d) Exit Task Manager.
2) Check the registry:
a) Have a look for the following keys:
Very likely: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows update" = msblast.exe
Less likely:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "winlogon" = winlogin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "NDplDeamon" = winlogin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winlogon" = winlogin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = explorer.exe winlogin.exe
b) Delete if found.
3) Ending the Nachi Virus process
a) Run Windows Explorer and browse to C:\Winnt\System32\Wins. If DLLHOST.EXE and SVCHOST.EXE exist there, this PC is infected by the Nachi virus.
b) Download the latest Stinger.exe V1.8.4 (http://vil.nai.com/vil/stinger/)
c) Run Stinger.exe on PC. Highlight C:\ drive and click Remove button
d) Click Browse button, and browse to C:\Winnt\System32\Wins
e) Click Scan Now to scan the PC.
f) Once the scan is finished, restart the PC.
4) Install the Hotfix:
a) Download the patch from:
Windows 2000
http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
Windows XP
http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
b) The machine should restart; if not, restart it. (NB: after the restart the machine can no longer spread the virus.)
5) Updating Viruscan:
Update Viruscan from the Viruscan console (admin account required: right-click on AutoUpdate or AutoUpgrade and hit Start or Stop depending on what is available; both will start the update) to the latest .DAT file (4286) and scan engine (not required if equal to or above 4.1.60, but handy for the future).
From what we have seen so far, the viruses get cleaned up automatically (to check, search for msblast.exe, which should now be deleted from the machine), so the C: drive does not need to be checked.
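An added triage script, not part of the original post, that checks the three classes of indicator the post lists against saved captures rather than the live machine: a `tasklist /FO CSV` capture for the processes in step 1, a `reg export` .reg file for the autorun values in step 2, and a file listing for the Nachi copies in step 3. The sample captures embedded below are constructed for the example; the process names, value names (including "windows update" exactly as the post gives it) and the \Wins directory are taken from the post. The matching is deliberately on the whole image name so that the legitimate winlogon.exe is never reported, and dllhost.exe/svchost.exe are only flagged inside the Wins directory, where they do not belong.

```python
import csv
import io
import re

# Indicators taken from the post above. winlogon.exe is the legitimate Windows
# logon process: only the one-letter-off winlogin.exe is the worm, so matching
# below is on the whole image name, never a substring.
WORM_PROCESSES = {"msblast.exe", "nstask32.exe", "winlogin.exe"}
WORM_AUTORUN_BINARIES = {"msblast.exe", "winlogin.exe"}
NACHI_DIR = r"c:\winnt\system32\wins"
NACHI_FILES = {"dllhost.exe", "svchost.exe"}

# Matches one value line of a .reg export: "name"="data" or @="data" (default value).
REG_VALUE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def suspicious_processes(tasklist_csv):
    """Return (image_name, pid) pairs from `tasklist /FO CSV` output whose image
    name is one of the worm processes. Case-insensitive, whole-name comparison."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        name = row["Image Name"].strip().lower()
        if name in WORM_PROCESSES:
            hits.append((name, int(row["PID"])))
    return hits


def suspicious_autoruns(reg_text):
    """Scan the text of a `reg export` (.reg) file and return (key, value_name,
    data) triples for values whose data launches a worm binary. The Winlogon
    Shell value may list several programs ("explorer.exe winlogin.exe"), so
    every whitespace-separated token is checked, with any path prefix dropped."""
    hits = []
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # [HKEY_...\Run] -> HKEY_...\Run
            continue
        m = REG_VALUE.match(line)
        if not m or key is None:
            continue
        name = "@" if m.group("default") else m.group("name")
        data = m.group("data").strip()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1]
        tokens = {t.strip('"').lower().rsplit("\\", 1)[-1] for t in data.split()}
        if tokens & WORM_AUTORUN_BINARIES:
            hits.append((key, name, data))
    return hits


def nachi_droppings(paths):
    """Given file paths (e.g. from `dir /s /b C:\\Winnt\\System32`), return those
    that are the Nachi copies of dllhost.exe/svchost.exe inside the Wins
    directory. The same names directly under System32 are legitimate."""
    found = []
    for p in paths:
        directory, _, name = p.lower().rpartition("\\")
        if directory == NACHI_DIR and name in NACHI_FILES:
            found.append(p)
    return found


# Constructed sample captures (not real machine output), one per indicator class.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"winlogon.exe","160","Console","0","2,436 K"
"svchost.exe","428","Console","0","3,120 K"
"msblast.exe","1140","Console","0","1,888 K"
"winlogin.exe","1172","Console","0","1,904 K"
'''

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"windows update"="msblast.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe winlogin.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
'''

SAMPLE_FILES = [
    r"C:\WINNT\system32\svchost.exe",       # legitimate service host
    r"C:\WINNT\system32\wins\DLLHOST.EXE",  # Nachi copy
    r"C:\WINNT\system32\wins\SVCHOST.EXE",  # Nachi copy
]

if __name__ == "__main__":
    for name, pid in suspicious_processes(SAMPLE_TASKLIST):
        print("end process: %s (PID %d)" % (name, pid))
    for key, value, data in suspicious_autoruns(SAMPLE_REG):
        print('delete value: [%s] "%s" = %s' % (key, value, data))
    for path in nachi_droppings(SAMPLE_FILES):
        print("Nachi file: %s" % path)
```

On an infected machine the inputs would come from `tasklist /FO CSV > procs.csv`, `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the other keys listed in step 2) and `dir /s /b C:\Winnt\System32\Wins`, read in place of the constructed samples; reg export writes UTF-16, so decode it before passing the text in. The script only reports; the actual process termination, value deletion and patching are the manual steps 1 to 4 above.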