W32/Lovsan.worm.b, W32/Blaster.worm.b and W32/Nachi.worm



BraindG
21-08-2003, 05:19 PM
This process explains what to do with machines infected with the W32/Lovsan.worm.b, W32/Blaster.worm.b and W32/Nachi.worm viruses.
Network Associates have confirmed that the .DAT file 4286 (and above) and the Scan Engine 4.1.60 (and above) will successfully clean and remove any trace of the virus from infected systems (see http://vil.nai.com/vil/content/v_100552.htm): "Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher)."

What to do with INFECTED MACHINES:

1) Ending the Trojan process:
a) Start Task Manager
b) Look for nstask32.exe or winlogin.exe (Warning: NOT WINLOGON.EXE) or msblast.exe
c) End Process on any of these found.
d) Exit Task Manager.


2) Check the registry:

a) Have a look for the following keys:

Very likely: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows update" with a value of msblast.exe.

Less likely:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "winlogon" = winlogin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "NDplDeamon" = winlogin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winlogon" = winlogin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = explorer.exe winlogin.exe

b) Delete if found.

3) Ending the Nachi virus process:
a) Run Windows Explorer and browse to C:\Winnt\System32\Wins. If DLLHOST.EXE and SVCHOST.EXE exist there, the PC is infected by the Nachi virus.
b) Download the latest Stinger.exe V1.8.4 (http://vil.nai.com/vil/stinger/)
c) Run Stinger.exe on the PC. Highlight the C:\ drive and click the Remove button.
d) Click the Browse button and browse to C:\Winnt\System32\Wins.
e) Click Scan Now to scan the PC.
f) Once the scan is finished, restart the PC.


4) Install the Hotfix:
a) Download the patch from:
Windows 2000
http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
Windows XP
http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

b) The machine should restart; if not, restart it. (NB: after the restart, the machine can no longer spread the virus.)

5) Updating VirusScan:
Update VirusScan from the VirusScan console (admin account required: right-click on Autoupdate or Autoupgrade and hit Start or Stop depending on what is available; both will start the update) to the latest .DAT file (4286) and scan engine (not required if equal to or above 4.1.60, but handy for the future).

From what we have seen so far, the viruses get cleaned up automatically (to check, search for Msblast.exe, which should now be deleted from the machine), so the C: drive does not need to be checked.
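One way to turn step 2 into a repeatable check instead of a manual registry search, added here as an example (it is not part of the original post or of any vendor tool): a small Python script that reads the text of a `reg export` file and flags any of the startup values listed above. The .reg sample inside it is constructed for illustration.

```python
"""Flag the Lovsan/Blaster startup entries listed above in a .reg export (runs anywhere)."""
import re
# Startup locations the post says to inspect (Run, RunOnce, Winlogon Shell).
STARTUP_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)}
# Executables named in the post. winlogin.exe is the worm; winlogon.exe is legitimate.
SUSPECT_EXES = ("msblast.exe", "winlogin.exe", "nstask32.exe")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')  # named REG_SZ lines only

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from 'reg export' style text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group("name")] = m.group("data").strip().strip('"')
    return keys

def find_worm_entries(text):
    """List (key, value_name, data) for startup entries that launch a suspect exe."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() in STARTUP_KEYS:
            for name, data in values.items():
                if any(exe in data.lower() for exe in SUSPECT_EXES):
                    hits.append((key, name, data))
    return hits

# Constructed sample export: three worm entries plus one legitimate Userinit value.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows update"="msblast.exe"
"NDplDeamon"="winlogin.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe winlogin.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"""
if __name__ == "__main__":
    for key, name, data in find_worm_entries(SAMPLE_EXPORT):
        print(f"SUSPECT  [{key}]  {name} = {data}")
```

On a real machine, export the keys with `reg export` (or via regedit) and pass the file contents to `find_worm_entries`; a clean Winlogon Shell of plain `explorer.exe` is not reported.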

BraindG
21-08-2003, 05:22 PM
These are a pain in the ass.. slowing the internet down..

If you don't use a firewall.. use the above procedure, then GET a firewall..

I've just had a really pissy day at work cos of the viruses.. me in mood..

Nick VR4
21-08-2003, 08:29 PM
bit late mate :p ;)

http://www.clubvr4.co.uk/forum/showthread.php?s=&threadid=983

BraindG
21-08-2003, 08:31 PM
At least I explained how to get rid of them

Nick VR4
21-08-2003, 08:40 PM
OK lol you win
Check the Scoobynet computer forum, there are lots of threads
dealing with various viruses, including W32/Sobig.f@MM

BraindG
21-08-2003, 08:42 PM
Sobig ain't that bad, at least it's email driven and doesn't propagate on its own.. it's bad aye.. but not as bad as the others

Nick VR4
21-08-2003, 08:47 PM
Yeah, see your point, but people are still just opening emails and clicking the .exe

When will they learn

Nick VR4
21-08-2003, 08:54 PM
ISPs: Sobig's the biggest virus so far
Source: ZDNet News
http://news.ists.dartmouth.edu/todaysnews.html#internal11307

Date Written: August 21, 2003
Date Collected: August 21, 2003

Sobig.F, the latest variant of the Sobig email virus, is being called the largest epidemic of a mass-mailing computer program to date. E-mail filtering company MessageLabs, for instance, said it intercepted more than a million messages that carry the virus on Tuesday, while rival Postini trapped 2.6 million in 24 hours. MessageLabs found that about one in every 17 messages contained the Sobig virus--far more than the normal 1-in-275 ratio. America Online (AOL) also had to deal with an avalanche of e-mail. On any given day, AOL normally receives about 11 million e-mail messages that bear attachments that need to be checked. On Tuesday, the company took in about 31 million such messages, about 11.5 million of which carried the Sobig.F virus, according to an AOL representative. The virus has also caused headaches for administrators at the Massachusetts Institute of Technology, the U.S. Department of Defense and many other companies.

landy
21-08-2003, 11:28 PM
The Blaster virus infected my system last week. The system would shut down after a few minutes connected to the web.

It got past my updated Norton Antivirus undetected.

I downloaded this (thankfully it was a small program to download): http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Nick VR4
22-08-2003, 09:20 AM
Originally posted by landy
The Blaster virus infected my system last week. The system would shut down after a few minutes connected to the web.

It got past my updated Norton Antivirus undetected.

I downloaded this (thankfully it was a small program to download): http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Landy, have you downloaded the patch from Microsoft?
A firewall would have stopped this.