W32.Spybot.Worm removal log

Source: Internet
Author: User

Back when I was a bachelor, I reinstalled my system almost once a month. Last July I installed an "e-text" edition of XP, and I never expected it to still be in use now. In the meantime it lived through Blaster and Sasser unscathed, which is a small miracle. But with so much software installed, only a few MB were left on the C drive, and no more space could be freed by cleaning up, so I made up my mind to reinstall the system. Drawing on past experience, I unplugged the network cable before installing, installed Norton, then connected to the Internet, immediately updated the virus definitions and installed the Windows patches. Even that brief window was enough for the ever-present viruses to get in. Today the system was very slow to start up, and Norton found W32.Spybot.Worm but could not remove it, so I had to search for a solution that night. The following is the solution, which I have verified to work.

I. Features of the W32.Spybot.Worm virus

Virus name: Win32.Spybot
Aliases: W32.Spybot.Worm (Symantec), W32/Spybot.worm.gen (McAfee), Win32.Spybot.Gen, Win32/P2P.Spybot.variant.Worm

Platform: Win32
Type: Worm

Wildness (in the wild): Low
Destructiveness: Medium
Prevalence: Medium

Features

Win32.Spybot is a worm built from open-source IRC bot code. Its openness and its management model come from these distributed bots, and the many variants differ only slightly. Through an online chat (IRC) system a remote user can control at least some administrative functions of the infected computer, and the worm can also spread across peer-to-peer (P2P) networks.

In addition to the backdoor functions these bots carry, it has the following features:

■ Collects configuration information about the local computer, including connection type, CPU speed, and local drive information;
■ Installs and deletes files on the local computer;
■ Executes arbitrary commands on the local computer.

Win32.Spybot also has the following capabilities (depending on the variant):

■ Propagation: peer-to-peer networks and the backdoors left by the Kuang2 and SubSeven trojans
■ Keystroke logging (recording what is typed on the keyboard)
■ Terminating firewall and anti-virus programs to avoid detection
■ Acting as a proxy server

Spybot registers itself in the Registry so that it runs at startup. The default keys it modifies are:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

These bots are usually used to launch distributed denial-of-service (DDoS) attacks, although they can also be put to other illegitimate uses, such as port scanning, sending spam, and distributing other untrusted programs.

Symantec rates it as a Category 2 threat and provides no dedicated removal tool. Many people have been infected recently, and Symantec AntiVirus can only detect the worm without cleaning it (it can only be cleaned in Safe Mode). The leftover entries in the Registry must be removed by hand. W32.Spybot.Worm spreads through KaZaA file sharing and mIRC, and also through the backdoors of already-infected computers. By connecting to a specific IRC server, W32.Spybot.Worm can perform various backdoor functions and listen for commands on different channels.

W32.Spybot.Worm variants spread using the following vulnerabilities:

MS03-026 (http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx)
DCOM RPC vulnerability, using TCP port 135.

MS04-011 (http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx)
Microsoft Local Security Authority Subsystem Service (LSASS) remote buffer overflow vulnerability.

MS02-061 (http://www.microsoft.com/technet/security/bulletin/MS02-061.mspx)
Authentication weakness in MS-SQL 2000 or MSDE 2000, using UDP port 1434.

MS03-007 (http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx)
WebDAV vulnerability, using TCP port 80.

MS01-059 (http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx)
UPnP NOTIFY buffer overflow vulnerability.

MS03-049 (http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx)
Workstation service (WKSSVC) buffer overflow, using TCP port 445. Windows XP users only need to install MS03-043 (http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx) to close this hole; Windows 2000 users must install MS03-049.
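As an added example (not part of the original post or of Symantec's write-up), the following PowerShell script checks which of the hotfix packages named in step (8) of the removal procedure are present on the machine, keyed by the bulletins above. The KB-number-to-bulletin mapping is Microsoft's own (KB824146 is MS03-039, the cumulative RPC/DCOM fix that supersedes the MS03-026 patch); the function name and the `-Installed` override are mine. It needs PowerShell 2.0 or later, which is available for Windows XP SP3 but not for Windows 2000.

```powershell
# Added example, not from the original post: which of the step (8) hotfixes are installed?
# KB -> bulletin mapping is Microsoft's; the descriptions are from the bulletins listed above.
$required = @{
    'KB824146' = 'MS03-039 (RPC/DCOM, TCP 135; supersedes MS03-026)'
    'KB835732' = 'MS04-011 (LSASS)'
    'KB828749' = 'MS03-049 (Workstation service, TCP 445; Windows 2000)'
    'KB828035' = 'MS03-043 (Messenger service; on Windows XP also covers MS03-049)'
}

# Win32_QuickFixEngineering (behind Get-HotFix) reports IDs as "KBnnnnnn" or, on older
# systems, "Qnnnnnn", so only the digits are compared. -Installed can be overridden with a
# hand-collected list to evaluate a machine offline (assumed helper, not a Microsoft API).
function Get-HotfixStatus {
    param([string[]]$Installed = (Get-HotFix | ForEach-Object { $_.HotFixID }))
    $have = @($Installed | ForEach-Object { $_ -replace '\D', '' })
    foreach ($kb in ($required.Keys | Sort-Object)) {
        [pscustomobject]@{
            KB        = $kb
            Bulletin  = $required[$kb]
            Installed = ($have -contains ($kb -replace '\D', ''))
        }
    }
}

# Service pack level matters: fixes rolled into a service pack are not listed as hotfixes.
$os = Get-WmiObject Win32_OperatingSystem -ErrorAction SilentlyContinue
"{0} SP{1}" -f $os.Caption, $os.ServicePackMajorVersion
Get-HotfixStatus | Format-Table -AutoSize
```

A hotfix that was folded into a later service pack is not reported separately by Win32_QuickFixEngineering, so on an XP SP2 (or later) machine `Installed = False` for these four is expected and the service pack line printed first is the real check; the post's own advice to go straight to SP2 covers all of them.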

Type: Worm
Infection length: Varies
Affected systems: Windows 2000, Windows 95, Windows 98, Windows ME, Windows NT, Windows Server 2003, Windows XP
Unaffected systems: DOS, Linux, Macintosh, Novell NetWare, OS/2, UNIX, Windows 3.x
Hazards:
1. Sends personal data to IRC
2. Runs unauthorized commands on the infected computer
3. Causes network congestion on the local LAN
II. Removal steps
1. Isolate the computers: disconnect every computer from the network and clean them one at a time, so that no machine on the network is left infected to reinfect the others.
2. Remove the virus:
(1) Disable "System Restore" on Windows XP and Windows ME: right-click "My Computer" -> Properties -> System Restore -> turn off System Restore on all drives.
(2) Update Symantec AntiVirus to the latest virus definitions.
(3) Restart the computer in Safe Mode.
(4) Run a full manual scan of the computer.
(5) Record the name of each infected file and delete it (the anti-virus software may delete it, or you may have to delete it manually). Deleting the infected file is the key step.
(6) Back up the Registry: Start -> Run -> enter "regedit" -> Registry -> Export Registry File.
(7) Check the following keys in the Registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and delete any value that references the infected file name.
(8) Install the patches listed above for your operating system. The required patches are:
Windows 2000: install SP4 first, then the following hotfixes, which can be searched for and downloaded from Microsoft:
Windows2000-KB824146-x86-CHS.exe
Windows2000-KB835732-x86-CHS.EXE
Windows2000-KB828749-x86-CHS.exe
Windows2000-KB828035-x86-CHS.exe
Windows XP: install SP1 first, then the hotfixes listed below (or install SP2 directly, which already includes them and saves a lot of trouble):
WindowsXP-KB824146-x86-CHS.exe
WindowsXP-KB828035-x86-CHS.exe
WindowsXP-KB835732-x86-CHS.EXE
(The "CHS" packages are the Simplified Chinese builds; use the build that matches your system's language.)
(9) Set the password of every account with administrator rights to a complex password of more than 7 characters.
Note that installing the patches above only stops the worm from spreading; the system is still not secure, and the other critical updates must be installed through Windows Update.
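As an added example (not part of the original post or of Symantec's write-up), the following PowerShell script automates steps (6) and (7) above and cross-checks the autorun keys against the IRC-control behaviour described in section I. Run it from an elevated prompt. Assumptions: `-InfectedName` is the file name you recorded in step (5) (leave it empty to rely on the other two heuristics only); ports 6660-6669 are the usual IRC range, the post does not say which port this worm's controller uses, so treat hits as leads rather than proof; `Get-NetTCPConnection` needs Windows 8 / Server 2012 or later, so on older systems the script parses `netstat -ano` instead. The function names and the `C:\regbackup` location are mine.

```powershell
# Added example, not from the original post: triage and clean-up of the autorun keys
# used by W32.Spybot.Worm (steps 6 and 7), plus a look for live IRC connections (section I).
param(
    [string]$InfectedName = '',                                    # name recorded in step (5)
    [string]$BackupDir = (Join-Path $env:SystemDrive 'regbackup'), # assumed backup location
    [switch]$Remove                                                # without -Remove, report only
)

# The autorun keys step (7) says to inspect, plus the HKCU RunOnce key from section I.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Step (6): export each key with reg.exe before changing anything.
function Backup-AutorunKeys {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($k in $autorunKeys) {
        $native = $k -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
        $file = Join-Path $BackupDir (($native -replace '[\\:]', '_') + '.reg')
        & reg.exe export $native $file /y | Out-Null
    }
}

# Step (7): list every value in those keys and resolve the executable it launches.
function Get-AutorunEntries {
    foreach ($k in $autorunKeys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
            # Bare image path: the quoted first token, or the first whitespace-separated token.
            $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
            $exists = $false
            if ($exe) {
                $exists = (Test-Path -LiteralPath $exe) -or
                          [bool](Get-Command $exe -ErrorAction SilentlyContinue)
            }
            [pscustomobject]@{ Key = $k; Name = $name; Command = $cmd; Exe = $exe; Exists = $exists }
        }
    }
}

# Section I: the bot takes commands over IRC, so list established connections to the
# (assumed) IRC port range together with the process that owns each one.
function Get-IrcConnections {
    $conns = if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        Get-NetTCPConnection -State Established | ForEach-Object {
            [pscustomobject]@{ Remote = $_.RemoteAddress; Port = [int]$_.RemotePort; ProcessId = [int]$_.OwningProcess }
        }
    } else {
        # Older Windows: parse "netstat -ano" (TCP  local  remote:port  ESTABLISHED  pid).
        netstat -ano | ForEach-Object {
            if ($_ -match '^\s*TCP\s+\S+\s+(\S+):(\d+)\s+ESTABLISHED\s+(\d+)') {
                [pscustomobject]@{ Remote = $matches[1]; Port = [int]$matches[2]; ProcessId = [int]$matches[3] }
            }
        }
    }
    foreach ($c in $conns) {
        if ($c.Port -lt 6660 -or $c.Port -gt 6669) { continue }
        $p = Get-Process -Id $c.ProcessId -ErrorAction SilentlyContinue
        [pscustomobject]@{ Remote = "$($c.Remote):$($c.Port)"; ProcessId = $c.ProcessId; Path = $p.Path }
    }
}

Backup-AutorunKeys
$entries  = @(Get-AutorunEntries)
$irc      = @(Get-IrcConnections)
$ircPaths = @($irc | Where-Object { $_.Path } | ForEach-Object { $_.Path.ToLower() })

# Flag an entry if it names the recorded infected file, if its image no longer exists
# (the scanner deleted the file and left a dangling value, the case the post warns about),
# or if its image currently has an IRC connection open.
$suspect = @($entries | Where-Object {
    ($InfectedName -and $_.Exe -like "*$InfectedName") -or
    (-not $_.Exists) -or
    ($ircPaths -contains $_.Exe.ToLower())
})

$entries | Format-Table Key, Name, Command, Exists -AutoSize
$irc     | Format-Table Remote, ProcessId, Path -AutoSize
if ($suspect.Count -gt 0) {
    "Suspect autorun entries:"
    $suspect | Format-Table Key, Name, Exe -AutoSize
    if ($Remove) {
        foreach ($s in $suspect) { Remove-ItemProperty -Path $s.Key -Name $s.Name -Confirm }
    }
}
```

Run it first without `-Remove`, read the tables, then re-run with `-Remove` (every deletion prompts for confirmation). The "image missing" heuristic also flags harmless dangling values left by uninstalled software, so check the Command column before confirming; if a wrong value is removed, the `.reg` exports in the backup directory can be re-imported with regedit. The netstat fallback matches the literal state string `ESTABLISHED`, which is what netstat prints on the language builds the post deals with.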


NOTE: Based on Symantec's analysis of the virus.
August 2004 October
Written by Kernel
(http://bbs.netbuddy.org)

 
