1. Follow standard procedure for virus removal
2. Delete these values and subkeys that were added to the registry.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft Net Driver" = "%Windir%\NETSVC.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "%Windir%\NETUI.EXE"
HKEY_LOCAL_MACHINE\Software\Microsoft\WinNT\"ID" = "[CURRENT DATE IN FORMAT OF DD/MM/YYYY]"
Restore these entries to their previous values, if required:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\"Shell" = "Explorer.exe %Windir%\WINVER.EXE"
Additional Information
The worm creates these files on the compromised computer. If your anti-virus software is unable to remove them, try deleting the files manually in Safe Mode:
[DRIVE LETTER]:\Mobimb.exe
e.g. 'E:\Mobimb.exe'
[DRIVE LETTER]:\autorun.inf
e.g. 'C:\Mobimb.exe'
C:\Windows\EXPLORAR.exe
C:\Windows\NETSVC.EXE
C:\Windows\NETUI.exe
C:\Windows\WINVER.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WINSTART.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WINSTART.exe
[CURRENT FOLDER]\Windows Explorer.url
c:\a.txt
c:\msg.txt
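The two clean-up steps above (registry values, then dropped files) collected into one audit-and-remediate script. This is an added example, not Symantec's own tool; the values it restores (DisableTaskMgr = 0, Shell = Explorer.exe) are the assumed stock Windows defaults, not anything the write-up states, and the "Documents and Settings" paths are used exactly as listed.

```powershell
# Audit (and with -Remediate, clean up) the indicators listed above. Added example,
# not from the Symantec notes. Run elevated; use Safe Mode if the files are locked.
param([switch]$Remediate)
$win = $env:WINDIR
$hits = 0
# Values the worm adds: delete outright.
$added = @(
  @{ Key='HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name='Microsoft Net Driver' },
  @{ Key='HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name='load' },
  @{ Key='HKLM:\Software\Microsoft\WinNT'; Name='ID' }
)
foreach ($v in $added) {
  $p = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
  if ($null -ne $p) {
    $hits++; Write-Output "REG  $($v.Key)\$($v.Name) = $($p.$($v.Name))"
    if ($Remediate) { Remove-ItemProperty -Path $v.Key -Name $v.Name -Force }
  }
}
# Values the worm modifies: only touch them while they still carry the worm's settings.
$polKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$tm = (Get-ItemProperty $polKey -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
if ($tm -eq 1) {
  $hits++; Write-Output "REG  $polKey\DisableTaskMgr = 1"
  if ($Remediate) { Set-ItemProperty $polKey -Name DisableTaskMgr -Value 0 }  # assumed prior value
}
$logonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\WinLogon'
$shell = (Get-ItemProperty $logonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -like '*WINVER.EXE*') {
  $hits++; Write-Output "REG  $logonKey\Shell = $shell"
  if ($Remediate) { Set-ItemProperty $logonKey -Name Shell -Value 'Explorer.exe' }  # assumed prior value
}
# Dropped files. Drive-root copies are checked on every filesystem drive; autorun.inf is
# flagged only when it references Mobimb.exe, so a legitimate autorun.inf is left alone.
$files = @("$win\EXPLORAR.exe", "$win\NETSVC.EXE", "$win\NETUI.exe", "$win\WINVER.exe",
  'C:\a.txt', 'C:\msg.txt',
  'C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\WINSTART.exe',
  'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WINSTART.exe')
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
  $files += "$($d.Name):\Mobimb.exe"
  $inf = "$($d.Name):\autorun.inf"
  if ((Test-Path $inf) -and (Select-String -Path $inf -Pattern 'Mobimb\.exe' -Quiet)) { $files += $inf }
}
foreach ($f in $files | Where-Object { Test-Path $_ }) {
  $hits++; Write-Output "FILE $f"
  if ($Remediate) { Remove-Item -LiteralPath $f -Force }
}
Write-Output "$hits indicator(s) found$(if ($Remediate) { ' and removed' })"
```

Run it once without the switch to see what is present, then with `-Remediate` and reboot; the `Windows Explorer.url` shortcut in the current folder is not covered and should be removed by hand.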
Source: Symantec