spybot.dn worm



Douglas
26-11-2004, 09:50 AM
How do I remove this from a PC? Can I open the Registry and remove every entry of w32usb2.exe? Thanks, Doug

godfather
26-11-2004, 09:58 AM
Welcome to PF1.

Removal instructions are here, click on this link (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.DN)

Murray P
26-11-2004, 10:00 AM
Looks like you're on the right track, as per Trend Micro (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.DN), you'll need to patch your OS. What antivirus programme are you using?

Spacemannz
26-11-2004, 10:00 AM
Yup, this is what you do here. It's also a GOOD idea to keep your system up to date. I WOULD also get off the net until you do the following.



This worm propagates via network shares. It takes advantage of the following known Windows vulnerability:

Windows LSASS vulnerability

For detailed information about this vulnerability, refer to the following Microsoft page:

Microsoft Security Bulletin MS04-11

This worm also has backdoor functionalities. It comes with a built-in Internet Relay Chat (IRC) client engine, which enables it to connect to an IRC channel and wait for commands from a malicious user. It processes the commands on the local machine giving remote users virtual control of the infected system.

This worm also steals the CD keys of certain game applications.

It runs on Windows 2000 and XP.

Solution:

Restarting in Safe Mode

» On Windows 2000

1. Restart your computer.
2. Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

» On Windows XP

1. Restart your computer.
2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
Win32 USB2.0 Driver = "W32USB2.EXE"
4. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Runservices
5. In the right panel, locate and delete the entry:
Win32 USB2.0 Driver = "W32USB2.EXE"
6. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Runonce
7. In the right panel, locate and delete the entry:
Win32 USB2.0 Driver = "W32USB2.EXE"
8. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
9. In the right panel, locate and delete the entry:
Win32 USB2.0 Driver = "W32USB2.EXE"
10. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Runonce
11. In the right panel, locate and delete the entry:
Win32 USB2.0 Driver = "W32USB2.EXE"
12. In the left panel, locate and delete the following keys:
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Win32 USB2.0 Driver
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_WIN32_USB2.0_DRIVER
* HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Win32 USB2.0 Driver
13. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_SPYBOT.DN. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

Applying Patches

This malware exploits known vulnerabilities on certain platforms. Download and install the critical patches from the following links:
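
An added example, not part of the original thread or of Trend Micro's instructions: a check that a registry export no longer contains the autostart values and service keys listed under "Removing Autostart Entries from the Registry" above. The function name `find_leftovers` and the sample export are assumptions made for illustration; the key paths, value name and file name are the ones quoted in the post.

```python
import re

# Value name/data and key paths are taken from the removal steps quoted above.
VALUE_NAME, VALUE_DATA = "win32 usb2.0 driver", "w32usb2.exe"
CV = r"\software\microsoft\windows\currentversion" + "\\"
RUN_KEYS = {"hkey_local_machine" + CV + k for k in ("run", "runservices", "runonce")}
RUN_KEYS |= {"hkey_current_user" + CV + k for k in ("run", "runonce")}
SERVICE_KEYS = (
    r"hkey_local_machine\system\currentcontrolset\services\win32 usb2.0 driver",
    r"hkey_local_machine\system\currentcontrolset\enum\root\legacy_win32_usb2.0_driver",
    r"hkey_local_machine\system\controlset001\services\win32 usb2.0 driver",
)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_leftovers(reg_text):
    """Return sorted (kind, key) findings for a regedit export passed as text."""
    findings, key = set(), None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            for sk in SERVICE_KEYS:  # the key itself or any of its subkeys
                if key.lower() == sk or key.lower().startswith(sk + "\\"):
                    findings.add(("key", key[:len(sk)]))
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower() in RUN_KEYS:
            name = m.group(1).lower()
            # .reg files double backslashes; compare only the file name
            exe = m.group(2).lower().replace("\\\\", "\\").split("\\")[-1]
            if name == VALUE_NAME and exe == VALUE_DATA:
                findings.add(("value", key))
    return sorted(findings)

# Constructed sample export (not taken from a real infected machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32 USB2.0 Driver"="W32USB2.EXE"
"ExampleApp"="C:\\Program Files\\ExampleApp\\app.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Win32 USB2.0 Driver"="w32usb2.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win32 USB2.0 Driver\Security]
"Type"=dword:00000020
'''

if __name__ == "__main__":
    for kind, key in find_leftovers(SAMPLE):
        print(kind, key)
```

An empty result after cleanup means none of the listed entries remain in the exported hives. A Version 5.00 export is UTF-16, so read the file with `encoding="utf-16"` before passing its text to the function.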