Virus Removal Instructions



Analysis of the most common worm and virus infections, with solutions

The DCC network contains the malicious worm and virus traffic generated by infected machines by segmenting hosts into VLANs with additional ACLs. The most common infections observed on the DCC network (especially in the student labs) are listed below, together with the removal tool and procedure for each.

Nyxem Worm Infection
Identified by Symantec as: W32.Blackmal

Identified by Trend Micro as: VBS_DOSNYM.A and its variants, such as WORM_BLUEWORM.A

Malware Symptoms:

  • Continuous DoS attack against http://www.nymex.com
  • Ports: 80 and 8080

How do I clean my machine?

If you are using Windows XP or Windows Me, the System Restore option needs to be disabled first.

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

Step 1: Turn off Windows XP System Restore

  • Click Start > Programs > Accessories > Windows Explorer.
  • Right-click My Computer, and then click Properties.
  • Click the System Restore tab.
  • Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
  • Click Apply. A confirmation message appears.
  • As noted in the message, this will delete all existing restore points. Click Yes to do this.
  • Click OK.

OR

Double-click the following VBScript to run it; it performs step 1 automatically: Disablesystemrestore.vbs

Step 2: Download and run the following tool to remove the worm:

FxBkmalB.exe

Step 3: Shut down and restart the computer

  • Shut down the computer and turn off the power.
  • Wait for at least 30 seconds, and then restart the computer.

Sasser Worm Infection
Identified by Symantec as: W32.Sasser and its variants W32.Sasser.Worm, W32.Sasser.B.Worm, W32.Sasser.C.Worm, W32.Sasser.D, W32.Sasser.E.Worm, W32.Sasser.G

Malware Symptoms:

  • Systems affected: Windows 2000, Windows XP, Windows NT
  • Exploits the LSASS vulnerability described in http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
  • Ports: TCP 5554, 9996, and 445
  • Connects to the IPC$ share, followed by an RPC request to Directory Services directed to the \lsarpc named pipe
  • Two identical session setups in quick succession
  • An SMB probe that appears to originate from a Windows 2000 system

How do I clean my machine?

Step 1: Turn off Windows XP System Restore

  • Click Start > Programs > Accessories > Windows Explorer.
  • Right-click My Computer, and then click Properties.
  • Click the System Restore tab.
  • Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
  • Click Apply. A confirmation message appears.
  • As noted in the message, this will delete all existing restore points. Click Yes to do this.
  • Click OK.

OR

Double-click the following VBScript to run it; it performs step 1 automatically: Disablesystemrestore.vbs

Step 2: Download and run the following tool to remove the worm: FxSasser.exe

Steps to remove the Sasser worm:

  • Read the Microsoft advisory.
  • Download and apply the Windows patch MS04-011 (for Windows XP).
  • Download the removal tool and run it.
  • Note that these steps only protect your machine from the Sasser worm. You are requested to visit the Windows Update site and apply all critical security patches for your machine.

Step 3: Restart the computer. Run the removal tool again to confirm that the system is clean.


MyDoom Worm Infection
Identified by Symantec as: W32.Mydoom and its variants, such as W32.Mydoom.A@mm, W32.Mydoom.B@mm, W32.Mydoom.F@mm, W32.Mydoom.G@mm, W32.Mydoom.H@mm, W32.Mydoom.L@mm, W32.Mydoom.M@mm, W32.Mydoom.Q@mm, W32.Mydoom.AM@mm, W32.Mydoom.AX@mm, W32.Mydoom.AZ@mm, W32.Mydoom.BA@mm, Backdoor.Zincite.A, W32.Zindos.A, Backdoor.Nemog, Backdoor.Nemog.D

Malware Symptoms:

  • Systems affected: Windows 2000, Windows XP
  • Mass-mailing worm with its own SMTP engine; spreads through e-mail attachments with a .bat, .cmd, .com, .exe, .pif, .scr, or .zip extension
  • Opens a backdoor on TCP port 1042
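As an added example (not part of this page or any DCC tool), the Python below applies the network indicators given in the Nyxem, Sasser and MyDoom sections to a constructed connection log and flags the hosts worth isolating in their own VLAN; the log format, the addresses and the scan/DoS thresholds are assumptions.

```python
from collections import defaultdict
import re
# Indicators copied from the symptom lists above (all TCP).
SASSER_SCAN_PORT = 445                 # LSASS exploit attempts arrive over SMB
SASSER_SERVICE_PORTS = {5554, 9996}    # FTP/shell ports an infected host exposes
MYDOOM_BACKDOOR_PORT = 1042
NYXEM_DOS_TARGET = "www.nymex.com"
NYXEM_DOS_PORTS = {80, 8080}
SCAN_THRESHOLD = 20   # distinct hosts hit on 445 before we call it a scan (assumed)
DOS_THRESHOLD = 50    # connections to the DoS target before we flag (assumed)
# Constructed log format: '<timestamp> <src_ip> -> <dst_host>:<dst_port>'.
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

def parse(lines):
    """Yield (src, dst, dport) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), int(m.group(4))

def classify(lines):
    """Return {host: set of worm names} for hosts matching an indicator."""
    smb_targets = defaultdict(set)   # scanner -> distinct hosts probed on 445
    dos_hits = defaultdict(int)      # source -> connections to the DoS target
    verdict = defaultdict(set)
    for src, dst, dport in parse(lines):
        if dport == SASSER_SCAN_PORT:
            smb_targets[src].add(dst)
        elif dport in SASSER_SERVICE_PORTS:
            verdict[dst].add("Sasser")   # dst is serving the worm's FTP/shell port
        elif dport == MYDOOM_BACKDOOR_PORT:
            verdict[dst].add("MyDoom")   # something is talking to dst's backdoor
        elif dst == NYXEM_DOS_TARGET and dport in NYXEM_DOS_PORTS:
            dos_hits[src] += 1
    for src, targets in smb_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            verdict[src].add("Sasser")
    for src, n in dos_hits.items():
        if n >= DOS_THRESHOLD:
            verdict[src].add("Nyxem")
    return dict(verdict)

# Constructed sample: a 445 scanner, one backdoor contact, one DoS source,
# plus a single ordinary visit to the same site that must not be flagged.
SAMPLE_LOG = (
    [f"2004-05-02T10:00:{i:02d} 192.0.2.17 -> 192.0.2.{100 + i}:445" for i in range(25)]
    + ["2004-05-02T10:01:00 192.0.2.103 -> 192.0.2.17:5554",
       "2004-05-02T10:02:00 198.51.100.9 -> 192.0.2.120:1042"]
    + [f"2006-02-03T09:00:{i:02d} 192.0.2.40 -> www.nymex.com:80" for i in range(60)]
    + ["2006-02-03T09:05:00 192.0.2.41 -> www.nymex.com:80"]
)
```

Hosts flagged "Sasser" or "MyDoom" are the infected machines themselves; a "Nyxem" hit names the source of the DoS traffic, so the same host is the one to clean with the steps in its section.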

How do I clean my machine?

Step 1: Turn off Windows XP System Restore

  • Click Start > Programs > Accessories > Windows Explorer.
  • Right-click My Computer, and then click Properties.
  • Click the System Restore tab.
  • Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
  • Click Apply. A confirmation message appears.
  • As noted in the message, this will delete all existing restore points. Click Yes to do this.
  • Click OK.

OR

Double-click the following VBScript to run it; it performs step 1 automatically: Disablesystemrestore.vbs

Step 2: Download and run the following tool to remove the worm:
FxMydoom.exe

Step 3: Restart the computer. Run the removal tool again to confirm that the system is clean.



NetSky Worm Infection
Identified by Symantec as: W32.Netsky and its variants, such as W32.Netsky.B@mm, W32.Netsky.C@mm, W32.Netsky.D@mm, W32.Netsky.E@mm, W32.Netsky.K@mm, W32.Netsky.P@mm, W32.Netsky.Q@mm, W32.Netsky.S@mm, W32.Netsky.T@mm, W32.Netsky.X@mm, W32.Netsky.Y@mm, W32.Netsky.Z@mm, W32.Netsky.AB@mm

Malware Symptoms:

  • Systems affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
  • Mass-mailing worm with its own SMTP engine; uses e-mail attachments with a .msg, .oft, .sht, .dbx, .tbb, .adb, .doc, .wab, .asp, .uin, .rtf, .vbs, .html, .htm, .pl, .php, .txt, or .eml extension

How do I clean my machine?

Step 1: Turn off Windows XP System Restore

  • Click Start > Programs > Accessories > Windows Explorer.
  • Right-click My Computer, and then click Properties.
  • Click the System Restore tab.
  • Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
  • Click Apply. A confirmation message appears.
  • As noted in the message, this will delete all existing restore points. Click Yes to do this.
  • Click OK.

OR

Double-click the following VBScript to run it; it performs step 1 automatically: Disablesystemrestore.vbs

Step 2: Download and run the following tool to remove the worm:
FxMydoom.exe

Step 3: Restart the computer. Run the removal tool again to confirm that the system is clean.


Best solution to avoid infection
Contact the helpdesk at Ext 810 or 811.

Make sure you have installed the corporate antivirus client (https://10.120.0.4/officescan/console/ClientInstall/WhichPlatform.htm) and keep your antivirus signatures up to date.

Your machine must be updated with the latest patches. You can download patches from http://www.windowsupdate.com

What are Adware and Spyware?

Adware: Programs that deliver advertising content to the user through their own window or by using another program's interface. They are used to gather information about the user's computer, Internet browser usage or other computing habits, and relay it to a remote computer or other location on the Internet.

Adware is downloaded from web sites (typically bundled with shareware or freeware), e-mail messages, and instant messengers. A user may also unknowingly receive or trigger adware by accepting the End User License Agreement of a program linked to the adware, or by visiting a web site that downloads the adware with or without an End User License Agreement.

  • Uninstall adware when the Usearch bar appears
  • Use adware removal tools like

Dialers: Malware programs that use the computer or modem to dial a toll number or Internet site, typically to run up charges. They may dial without the user's specific consent.

Hack Tools: Tools that a hacker or unauthorized user can use to attack, gain unwelcome access to, or identify or fingerprint your computer. Some hack tools also have legitimate uses, but their ability to facilitate unwanted access makes them a risk. Hack tools generally attempt to gain information on, or access to, hosts surreptitiously, using methods that circumvent or bypass the obvious security mechanisms of the system they are installed on. A keystroke logger, a program that tracks and records individual keystrokes and can send them back to the hacker, is one example.

Joke Program: Programs that alter or interrupt the normal behaviour of your computer, creating a general distraction or nuisance. Joke programs generally do not gather or distribute information from the user's computer.

Spyware: Programs that can scan systems or monitor activity and relay information to other computers or locations on the Internet. Information that spyware may actively or passively gather and disseminate includes passwords, log-in details, account numbers, personal information, and individual files or other personal documents. Spyware may also gather and distribute information about the user's computer, the applications running on it, Internet browser usage or other computing habits.

Tips to fight against spam

  • Do not respond to suspicious spam e-mails. A response only confirms that your e-mail address is valid, and may result in even more messages filling up your inbox.
  • If you are suspicious, do not click the link asking to be removed from the sender's list; senders often use that as a ploy to confirm the recipient's address, resulting in even more spam.
  • Never submit your credit card details or other personal information to non-secure web sites (a locked padlock icon, in yellow or in a yellow box, should appear on the bottom bar of the browser showing the order form).
  • Do not post your e-mail address in chat rooms, instant message services, Internet bulletin boards or newsgroups.
  • Report suspicious online promotions, spam or hoaxes by e-mail to postmaster@kfupm.edu.sa
  • Do not forward chain e-mail. This type of e-mail is considered spam: it is unsolicited, intrusive, and may clog up e-mail servers and slow down Internet traffic.
Contact Info

Syed Noaman Ali
IT Manager
Room#287
Tel: +966 13 8683300 ext. 853
syedali@dcc.kfupm.edu.sa

Dammam Community College | Dhahran, 31261 | Saudi Arabia | +966 (3) 868 3300