Analysis of the most common worm & virus infections,
with solutions
The DCC network contains the worm and virus traffic
generated by infected machines through segmentation
into VLANs with additional ACLs. The most common
infections observed on the DCC network (especially
from the student labs) are listed below, together
with the removal tool and procedure for each.
Nymex Worm Infection (also known as Nyxem)
Infection identified by Symantec as: W32.Blackmal
Infection identified by Trend Micro as: VBS_DOSNYM.A
and its variants, such as WORM_BLUEWORM.A
Malware symptoms:
- Continuous DoS attack against http://www.nymex.com
  on TCP ports 80 and 8080
How do I clean my machine?
If you are running Windows Me or Windows XP, first
turn off System Restore temporarily, and turn it back
on only after the machine has been confirmed clean.
Windows Me/XP uses this feature, which is enabled by
default, to restore files on your computer if they
become damaged. If a virus, worm, or Trojan infects
the computer, System Restore may back up the
malicious file along with everything else.
Windows prevents outside programs, including
antivirus programs, from modifying the System Restore
folder, so antivirus tools cannot remove threats
stored there. As a result, System Restore can
reinstate an infected file even after you have
cleaned it from every other location, and a virus
scan may keep reporting a threat in the System
Restore folder even though the threat has already
been removed.
Step 1: Turn off Windows XP System Restore
- Click Start > Programs > Accessories > Windows
  Explorer.
- Right-click My Computer, and then click Properties.
- Click the System Restore tab.
- Check the "Turn off System Restore" (or "Turn off
  System Restore on all drives") check box.
- Click Apply. A warning message appears; as it
  notes, this deletes all existing restore points.
  Click Yes.
- Click OK.
OR
Double-click the following VB Script to carry out
Step 1 automatically:
Disablesystemrestore.vbs
Step 2: Download and run the following tool to
remove the worm:
FxBkmalB.exe
Step 3: Shut down and restart
- Shut down the computer and turn off the power.
- Wait at least 30 seconds, then restart the
  computer.
Sasser Worm Infection
Infection identified by Symantec as: W32.Sasser and
its variants W32.Sasser.Worm, W32.Sasser.B.Worm,
W32.Sasser.C.Worm, W32.Sasser.D, W32.Sasser.E.Worm,
W32.Sasser.G
Malware symptoms:
- Systems affected: Windows 2000, Windows XP,
  Windows NT
- Exploits the LSASS vulnerability described in
  http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
- Ports: TCP 445 (scanned to deliver the LSASS
  exploit), TCP 5554 (FTP server on the infected host
  from which the new victim downloads the worm) and
  TCP 9996 (remote shell opened on the freshly
  exploited host)
- Connects to the IPC$ share, followed by an RPC
  request to the Directory Service over the \lsarpc
  named pipe
- Shows two identical SMB session setups in quick
  succession
- The SMB probe appears to originate from a
  Windows 2000 system
How do I clean my machine?
Step 1: Turn off Windows XP System Restore, following
the same procedure as in the Nymex section above, or
double-click the following VB Script to do it
automatically:
Disablesystemrestore.vbs
Step 2: Patch the machine and remove the worm
- Read the Microsoft Advisory.
- Download and apply the Windows patch MS04-011 (for
  Windows XP).
- Download and run the removal tool FxSasser.exe.
- Note that these steps only protect your machine
  against the Sasser worm. Visit the Windows Update
  site and apply all critical security patches for
  your machine.
Step 3: Restart the computer. Run the removal tool
again to ensure that the system is clean.
MyDoom Worm Infection
Infection identified by Symantec as: W32.Mydoom and
variants such as W32.Mydoom.A@mm, W32.Mydoom.B@mm,
W32.Mydoom.F@mm, W32.Mydoom.G@mm, W32.Mydoom.H@mm,
W32.Mydoom.L@mm, W32.Mydoom.M@mm, W32.Mydoom.Q@mm,
W32.Mydoom.AM@mm, W32.Mydoom.AX@mm, W32.Mydoom.AZ@mm,
W32.Mydoom.BA@mm, Backdoor.Zincite.A, W32.Zindos.A,
Backdoor.Nemog, Backdoor.Nemog.D
Malware symptoms:
- Systems affected: Windows 2000, Windows XP
- Mass-mailing worm with its own SMTP engine; arrives
  as an email attachment with a .bat, .cmd, .com,
  .exe, .pif, .scr, or .zip extension
- Opens a backdoor on TCP port 1042 (the
  Backdoor.Zincite.A component dropped by the .M
  variant; other variants listen on other ports)
How do I clean my machine?
Step 1: Turn off Windows XP System Restore, following
the same procedure as in the Nymex section above, or
double-click the following VB Script to do it
automatically:
Disablesystemrestore.vbs
Step 2: Download and run the following tool to
remove the worm:
FxMydoom.exe
Step 3: Restart the computer. Run the removal tool
again to ensure that the system is clean.
NetSky Worm Infection
Infection identified by Symantec as: W32.Netsky and
variants such as W32.Netsky.B@mm, W32.Netsky.C@mm,
W32.Netsky.D@mm, W32.Netsky.E@mm, W32.Netsky.K@mm,
W32.Netsky.P@mm, W32.Netsky.Q@mm, W32.Netsky.S@mm,
W32.Netsky.T@mm, W32.Netsky.X@mm, W32.Netsky.Y@mm,
W32.Netsky.Z@mm, W32.Netsky.AB@mm
Malware symptoms:
- Systems affected: Windows 2000, Windows 95,
  Windows 98, Windows Me, Windows NT, Windows XP
- Mass-mailing worm with its own SMTP engine; it
  harvests target addresses from files on the
  infected machine with the .msg, .oft, .sht, .dbx,
  .tbb, .adb, .doc, .wab, .asp, .uin, .rtf, .vbs,
  .html, .htm, .pl, .php, .txt, or .eml extension
How do I clean my machine?
Step 1: Turn off Windows XP System Restore, following
the same procedure as in the Nymex section above, or
double-click the following VB Script to do it
automatically:
Disablesystemrestore.vbs
Step 2: Download and run the following tool to
remove the worm:
FxMydoom.exe
Note: the tool linked here is the MyDoom removal
tool. If it does not detect the infection, use
Symantec's dedicated Netsky removal tool
(FxNetsky.exe) instead.
Step 3: Restart the computer. Run the removal tool
again to ensure that the system is clean.
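The network-level symptoms listed for the four worms above (the HTTP flood against www.nymex.com on ports 80/8080, Sasser's TCP 445 scanning with its 5554/9996 listeners, the Mydoom backdoor on TCP 1042, and the mass-mailers' own SMTP engines) can be turned into a simple triage script that runs over firewall or flow logs and lists which lab hosts to pull off the VLAN. The following Python script is an added example and is not part of the original page or of any vendor tool: the one-line-per-flow log format, the 10.120.5.x/10.120.6.x lab addresses, the documentation-range external addresses and the alert thresholds are all assumptions, and the sample records are constructed.

```python
"""Flag lab hosts whose flows match the worm signatures described on this page.

Added example; the log format, addresses and thresholds below are assumptions.
"""
from collections import defaultdict

# Constructed sample flow records (not real DCC logs).
# Fields: src_ip dst_ip proto dst_port [http_host]
SAMPLE_LOG = """\
10.120.5.21 10.120.6.11 tcp 445
10.120.5.21 10.120.6.12 tcp 445
10.120.5.21 10.120.6.13 tcp 445
10.120.5.21 10.120.6.14 tcp 445
10.120.5.21 10.120.6.15 tcp 445
10.120.6.12 10.120.5.21 tcp 5554
10.120.5.33 192.0.2.10 tcp 80 www.nymex.com
10.120.5.33 192.0.2.10 tcp 8080 www.nymex.com
10.120.5.33 192.0.2.10 tcp 80 www.nymex.com
10.120.5.33 192.0.2.10 tcp 80 www.nymex.com
10.120.5.40 198.51.100.1 tcp 25
10.120.5.40 198.51.100.2 tcp 25
10.120.5.40 198.51.100.3 tcp 25
10.120.5.40 198.51.100.4 tcp 25
10.120.5.40 198.51.100.5 tcp 25
10.120.5.41 10.120.5.50 tcp 1042
10.120.5.60 192.0.2.20 tcp 80 www.example.com
10.120.5.60 198.51.100.1 tcp 25
"""

# Ports and hostnames taken from the symptom lists on this page.
SASSER_SCAN_PORT = 445            # LSASS exploit delivered over SMB
SASSER_LISTEN_PORTS = {5554, 9996}  # FTP server / remote shell on the infected side
MYDOOM_BACKDOOR_PORT = 1042       # Backdoor.Zincite.A listener
NYMEX_TARGET = "www.nymex.com"
NYMEX_PORTS = {80, 8080}
SMTP_PORT = 25

# Alert thresholds (assumed values; tune to the size of the lab VLAN).
SCAN_THRESHOLD = 5   # distinct hosts probed on 445 before calling it a scan
DOS_THRESHOLD = 3    # requests to www.nymex.com before calling it the DoS
SMTP_THRESHOLD = 5   # distinct mail servers contacted by one lab host


def parse_flow(line):
    """Parse one 'src dst proto dport [host]' record; return None for bad lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    src, dst, proto, port = parts[:4]
    try:
        port = int(port)
    except ValueError:
        return None
    host = parts[4] if len(parts) > 4 else None
    return {"src": src, "dst": dst, "proto": proto.lower(), "dport": port, "host": host}


def classify(lines):
    """Return {ip: set(labels)} for every host that matches a worm signature."""
    scan_targets = defaultdict(set)  # src -> distinct hosts hit on 445
    nymex_hits = defaultdict(int)    # src -> requests to www.nymex.com
    smtp_targets = defaultdict(set)  # src -> distinct SMTP peers
    flags = defaultdict(set)

    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "tcp":
            continue
        p = f["dport"]
        if p == SASSER_SCAN_PORT:
            scan_targets[f["src"]].add(f["dst"])
        elif p in SASSER_LISTEN_PORTS:
            # A victim pulls the worm from the attacker's 5554, and the attacker
            # drives the victim's 9996 shell: either way the destination is infected.
            flags[f["dst"]].add("sasser-listener")
        elif p == MYDOOM_BACKDOOR_PORT:
            flags[f["dst"]].add("mydoom-backdoor")
        elif p in NYMEX_PORTS and f["host"] == NYMEX_TARGET:
            nymex_hits[f["src"]] += 1
        elif p == SMTP_PORT:
            smtp_targets[f["src"]].add(f["dst"])

    # Volume-based signatures are decided only once all flows have been seen.
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            flags[src].add("sasser-scan")
    for src, n in nymex_hits.items():
        if n >= DOS_THRESHOLD:
            flags[src].add("nymex-dos")
    for src, peers in smtp_targets.items():
        # A normal mail client talks to one relay; many peers means an SMTP engine.
        if len(peers) >= SMTP_THRESHOLD:
            flags[src].add("mass-mailer")
    return dict(flags)


if __name__ == "__main__":
    for ip, labels in sorted(classify(SAMPLE_LOG.splitlines()).items()):
        print(ip, ", ".join(sorted(labels)))
```

On the constructed records the script flags 10.120.5.21 as both Sasser scanner and Sasser listener, 10.120.5.33 for the nymex.com flood, 10.120.5.40 as a mass-mailer, and 10.120.5.50 as a host with the Mydoom backdoor, while 10.120.5.60 (one web session and one mail relay) stays clear. Because the mass-mailer rule keys on the number of distinct SMTP peers rather than on a port alone, it catches Mydoom and Netsky alike without flagging ordinary mail clients; the same per-host aggregation is what an ACL that only blocks outbound port 25 from the lab VLANs cannot give you.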
Best solution to avoid infection
- Contact the helpdesk at Ext. 810 or 811.
- Make sure you have installed the corporate
  antivirus client:
  https://10.120.0.4/officescan/console/ClientInstall/WhichPlatform.htm
- Update your antivirus signatures.
- Keep your machine updated with the latest patches.
  You can download patches from
  http://www.windowsupdate.com
What are Adware & Spyware?
Adware: Programs that deliver advertising content to
the user through their own window, or by using
another program's interface. They are also used to
gather information about the user's computer,
Internet browser usage or other computing habits,
and to relay this information back to a remote
computer or other location.
Adware is downloaded from Web sites (typically
bundled with shareware or freeware), email messages,
and instant messengers. A user may also unknowingly
receive or trigger adware by accepting an End User
License Agreement for a program that bundles the
adware, or by visiting a website that downloads the
adware with or without an End User License
Agreement.
- UninstallAdWareWhenUsearchBar
- Use adware removal tools like:
Dialers: Malware programs that use the computer's
modem to dial a toll number or internet site,
typically to run up charges. They may dial without
the user's specific consent.
Hack Tools: Tools that a hacker or unauthorized user
can use to attack, gain unwelcome access to, or
identify and fingerprint your computer. Although some
hack tools also have legitimate uses, their ability
to facilitate unwanted access makes them a risk. Hack
tools generally attempt to gain information on, or
access to, hosts surreptitiously, using methods that
circumvent or bypass the security mechanisms of the
system they are installed on. A common example is a
keystroke logger: a program that tracks and records
individual keystrokes and can send them back to the
attacker.
Joke Program: Programs that alter or interrupt the
normal behavior of your computer, creating a general
distraction or nuisance. Joke programs generally do
not themselves gather or distribute information from
the user's computer.
Spyware: Programs that can scan systems or monitor
activity and relay information to other computers or
locations. Among the information that spyware may
actively or passively gather and disseminate:
passwords, log-in details, account numbers, personal
information, individual files or other personal
documents. Spyware may also gather and distribute
information about the user's computer, the
applications running on it, Internet browser usage
or other computing habits.
Tips to fight spam
- Do not respond to suspicious spam emails. A
  response only confirms that your email address is
  valid, and may result in even more messages
  filling up your inbox.
- If you are suspicious, do not click the link that
  offers to remove you from the sender's list;
  senders often use that as a ploy to confirm the
  recipient's address, resulting in even more spam.
- Never submit your credit card details or other
  personal information to a non-secure Web site
  (there should be a locked padlock icon, shown in
  yellow or in a yellow box, on the bottom bar of the
  browser displaying the order form).
- Do not post your email address in chat rooms,
  instant messaging services, or Internet bulletin
  boards and newsgroups.
- Report suspicious online promotions, spam or hoaxes
  by email to postmaster@kfupm.edu.sa
- Do not forward chain email. This special type of
  email is considered spam: it is unsolicited and
  intrusive, and may clog up email servers and slow
  down Internet traffic.