Dear Students,
If you think that your system has a virus, please do the following:
The manual way to remove the files is to boot into Safe Mode:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true
Check whether the hard disk has any of the following files from a command prompt: go to Start > Run and type cmd, then type dir /ah in the respective directory to check whether the file exists (the /ah switch lists hidden files, which a plain dir omits):
· C:\autorun.inf
· C:\net.exe
· C:\windows\system32\exloroe.com
· C:\windows\system32\notepod.exe
· C:\windows\system32\rsvp.exe
· C:\windows\system32\dllcadhe\lsoss.exe
· C:\windows\system32\odbcjtr32.dll
If the worm files exist, you will need to clear the file attributes before you can delete them. For example, if you see c:\autorun.inf, type
attrib -s -r -h c:\autorun.inf
and then, to delete the file, type
del c:\autorun.inf
(cmd will not delete a file while the system, hidden or read-only attribute is set, which is why attrib comes first; type the switches with plain hyphens as shown.)
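The check and removal above, as an added example that is not part of the original mailer: the script parses an autorun.inf the way Windows reads it (open=, shellexecute= and shell\verb\command= entries under [autorun]), lists every program the file would launch, and emits the attrib/del command pairs for autorun.inf and each launched file. It generalises the single autorun.inf case above to any drive root, including thumbdrives. The autorun.inf text in the block is constructed for illustration and is not the contents of any worm file named on this page.

```python
"""Parse an autorun.inf, list what Windows would launch from it, and emit the
attrib/del commands used above for each referenced file.  Added example, not
from the mailer; SAMPLE_AUTORUN_INF is constructed and stands in for an
infected drive's autorun.inf."""
import re

# Constructed sample (assumption: a worm's real autorun.inf may use other
# keys, casing or quoting, which is why parsing is done case-insensitively).
SAMPLE_AUTORUN_INF = """[autorun]
; comment line that must be ignored
OPEN=system16.exe
shellexecute = "system16.exe" /install
shell\\open\\Command=system16.exe
shell\\explore\\command=system16.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=My Disk
"""

# Keys under [autorun] whose value is a program Windows may run: open= and
# shellexecute= on AutoRun, shell\<verb>\command= for the context-menu verbs
# (including the default verb that a double-click in My Computer triggers).
_DIRECT_KEYS = {"open", "shellexecute"}
_SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def _first_token(value):
    """Return the program part of a command line, honouring a quoted path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def autorun_launch_targets(text):
    """Programs the [autorun] section would launch, in order, deduplicated
    case-insensitively.  Other sections and comment lines are ignored."""
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in _DIRECT_KEYS or _SHELL_CMD_RE.match(key):
            exe = _first_token(value)
            if exe and exe.lower() not in (t.lower() for t in targets):
                targets.append(exe)
    return targets


def removal_commands(drive, text):
    """cmd.exe commands that clear the system/read-only/hidden attributes and
    delete autorun.inf plus every file it would launch (run them in Safe Mode).
    `drive` is the root to clean, e.g. "C:" or "E:"."""
    files = ["autorun.inf"] + autorun_launch_targets(text)
    cmds = []
    for name in files:
        path = drive.rstrip("\\") + "\\" + name
        cmds.append("attrib -s -r -h " + path)
        cmds.append("del " + path)
    return cmds


if __name__ == "__main__":
    print("would launch:", autorun_launch_targets(SAMPLE_AUTORUN_INF))
    print("\n".join(removal_commands("E:", SAMPLE_AUTORUN_INF)))
```

Run it against the autorun.inf copied off a suspect drive to see what the drive would execute before you double-click it; the command list covers only the drive root, so the system32 copies listed on this page still have to be removed by hand.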
Currently, we have reported this to Symantec and are waiting for their definitions to be updated.
We have received reports that the following virus is infecting PCs, laptops and USB storage devices (e.g. thumbdrives, iPods, portable hard disks, etc.):
Symantec - Trojan.Falupan/Trojan.Astry
http://www.symantec.com/security_response/writeup.jsp?docid=2007-111500-1533-99&tabid=1
F-Secure - IndoVirus.a, Virus.Win32.IndoVirus.a
http://www.f-secure.com/v-descs/virus_w32_indovirus_a.shtml
Symantec AntiVirus Corporate Edition (SAV) with the virus definition file dated 20/11/2007 rev. 2 will be able to detect an infected PC when a virus scan is performed.
However, SAV can only terminate the trojan processes; it is unable to remove the trojan files because they are held open by the operating system.
If the trojan files are not removed, they will execute again at startup, the PC is reinfected, and it will in turn infect any USB storage device that is attached to it.
The manual way to remove the files is to boot into Safe Mode:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true
Delete the trojan files listed below (you must enable viewing of hidden files first):
%UserProfile%\system.exe
%UserProfile%\winlogon.exe
%CurrentFolder%\explorer.exe
%System%\scvhost.exe
%Windir%\astry.exe
%Windir%\Network-IPv6\network.exe
%Windir%\scvhost.exe
C:\Documents and Settings\All Users\Desktop\msvbvm60.dll
%Windir%\msvbvm60.dll
Next, apply the attached registry patch: download the zip file and run the patch.
System16 virus and Auto.exe
How to check whether you have the virus:
- Open the Services snap-in (services.msc)
- Look for a service called windows_rejoice2007_91. If you have this service, you are infected with the SYSTEM16 virus.
- Look for another service whose name is 8 hexadecimal digits, e.g. 3527A07C (the actual service name varies, but is always 8 hex characters). If you have such a service, you are infected with the AUTO virus. Removing the AUTO virus is not covered by this guide, but you can protect against it in step 5g of this mailer.
Removal techniques (print this out for convenience)
1. Preferred - disable System Restore! Right-click My Computer, go to the System Restore tab and disable it for all drives. If you prefer not to disable it, do not restore to any restore point created before the removal date; restore points keep copies of the infected files, so restoring would reverse the removal effort.
2. Download the registry patch from Inspiration first.
Go to http://inspiration.nyp.edu.sg/virus.html, download the file mentioned on that page and extract it to a temporary location on C:, e.g. C:\temp.
The patch will let you view hidden files again; the system16 virus modifies the registry to permanently disable that option.
3. File removal
- Boot into Safe Mode (press F8 during startup)
- UNHIDE and delete the following files
- Unhide command: attrib -s -h -r <filename here>
3a. AUTORUN.INF in the root of ALL drives: the hard disk and every removable drive, such as thumb drives
3b. SYSTEM16.EXE in the root of ALL drives: the hard disk and every removable drive, such as thumb drives
3c. C:\Program Files\SYSTEM16.EXE
3d. C:\Program Files\Common Files\Microsoft Shared\msinfo\_SYSTEM16.EXE
4. Registry removal
- Delete the following service keys from the registry. CurrentControlSet is only a link to one of the ControlSet00N keys and a "Last Known Good" boot switches to another, so the service has to be removed from every copy that exists or it survives the next such boot.
4a. HKLM\System\CurrentControlSet\Services\windows_rejoice2007_91
4b. HKLM\System\ControlSet001\Services\windows_rejoice2007_91
4c. HKLM\System\ControlSet002\Services\windows_rejoice2007_91
4d. HKLM\System\ControlSet003\Services\windows_rejoice2007_91 (4b-4d: whichever of these keys exist on your PC)
- Apply the registry patch that you extracted earlier to C:\temp
5. Prevention of virus
The current method that is confirmed to be working is to add a hash rule for SYSTEM16.EXE to the local or group Software Restriction Policy. Assuming that the virus does not mutate and the computer has been cleaned, the virus should not gain entry again. (A hash rule matches one exact binary; a modified copy with a different MD5 or size is not blocked, which is why that assumption matters.)
For local policy, follow these steps:
5a. Run secpol.msc
5b. Expand Security Settings --> Software Restriction Policies
5c. At the Action menu, choose Create New Policies (if a policy already exists, skip this step)
5d. Under Additional Rules, create a new Hash Rule
5e. Enter the file hash 767baf4600d97ef2a98323ca0380b4df:373248:32771 (the format is MD5 hash : file size in bytes : hash algorithm ID, where 32771 is the ID for MD5)
5f. Security Level: Disallowed
5g. For additional prevention of the AUTO virus, the file hash is 6a19a8475f715cdedf5482276fbfc699:17424:32771
Notes
The registry may be affected in more ways than are known at this time.
Also, the AUTO virus might have 2 strains, so the hash value may differ.
SYSTEM16.exe file information
system16.exe, 373,248 bytes, 9/2/2007 12:44:10 AM
AUTO.exe file information
auto.exe, 17,424 bytes, 10/21/2007 04:36 PM
Also, once the file hash rule is in place, infected thumbdrives may not open with a double-click: Windows shows an error saying it could not execute the file, because the rule has blocked the program that the drive's autorun.inf points to. Just right-click the drive and choose Explore. To clean the thumbdrive, follow steps 3, 3a and 3b.
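The service check and the registry removal step above, as an added example that is not the mailer's own tooling: classify_services applies this page's two indicators (the exact name windows_rejoice2007_91 and an 8-hex-character name) to a list of service names, and control_set_service_paths builds the list of registry paths under CurrentControlSet and every ControlSet00N that must be checked for the service. scan_host runs both against a live Windows registry through the standard winreg module; the service list in the block is constructed, not taken from an infected machine.

```python
"""Indicator check for the services this page associates with the SYSTEM16
and AUTO viruses, plus the ControlSet00N sweep for the service key.  Added
example, not from the mailer; SAMPLE_SERVICES is constructed."""
import re
import sys

SYSTEM16_SERVICE = "windows_rejoice2007_91"
AUTO_SERVICE_RE = re.compile(r"^[0-9A-Fa-f]{8}$")   # e.g. 3527A07C, name varies
CONTROL_SET_RE = re.compile(r"^ControlSet\d{3}$", re.IGNORECASE)

# Constructed stand-in for what the Services snap-in would list.
SAMPLE_SERVICES = ["Dhcp", "Dnscache", "windows_rejoice2007_91", "3527A07C",
                   "RpcSs", "w32time", "DEADBEEF1"]


def classify_services(names):
    """Return (service name, virus) pairs for every indicator match.
    'Dnscache' is 8 characters but not hex, so it does not match."""
    hits = []
    for name in names:
        if name.lower() == SYSTEM16_SERVICE:
            hits.append((name, "SYSTEM16"))
        elif AUTO_SERVICE_RE.match(name):
            hits.append((name, "AUTO"))
    return hits


def control_set_service_paths(service, control_sets):
    """Every registry path the service must be removed from: CurrentControlSet
    (a link to one ControlSet00N) plus each ControlSet00N key present."""
    sets = ["CurrentControlSet"] + list(control_sets)
    return [r"HKLM\SYSTEM\%s\Services\%s" % (cs, service) for cs in sets]


def _subkeys(root, path):
    """Names of the direct subkeys of a registry key (Windows only)."""
    import winreg
    names = []
    with winreg.OpenKey(root, path) as key:
        i = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, i))
            except OSError:          # EnumKey raises when the index runs out
                return names
            i += 1


def scan_host():
    """Windows only.  Returns (indicator hits among the current services,
    registry paths where windows_rejoice2007_91 still exists)."""
    import winreg
    hklm = winreg.HKEY_LOCAL_MACHINE
    hits = classify_services(_subkeys(hklm, r"SYSTEM\CurrentControlSet\Services"))
    control_sets = [n for n in _subkeys(hklm, "SYSTEM") if CONTROL_SET_RE.match(n)]
    leftovers = []
    for path in control_set_service_paths(SYSTEM16_SERVICE, control_sets):
        try:
            winreg.CloseKey(winreg.OpenKey(hklm, path[len("HKLM\\"):]))
            leftovers.append(path)
        except FileNotFoundError:    # key absent in this ControlSet: nothing to do
            pass
    return hits, leftovers


if __name__ == "__main__":
    print(classify_services(SAMPLE_SERVICES))
    if sys.platform == "win32":
        print(scan_host())
```

An 8-hex-character service name is a lead, not proof: open the service's ImagePath before deleting anything, since the pattern says nothing about what the service runs. The leftovers list is the set of keys that still need deleting after the removal step; an empty list means no ControlSet copy of the service remains.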
XOP32 virus
How to check whether you have the virus:
- A hidden RECYCLER folder is created on your thumbdrive
- The thumbdrive's icon in My Computer is changed to a folder icon
- You may not be able to surf the Internet from Windows Explorer
Removal techniques (print this out for convenience)
1. Preferred - disable System Restore! Right-click My Computer, go to the System Restore tab and disable it for all drives. If you prefer not to disable it, do not restore to any restore point created before the removal date; restore points keep copies of the infected files, so restoring would reverse the removal effort.
2. Removal from PC
- Boot into Safe Mode (press F8 during startup)
- Run "regedit" (Registry Editor)
- Navigate to HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
- Use the "Find" function to search for "xop32"
- Delete ALL values that contain "xop32"
- Navigate to HKLM\Software\Microsoft\Active Setup\Installed Components
- Use the "Find" function to search for "xop32"
- Delete ALL subkeys that contain "xop32". Be careful: do NOT delete the "Installed Components" key itself, only the affected subkey under it
- Close the editor
- Open Windows Explorer
- On the menu bar, go to Tools --> Folder Options
- On the View tab, select the radio button "Show hidden files and folders"
- Still in Windows Explorer, navigate to C:\RECYCLER
- You will see many subfolders with long names and Recycle Bin icons
- Delete all of them (your deleted items will be flushed)
- Restart the PC
3. Removal from thumbdrive
- Make sure you have done steps 2 and 4 first, otherwise the virus will reinfect the system
- UNHIDE and delete the following files
- Unhide command: attrib -s -h -r <filename here>
3a. AUTORUN.INF in the root folder
3b. XOP32.exe in the RECYCLER\S-?????? folder
4. Prevention of virus
The current method that is confirmed to be working is to add a hash rule for XOP32 to the local or group Software Restriction Policy. Assuming that the virus does not mutate and the computer has been cleaned, the virus should not gain entry again.
Note: Vista Business may not support file hashes
For local policy, follow these steps:
4a. Run secpol.msc
4b. Expand Security Settings --> Software Restriction Policies
4c. At the Action menu, choose Create New Policies (if a policy already exists, skip this step)
4d. Under Additional Rules, create a new Hash Rule
4e. Enter the file hash f255837b7f9c2c461af9459712d12c16:8704:32771
4f. Security Level: Disallowed
Also, once the file hash rule is in place, infected thumbdrives may not open with a double-click: Windows shows an error saying it could not execute the file, because the rule has blocked the program that the drive's autorun.inf points to. Just right-click the drive and choose Explore. To clean the thumbdrive, follow steps 3, 3a and 3b.
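The hash rules quoted in the prevention steps of all three sections above, as an added example that is not part of the original mailer: the block builds the MD5:size:32771 string that the Software Restriction Policy hash rule dialog expects from a file's bytes, parses a rule back into its parts, and checks a file against a rule, so you can make a rule for a new strain yourself and confirm that a given file is exactly the binary a rule was built from. It also cross-checks the sizes embedded in this page's rules against the file information given for system16.exe and auto.exe. SAMPLE_FILE is constructed bytes, not a malware sample; 32771 (0x8003) is the Windows algorithm ID for MD5.

```python
"""Build, parse and check Software Restriction Policy hash rules of the
form MD5:size:32771.  Added example, not from the mailer; SAMPLE_FILE is
constructed and stands in for a file you want to block."""
import hashlib

CALG_MD5 = 32771   # 0x8003, the hash algorithm ID stored in XP-era SRP hash rules

# The three rules this page quotes: MD5 hash : size in bytes : algorithm ID
PAGE_RULES = {
    "system16.exe": "767baf4600d97ef2a98323ca0380b4df:373248:32771",
    "auto.exe": "6a19a8475f715cdedf5482276fbfc699:17424:32771",
    "xop32.exe": "f255837b7f9c2c461af9459712d12c16:8704:32771",
}

# Constructed stand-in for a binary to block (a fake MZ header plus padding).
SAMPLE_FILE = b"MZ\x90\x00" + b"A" * 60


def srp_hash_rule(data):
    """Return the rule string to paste into the Hash Rule dialog for these bytes."""
    return "%s:%d:%d" % (hashlib.md5(data).hexdigest(), len(data), CALG_MD5)


def parse_rule(rule):
    """Split 'md5:size:algid' into (md5, size, algid); ValueError if malformed."""
    md5, size, alg = rule.split(":")
    md5 = md5.lower()
    if len(md5) != 32:
        raise ValueError("MD5 field must be 32 hex characters")
    int(md5, 16)   # raises ValueError on non-hex characters
    return md5, int(size), int(alg)


def matches_rule(data, rule):
    """True only if the bytes are exactly the binary the rule was built from:
    both the MD5 and the size must agree, so any change to the file evades it."""
    md5, size, alg = parse_rule(rule)
    return alg == CALG_MD5 and len(data) == size and hashlib.md5(data).hexdigest() == md5


def rule_consistent_with_size(rule, size_bytes):
    """Cross-check a rule against the file size listed in the file information."""
    return parse_rule(rule)[1] == size_bytes


if __name__ == "__main__":
    print("rule for SAMPLE_FILE:", srp_hash_rule(SAMPLE_FILE))
    for name, rule in PAGE_RULES.items():
        print(name, parse_rule(rule))
```

The sizes embedded in the page's rules (373248 and 17424) agree with the 373,248 and 17,424 bytes in the file information, which is the quick sanity check to run on any hash rule before deploying it. The matches_rule result for a one-byte-longer copy being False is the limitation the prevention step's "assuming the virus does not mutate" refers to.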
Regards