AVG
Virus Removal Tools - new
A Red Alert has been declared to control the spread of the W32.Sasser worm. This worm exploits the Windows LSASS vulnerability, a buffer overrun that allows remote code execution and lets an attacker gain full control of affected systems.
Download the FxSasser.exe file from: http://securityresponse.symantec.com/avcenter/FxSasser.exe.
Note: Version 1.0.1 (As shown in removal tool dialog title bar) provides support
for both W32.Sasser.B.Worm and W32.Sasser.Worm.
- Save the file to a convenient location, such as your downloads folder or the
Windows desktop, or removable media known to be uninfected.
- To check the authenticity of the digital signature, refer to the "Digital
signature" section later in this writeup.
- Close all the running programs before running the tool.
- If you are on a network or if you have a full-time connection to the
Internet, disconnect the computer from the network and the Internet.
- If you are running Windows Me or XP, then disable System Restore. Refer to
the "System Restore option in Windows Me/XP" section later in this writeup for
further details.
Caution: If you are running Windows Me/XP,
we strongly recommend that you do not skip this step.
- Double-click the FxSasser.exe file to start the removal tool.
- Click Start to begin the process, and then allow the tool to run.
- Restart the computer.
- Run the removal tool again to ensure that the system is clean.
- If you are running Windows Me/XP, then re-enable System Restore.
- Run LiveUpdate to make sure that you are using the most current virus
definitions.
Note: The removal procedure may not be
successful if Windows Me/XP System Restore is not disabled as previously
directed, because Windows prevents outside programs from modifying System
Restore.
When the tool has finished running, you will see a message
indicating whether W32.Sasser infected the computer. In the case of a removal of
the worm, the program displays the following results:
- Total number of scanned files
- Number of deleted files
- Number of repaired files
- Number of terminated viral processes
- Number of fixed registry entries
W32.Novarg.A@mm is a mass-mailing worm that arrives as an attachment with the
file extension .bat, .cmd, .exe, .pif, .scr, or .zip.
It is also known as W32/Mydoom@MM [McAfee], WORM_MIMAIL.R [Trend], Win32.Mydoom.A [Computer Associates], W32/Mydoom-A [Sophos], and I-Worm.Novarg [Kaspersky].
When a computer is infected, the worm will set up a backdoor into the system
by opening TCP ports 3127 through 3198, which can potentially allow an attacker
to connect to the computer and use it as a proxy to gain access to its network
resources.
In addition, the backdoor can download and execute arbitrary
files.
The worm will perform a Denial of Service (DoS) starting on
February 1, 2004. It also has a trigger date to stop spreading on February 12,
2004. These two events will only occur if the worm is run between or after those
dates. While the worm will stop spreading on February 12, 2004, the backdoor
component will continue to function after this date.
Go to the Symantec page linked below to download the removal tool, and scroll down to "Obtaining and running the tool": http://www.symantec.com/avcenter/venc/data/w32.novarg.a@mm.removal.tool.html
Please read the instructions on the page carefully.
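The page says the Novarg/Mydoom backdoor listens on TCP ports 3127 through 3198. A quick way for an administrator to check a Windows machine is to look at the output of `netstat -an` for listeners in that range. The script below is an added example, not part of the original page or of any Symantec tool; the port range comes from the text above, and the netstat-style lines it parses are constructed sample data.

```python
"""Flag sockets in the W32.Novarg/Mydoom backdoor port range (added example).

The port range 3127-3198 is taken from the page; the sample netstat output
below is constructed for demonstration and is not real capture data.
"""
import re

# Ports the page attributes to the Novarg/Mydoom backdoor (3127..3198 inclusive).
MYDOOM_PORTS = range(3127, 3199)

# Matches one "netstat -an" style line: proto, local addr:port, foreign addr, optional state.
_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$",
    re.IGNORECASE,
)


def parse_netstat(text):
    """Return a list of socket dicts for every parseable line of netstat output."""
    sockets = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header lines and blank lines are skipped
        sockets.append({
            "proto": m.group("proto").upper(),
            "laddr": m.group("laddr"),
            "lport": int(m.group("lport")),
            "faddr": m.group("faddr"),
            "state": (m.group("state") or "").upper(),
        })
    return sockets


def find_backdoor_listeners(text, ports=MYDOOM_PORTS):
    """Sorted list of local TCP ports in `ports` that are in LISTENING state."""
    return sorted({
        s["lport"] for s in parse_netstat(text)
        if s["proto"] == "TCP" and s["state"] == "LISTENING" and s["lport"] in ports
    })


def find_backdoor_connections(text, ports=MYDOOM_PORTS):
    """(local port, remote address) pairs for ESTABLISHED connections into `ports`."""
    return [
        (s["lport"], s["faddr"]) for s in parse_netstat(text)
        if s["proto"] == "TCP" and s["state"] == "ESTABLISHED" and s["lport"] in ports
    ]


# Constructed sample in the format of Windows "netstat -an" output.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3128           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3127       10.0.0.9:41022         ESTABLISHED
  TCP    192.168.1.5:1033       203.0.113.4:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    print("Listeners in backdoor range:", find_backdoor_listeners(SAMPLE))
    print("Established connections into that range:", find_backdoor_connections(SAMPLE))
```

A hit in this range is a lead, not proof: port 3128, for example, is also the default port of common HTTP proxy software, so confirm with the removal tool and up-to-date virus definitions before concluding the machine is infected. On a live machine, feed the script the saved output of `netstat -an` instead of `SAMPLE`.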
W32.Bugbear
This multithreaded worm propagates via shared network folders and via email. It uses its own SMTP (Simple Mail Transfer Protocol) engine to send copies of itself. It terminates antivirus processes, acts as a backdoor server application, and sends out cached system passwords, all of which effectively compromise the security of the infected machine.
If your computer has been infected with this worm, a removal tool can be downloaded from the Symantec Security Response site.
There is a jdbgmgr.exe file hoax circulating. Symantec Security Response encourages you to ignore any such messages regarding this hoax; the file is harmless, and the message is intended only to cause unwarranted concern.
Details can be found at : http://securityresponse.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html
W32.Klez.H@mm: This worm infects executables by creating a hidden
copy of the original host file and then overwriting the original file with
itself. The hidden copy is encrypted, but contains no viral data. The name
of the hidden file is the same as the original file, but with a random
extension.
Email: This worm searches the Windows address book, the ICQ database, and local files for email addresses. The worm sends an email message to these addresses with itself as an attachment. The worm contains its own SMTP engine and attempts to guess at available SMTP servers.
The subject line, message bodies, and attachment file names are random. The From address is randomly chosen from email addresses that the worm finds on the infected computer.
Details can be found at : http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html
BADTRANS: This worm/virus is currently spreading at an alarming rate. I have this week personally received over 40 emails containing this virus from ICISP users who are infected!!! Apart from propagating itself by sending infected emails to everyone in the Outlook Express address book, this worm installs a keystroke logger which records anything resembling passwords, bank accounts, credit card details etc.
SIRCAM:
A very nasty Network Literate VIRUS which mails documents from your My
Documents folder to people in your address book. (It attaches itself to
these documents) Additionally, it disables executable files and may
delete some/all files.
Details can be found at: http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html
MAGISTR: Similar
to SIRCAM: http://www.symantec.com/avcenter/venc/data/w32.magistr.24876@mm.html