Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
Effect on the system:When W32.SillyFDC is executed, it may copy itself to the following folder locations:
- %System%
- %Windir%
- %Temp%
- %UserProfile%
- %ProgramFiles%
- %SystemDrive%
- %CommonProgramFiles%
- %CurrentFolder%
Using any of the following file names with a .com or .exe extension:
- CALC
- calc
- mscalc.exe
- startupfolder
- config_
- startupfolder.com
- config_.com
It then scans the compromised computer to create copies of itself in various folders. It will use the existing folder name as its new file name. For example, ABC folder will have a copy of the virus inside the folder as ABC.exe.
The worm may copy itself in drives A: through Z:.
Next, it may add a value to the following registry subkeys so that it runs every time Windows starts.:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows”load”
The worm may attempt to copy itself to removable drives and mapped drives, as well as creating the following file so that the worm runs every time the removable drive is attached to a computer:
[REMOVABLE DRIVE]:Autorun.inf
How to remove??:
1.First disable the system restore temporarily.
To disable the system restore Right click on My computer and select properties. On the System Restore tab, check Turn off System Restore on all drives.And then click apply and ok.
2.Restart the system in safe mode.
To start your pc in safe mode restart your pc and pree F8 while boot up. You will see something like this on your screen.
Select safe mode from the list.
3.Kill the malicious tasks using task manager.
Press Ctlr+Alt+Del and select Process tab. Kill the following tasks if there.
password_viewer.exe
CALC
calc
mscalc.exe
startupfolder
config_startupfolder.com
config_.com.
4.Delete the autorun files:
I will recommend you to scan your system using any good antivirus. But if you don’t have any antivirus installed then follow the steps given below.
Open cmd. Type c:
This will take you to the root of c drive. Now type attrib -s -h -r autorun.inf
and then run edit autorun.inf. This will open the autorun.inf file in dos mode.It will look like
***********************************
[autorun]
open=file.exe
shellOpenCommand=file.exe
shellopenDefault=1
shellExploreCommand=file.exe
shellAutoplaycommand=file.exe
************************************
Now see the path of the file which is executed using this file. Now navigate to the desired file using dos.
Now type attrib -s -h -r filename.exe
Delete filename.exe
Note: Chnage the filename.exe with the file name which was there in autorun.inf file.
5.Delete temporary files, temporary internet files and clear recycle bin.:
To do this go to Start > All Programs > Accessories >System Tools, click Disc Cleanup.
Check the following: Downloaded Program Files, Temporary Internet Files, Offline Webpage, Recycle Bin and Temporary Files.
6.View hidden system files and folders:
To do this go to Tools->Folder Options->View
Select Show hidden files and Folders and uncheck “Hide Protectted System Files”
Click apply and ok.
7.Now search for the remaining virus files:
e.g
- CALC
- calc (DO NOT DELETE THE ONE WHICH IS IN WINDOWS/SYSTEM32)
- mscalc.exe
- startupfolder
- config_
- startupfolder.com
- config_.com
- password_viewer.exe
and delete them.
8.Repair registry:
Go to Registry Editor and navigate to following keys.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows”load”
and in the right side pan select and delete the values associated with the virus.
Install or update your antivirus as soon as possible.
and
ENJOY
Source of information: http://www.symantec.com/security_response/writeup.jsp?docid=2006-071111-0646-99&tabid=3 http://www.symantec.com/security_response/writeup.jsp?docid=2006-071111-0646-99&tabid=2
No comments:
Post a Comment