Wilders Security Forums  

December 14th, 2002, 10:46 PM
Technodrome (Global Moderator)

WORM_ACEBOT.04

Virus type: Worm

Destructive: Yes

Aliases: Win32/Acebot.B.Worm, Win32.Acebot.04 trojan, W32/AceBot.worm, W32.HLLW.Acebo, Worm.ACEBOT.A, Troj/Bdoor-ABN, Win32/Newbiero.0_4

Pattern file needed: 411

Scan engine needed: 5.200

Description:

This memory-resident malware exhibits characteristics of both a network worm and a backdoor program. As a worm, it propagates through drives connected to a local network. As a backdoor server program, it allows a remote user to perform any of the following on the infected system:

launch a Distributed Denial Of Service (DDOS) attack via UDP (User Datagram Protocol) and IGMP (Internet Group Management Protocol)
download and run files
reboot, log off, shut down the machine
update the server program
kill the server program
get system information (ISP, username, password, phone, Windows Path)
get version number of certain applications
share drive C
log its activities and send a message via IRC

Aside from these backdoor capabilities, it also shuts down certain personal firewall applications and steals passwords from the infected system. It sends all the data it retrieves from the infected system to a remote malicious user via Internet Relay Chat (IRC), leaving the system adversely compromised.

Solution:

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_ACEBOT.04. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier as WORM_ACEBOT.04.

Open Windows Task Manager.
On Windows 9x systems, press CTRL+ALT+DELETE. On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Microsoft Diagnostic=%System%\[random filename].exe
Where %System% is the Windows system folder, which is usually C:\Windows\System, C:\WinNT\System32 or C:\Windows\System32.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Deleting the Malware Dropped Files

This procedure deletes the malware dropped files during its installation.

Open Windows Explorer. Click Start>Run. Type Explorer, then press Enter.
In the left-hand panel, double-click C:\.
Locate and delete this file in the right-hand panel:
LOGGING.INI
In the left-hand panel again, locate and delete the folder C:\LOGS which contains any of the following files:
FETCHREPORT.LOG
CHECK.LOG
JOIN.LOG
MISC.LOG
SCAN.LOG
RECIVED.LOG
IPREPORT.LOG
IPS.LOG
SERVMSG.LOG
In the left-hand panel, double-click C:\WINDOWS\Start Menu\Programs\StartUp
Locate and delete the following file(s):
FFEN.EXE
TSSG.EXE
MSSG.EXE
Close Windows Explorer.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_ACEBOT.04. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

source: http://www.trendmicro.com
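A read-only PowerShell check for the artifacts this write-up lists, added here as an illustration; it is not from the Trend Micro description or the post above. It takes the registry value name, file names and folders from the write-up, and on its own adds a check of the current user's Startup folder on newer Windows; the function name and the drive parameter are this example's assumptions.

```powershell
# Added example, not part of the Trend Micro write-up or the forum post: a read-only triage
# check for the WORM_ACEBOT.04 artifacts the removal steps above name. Registry value name,
# file names and folders come from the write-up; the function name, the $Drive parameter and
# the extra check of the current user's Startup folder are this example's own assumptions.
function Find-AcebotArtifacts {
    param([string]$Drive = 'C:')
    $findings = @()
    $hit = { param($Type, $Item, $Detail) [pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail } }

    # Autostart entry: HKLM\...\Run value "Microsoft Diagnostic" = %System%\<random name>.exe
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $entry = Get-ItemProperty -Path $runKey -Name 'Microsoft Diagnostic' -ErrorAction SilentlyContinue
    if ($entry) {
        $target = ($entry.'Microsoft Diagnostic' -replace '"', '').Trim()
        $findings += & $hit 'Registry' "$runKey\Microsoft Diagnostic" $target
        # If that executable is still running, report it so it can be ended before deletion.
        $exe = [IO.Path]::GetFileNameWithoutExtension($target)
        if ($exe) {
            foreach ($p in Get-Process -Name $exe -ErrorAction SilentlyContinue) {
                $findings += & $hit 'Process' $p.ProcessName "PID $($p.Id)"
            }
        }
    }

    # Dropped files: <drive>\LOGGING.INI and the <drive>\LOGS folder with the listed log files
    if (Test-Path "$Drive\LOGGING.INI") { $findings += & $hit 'File' "$Drive\LOGGING.INI" 'present' }
    $logs = 'FETCHREPORT.LOG', 'CHECK.LOG', 'JOIN.LOG', 'MISC.LOG', 'SCAN.LOG', 'RECIVED.LOG',
            'IPREPORT.LOG', 'IPS.LOG', 'SERVMSG.LOG'
    foreach ($l in $logs) {
        if (Test-Path "$Drive\LOGS\$l") { $findings += & $hit 'File' "$Drive\LOGS\$l" 'present' }
    }

    # Startup folder copies: FFEN.EXE, TSSG.EXE, MSSG.EXE (Win9x path from the write-up, plus
    # the current user's Startup folder on newer Windows)
    $startupDirs = @("$Drive\WINDOWS\Start Menu\Programs\StartUp", [Environment]::GetFolderPath('Startup')) | Where-Object { $_ }
    foreach ($d in $startupDirs) {
        foreach ($f in 'FFEN.EXE', 'TSSG.EXE', 'MSSG.EXE') {
            $path = Join-Path $d $f
            if (Test-Path $path) { $findings += & $hit 'File' $path 'present' }
        }
    }
    return $findings
}

# Report only: removal stays with the manual steps above or an AV scan, once any process is ended.
Find-AcebotArtifacts | Format-Table -AutoSize
```

An empty table means none of the listed artifacts were found; a Process row means the autostart target is still loaded and should be ended first, as the write-up's order of steps requires.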