Virus type: Worm
Aliases: Win32/Acebot.B.Worm, Win32.Acebot.04 trojan, W32/AceBot.worm, W32.HLLW.Acebo, Worm.ACEBOT.A, Troj/Bdoor-ABN, Win32/Newbiero.0_4
Pattern file needed: 411
Scan engine needed: 5.200
This memory-resident malware exhibits characteristics of both a network worm and a backdoor program. As a worm, it propagates through drives connected to a local network. As a backdoor server program, it allows a remote user to perform any of the following on the infected system:
launch a Distributed Denial of Service (DDoS) attack via UDP (User Datagram Protocol) and IGMP (Internet Group Management Protocol)
download and run files
reboot, log off, shut down the machine
update the server program
kill the server program
get system information (ISP, username, password, phone, Windows Path)
get version number of certain applications
share drive C
log its activities and send a message via IRC
Aside from these backdoor capabilities, it also shuts down certain personal firewall applications and steals passwords from the infected system. It sends all the data it retrieves from the infected system to a remote malicious user via Internet Relay Chat (IRC), leaving the system compromised.
Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware program.
Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_ACEBOT.04. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier as WORM_ACEBOT.04.
Open Windows Task Manager.
On Windows 9x systems, press CTRL+ALT+DELETE. On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
In the right panel, locate and delete the entry:
Microsoft Diagnostic=%System%\[random filename].exe
*Where %System% is the Windows system folder, usually C:\Windows\System, C:\WinNT\System32, or C:\Windows\System32.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Deleting the Malware Dropped Files
This procedure deletes the files the malware dropped during its installation.
Open Windows Explorer. Click Start>Run. Type Explorer, then press Enter.
In the left-hand panel, double-click C:\.
Locate and delete this file in the right-hand panel:
In the left-hand panel again, locate and delete the folder C:\LOGS which contains any of the following files:
In the left-hand panel, double-click C:\WINDOWS\Start Menu\Programs\StartUp
Locate and delete the following file(s):
Close Windows Explorer.
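The three manual procedures above (ending the process, checking the autostart value, finding the dropped files) can be triaged in one pass before anything is deleted. The following PowerShell script is an added example, not part of the Trend Micro advisory; it only reports findings. The advisory does not name the registry key that holds the Microsoft Diagnostic value, so the script assumes the standard Run keys under HKLM and HKCU.

```powershell
# Added triage script (not from the advisory): reports WORM_ACEBOT.04 artifacts
# described in the removal procedure without deleting anything.
# Assumption: the autostart value lives under the standard Run keys (the
# advisory does not name the key); adjust $runKeys if your analysis differs.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$systemDir = [Environment]::SystemDirectory      # resolves %System%
$findings  = @()

# 1. Autostart value "Microsoft Diagnostic" pointing at an .exe in %System%
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $value = $props.PSObject.Properties['Microsoft Diagnostic']
    if ($value) {
        $exe = [Environment]::ExpandEnvironmentVariables($value.Value).Trim('"')
        $inSystem = $exe.StartsWith($systemDir, 'OrdinalIgnoreCase') -and
                    $exe.EndsWith('.exe', 'OrdinalIgnoreCase')
        $findings += [pscustomobject]@{ Indicator='Run value'; Location="$key\Microsoft Diagnostic"; Detail=$exe; Suspicious=$inSystem }

        # 2. Is that image running right now? (the process to end in Task Manager)
        Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $exe) } | ForEach-Object {
            $findings += [pscustomobject]@{ Indicator='Process'; Location="PID $($_.Id)"; Detail=$_.Path; Suspicious=$true }
        }
    }
}

# 3. The C:\LOGS folder the worm writes its activity logs into
if (Test-Path 'C:\LOGS') {
    $names = (Get-ChildItem 'C:\LOGS' -File | Select-Object -ExpandProperty Name) -join ', '
    $findings += [pscustomobject]@{ Indicator='Folder'; Location='C:\LOGS'; Detail=$names; Suspicious=$true }
}

# 4. Executables in the per-user and all-users Startup folders
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem $dir -File -Filter *.exe | ForEach-Object {
        $findings += [pscustomobject]@{ Indicator='Startup file'; Location=$dir; Detail=$_.Name; Suspicious=$true }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No WORM_ACEBOT.04 artifacts found.' }
```

Run it from an elevated prompt so process image paths and the HKLM key are readable; a Startup-folder .exe is flagged for review rather than confirmed malicious, since legitimate programs also live there.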
Additional Windows ME/XP Cleaning Instructions
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_ACEBOT.04. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.