Spybot worm

Discussion in 'malware problems & news' started by stuartie, Aug 14, 2003.

Thread Status:
Not open for further replies.
  1. stuartie

    stuartie Registered Member

    Jun 1, 2003
    I have the Spybot worm infecting a file called wuaumqr.exe.

    "Access denied" when I try to delete this file.
    When I try to open the regedit editor it just closes instantly.

    Task Manager also closes instantly when I try to open it.

    I had the Blaster worm yesterday but got rid of that with the Norton worm tool.

    Help please.
  2. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Hi stuartie,
    Are you able to rename the thing to wuaumqr.tmp so it can't run anymore?
    In the file properties you'll see it tries to tell us it's a legal Microsoft file with version number and all, but it is not! It is a nasty Spybot, 27kb probably.
    Then you might be able to delete it.
    If you can't rename it as it's in use, you might do so after reboot in safe mode or under MSDOS.
    If you can delete it from there, the better.
    After, please scan your system deep! Online, or with TDS, as you had the other nasty the other day, you said.
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Feb 10, 2002
    Perth, Western Australia
    TDS should detect this one; you need to kill the running process for it to be deleted. Can you send a copy to submit@diamondcs.com.au anyway?

    Process List (CTRL O in TDS): right click the running trojan, choose kill process and delete file.
  4. Andrew B.

    Andrew B. Registered Member

    Jul 17, 2003
    You could reboot in safe mode. Search for the file. Delete all copies, or move it into a zip for safe keeping and testing later. If you feel comfortable running regedit, find and remove it from its RUN spot. Or use a third-party startup manager to remove it. But just deleting it (or zipping it) will disable it anyway.

    Next, this probably made a bunch of copies of itself as bait files into a folder called "kazaabackupfiles" under one of the system folders. Search for this folder by name and delete it and its contents (or move to zip for testing later).

    After you restart your computer in regular mode, check to see if it is still running (just in case). Check your Network Neighborhood to see if you can reach anything on your computer from there. If you can, and you are not on a network, you have become shared and you need to turn off the shares for what you see.
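A read-only triage script covering the indicators the posters above describe (the wuaumqr.exe file with spoofed version info, its Run-key entry, the kazaabackupfiles bait folder, and unexpected shares). This is an added example, not code from any poster or from TDS; it assumes a modern PowerShell with Get-CimInstance and Get-FileHash available, and it only reports, so the actual removal still follows the steps in the thread.

```powershell
# Added example: read-only triage for the indicators discussed in this thread.
# Nothing here kills or deletes anything; review the report, then remediate
# per the thread (safe mode, rename/delete the file, remove the startup entry).
$fileName   = 'wuaumqr.exe'        # worm file named in the thread
$baitFolder = 'kazaabackupfiles'   # bait-file folder named in the thread
$roots      = @($env:SystemRoot, "$env:SystemRoot\System32")

# 1. Copies of the file under the system folders (-Force also lists hidden/system files).
$hits = foreach ($r in $roots) {
    Get-ChildItem -Path $r -Filter $fileName -Force -ErrorAction SilentlyContinue
}
foreach ($f in $hits) {
    # A Microsoft-looking CompanyName on a ~27 KB file is the spoofed version
    # info Jooske describes; size and hash go into the report for later checking.
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    "FILE  {0}  {1} bytes  company='{2}'  sha256={3}" -f `
        $f.FullName, $f.Length, $f.VersionInfo.CompanyName, $hash
}

# 2. Startup entries (the "RUN spot" Andrew mentions) that reference the file.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match [regex]::Escape($fileName)) {
            "RUN   {0}\{1} = {2}" -f $k, $p.Name, $p.Value
        }
    }
}

# 3. Bait folders anywhere on the system drive.
Get-ChildItem -Path "$env:SystemDrive\" -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $baitFolder } |
    ForEach-Object {
        $n = (Get-ChildItem -Path $_.FullName -Force -ErrorAction SilentlyContinue).Count
        "BAIT  {0}  ({1} files)" -f $_.FullName, $n
    }

# 4. Shares: anything beyond the default administrative shares (C$, ADMIN$, IPC$)
#    is suspicious on a machine that was never meant to be shared.
Get-CimInstance -ClassName Win32_Share |
    Where-Object { $_.Name -notmatch '^[A-Z]\$$' -and $_.Name -notin @('ADMIN$', 'IPC$') } |
    ForEach-Object { "SHARE {0} -> {1}" -f $_.Name, $_.Path }
```

Because the worm closes regedit and Task Manager, run this from safe mode or after the process has been killed, as the thread advises, so the report is not itself interfered with.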