WORM_ACEBOT.04

Discussion in 'malware problems & news' started by Technodrome, Dec 14, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Virus type: Worm

    Destructive: Yes

    Aliases: Win32/Acebot.B.Worm, Win32.Acebot.04 trojan, W32/AceBot.worm, W32.HLLW.Acebo, Worm.ACEBOT.A, Troj/Bdoor-ABN, Win32/Newbiero.0_4

    Pattern file needed: 411

    Scan engine needed: 5.200

    Description:

    This memory-resident malware exhibits characteristics of both a network worm and a backdoor program. As a worm, it propagates through drives connected to a local network. As a backdoor server program, it allows a remote user to perform any of the following on the infected system:

    launch a Distributed Denial of Service (DDoS) attack via UDP (User Datagram Protocol) and IGMP (Internet Group Management Protocol)
    download and run files
    reboot, log off, shut down the machine
    update the server program
    kill the server program
    get system information (ISP, username, password, phone, Windows Path)
    get version number of certain applications
    share drive C
    log its activities and send a message via IRC

    Aside from these backdoor capabilities, it also shuts down certain personal firewall applications and steals passwords from the infected system. It sends all the data it retrieves from the infected system to a remote malicious user via Internet Relay Chat (IRC), leaving the system adversely compromised.

    Solution:

    Identifying the Malware Program

    Before proceeding to remove this malware, first identify the malware program.

    Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_ACEBOT.04. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

    Terminating the Malware Program

    This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier as WORM_ACEBOT.04.

    Open Windows Task Manager. On Windows 9x systems, press CTRL+ALT+DELETE. On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
    In the list of running programs, locate the malware file or files detected earlier.
    Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    Do the same for all detected malware files in the list of running processes.
    To check if the malware process has been terminated, close Task Manager, and then open it again.
    Close Task Manager.

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing during startup.

    Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    Microsoft Diagnostic=%System%\[random filename].exe
    Where %System% is the Windows system folder, which is usually C:\Windows\System, C:\WinNT\System32 or C:\Windows\System32.
    Close Registry Editor.
    NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

    Deleting the Malware-Dropped Files

    This procedure deletes the files the malware dropped during its installation.

    Open Windows Explorer. Click Start>Run. Type Explorer, then press Enter.
    In the left-hand panel, double-click C:\.
    Locate and delete this file in the right-hand panel:
    LOGGING.INI
    In the left-hand panel again, locate and delete the folder C:\LOGS which contains any of the following files:
    FETCHREPORT.LOG
    CHECK.LOG
    JOIN.LOG
    MISC.LOG
    SCAN.LOG
    RECIVED.LOG
    IPREPORT.LOG
    IPS.LOG
    SERVMSG.LOG
    In the left-hand panel, double-click C:\WINDOWS\Start Menu\Programs\StartUp
    Locate and delete the following file(s):
    FFEN.EXE
    TSSG.EXE
    MSSG.EXE
    Close Windows Explorer.

    Additional Windows ME/XP Cleaning Instructions

    Running Trend Micro Antivirus

    Scan your system with Trend Micro antivirus and delete all files detected as WORM_ACEBOT.04. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

    source: http://www.trendmicro.com

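The removal procedure in the post above boils down to three host checks: the `Microsoft Diagnostic` autostart value under the HKLM Run key, the dropped `C:\LOGGING.INI` and `C:\LOGS\*.LOG` files, and the `FFEN.EXE`/`TSSG.EXE`/`MSSG.EXE` files in the startup folder. The script below is an added example that sweeps a host for exactly those indicators and reports them without deleting anything; it is not part of the original post or of Trend Micro's tools. The value name, file names and folders are taken from the advisory text; the function names and the `SAMPLE_*` data (a constructed picture of an infected host) are assumptions made for illustration. Because the autostart target has a random file name, the Run check matches on the value name and records whether the target is an .exe in one of the system folders the advisory lists.

```python
"""Host sweep for the WORM_ACEBOT.04 indicators quoted in the post above.

Added example, not part of the original post or of Trend Micro's tooling.
Indicator names come from the advisory; function names and SAMPLE_* data
are constructed for illustration. The script reports and deletes nothing.
"""
import os
import sys

# Autostart entry from the advisory: Microsoft Diagnostic=%System%\[random].exe
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Microsoft Diagnostic"
SYSTEM_DIRS = (r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32")

# Dropped files from the advisory. The startup folder is the Windows 9x path the
# advisory quotes; on NT-family hosts the startup folder sits under each profile.
LOG_DIR = r"C:\LOGS"
LOG_FILES = ("FETCHREPORT.LOG", "CHECK.LOG", "JOIN.LOG", "MISC.LOG", "SCAN.LOG",
             "RECIVED.LOG", "IPREPORT.LOG", "IPS.LOG", "SERVMSG.LOG")
STARTUP_DIR = r"C:\WINDOWS\Start Menu\Programs\StartUp"
STARTUP_FILES = ("FFEN.EXE", "TSSG.EXE", "MSSG.EXE")
INDICATOR_FILES = ([r"C:\LOGGING.INI"]
                   + [LOG_DIR + "\\" + f for f in LOG_FILES]
                   + [STARTUP_DIR + "\\" + f for f in STARTUP_FILES])


def check_run_entries(run_values):
    """run_values maps value name -> data for the HKLM Run key.

    Every value named 'Microsoft Diagnostic' is reported. in_system_dir says
    whether its data is an .exe inside a Windows system folder, as the advisory
    describes; the file name itself is random and cannot be matched by name.
    """
    hits = []
    for name, data in run_values.items():
        if name.strip().lower() != RUN_VALUE_NAME.lower():
            continue
        path = str(data).strip().strip('"').lower()
        folder, _, leaf = path.rpartition("\\")
        hits.append({"name": name, "data": data,
                     "in_system_dir": folder in SYSTEM_DIRS and leaf.endswith(".exe")})
    return hits


def check_files(existing_paths):
    """Return the advisory's indicator paths that are present on the host.

    Comparison is case-insensitive because Windows file names are.
    """
    present = {p.lower() for p in existing_paths}
    return sorted(p for p in INDICATOR_FILES if p.lower() in present)


def sweep(run_values, existing_paths):
    """Combine both checks into one report dict."""
    return {"run_entries": check_run_entries(run_values),
            "files": check_files(existing_paths)}


def collect_live():
    """Read the real Run key and probe the indicator paths (Windows only)."""
    import winreg  # only importable on Windows
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once no values remain
                break
            run_values[name] = data
            index += 1
    return run_values, [p for p in INDICATOR_FILES if os.path.exists(p)]


# Constructed sample standing in for a host infected as the advisory describes.
SAMPLE_RUN_VALUES = {
    "Microsoft Diagnostic": r"C:\WINDOWS\SYSTEM\kqzxw.exe",  # random name, made up
    "SystemTray": "SysTray.Exe",                              # benign entry
}
SAMPLE_EXISTING = [
    r"C:\LOGGING.INI",
    r"C:\LOGS\JOIN.LOG",
    r"c:\logs\recived.log",  # mixed case on purpose
    r"C:\WINDOWS\Start Menu\Programs\StartUp\FFEN.EXE",
    r"C:\WINDOWS\WIN.INI",   # unrelated file, must not be reported
]

if __name__ == "__main__":
    if sys.platform == "win32" and "--demo" not in sys.argv:
        report = sweep(*collect_live())
    else:
        report = sweep(SAMPLE_RUN_VALUES, SAMPLE_EXISTING)
    for hit in report["run_entries"]:
        where = "system folder" if hit["in_system_dir"] else "other location"
        print("Run entry: %s=%s (%s)" % (hit["name"], hit["data"], where))
    for path in report["files"]:
        print("Dropped file present:", path)
    if not report["run_entries"] and not report["files"]:
        print("No WORM_ACEBOT.04 indicators found.")
```

Run it with no arguments on a Windows host to sweep the live registry and file system, or with `--demo` (or on any other platform) to see the report for the constructed sample. The findings map one-to-one onto the manual steps in the post: a reported Run entry is the value to delete in Registry Editor, and each reported file is one to remove in Explorer after the process has been terminated.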