Virus mytob in network

Discussion in 'NOD32 version 2 Forum' started by yod, Apr 14, 2005.

Thread Status:
Not open for further replies.
  1. yod

    yod Guest

    I have the virus Mytob.Y running on my PC. I used NOD32 to clean it, but it can't clean it, and now I have more packets to receive. Can you show me the steps to clean the virus?
     
  2. Happy Bytes

    Happy Bytes Guest

    Manual cleaning process, written up by Happy Bytes :D

    Ok... first thing - how many machines are connected to the network?
    Mytob spreads by exploiting the LSASS buffer overflow vulnerability and the DCOM RPC vulnerability.

    That said: as long as other Mytobs are running on other machines in the same network environment, you might get infected again and again...

    You have to disconnect all the infected machines first before you try to clean the network - assuming that you might have unpatched systems.

    Boot into SAFE MODE - after that, locate a file called "rnathchk.exe" in the System32 folder - delete it!

    Then delete the following files from the root directory:

    “pic.scr”
    “see_this!.pif”
    “my_picture.scr”


    Open the registry editor and delete the following keys:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    “RealPlayer Ath Check” = “rnathchk.exe”

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    “RealPlayer Ath Check” = “rnathchk.exe”

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    “RealPlayer Ath Check” = “rnathchk.exe”

    HKLM\Software\Microsoft\OLE
    “RealPlayer Ath Check” = “rnathchk.exe”

    HKCU\Software\Microsoft\OLE
    “RealPlayer Ath Check” = “rnathchk.exe”

    HKLM\System\CurrentControlSet\Control\Lsa
    “RealPlayer Ath Check” = “rnathchk.exe”

    HKCU\System\CurrentControlSet\Control\Lsa
    “RealPlayer Ath Check” = “rnathchk.exe”

    Note: If the worm is running, it watches continuously for the presence of these registry keys and recreates them if they are no longer present.


    KEEP THE MACHINE DISCONNECTED FROM THE NETWORK UNTIL ALL CLIENTS ARE CLEAN! OTHERWISE THEY MIGHT GET INFECTED AGAIN!

    BTW... how could this happen?! NOD32 does detect Mytob.Y - all possible variants of this worm have also been detected via generic detection so far - so I assume NOD32 was not installed during the infection process.

    8^) HB.
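The manual steps in the post above, collected into one script. This is an added example, not code from the original thread or from ESET: it takes the file names, registry keys and value name exactly as Happy Bytes lists them, and assumes you run it from an elevated PowerShell prompt in Safe Mode with the network cable unplugged, and that the "root directory" is the root of the system drive. It kills the process before touching the registry, because the post notes that a running worm recreates the values as soon as they are deleted, and it re-checks afterwards so you can tell whether the worm was really stopped.

```powershell
# Added example (not from the original post): remove the Mytob.Y artifacts listed above.
# Assumptions: run elevated, in Safe Mode, network disconnected; root directory = %SystemDrive%\.
$ErrorActionPreference = 'Continue'

$sys32     = Join-Path $env:SystemRoot 'System32'
$dropper   = Join-Path $sys32 'rnathchk.exe'          # the worm binary named in the post
$valueName = 'RealPlayer Ath Check'                   # the Run/RunServices/OLE/Lsa value name

# The registry locations from the post, under both HKLM and HKCU.
$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\Microsoft\OLE',
    'System\CurrentControlSet\Control\Lsa'
)
$keys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($k in $subKeys) { "$hive\$k" }
}

# The copies dropped in the root directory (drive assumed: the system drive).
$rootFiles = 'pic.scr', 'see_this!.pif', 'my_picture.scr' |
    ForEach-Object { Join-Path $env:SystemDrive $_ }

# 1. Stop the worm first. While it runs it re-creates the values you delete below.
Get-Process -Name 'rnathchk' -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. Delete the binaries.
foreach ($f in @($dropper) + $rootFiles) {
    if (Test-Path -LiteralPath $f) {
        Remove-Item -LiteralPath $f -Force
        Write-Host "removed $f"
    }
}

# 3. Delete the persistence values from every listed key.
foreach ($k in $keys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $v = Get-ItemProperty -LiteralPath $k -Name $valueName -ErrorAction SilentlyContinue
    if ($v) {
        Remove-ItemProperty -LiteralPath $k -Name $valueName
        Write-Host "removed '$valueName' from $k"
    }
}

# 4. Wait and re-check. If anything is back, the process survived step 1
#    (or the machine is still on the LAN and has been reinfected).
Start-Sleep -Seconds 10
$leftover = @()
foreach ($k in $keys) {
    if ((Test-Path -LiteralPath $k) -and
        (Get-ItemProperty -LiteralPath $k -Name $valueName -ErrorAction SilentlyContinue)) {
        $leftover += $k
    }
}
if (Test-Path -LiteralPath $dropper) { $leftover += $dropper }

if ($leftover) {
    Write-Warning ("still present: " + ($leftover -join ', ') + " - worm is still running or the host was reinfected")
} else {
    Write-Host 'clean - keep this machine off the network until every other client is done'
}
```

Run it on each infected machine one at a time, offline, and only reconnect once the re-check reports clean everywhere; the script removes the worm but does not patch the LSASS or DCOM RPC holes it came in through, so an unpatched host put back on a LAN with one remaining infected machine will simply be hit again.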
     