Thread: strange virus
05-25-2003, 04:47 PM
SABAI
Confirmed User
 
Join Date: Jan 2001
Location: footmaniac.com
Posts: 2,880
If W32.Wotron.Worm is executed, it does the following:

It copies itself as %System%\Wininet.exe.

If the password-stealing component was enabled, it creates the following files:

\%System%\Sysd.dll
\%System%\Exelib.dll

Also, if the password-stealing component was enabled, the worm sends passwords that it finds on the infected computer to the worm's creator. The file that contains the stolen passwords is Exelib.dll.

In the registry key

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

it changes the (Default) value to

%System%\wininet.exe"%1" %*

This causes the worm to run when you attempt to run an .exe file.

The worm can also be configured to stop personal firewall and antivirus programs, and to display a message the first time that it is run.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
To remove this worm:

1. Update the virus definitions, run a full system scan, and delete all files that are detected as W32.Wotron.Worm.
2. If the worm has run, restore the value in the registry key

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

to

"%1" %*

For details on how to do this, read the following instructions.

To scan with Norton AntiVirus and delete the infected files:

NOTE: If the worm has already run, you may have to do this last. If programs such as Norton AntiVirus no longer start, first follow the instructions in the section "How to restore the default value of the registry key HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command," which follows this section.

1. Obtain the most recent virus definitions. There are two ways to do this:
Run LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.

Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files.
NAV Consumer products: Read the document How to configure Norton AntiVirus to scan all files.
NAV Enterprise products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Wotron.Worm.

How to restore the default value of the registry key HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
The worm modifies the registry so that an infected file is executed every time that you run an .exe file. Follow these instructions to fix this.

Copy Regedit.exe to Regedit.com:
Because the worm modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with the .com extension and then run that file.

1. Do one of the following, depending on which version of Windows you are running:
Windows 95/98: Click Start, point to Programs, and click MS-DOS Prompt.
Windows Me: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
Windows NT/2000/XP:
a. Click Start, and click Run.
b. Type the following, and then press Enter:

command

A DOS window opens.
c. Type the following, and then press Enter:

cd \winnt

d. Go on to the next step.

2. Type the following, and then press Enter:

copy regedit.exe regedit.com

3. Type the following, and then press Enter:

start regedit.com

4. Proceed to the section "To undo the changes that the worm made to the registry" only after you have accomplished the previous steps.

NOTE: The Registry Editor will open in front of the DOS window. After you finish editing the registry and have exited Registry Editor, close the DOS window.

To undo the changes that the worm made to the registry:

CAUTION: Symantec strongly recommends that you back up the system registry before you make any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed; consult a qualified computer technician for more information.

1. Navigate to and select the following key:

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

CAUTION: This key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure you browse all the way along this path until you reach the \command subkey.
Do not modify the HKEY_LOCAL_MACHINE\Software\CLASSES\.exe key.
Do modify the HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command subkey that is shown in the following figure:

[Figure: Registry Editor with the \command subkey selected. NOTE: Modify this key.]

2. Double-click the (Default) value in the right pane.
3. Delete the current value data, and then type "%1" %*
(That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

NOTES:
On Windows 95/98/NT, the Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*"
On Windows 2000/XP, the additional quotation marks will not appear. In these environments, the (Default) value should look exactly like this: "%1" %*

4. Make sure that you completely delete all value data in the \command key prior to typing the correct data. If you accidentally leave a space at the beginning of the entry, any attempt to run program files will result in the error message, "Windows cannot find .exe." or "Cannot locate C:\ <path and file name>."
5. Exit the Registry Editor. If you have not run the full system scan as directed in the previous section, do so now.
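The hijack described in the write-up above (the worm rewrites the exefile open command so that its copy of wininet.exe is interposed on every .exe launch) and the restore check in step 4 (a stray leading space breaks every program launch) both come down to one question: does HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command still hold the stock value "%1" %*? The following Python is an added example, not part of SABAI's post or the Symantec write-up. It reads a .reg export of the key (the text format that reg export writes) so that the check can run offline on an analysis host, and classifies the (Default) value as stock, hijacked (reporting whatever program was inserted in front of "%1"), corrupted by leading whitespace, or missing. The sample exports are constructed for illustration; the function names are mine.

```python
"""
Classify HKLM\\Software\\Classes\\exefile\\shell\\open\\command from a .reg export.

Added example (not from the post or the Symantec write-up). The expected default
'"%1" %*' and the worm's replacement value come from the write-up; the .reg
samples below are constructed, not captured from a real machine.
"""
import re
from typing import Dict, Optional

# Key the worm rewrites, and Windows' stock (Default) value for it.
EXEFILE_COMMAND_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
EXPECTED_DEFAULT = '"%1" %*'


def parse_reg_default_value(reg_text: str, key_path: str) -> Optional[str]:
    """Return the (Default) value ('@=') of key_path from a .reg export.

    Returns None when the key or its default value is absent. A REG_SZ value
    ("...") is unescaped (\\" -> ", \\\\ -> \\); any other encoding such as
    hex(2):... is returned verbatim so the caller can flag it as unexpected.
    Key names are compared case-insensitively, as the registry itself does.
    """
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != key_path.lower():
            continue
        if line.startswith("@="):
            raw = line[2:]
            m = re.fullmatch(r'"((?:\\.|[^"\\])*)"', raw)
            if m is None:
                return raw
            return re.sub(r"\\(.)", r"\1", m.group(1))
    return None


def assess_exefile_command(value: Optional[str]) -> Dict[str, Optional[str]]:
    """Classify the exefile open command.

    status: 'default'  - stock value, nothing interposed
            'missing'  - key or value not present in the export
            'leading_whitespace' / 'trailing_whitespace' - the typo the
                         write-up warns about in step 4 (breaks .exe launches)
            'hijacked' - anything else; 'hijacker' is the text before "%1",
                         i.e. the program that runs instead of the requested .exe
    """
    if value is None:
        return {"status": "missing", "hijacker": None}
    if value == EXPECTED_DEFAULT:
        return {"status": "default", "hijacker": None}
    if value.strip() == EXPECTED_DEFAULT:
        status = "leading_whitespace" if value[0].isspace() else "trailing_whitespace"
        return {"status": status, "hijacker": None}
    idx = value.find('"%1"')
    prefix = value[:idx].strip() if idx >= 0 else ""
    return {"status": "hijacked", "hijacker": prefix or value.strip()}


def check_export(reg_text: str) -> Dict[str, Optional[str]]:
    """Parse an export and classify the exefile open command in one call."""
    return assess_exefile_command(parse_reg_default_value(reg_text, EXEFILE_COMMAND_KEY))


# Constructed .reg exports in the format `reg export` writes (backslashes and
# quotes inside values are escaped). Not captured from a real host.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Mirrors the value the write-up says the worm installs.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="%System%\\wininet.exe\"%1\" %*"
'''

# The step-4 mistake: a space typed before "%1".
LEADING_SPACE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@=" \"%1\" %*"
'''

# Only the .exe association key (the one the CAUTION says not to touch):
# the command key is absent, so the result is 'missing', not a false 'default'.
DOT_EXE_ONLY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\.exe]
@="exefile"
'''

if __name__ == "__main__":
    for name, export in [("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT),
                         ("leading space", LEADING_SPACE_EXPORT), (".exe only", DOT_EXE_ONLY_EXPORT)]:
        print(f"{name:14s} -> {check_export(export)}")
```

To run it against a real machine, export the key with reg export "HKLM\Software\Classes\exefile\shell\open\command" exefile.reg and read the file with encoding="utf-16" (reg export writes UTF-16LE with a byte-order mark). Anything other than status "default" on a host that should be clean is worth a closer look, and the hijacker field tells you which program has been inserted in front of every .exe launch.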