Re: W32/Delbot-AK



In article <MPG.2090168c1cf98dfa989693@xxxxxxxxxxxxxxxxxxx>,
dave@xxxxxxxxxxxxxxx says...
In article <1176894469.489878.283310
@b75g2000hsg.googlegroups.com>, paulcarr@xxxxxxxxxxxxxxx
says...
Has anybody experienced a virus referenced as W32/Delbot-AK by Sophos?

We have attempted to clear using sophos across servers.

We think the following files have something to do with the infection:
cnen.exe & ntoepad.exe.

Does anyone have experience of this and recommendations for removal?


http://www.sophos.com/virusinfo/analyses/w32delbotak.html says this:

W32/Delbot-AK is a worm with backdoor functionality for the Windows platform.

W32/Delbot-AK spreads to other network computers by:
- Scanning network shares for weak passwords
- Exploiting common buffer overflow vulnerabilities
- Symantec (SYM06-010)
- Microsoft Security Advisory (935964): Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.

When first run W32/Delbot-AK copies itself to <System>\ntoepad.exe and attempts to download and execute a file from a remote location to <Root>\radi.exe. At the time of writing, this file was unavailable for download.

The following registry entry is created to run ntoepad.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Notepad
<System>\ntoepad.exe



So it looks simple enough to clean.
Boot to Safe Mode, delete that file and registry entry - or just scan with Sophos.
Password all usernames, including Guest even if it shows as disabled.
Re-boot.
Password any shares
Get up to date with MS patches.


Ah, you mentioned servers. If you want to avoid booting, you ought to be able to kill the process claiming to be notepad (but which is actually the ntoepad exe) with Task Manager and then remove the registry entry and then delete the file.

Sophos issued an IDE for this around 07:00 (GMT+1) today so if your servers are running it on-access the thing shouldn't get in again, assuming you do hourly updates as recommended by Sophos.
--
If you don't want the whelks don't muck 'em about
If you don't want them someone else may
.
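The server-side cleanup dave describes above (kill the process, remove the Run value, delete the file, then review shares and the Guest account), as an added PowerShell example that is not part of any post in this thread and is not code from Sophos. It assumes PowerShell is available on the affected server and is run elevated, that <System> is %SystemRoot%\System32 and <Root> is the system drive; the indicator values are the ones quoted from the Sophos analysis, and the -Remove switch is a convention invented for this script. cnen.exe is reported but never deleted, because the Sophos write-up says nothing about it.

```powershell
<#
  Added example: check a host for the W32/Delbot-AK indicators quoted from the
  Sophos analysis and, with -Remove, clean them in the order given in the thread.
  Assumptions: elevated session; <System> = $env:SystemRoot\System32,
  <Root> = $env:SystemDrive. Without -Remove it only reports (dry run).
#>
param([switch]$Remove)

$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'Notepad'                                   # value name from the analysis
$Dropper   = Join-Path $env:SystemRoot 'System32\ntoepad.exe'
$Payload   = Join-Path $env:SystemDrive 'radi.exe'       # <Root>\radi.exe
$Suspect   = Join-Path $env:SystemRoot 'System32\cnen.exe'  # mentioned by the OP only

function Test-DelbotRunValue {
    # Returns the Run value's data if it points at ntoepad.exe, otherwise $null.
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($props -and $props.$ValueName -and ($props.$ValueName -match 'ntoepad\.exe')) {
        return $props.$ValueName
    }
    return $null
}

# 1. Process. The image name is ntoepad.exe, so the process name is "ntoepad";
#    only Task Manager's description column makes it look like Notepad.
$procs = @(Get-Process -Name 'ntoepad' -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    Write-Host ("[!] ntoepad.exe running, PID {0}, path {1}" -f $p.Id, $p.Path)
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Persistence: the Run value created at first execution.
$runData = Test-DelbotRunValue
if ($runData) {
    Write-Host "[!] Run value '$ValueName' = $runData"
    if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $ValueName }
}

# 3. Files. Done after step 1 so the delete does not fail on a locked image.
foreach ($f in @($Dropper, $Payload)) {
    if (Test-Path -LiteralPath $f) {
        Write-Host "[!] found $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}
if (Test-Path -LiteralPath $Suspect) {
    Write-Host "[?] $Suspect present; not in the Sophos analysis, submit a sample before deleting"
}

# 4. Spread vector: shares reachable with a weak password. List the non-administrative
#    disk shares (Win32_Share Type 0) so each gets a password/ACL review.
Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Type -eq 0 } |
    ForEach-Object { Write-Host ("[i] share {0} -> {1}" -f $_.Name, $_.Path) }

# 5. Guest account status, per the advice to password it even when disabled.
$guest = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='Guest'"
if ($guest) { Write-Host ("[i] Guest account disabled: {0}" -f $guest.Disabled) }

if (-not $Remove) { Write-Host "Dry run only; re-run with -Remove to clean." }
```

Run it once without -Remove on each server to confirm the indicators match before touching anything; the registry value is checked by its data (does it point at ntoepad.exe) rather than by its name alone, so a legitimate Run entry that happens to be called "Notepad" is left in place.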


