Summary

| Detected by | All Sophos products |
|---|---|
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for removing worms.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows System Configure = C:\<Windows System folder>\ SystemConfig.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows System Configure = C:\<Windows System folder>\ SystemConfig.exe
and remove any references to Windows System Configure = C:\<Windows System folder>\ SystemConfig.exe.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows System Configure = C:\<Windows System folder>\ SystemConfig.exe
and delete it if it exists.
Close the registry editor.
More Information
W32/Duload-A is a worm that spreads over the KaZaA network. When run, it copies itself into the Windows system folder as SystemConfig.exe and sets the following registry entries so that it runs automatically when Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows System Configure = C:\<Windows System folder>\ SystemConfig.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows System Configure = C:\<Windows System folder>\ SystemConfig.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows System Configure = C:\<Windows System folder>\ SystemConfig.exe
The worm creates a folder named Media in the Windows system folder and creates several copies of itself in this folder using the following names:
Jenna Jamison Dildo Humping.exe
Pamela Anderson And Tommy Lee Home Video.exe
Alicia Silverstone Payboy Nude.exe
Kama Sutra Tetris.exe
Flash Golf.exe
Hoes For You Solitare.exe
Bingo.exe
Irc Client.exe
Mirc 7.0.exe
Email Bomber.exe
FileServer.exe
Kazaa Clone.exe
Napster Clone.exe
Winmx.exe
Website Hacker.exe
Hotmail Hacker.exe
Windows Hacker.exe
Free Porn.exe
Free Mpegs.exe
Free Pics.exe
Xbox Emulator.exe
Britney Spears Dance Beat.exe
Shakira Dancing.exe
J.Lo Bikini Screensaver.exe
Universal Game Crack.exe
Soldier Of Fortune 2 Mutiplayer Serial Hack.exe
Play Games Online For FREE.exe
Win A Ps2.exe
Win An Xbox.exe
Ps2 Emulator.exe
Ps2 Iso 2 Rom Converter.exe
Xbox Iso 2 Rom Converter.exe
The Sims Game Crack.exe
Working Iso Burner.exe
Winzip.exe
Winrar.exe
Winace.exe
System Monitor.exe
Warcraft 3 Battle.net Crack.exe
W32/Duload-A sets several entries under the registry key HKCU\Software\Kazaa so that the Media folder is shared on the KaZaA network.
W32/Duload-A also downloads a file from thisistrash.0catch.com into C:\Uninstall.exe and executes it.
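The registry entries and file locations described above can be checked with a read-only script before any manual editing. This is an added example, not Sophos tooling; it assumes the "Windows system folder" is the path returned by [Environment]::SystemDirectory and that the script runs with rights to read other users' loaded registry hives.

```powershell
# Added example: read-only check for the W32/Duload-A traces listed on this page.
# Assumption: the "Windows system folder" is what [Environment]::SystemDirectory returns.
$valueName = 'Windows System Configure'
$sysDir    = [Environment]::SystemDirectory
$findings  = @()

# Machine-wide autostart keys named on the page.
$runKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# HKCU is only the current user's view, so walk every hive loaded under HKEY_USERS.
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $runKeys += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties.Name -contains $valueName) {
        $findings += [pscustomobject]@{
            Type = 'Registry'; Location = $key; Detail = $props.$valueName
        }
    }
}

# Files and folders the page describes: the worm copy, its Media folder, the downloaded file.
$paths = @(
    (Join-Path $sysDir 'SystemConfig.exe'),
    (Join-Path $sysDir 'Media'),
    'C:\Uninstall.exe'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $p; Detail = "Last written $($item.LastWriteTime)"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No W32/Duload-A traces from this page were found.' }
```

The script changes nothing; a registry hit on the value name is the strongest signal, while a file hit on a generic name such as C:\Uninstall.exe needs review before it is treated as related.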
