W32/Sonebot-B

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Kernel_check = wmiprvse.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Kernel_check = wmiprvse.exe

and delete them if they exist.

Close the registry editor.

W32/Sonebot-B is a network worm which includes IRC bot and backdoor functionality that allows unauthorised remote access to the infected computer.

This worm copies itself to network shares with weak passwords, initiates a remote background process, connects to a remote IRC server and joins a specific channel.

W32/Sonebot-B drops a copy of itself to the Windows System32 folder with the filename WMIPRVSE.EXE and sets the following registry entries to run the copy on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Kernel_check = wmiprvse.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Kernel_check = wmiprvse.exe

W32/Sonebot-B also attempts to terminate a number of processes and delete a number of files from the infected computer.

This worm may also set the following registry entries:

HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\
AutoShareServer = <value>
AutoShareWks = <value>

HKLM\System\CurrentControlSet\Control\lsa\
RestrictAnonymous = <value>
RestrictAnonymousSam = <value>