Use specified engine and DAT files for detection and removal of virus and trojan files related to this threat.
Stinger has been updated to detect and remove the virus and trojan components of this threat.
Many share-jumping viruses rely on weak usernames and passwords. They attempt to gain administrative rights through a dictionary-style attack, trying usernames like "admin" or "administrator" and passwords like "admin" or "123456". Beyond such weak credentials, many can use the credentials of the local user. This means that if a super-administrator or domain admin logs on to an infected system, or becomes infected, the virus will have access to all systems within its "reach". Such worms often rely on the presence of the default administrative shares. It is a good idea to remove the administrative shares (C$, IPC$, ADMIN$) on all systems to prevent such spreading. A simple batch file containing the following commands may help, especially when run from a logon script or placed in the startup folder.
- net share c$ /delete
- net share d$ /delete
- net share e$ /delete
- net share ipc$ /delete
- net share admin$ /delete
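The batch file above names fixed drive letters. As an added example (not part of the original advisory or any vendor tool), the following goes one step further and reads `net share` output to find whichever default administrative shares are actually present, then builds the matching delete lines. The sample output is constructed, the function names are hypothetical, and the two-space column separation is an assumption about the `net share` layout.

```python
import re

# Constructed sample of `net share` output (not captured from a real host).
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
D$           D:\                             Default share
Public       C:\Users\Public
print$       C:\WINDOWS\system32\spool\drivers
                                             Printer Drivers
The command completed successfully.
"""

# Default administrative shares: one drive letter plus "$", ADMIN$ and IPC$.
ADMIN_SHARE = re.compile(r"^(?:[A-Z]\$|ADMIN\$|IPC\$)$", re.IGNORECASE)


def admin_shares(net_share_output):
    """Return the default administrative shares listed in `net share` output."""
    found = []
    in_table = False
    for line in net_share_output.splitlines():
        if line.startswith("-----"):
            in_table = True  # rows begin after the dashed separator
            continue
        if not in_table or not line.strip() or line[0].isspace():
            continue  # header, blank line, or wrapped continuation of a row
        # Assumption: the name column is separated by two or more spaces.
        name = re.split(r"\s{2,}", line)[0].strip()
        if ADMIN_SHARE.match(name):
            found.append(name)
    return found


def delete_commands(shares):
    """Build the batch-file lines that remove each share found."""
    return ["net share %s /delete" % share.lower() for share in shares]


if __name__ == "__main__":
    for command in delete_commands(admin_shares(SAMPLE_NET_SHARE)):
        print(command)
```

Ordinary shares such as `Public` and `print$` are left alone, so the generated lines only touch the shares the advisory recommends removing.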
Certain files associated with this threat are considered to be "Potentially Unwanted Programs" and will not be removed with the DAT files.
VirusScan 4.x users who would like to detect this program on their system can run the command line scanner with the /PROGRAM switch:
- Click the START button
- Click RUN
- Type COMMAND and hit ENTER
- Type c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /sub and hit ENTER
Users running VirusScan 7 or later can also enable application or joke detection via the configuration option "Find potentially unwanted programs" (Advanced section - see example below), within the VirusScan GUI as shown below:
This applies to the VirusScan 7 Enterprise On-Access scanner too.
Retail Users:
This does not apply for the VirusScan 7 Retail On-Access scanner.
The following files should be removed manually, if unwanted (these files are not detected as trojan or virus by the scanner, some are detected as applications):
NOTE: It is possible to have unrelated files bearing the same name on an infected, or non-infected, system. Therefore care should be taken before deleting any file based on the name alone. Additionally, filenames displayed here can vary.
Edit the registry
The following registry key should be deleted manually to remove a service that may get created:
It may also be necessary to reset or delete the admin
user account and/or remove it from the administrators
Additional Windows ME/XP removal considerations