worm
Searched on Google: No comment
Description:
This worm propagates via network shares. It uses an installer icon and poses as an mIRC installation file to lure users into executing it.
It connects to mIRC and acts as an mIRC client, which grants the remote user access over the machine to carry out malicious commands. It is also capable of terminating certain processes, as well as preventing access to certain Web sites by modifying the system's HOSTS file.
It runs on Windows NT, 2000, and XP.
Solution:
Terminating the Malware Program
This procedure terminates the running malware process.
Open Windows Task Manager.
» On Windows 95, 98, and ME, press CTRL+ALT+DELETE
» On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the process:
svchostx.exe
Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
WSAConfiguration = "svchostx.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry:
WSAConfiguration = "svchostx.exe"
Close Registry Editor.
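The checks from both procedures can also be scripted. The following PowerShell function is an added example, not part of the original write-up: it looks for the svchostx.exe process and the WSAConfiguration autostart value named above, and lists active HOSTS file entries for manual review, since the description says the worm modifies that file but does not list the entries. The function name, the -Remove switch and the HOSTS file path (the standard location on NT-based Windows) are assumptions of this example.

```powershell
# Added example: audits a host for the indicators named on this page.
# Read-only by default; -Remove also ends the process and deletes the
# autostart values (requires an elevated session for HKLM).
function Test-SvchostxIndicators {
    param([switch]$Remove)

    $valueName = 'WSAConfiguration'   # autostart value name from the page
    $image     = 'svchostx.exe'       # malware process name from the page
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    )
    $findings = @()

    # 1. Running process (Get-Process expects the name without ".exe").
    $procName = $image -replace '\.exe$', ''
    $procs = Get-Process -Name $procName -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        $findings += "Process running: $image (PID $($p.Id))"
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }

    # 2. Autostart values under Run and RunServices.
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }   # RunServices is often absent
        $prop = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        if ($prop -and $prop.$valueName -like "*$image*") {
            $findings += "Autostart: $key\$valueName = $($prop.$valueName)"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $valueName }
        }
    }

    # 3. HOSTS file: report every active (non-comment) line except the
    #    default localhost mappings, so an analyst can review them.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'   # assumed path
    if (Test-Path $hosts) {
        $active = Get-Content $hosts | Where-Object {
            $_ -match '^\s*[^#\s]' -and
            $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
        }
        foreach ($line in $active) { $findings += "HOSTS entry to review: $($line.Trim())" }
    }

    $findings   # empty output means none of the indicators were found
}

Test-SvchostxIndicators
```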