Infected systems must be patched before they are disinfected. Some systems may be in a “crash loop” where each time the system is restarted, SVCHOST.EXE crashes and the user has 60 seconds before the system restarts. This can continue to happen even after the virus is removed if the patch is not applied. It may be necessary to install/configure a firewall prior to downloading/installing this patch. Microsoft has outlined the necessary steps to address Windows issues when removing this virus. These actions should be taken prior to removing the virus (see below).
Virus Removal:
Use the current DAT file for detection and removal. The 4283 DAT files will detect this threat as a variant of Exploit-DcomRpc. Infected systems must be patched prior to removal of the virus (see below).
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Stand alone remover
Stinger has been updated to include detection/removal of this threat.
Sniffer Customers: A new filter has been developed that will look for any traffic using the RPC exploit, plus traffic on port 4444 (Lovsan) and traffic on port 707 (Nachi) (Sniffer Distributed 4.3 and Sniffer Portable 4.7.5).
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
- Apply the MS03-039 patch (includes MS03-026 patch)
- Terminate the process msblast.exe
- Delete the msblast.exe file from your WINDOWS SYSTEM32 directory (typically c:\windows\system32 or c:\winnt\system32)
- Edit the registry
  - Delete the "windows auto update" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
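The manual removal steps above as a script that refuses to clean until the patch is present and then verifies that each artifact is gone. This is an added example, not McAfee's or Microsoft's tooling; the `$HotfixId` parameter and the variable names are assumptions, and the KB identifier of the MS03-039 update must be supplied by the operator because the page does not give it.

```powershell
# Added example: scripted form of the manual removal steps.
# Assumptions: run from an elevated prompt; $HotfixId is the KB identifier
# of the MS03-039 update, supplied by the operator (not given on the page).
param(
    [Parameter(Mandatory = $true)][string]$HotfixId
)

$exeName  = 'msblast'
$exePath  = Join-Path $env:SystemRoot 'System32\msblast.exe'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'windows auto update'

# Step 1: refuse to clean an unpatched host; the SVCHOST.EXE crash loop
# can continue after removal if the patch is not applied.
if (-not (Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue)) {
    Write-Error "$HotfixId is not installed. Apply the MS03-039 patch first."
    exit 1
}

# Step 2: terminate the worm process if it is running.
Get-Process -Name $exeName -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 3: delete the worm binary from the system directory.
if (Test-Path -LiteralPath $exePath) {
    Remove-Item -LiteralPath $exePath -Force
}

# Step 4: delete the Run value that restarts the worm at boot.
if (Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path $runKey -Name $runValue
}

# Verify: report anything that survived so the host can be re-examined.
$left = @()
if (Get-Process -Name $exeName -ErrorAction SilentlyContinue) { $left += 'process' }
if (Test-Path -LiteralPath $exePath) { $left += 'file' }
if (Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue) { $left += 'Run value' }

if ($left.Count -gt 0) {
    Write-Error ("Still present: " + ($left -join ', '))
    exit 2
}
Write-Output 'msblast.exe process, file and Run value are gone.'
```

A non-zero exit code lets a deployment tool tell unpatched hosts (1) apart from hosts where cleanup did not complete (2).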
The latest ThreatScan signature (2003-08-12) includes detection of the W32/Lovsan.worm virus. This signature is available for ThreatScan v2.0, v2.1, and v2.5.
To update your ThreatScan installations with the latest signatures, perform the following tasks:
- From within ePO open the “Policies” tab.
- Select “McAfee ThreatScan” and then select “Scan Options”
- In the pane below click the “Launch AutoUpdater” button.
- Using the default settings, proceed through the dialogs that appear. Upon successful completion of the update, a message will appear stating that update 2003-08-12 has completed successfully.
- From within ePO create a new “AutoUpdate on Agent(s)” task.
- Go into the settings for this task and ensure that the host field is set to ftp.nai.com, the path is set to /pub/security/tsc20/updates/winnt/ and that the user and password fields are both set to ftp. Note that “tsc20” in the above path is used for ThreatScan 2.0 and 2.1. The correct path for ThreatScan 2.5 is “tsc25”.
- Launch this task against all agent machines.
- When the task(s) complete, information will be available in the “Task Status Details” report.
To create and execute a new task with the new Hot Fix functionality do the following:
- Create a new ThreatScan task.
- Edit the settings of this task.
- Edit the “Task option”, “Host IP Range” to include all desired machines to scan.
- Select the “Remote Infection Detection” category and “Windows Virus Checks” template.
  -or-
  Select the “Other” category and “Scan All Vulnerabilities” template.
- Launch the scan.








