W32/Delbot-AK

paulcarr

Has anybody experienced a virus referenced as W32/Delbot-AK by Sophos?

We have attempted to clear it using Sophos across servers.

We think the following files have something to do with the infection:
cnen.exe & ntoepad.exe.

Does anyone have experience of this and recommendations for removal?
 
In reply to paulcarr's post:

http://www.sophos.com/virusinfo/analyses/w32delbotak.html says this:

W32/Delbot-AK is a worm with backdoor functionality for the Windows platform.

W32/Delbot-AK spreads to other network computers by:
- Scanning network shares for weak passwords
- Exploiting common buffer overflow vulnerabilities:
  - Symantec (SYM06-010)
  - Microsoft Security Advisory (935964): Vulnerability in RPC on Windows DNS Server Could
    Allow Remote Code Execution.

When first run W32/Delbot-AK copies itself to <System>\ntoepad.exe and attempts to
download and execute a file from a remote location to <Root>\radi.exe. At the time of
writing, this file was unavailable for download.

The following registry entry is created to run ntoepad.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Notepad
<System>\ntoepad.exe

So it looks simple enough to clean.
Boot to Safe Mode, delete that file and registry entry - or just scan with Sophos.
Password all usernames, including Guest even if it shows as disabled.
Re-boot.
Password any shares.
Get up to date with MS patches.
 
Follow-up reply:

Ah, you mentioned servers. If you want to avoid rebooting, you ought to be able to kill the
process claiming to be notepad (but which is actually the ntoepad exe) with Task Manager,
then remove the registry entry, and then delete the file.

Sophos issued an IDE for this around 07:00 (GMT+1) today, so if your servers are running it
on-access the thing shouldn't get in again, assuming you do hourly updates as
recommended by Sophos.
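The manual clean-up described in the two replies above (kill the running ntoepad.exe, remove the Run value named "Notepad", delete the file), written up as a PowerShell script for one host. This is an added example, not code from the thread, from Sophos or from Microsoft. It assumes that `<System>` in the Sophos text is the Windows system directory and `<Root>` the drive root of the Windows install; cnen.exe is the original poster's suspicion rather than a Sophos indicator, so the script reports it but never deletes it. The `-Remove` switch and the `$findings` list are the script's own conventions.

```powershell
<#
Added example (not from the thread or Sophos): look for the W32/Delbot-AK artifacts
named in the quoted analysis and, with -Remove, clean them in the order the follow-up
reply gives: kill the process, drop the Run value, delete the file.
Run from an elevated prompt. -WhatIf previews every change without making it.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove    # report only unless this switch is given
)

$systemDir = [Environment]::SystemDirectory             # <System>, e.g. C:\Windows\System32
$rootDir   = [IO.Path]::GetPathRoot($env:SystemRoot)     # <Root>,   e.g. C:\
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$dropper   = Join-Path $systemDir 'ntoepad.exe'          # copy of the worm (Sophos)
$payload   = Join-Path $rootDir   'radi.exe'             # downloaded second stage (Sophos)
$suspect   = Join-Path $systemDir 'cnen.exe'             # poster's suspicion: report only

$findings = @()

# 1. Running copy. Kill it first: a live process keeps the file open and can
#    re-create the Run value after you delete it.
$running = @(Get-Process -ErrorAction SilentlyContinue |
             Where-Object { $_.Path -and ($_.Path -ieq $dropper) })
foreach ($proc in $running) {
    $findings += "process {0} (PID {1}) running from {2}" -f $proc.ProcessName, $proc.Id, $proc.Path
    if ($Remove -and $PSCmdlet.ShouldProcess($proc.Path, 'Stop-Process')) {
        Stop-Process -Id $proc.Id -Force
    }
}

# 2. Persistence. The value is named "Notepad" to look legitimate, so check where it
#    points, not merely whether it exists: a real notepad.exe autorun would be harmless.
$runValue = (Get-ItemProperty -Path $runKey -Name 'Notepad' -ErrorAction SilentlyContinue).Notepad
if ($runValue) {
    $target = [Environment]::ExpandEnvironmentVariables($runValue.Trim('"'))
    if ($target -ieq $dropper) {
        $findings += "Run value 'Notepad' -> $target"
        if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\Notepad", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $runKey -Name 'Notepad'
        }
    }
}

# 3. Files. Hash before deleting so the sample can be matched against the IDE later.
foreach ($file in @($dropper, $payload, $suspect)) {
    if (-not (Test-Path -LiteralPath $file)) { continue }
    $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    $findings += "file $file SHA256 $hash"
    if ($file -eq $suspect) { continue }     # unconfirmed: leave it for the analyst
    if ($Remove -and $PSCmdlet.ShouldProcess($file, 'Remove-Item')) {
        Remove-Item -LiteralPath $file -Force
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No W32/Delbot-AK indicators found on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it once without `-Remove` to see what it finds, then with `-Remove -WhatIf`, then with `-Remove`. It only cleans the host it runs on; the quoted analysis says the worm re-enters through weakly passworded shares and the Symantec and Windows DNS RPC vulnerabilities, so the password and patching steps in the earlier reply still have to be done on every server before the cleaned one is reconnected.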
 