W3.spybot.worm

CB Ƹ̵̡Ӝ̵̨̄Ʒ Der Millionendorf- Icrontian
edited August 2004 in Spyware & Virus Removal
My Norton active scanner tells me that I have W3.SPYBOT.WORM and that it cannot delete it.

I went to the Symantec site and followed their removal instructions, but even in safe mode, Windows XP wouldn't let Norton delete the infected file because the infected file is iexplore.exe.

Norton is unable to remove, quarantine, or delete this infection.

Has anybody heard anything about it?

Do I even need to worry about it, since I don't use IE?

Comments

  • Dexter Vancouver, BC Canada
    edited August 2004
    Do you mean w32.spybot.worm?

    Yes, you need to worry about it, because it:

    Can be configured to create and share a folder on the KaZaA file-sharing network.

    Copies itself to the configured path as file names that are designed to trick other users into downloading and executing the worm.

    Can be configured to perform Denial of Service (DoS) attacks on specified servers.

    Can be configured to terminate security product processes.

    Connects to specified IRC servers and joins a channel to receive commands.

    May log keystrokes to a file in the System folder.

    May send personal information, such as the operating system, IP address, user name, and so on, to the IRC server.

    May open a backdoor port.

    May spread by exploiting the following vulnerabilities: (edited - numerous MS exploits which put other users at risk if they are not doing their critical updates.)

    All of these actions are security risks, which allow someone to exploit your computer unless you are protected by a firewall. Even if you are, someone else can be infected by you, as the worm seeks to spread from your system to someone else's via Kazaa if you use it. Plus, all these activities take resources, RAM and CPU, as well as generate a lot of network activity, all of which will make your computer and your internet connection run slower.

    Post a HJT log (use version 1.98 from our downloads page) and let's take a look at it, perhaps it has mutated from the known values on Symantec's site.

    Dexter...
  • CB Ƹ̵̡Ӝ̵̨̄Ʒ Der Millionendorf- Icrontian
    edited August 2004
    Ya, I got all that from the Symantec site, but I wasn't sure if those problems occurred only when using IE, since that's the file it infected...


    Okay, when I get home from work today, I'll post a HJT log.
  • CB Ƹ̵̡Ӝ̵̨̄Ʒ Der Millionendorf- Icrontian
    edited August 2004
    But, um... I still would like it if anyone had any info on this particular virus already, other than what Symantec has...
  • Dexter Vancouver, BC Canada
    edited August 2004
    Symantec or any other of the AV sites is pretty much the best place to get the info from. What other info are you wanting....?

    Dexter...
  • CB Ƹ̵̡Ӝ̵̨̄Ʒ Der Millionendorf- Icrontian
    edited August 2004
    If someone has dealt with it before, and actually found a way to get rid of it, 'cause the instructions on the Symantec site didn't work.

    It says to update the Norton definitions, then run the scanner from safe mode. After the scanner repairs the infection, delete certain keys in the reg. to keep it from putting itself back on right away.

    When I run the scanner in safe mode, it finds the virus and tells me that repair is impossible and that it is going to quarantine instead. Then it says that quarantine is not possible and that it is going to just delete the infected file, instead. Then Windows tells me that I'm not allowed to delete iexplore.exe (and rightly so...)

    GH told me to delete iexplore from DOS-mode, but I'm very wary of doing such things. I know that Windows uses explorer for a lot of functions.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited August 2004
    I would delete Iexplore and then reinstall IE. That will fix any weird Windows problems you might have from not having IEXPLORE.EXE ... However, Windows uses EXPLORER.EXE for most GUI functions. I think it'll be alright.
  • CB Ƹ̵̡Ӝ̵̨̄Ʒ Der Millionendorf- Icrontian
    edited August 2004
    I think so too, thanks...