Ironworks Gaming Forum
Old 05-28-2004, 12:49 PM   #1
Raistlin Majere
Ra
 

Join Date: March 26, 2002
Location: Finland
Age: 36
Posts: 2,323
After running a routine virus-check, I found a virus named "Worm/Agobot.14.AP", but my virus program couldn't remove it! So it's still on my computer, and I don't really see a way to remove it... It's located in a file named "C:\WINDOWS\SYSTEM32\ntsyskrnl.exe", so I can see why the program couldn't remove it, but I'd like to know: 1) What is it, 2) What does it do and 3) How do I get rid of it. Any help would be welcome!

[edit] After checking recent test results, it seems that nearly every time the program has found a "hidden extension"... what can I do to prevent this?

[ 05-28-2004, 12:51 PM: Message edited by: Raistlin Majere ]
__________________
If the radiance of a thousand suns were to burst forth at once in the sky, that would be like the splendor of the Mighty One.

"I am become death, the destroyer of worlds."
Raistlin Majere is offline  
Old 05-28-2004, 01:02 PM   #2
Gnarf
Emerald Dragon
 

Join Date: February 6, 2003
Location: Norway
Age: 38
Posts: 928
Could be this thing (didn't find agobot.14.AP at the site, only agobot.AP).
__________________
I want a hippo.
Gnarf is offline  
Old 05-28-2004, 01:06 PM   #3
Raistlin Majere
Ra
 

Join Date: March 26, 2002
Location: Finland
Age: 36
Posts: 2,323
Hmmm... I can't open the page! Very odd...
__________________
If the radiance of a thousand suns were to burst forth at once in the sky, that would be like the splendor of the Mighty One.

"I am become death, the destroyer of worlds."
Raistlin Majere is offline  
Old 05-28-2004, 01:10 PM   #4
Mack_Attack
Osiris - Egyptian God of the Underworld
 

Join Date: May 22, 2001
Location: Sherwoodpark,Alberta,Canada
Age: 51
Posts: 2,929

Virus type: Worm

Destructive: Yes

Aliases: W32.HLLW.Gaobot.AO

Pattern file needed: 679 (0.679.03)

Scan engine needed: 5.600

Overall risk rating: Low

--------------------------------------------------------------------------------

Reported infections: Low

Damage Potential: High

Distribution Potential: High



--------------------------------------------------------------------------------

Description:


This memory-resident worm propagates through network-shared folders.

Like the earlier AGOBOT variant, WORM_AGOBOT.AN, it also exploits certain vulnerabilities to propagate across the network. It takes advantage of the following Windows vulnerabilities:

Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
IIS5/WEBDAV Buffer Overflow vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-001

This worm also has backdoor capabilities. It randomly opens a TCP port where it waits for connection from a remote user. It also connects to an IRC channel and waits for commands from a remote malicious user.

It allows a remote user to perform the following malicious actions:

Log off user
Shut down the machine
Reboot the machine
Connect to a different IRC server
Reconnect to an IRC server
Send raw message to the IRC server
Quit from the IRC session
Send a private message
Leave a channel
Print netinfo
Perform a mode change
Join a channel
Disconnect from IRC server

It also terminates antivirus-related processes and steals CD keys of certain game applications.

It is compressed with Neolite and runs on Windows 2000 and XP.

Solution:


AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Services.

MANUAL REMOVAL INSTRUCTIONS

Disconnecting Network Connection

Unplug the Unshielded Twisted Pair (UTP) cable that is normally located at the back of the machine to disconnect from the network and avoid reinfection.

Apply the proceeding instructions. Once the malware is completely removed from all the machines in the network, it is then safe to plug the UTP cable and reconnect to the network.

Terminating the Malware Program

This procedure terminates the running malware process from memory.

1. Open Windows Task Manager. Press CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs, locate the process: CSRRS.EXE
3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

To remove the malware autostart entries:

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry: %System32%CSRRS.EXE
   Note: %System32% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
4. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
5. In the right panel, locate and delete the entry or entries: %System32%CSRRS.EXE
6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Applying Patches

This malware exploits known vulnerabilities affecting the Windows NT platforms. Download and install the following to patch your system.

IIS5/WEBDAV vulnerability patch
Windows NT: http://microsoft.com/downloads/detai...displaylang=en
Windows NT Terminal Server: http://microsoft.com/downloads/detai...displaylang=en
Windows XP 32 bit: http://microsoft.com/downloads/detai...displaylang=en
Windows XP 64 bit: http://microsoft.com/downloads/detai...displaylang=en

DCOM Patch
Windows NT: http://microsoft.com/downloads/detai...displaylang=en
Windows NT Terminal Server: http://microsoft.com/downloads/detai...displaylang=en
Windows 2000: http://microsoft.com/downloads/detai...displaylang=en
Windows XP 32 bit: http://microsoft.com/downloads/detai...displaylang=en
Windows XP 64 bit: http://microsoft.com/downloads/detai...displaylang=en

RPC Patch
Windows NT: http://www.microsoft.com/downloads/d...displaylang=en
Windows NT Terminal Server: http://www.microsoft.com/downloads/d...displaylang=en
Windows 2000: http://www.microsoft.com/downloads/d...displaylang=en
Windows XP 32 bit: http://www.microsoft.com/downloads/d...displaylang=en
Windows XP 64 bit: http://www.microsoft.com/downloads/d...displaylang=en
Windows 2003 Server 64 bit: http://www.microsoft.com/downloads/d...displaylang=en

Refrain from using the affected software until the appropriate patch has been installed.

Additional Windows XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.AP. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business or home PC.


Here ya go then.
__________________
Mack_Attack is offline  
Old 05-28-2004, 01:18 PM   #5
Gnarf
Emerald Dragon
 

Join Date: February 6, 2003
Location: Norway
Age: 38
Posts: 928
... but this (agobot.ik) one seems to be the only one dealing with ntsyskrnl.exe... so I dunno which is right, if any. It's likely to be the .ik one, as it disables access to, amongst others, that trendmicro site.

For agobot.ik:
Quote:
Description:


This AGOBOT variant is a network worm and a backdoor. It propagates into machines unpatched to the following vulnerabilities:

Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
Microsoft Security Bulletin MS03-026: http://www.microsoft.com/technet/tre...n/MS03-026.asp

RPC Locator vulnerability
Microsoft Security Bulletin MS03-001: http://www.microsoft.com/technet/tre...n/MS03-001.asp

IIS5/WEBDAV buffer overrun vulnerability
Microsoft Security Bulletin MS03-007: http://www.microsoft.com/technet/tre...n/MS03-007.asp

It also uses a list of user names and passwords to propagate into machines with weak passwords.

This malware has backdoor capabilities. It allows remote users to manipulate infected systems and steal information, including game CD keys. It also terminates different programs, including antivirus and firewall applications.

It runs on Windows NT, 2000, and XP.

Solution:


Terminating the Malware Program

This procedure terminates the running malware process from memory.

1. Open Windows Task Manager. Press CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs, locate the process: ntsyskrnl.exe
3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
3. In the right panel, locate and delete the entry: System Kernel = "ntsyskrnl.exe"
4. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
5. In the right panel, locate and delete the entry: System Kernel = "ntsyskrnl.exe"
6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Cleaning the HOSTS file

This malware added loopback addresses to your hosts file. Cleaning this would enable access to the Web sites.

1. Using Notepad, edit the file "hosts" located in the %System%\drivers\etc folder.
2. Remove the lines containing the following sites:

avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com

Note: %System% is the Windows system folder, which is C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.

Additional Windows XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.IK. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Applying Patches

Download the latest patch. Information and download links on the vulnerabilities exploited by the malware can be found at the following links:
Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business or home PC.
Edit: Link to that housecall thing: http://housecall.antivirus.com/
Also, you can try using system restore, starting the puter in safe-mode then deleting file or... something.

[ 05-28-2004, 01:28 PM: Message edited by: Gnarf ]
__________________
I want a hippo.
Gnarf is offline  
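The two write-ups quoted in posts #4 and #5 describe the same manual clean-up by hand: find the worm's value under the Run and RunServices keys, and strip the loopback lines it added to the hosts file to block the vendor sites. The script below is an added example that automates the checking side of those two steps; it is not Trend Micro's tool and not code from anyone in this thread. It works on text you hand it rather than touching the live system: a copy of the hosts file, and a .reg export of the two autostart keys (Registry Editor, File > Export). SAMPLE_HOSTS and SAMPLE_REG are constructed inputs, and the executable names and domain list come straight from the quoted pages.

```python
"""Audit helpers for the two manual clean-up steps quoted in this thread:
the HOSTS-file loopback entries that block security-vendor sites, and the
"System Kernel" / CSRRS.EXE autostart values under the Run and RunServices
keys. This is an added example, not Trend Micro's tool or code from the
thread; SAMPLE_HOSTS and SAMPLE_REG below are constructed inputs."""
import re

# Vendor domains from the quoted "Cleaning the HOSTS file" list. The www.
# variants are matched by stripping the prefix, and the duplicate is dropped.
BLOCKED_VENDOR_DOMAINS = {
    "avp.com", "ca.com", "customer.symantec.com", "dispatch.mcafee.com",
    "download.mcafee.com", "f-secure.com", "kaspersky.com",
    "liveupdate.symantec.com", "liveupdate.symantecliveupdate.com",
    "mast.mcafee.com", "mcafee.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "rads.mcafee.com", "secure.nai.com",
    "securityresponse.symantec.com", "sophos.com", "symantec.com",
    "trendmicro.com", "update.symantec.com", "updates.symantec.com",
    "us.mcafee.com", "viruslist.com",
}
# File names the two quoted write-ups give for the variants discussed.
AGOBOT_EXECUTABLES = {"ntsyskrnl.exe", "csrrs.exe"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)


def _canonical(host):
    """Lower-case a hostname and drop a leading 'www.' for list matching."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def audit_hosts(text):
    """Return (hijacked_hosts, cleaned_text). A line is dropped from the cleaned
    copy when it maps one of the vendor domains to a loopback address; every
    other line (comments, localhost, LAN names) is kept verbatim."""
    hijacked, kept = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            bad = [h for h in fields[1:] if _canonical(h) in BLOCKED_VENDOR_DOMAINS]
            if bad:
                hijacked.extend(bad)
                continue
        kept.append(line)
    return hijacked, "\n".join(kept) + "\n"


def audit_autostart(reg_export):
    """Scan .reg export text and return [(key, value_name, data)] for values
    under Run/RunServices whose data names one of the worm's executables."""
    canon = {k.lower(): k for k in AUTOSTART_KEYS}
    hits, current = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = canon.get(line[1:-1].lower())  # None for other keys
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line) if current else None
        if m and any(exe in m.group(2).lower() for exe in AGOBOT_EXECUTABLES):
            hits.append((current, m.group(1), m.group(2)))
    return hits


# Constructed sample inputs (not captured from a real machine).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com
127.0.0.1       symantec.com  liveupdate.symantec.com
192.168.0.10    fileserver.lan
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System Kernel"="ntsyskrnl.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"System Kernel"="ntsyskrnl.exe"
"""

if __name__ == "__main__":
    hijacked, cleaned = audit_hosts(SAMPLE_HOSTS)
    print("hosts entries to remove:", hijacked)
    print("cleaned hosts file:\n" + cleaned)
    for key, name, data in audit_autostart(SAMPLE_REG):
        print(f"autostart value to delete: [{key}] {name} = {data}")
```

Running it on the samples flags the three vendor hostnames pinned to 127.0.0.1 and both "System Kernel" values, while leaving localhost, the LAN entry and the legitimate ctfmon.exe value alone. The hosts check deliberately keys on loopback targets plus the vendor list rather than on the names alone, so an unrelated entry for one of those domains pointing at a real address would not be removed.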
Old 05-28-2004, 01:58 PM   #6
Raistlin Majere
Ra
 

Join Date: March 26, 2002
Location: Finland
Age: 36
Posts: 2,323
When I open the task manager and end the process, instead of ending it, it just switches its place, but remains on the list! Damn, I don't like this thing at all...
__________________
If the radiance of a thousand suns were to burst forth at once in the sky, that would be like the splendor of the Mighty One.

"I am become death, the destroyer of worlds."
Raistlin Majere is offline  
Old 05-28-2004, 02:05 PM   #7
Gnarf
Emerald Dragon
 

Join Date: February 6, 2003
Location: Norway
Age: 38
Posts: 928
Tried starting the puter in safe mode? It's likely that the ntsyskrnl.exe thing won't be loaded then, and you can delete it.
__________________
I want a hippo.
Gnarf is offline  
Old 05-28-2004, 02:50 PM   #8
Raistlin Majere
Ra
 

Join Date: March 26, 2002
Location: Finland
Age: 36
Posts: 2,323
How do I boot in safe mode? I don't remember what I have to press on the start up... I'm running XP Pro, btw.
__________________
If the radiance of a thousand suns were to burst forth at once in the sky, that would be like the splendor of the Mighty One.

"I am become death, the destroyer of worlds."
Raistlin Majere is offline  
Old 05-28-2004, 03:08 PM   #9
Bungleau
40th Level Warrior
 

Join Date: October 29, 2001
Location: Western Wilds of Michigan
Posts: 11,752
Hmmm... I think it's either F5 or F8 while you're booting. I can never remember which one, so I usually alternate between them, about once every second or so, during the boot process.

Good luck in killing it...
__________________
*B*
Save Early, Save Often Save Before, Save After
Two-Star General, Spelling Soldiers
-+-+-+
Give 'em a hug one more time. It might be the last.
Bungleau is offline  
Old 05-28-2004, 03:50 PM   #10
Gnarf
Emerald Dragon
 

Join Date: February 6, 2003
Location: Norway
Age: 38
Posts: 928
You can probably do it with F8 or something, or:
start > run > "msconfig" > "boot.ini" tab > check /safeboot. You'll be prompted to restart puter after clicking "OK", do so.

Uncheck /safeboot when you want puter to return to normal.
__________________
I want a hippo.
Gnarf is offline  
 

