
How To Remove Trojan.Webus.B?

Trojan.Webus.B is a Trojan horse program that disables antivirus services (it stops and deletes them) and launches Distributed Denial of Service (DDoS) attacks against a fixed list of remote servers.



This Trojan is a variant of Trojan.Webus and is packed with UPX and Yoda. It is also known as DDoS.Win32.Boxed.p. It affects Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003. DOS, Linux, Macintosh, Novell NetWare, OS/2 and UNIX are unaffected. The infection length is 26,694 bytes.

Symptoms of Trojan.Webus.B


A) It copies itself as %Windir%\system\lsass.exe. (%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.) Note that the legitimate Local Security Authority process is %Windir%\system32\lsass.exe; the Trojan drops its copy in the separate \system folder and borrows the well-known name so that it looks harmless in a process list.


B) Adds one of the following values:

".TEXTCONV"="%Windir%\system\lsass.exe"
".WMAudio"="%Windir%\system\lsass.exe"
"BuildLabs"="%Windir%\system\lsass.exe"
"ccpApps"="%Windir%\system\lsass.exe"
"FriendlyType"="%Windir%\system\lsass.exe"
"MicrosoftSourceSafe"="%Windir%\system\lsass.exe"
"Prog"="%Windir%\system\lsass.exe"
"RegDoneEx"="%Windir%\system\lsass.exe"

to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the Trojan is executed every time Windows starts.

C) Creates a mutex named "3286E64A-W325-121E-BFC1-080C2BE3S518" and exits if the mutex already exists. This ensures that no more than one instance of the Trojan runs on a computer at any time.

D) Stops and deletes the following security-related services: kavsvc, navapsvc, nwclntc, nwclntd, nwclnte, nwclntf, nwclntg, nwclnth, SAVScan, SymantecCoreLC and wuauserv (the Windows Automatic Updates service, so the machine also stops receiving patches).

E) Performs denial-of-service (DoS) attacks against the following hosts on TCP port 5000:

dns.web-bus.net
dns.xpublic.org
imap.web-bus.net
imap.xpublic.org
login.web-bus.net
login.xpublic.org
mail.web-bus.net
mail.xpublic.org
mb.web-bus.net
mb.xpublic.org
members.web-bus.net
members.xpublic.org
pop3.web-bus.net
pop3.xpublic.org
secure.web-bus.net
secure.xpublic.org
smtp.web-bus.net
smtp.xpublic.org





Precautions:

Operating systems often install auxiliary services such as an FTP server, Telnet and a web server by default. These services are frequently never used, yet each one widens the attack surface a Trojan can exploit. Removing the ones you do not need also leaves fewer services to keep patched. Never expose such a service until the latest patch has been applied. Always use a reputable antivirus program and, wherever possible, a firewall.

Always choose complex passwords so that they cannot easily be cracked.

Configure your mail server to block email attachments such as .vbs, .bat, .exe, .pif and .scr files; these are the file types most commonly used to spread malware. Isolate infected computers from the main network to prevent further damage to the rest of the network.

Thoroughly scan software downloaded from the Internet for viruses before running it.

Removal of Trojan.Webus.B

Using Symantec AntiVirus or Norton AntiVirus together with the following instructions, you can remove Trojan.Webus.B.


a) Disable System Restore (Windows Me/XP). If you are running Windows Me or Windows XP, temporarily turn off System Restore. It is enabled by default and keeps copies of files so that they can be restored if they become corrupt; when a Trojan infects the machine, System Restore may back up the Trojan along with everything else.

Because Windows does not let outside programs, including antivirus tools, modify the System Restore folder, a scan cannot remove a threat stored there, and a later restore can put the infected file back on the computer. Disabling System Restore discards the existing restore points and avoids this.


b) Update the virus definitions. Make sure your Norton or Symantec virus definitions are current before scanning, and keep them updated regularly afterwards.


c) Restart the computer in Safe mode or VGA mode. Shut down the computer and switch off the power, wait at least 30 seconds, and then restart it.

If you have Windows 95, 98, Me, 2000 or XP, restart the computer in Safe mode. If you have Windows NT 4, restart the computer in VGA mode.


d) Scan and delete infected files.
* Run the Symantec or Norton antivirus program.
* Run a full system scan.
* Delete any files detected as Trojan.Webus.B.

e) Delete the values that were added to the registry. Back up the registry before making any changes to it.

* Click Start.
* Click Run.
* Type regedit.
* Click OK.
* Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

* In the right pane, delete any of the following values that are present:
".TEXTCONV"="%Windir%\system\lsass.exe"
".WMAudio"="%Windir%\system\lsass.exe"
"BuildLabs"="%Windir%\system\lsass.exe"
"ccpApps"="%Windir%\system\lsass.exe"
"FriendlyType"="%Windir%\system\lsass.exe"
"MicrosoftSourceSafe"="%Windir%\system\lsass.exe"
"Prog"="%Windir%\system\lsass.exe"
"RegDoneEx"="%Windir%\system\lsass.exe"

Some of these value names are generic, so check that the data points to %Windir%\system\lsass.exe before deleting a value. The genuine lsass.exe lives in %Windir%\system32 and is started by Windows itself, never from a Run value, so any Run entry that launches a file named lsass.exe is suspect.
* Exit the Registry Editor.
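The Run-key check in symptom B and the deletion in step e are easier to do, and to audit afterwards, from an exported copy of the key than by hand in regedit. The following added example (not code from the original page or from Symantec) triages the text of a `.reg` export of the Run key for the indicators listed above and writes out a `.reg` file that removes the flagged values using regedit's `"name"=-` deletion syntax. It runs offline on any platform; SAMPLE_EXPORT is a constructed export, and the example assumes the Run values are plain REG_SZ strings (the `"name"="data"` form regedit writes), skipping REG_EXPAND_SZ values that appear as `hex(2):` data.

```python
"""Triage a Run-key export for Trojan.Webus.B persistence and emit a
.reg file that removes what it finds.

Added example, not code from the original page or from Symantec. It works
on the text of a regedit / `reg export` .reg file rather than on the live
registry, so it runs offline on any platform; SAMPLE_EXPORT is constructed.
Assumes REG_SZ values ("name"="data"); hex(2): REG_EXPAND_SZ lines are skipped.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Value names the write-up lists; each points at %Windir%\system\lsass.exe.
WEBUS_VALUE_NAMES = {
    ".TEXTCONV", ".WMAudio", "BuildLabs", "ccpApps",
    "FriendlyType", "MicrosoftSourceSafe", "Prog", "RegDoneEx",
}

# One REG_SZ value per line: "name"="data", with \ and " backslash-escaped.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample: one benign entry, one Webus entry, and an lsass.exe
# copy under a different value name in a user profile.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe\""
"BuildLabs"="C:\\WINDOWS\\system\\lsass.exe"
"Updater"="C:\\Documents and Settings\\user\\lsass.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\WINDOWS\\system32\\cmd.exe /c del C:\\tmp\\x"
'''


def _unescape(s):
    """Undo .reg escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Return {value_name: data} for the HKLM ...\\Run key only."""
    values = {}
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = _VALUE_RE.match(line)
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def image_path(data):
    """Pull the executable path out of a Run value's command line."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)  # unquoted path, maybe with args
    return m.group(1) if m else (data.split()[0] if data else "")


def suspicious_run_values(values):
    """Return [(name, data, reason)] for entries matching the Webus indicators."""
    findings = []
    for name, data in values.items():
        reasons = []
        if name in WEBUS_VALUE_NAMES:
            reasons.append("value name used by Trojan.Webus.B")
        folder, _, exe = image_path(data).rpartition("\\")
        if exe.lower() == "lsass.exe":
            # The real LSASS is %Windir%\system32\lsass.exe and is started by
            # Windows itself, never via a Run value, so any lsass.exe here is suspect.
            where = "in system32" if folder.lower().endswith("\\system32") else "outside system32"
            reasons.append("Run value launches lsass.exe " + where)
        if reasons:
            findings.append((name, data, "; ".join(reasons)))
    return findings


def _reg_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def removal_reg(value_names):
    """Build a .reg file that deletes the given values ("name"=- syntax)."""
    lines = ["Windows Registry Editor Version 5.00", "", "[" + RUN_KEY + "]"]
    lines += ['"%s"=-' % _reg_escape(n) for n in value_names]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    found = suspicious_run_values(parse_run_values(SAMPLE_EXPORT))
    for name, data, reason in found:
        print("%-22s %-45s %s" % (name, data, reason))
    print(removal_reg([n for n, _, _ in found]))
```

On the infected machine, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, run the triage on that file, review the findings, and only then import the generated removal file with `reg import remove.reg`. Keep the original export: it is both the backup step e asks for and the record of what was changed.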

Always use a reputable antivirus program such as Symantec AntiVirus or Norton AntiVirus, and keep it updated, to protect your computer from Trojan attacks.

