****************************************************************************
Utility for cleaning infection by:
  I-Worm.BleBla.b
  I-Worm.Navidad
  I-Worm.Sircam
  I-Worm.Goner
  I-Worm.Klez.a,e,f,g,h
  Win32.Elkern.c
  I-Worm.Lentin.a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p
  I-Worm.Tanatos.a,b
  Worm.Win32.Opasoft.a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p
  I-Worm.Avron.a,b,c,d,e
  I-Worm.LovGate.a,b,c,d,e,f,g,h,i,j,k,l
  I-Worm.Fizzer
  I-Worm.Magold.a,b,c,d,e
  Worm.Win32.Lovesan
  Worm.Win32.Welchia
  I-Worm.Sobig.f
  I-Worm.Dumaru.a-d
  Trojan.Win32.SilentLog.a-b
  Backdoor.Small.d
  I-Worm.Swen
  Backdoor.Afcore.l-ad
  I-Worm.Sober.a,c
  I-Worm.Novarg

Version 10.1.0.7
Copyright (C) Kaspersky Lab 2000-2004. All rights reserved.
****************************************************************************

Command line:
  /s[n]       - force scanning of hard drives. The program scans hard drives
                for I-Worm.Klez.a(e,f,g,h) infection in any case.
                n - also scan mapped network drives.
  /y          - end the program without waiting for a key press.
  /i          - show command line info.
  /nr         - never reboot the system automatically.
  /Rpt[ao][=] - create a report file
                a - append to the report file
                o - report only (do not cure/delete infected files)

Return codes:
  0 - nothing to clean
  1 - virus was deleted and system restored
  2 - to finalize removal of the virus you should reboot the system
  3 - to finalize removal of the virus you should reboot the system and
      start the program a second time
  4 - program error.
****************************************************************************
I-Worm.BleBla.b
---------------
If the program finds the HKEY_CLASSES_ROOT\rnjfile key in the registry, it:
  deletes registry keys
    HKEY_CLASSES_ROOT\rnjfile
    HKEY_CLASSES_ROOT\.lha
  repairs registry keys to their default value
    HKEY_CLASSES_ROOT\.jpg   to jpegfile
    HKEY_CLASSES_ROOT\.jpeg  to jpegfile
    HKEY_CLASSES_ROOT\.jpe   to jpegfile
    HKEY_CLASSES_ROOT\.bmp   to Paint.Picture
    HKEY_CLASSES_ROOT\.gif   to giffile
    HKEY_CLASSES_ROOT\.avi   to avifile
    HKEY_CLASSES_ROOT\.mpg   to mpegfile
    HKEY_CLASSES_ROOT\.mpeg  to mpegfile
    HKEY_CLASSES_ROOT\.mp2   to mpegfile
    HKEY_CLASSES_ROOT\.wmf   to empty
    HKEY_CLASSES_ROOT\.wma   to wmafile
    HKEY_CLASSES_ROOT\.wmv   to wmvfile
    HKEY_CLASSES_ROOT\.mp3   to mp3file
    HKEY_CLASSES_ROOT\.vqf   to empty
    HKEY_CLASSES_ROOT\.doc   to word.document.8 or wordpad.document.1
    HKEY_CLASSES_ROOT\.xls   to excel.sheet.8
    HKEY_CLASSES_ROOT\.zip   to winzip
    HKEY_CLASSES_ROOT\.rar   to winrar
    HKEY_CLASSES_ROOT\.arj   to archivefile or winzip
    HKEY_CLASSES_ROOT\.reg   to regfile
    HKEY_CLASSES_ROOT\.exe   to exefile
  tries to delete the file
    c:\windows\sysrnj.exe

I-Worm.Navidad
--------------
If the program finds the HKEY_CURRENT_USER\Software\Navidad,
HKEY_CURRENT_USER\Software\xxxxmas or HKEY_CURRENT_USER\Software\Emanuel key
in the registry, it:
  deletes registry keys and values
    HKEY_CURRENT_USER\Software\Navidad
    HKEY_CURRENT_USER\Software\xxxxmas
    HKEY_CURRENT_USER\Software\Emanuel
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      value Win32BaseServiceMOD
  repairs registry keys to their default value
    HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %*
  tries to delete the files
    winsvrc.vxd
    winfile.vxd
    wintask.exe

I-Worm.Sircam
-------------
If the program finds the HKEY_LOCAL_MACHINE\Software\SirCam key in the
registry, the line "@win \recycled\sirc32.exe" in autoexec.bat, or a
\windows\run32.exe and \windows\rundll32.exe that were created in Delphi, it:
  deletes registry keys and values
    HKEY_LOCAL_MACHINE\Software\SirCam
    Software\Microsoft\Windows\CurrentVersion\RunServices
      value Driver32
  repairs the registry key to its default value
    HKEY_CLASSES_ROOT\exefile\shell\open\command to "%1" %*
  tries to delete the files
    %Windows drive%:\RECYCLED\SirC32.exe
    %Windows directory%\ScMx32.exe
    %Windows system directory%\SCam32.exe
    %Windows startup directory%\"Microsoft Internet Office.exe"
    %Windows drive%:\windows\rundll32.exe
  tries to rename the file
    %Windows drive%:\windows\Run32.exe to %Windows drive%:\windows\RunDll32.exe
  tries to repair the file
    autoexec.bat

Other viruses
-------------
If the program finds any processes in memory infected by these viruses, it
tries to unhook the virus hooks and patch the affected processes to stop
reinfection, or stops them; it then deletes or cures their files on the hard
drive and removes the links to those files from the system registry and the
other startup places.

If the program finds any infected processes in memory, it starts scanning
your hard drives. It checks only for infection by these viruses. If you
specify the /s key on the command line, the program scans your hard drives
(and all mapped network drives if you specify /sn) in all cases.

If the Win32.Elkern.c virus has created a memory mapping, the program
disinfects this memory area.

If the program cannot delete or rename a file (it may be in use at the
moment), it adds the file to a queue to be deleted or renamed during the
next bootup and offers the user a system reboot.
The program can restore the following startup links used by viruses:
  autoexec.bat
    win %virus file path and name%
  win.ini
    section [Windows]
      run=
  system.ini
    section [boot]
      shell=
  registry keys
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
      values AppInit_DLLs
             Run
    HKEY_CLASSES_ROOT\txtfile\shell\open\command (txt association)
      restoring to a link to the notepad.exe program
    HKEY_CLASSES_ROOT\exefile\shell\open\command (exe association)
      restoring to "%1" %*
    HKEY_CLASSES_ROOT\comfile\shell\open\command (com association)
      restoring to "%1" %*
    HKEY_CLASSES_ROOT\batfile\shell\open\command (bat association)
      restoring to "%1" %*
    HKEY_CLASSES_ROOT\piffile\shell\open\command (pif association)
      restoring to "%1" %*
    HKEY_CLASSES_ROOT\cmdfile\shell\open\command (cmd association)
      restoring to "%1" %*
    HKEY_CLASSES_ROOT\scrfile\shell\open\command (scr association)
      restoring to "%1" /S
    HKEY_CLASSES_ROOT\scrfile\shell\config\command (scr association)
      restoring to "%1"
    HKEY_CLASSES_ROOT\regfile\shell\open\command (reg association)
      restoring to regedit.exe "%1"
  installed NT services
  mIRC start scripts
    \Mirc\script.ini
    \Mirc32\script.ini
  Pirch start scripts
    \Pirch98\events.ini
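The association defaults and startup keys listed above (and the extension-to-ProgID defaults in the I-Worm.BleBla.b section) double as a baseline an administrator can check a machine against. The Python script below is an added example, not code from the Kaspersky utility or its readme: it parses a registry export in .reg format, flags any of the listed HKEY_CLASSES_ROOT values that deviate from the documented defaults, and lists every entry under the Run-type keys for review. The .reg text inside it is constructed sample input standing in for `reg export` output; the key paths, default values, and the names rnjfile and Win32BaseServiceMOD are taken from the readme, while the file paths and the names example_hijack.exe and ExampleTool are invented for the demonstration.

```python
import re

# Documented defaults for shell\...\command values (from the readme list).
# Each entry is a tuple of accepted values; "X or Y" in the readme becomes two.
DEFAULT_COMMANDS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": ('"%1" %*',),
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": ('"%1" %*',),
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": ('"%1" %*',),
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command": ('"%1" %*',),
    r"HKEY_CLASSES_ROOT\cmdfile\shell\open\command": ('"%1" %*',),
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": ('"%1" /S',),
    r"HKEY_CLASSES_ROOT\scrfile\shell\config\command": ('"%1"',),
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": ('regedit.exe "%1"',),
}
# Extension -> ProgID defaults from the I-Worm.BleBla.b section (a subset).
DEFAULT_PROGIDS = {
    r"HKEY_CLASSES_ROOT\.jpg": ("jpegfile",),
    r"HKEY_CLASSES_ROOT\.jpeg": ("jpegfile",),
    r"HKEY_CLASSES_ROOT\.gif": ("giffile",),
    r"HKEY_CLASSES_ROOT\.doc": ("word.document.8", "wordpad.document.1"),
    r"HKEY_CLASSES_ROOT\.xls": ("excel.sheet.8",),
    r"HKEY_CLASSES_ROOT\.zip": ("winzip",),
    r"HKEY_CLASSES_ROOT\.arj": ("archivefile", "winzip"),
    r"HKEY_CLASSES_ROOT\.reg": ("regfile",),
    r"HKEY_CLASSES_ROOT\.exe": ("exefile",),
}
# The readme only says txtfile must point at notepad.exe, so it is checked
# by substring rather than by exact value.
TXT_COMMAND_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
# Startup keys named in the readme; every value under them is a startup entry.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)


def unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " (one pass, in order)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse the subset of .reg syntax that `reg export` writes for string data:
    [key] headers followed by @="..." (default value) or "name"="..." lines.
    Returns {key: {value_name: value}}; the default value is stored under "".
    Non-string data (dword:, hex:) is kept as its raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or current is None:
            continue
        name = "" if m.group(1) == "@" else unescape(m.group(2))
        value = m.group(3)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = unescape(value[1:-1])
        keys[current][name] = value
    return keys


def audit(keys):
    """Return (findings, startup_entries). findings holds (key, expected, actual)
    for association values that deviate from the documented defaults;
    startup_entries lists (key, name, command) for every Run-type value."""
    findings = []
    for key, accepted in {**DEFAULT_COMMANDS, **DEFAULT_PROGIDS}.items():
        actual = keys.get(key, {}).get("")
        if actual is not None and actual not in accepted:
            findings.append((key, " or ".join(accepted), actual))
    txt = keys.get(TXT_COMMAND_KEY, {}).get("")
    if txt is not None and "notepad.exe" not in txt.lower():
        findings.append((TXT_COMMAND_KEY, "a command running notepad.exe", txt))
    startup = [(key, name, value)
               for key in RUN_KEYS
               for name, value in sorted(keys.get(key, {}).items())]
    return findings, startup


# CONSTRUCTED sample export (not a real machine): two deviations and two
# startup entries. The file paths and the names example_hijack.exe and
# ExampleTool are invented for this example.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="C:\\WINDOWS\\example_hijack.exe \"%1\" /S"

[HKEY_CLASSES_ROOT\.jpg]
@="rnjfile"

[HKEY_CLASSES_ROOT\.zip]
@="winzip"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win32BaseServiceMOD"="C:\\WINDOWS\\winsvrc.vxd"
"ExampleTool"="C:\\Program Files\\Example\\tool.exe"
'''


def run_sample():
    return audit(parse_reg(SAMPLE_EXPORT))


if __name__ == "__main__":
    findings, startup = run_sample()
    for key, expected, actual in findings:
        print(f"DEVIATION {key}\n  expected: {expected}\n  actual:   {actual}")
    for key, name, value in startup:
        print(f"STARTUP   {key} [{name}] = {value}")
```

On a real machine the input would be the output of `reg export` for the keys in question (one file per hive root, since HKCR and HKLM are exported separately); the parser deliberately skips hex continuation lines and binary data because every value the readme restores is a plain string. A deviation is a lead for review rather than proof of infection: legitimate software also registers its own ProgIDs and Run entries.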