Status
Thread closed

بوعبداللطيف

Member
#1
..
Thanks in advance, brothers ..
Honestly, I'm having a problem with a virus and I have no idea what it wants :confused:
It is called ( svcsp.exe )
I delete it and it comes back after a while; McAfee tells me there is a virus with that name ..
and that it cannot be repaired or deleted through McAfee ..
So I go to the file's location and delete it, and the message goes away .. then after two or three days it shows up again ..
I would appreciate any help :(:(
 

arabic-lion

Professional member
#3
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.UJ

WORM_AGOBOT.UJ







--------------------------------------------------------------------------------

Virus type: Worm

Destructive: No

Pattern file needed: 1.952.32

Scan engine needed: 6.810

Overall risk rating: Low

--------------------------------------------------------------------------------

Reported infections: Low

Damage Potential: High

Distribution Potential: High



--------------------------------------------------------------------------------

Description:

This memory-resident worm is another variant of the AGOBOT family that exploits the vulnerabilities discussed in the following pages:

Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-001

This worm propagates through network shares, and drops a copy of itself as SVCSP.EXE in the Windows system folder. It uses a list of user names and passwords to gain access to shared folders.

It acts as a server program controlled by an Internet Relay Chat (IRC) bot, thus capable of certain backdoor activities.

It is also capable of stealing the CD keys of popular Windows-based games and terminating certain programs.

This worm also is capable of launching denial of service (DoS) attacks. Lastly, it modifies the HOSTS file, which prevents the user from accessing certain antivirus and security Web sites.

It runs on Windows 95, 98, ME, NT, 2000 and XP.

Solution:



Restarting in Safe Mode

» On Windows 95


Restart your computer.
Press F8 at the Starting Windows 95 message.
Choose Safe Mode from the Windows 95 Startup Menu then press Enter.

» On Windows 98 and ME


Restart your computer.

Press the CTRL key until the startup menu appears.

Choose the Safe Mode option then press Enter.

» On Windows NT (VGA mode)


Click Start>Settings>Control Panel.
Double-click the System icon.
Click the Startup/Shutdown tab.
Set the Show List field to 10 seconds and click OK to save this change.
Shut down and restart your computer.
Select VGA mode from the startup menu.

» On Windows 2000


Restart your computer.

Press the F8 key when you see the Starting Windows bar at the bottom of the screen.

Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

» On Windows XP


Restart your computer.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.

Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

Terminating the Malware Program

This procedure terminates the running malware process.

Open Windows Task Manager.
» On Windows 95, 98, and ME, press
CTRL+ALT+DELETE
» On Windows NT, 2000, and XP, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the process:
SVCSP.EXE
Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.

--------------------------------------------------------------------------------
*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
MsnServices = "svcsp.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry or entries:
MsnServices = "svcsp.exe"

--------------------------------------------------------------------------------
NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Removing Malware Entries from the HOSTS file

Deleting malware entries from the HOSTS file prevents the redirection of antivirus Web sites to the local machine.


Open the following file using a text editor (such as NOTEPAD):
%System%\drivers\etc\HOSTS
(Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
Delete the following entries:
Save the file and close the text editor.

RECOMMENDATIONS

Applying Patches

This malware exploits known vulnerabilities affecting the Windows NT platforms. Download and install the following patches to secure your system:

Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-001

Refrain from using your Microsoft product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_AGOBOT.UJ. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business or home PC.



For additional information about this threat, see Technical Details.
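
The manual checks in the advisory above can be verified with a short script. This is an added example, not part of the original post or of Trend Micro's advisory. It assumes the HOSTS file contents and the text output of `reg query` for the Run and RunServices keys are passed in as strings. The sample data is constructed, and the HOSTS check goes beyond a fixed name list by flagging every non-local hostname pinned to a loopback address.

```python
import re

# Names that legitimately resolve to loopback in a HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
LOOPBACK = re.compile(r"^(127(\.\d{1,3}){3}|::1)$")
# Autostart value name and file name given in the advisory.
WORM_VALUE, WORM_FILE = "msnservices", "svcsp.exe"
# One value line of `reg query` output: name, type, data (spaces or tabs).
REG_LINE = re.compile(r"^\s+(\S.*?)\s+(REG_\w+)\s+(.*)$")

def hosts_redirects(hosts_text):
    """Return (line_no, hostname) for every non-local name pinned to loopback."""
    hits = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2 or not LOOPBACK.match(fields[0]):
            continue
        hits += [(n, h.lower()) for h in fields[1:] if h.lower() not in LOCAL_NAMES]
    return hits

def autostart_hits(reg_query_text):
    """Return (key, value_name, data) for autostart values that launch svcsp.exe."""
    hits, key = [], None
    for raw in reg_query_text.splitlines():
        m = REG_LINE.match(raw)
        if raw.startswith("HKEY_"):
            key = raw.strip()  # remember which key the following values belong to
        elif m and (m.group(1).lower() == WORM_VALUE or WORM_FILE in m.group(3).lower()):
            hits.append((key, m.group(1), m.group(3).strip()))
    return hits

# Constructed sample input (placeholder hostnames, not from an infected machine).
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1   localhost
127.0.0.1   updates.av-vendor.example   # redirect that blocks updates
127.0.0.1 www.av-vendor.example av-vendor.example
192.0.2.10  intranet.example
"""
SAMPLE_REG = """\
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    MsnServices    REG_SZ    svcsp.exe
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices
    MsnServices    REG_SZ    svcsp.exe
"""

if __name__ == "__main__":
    print(hosts_redirects(SAMPLE_HOSTS))
    print(autostart_hits(SAMPLE_REG))
```

An empty result from both functions after cleanup and a reboot indicates the autostart entries and HOSTS redirects have not returned. HOSTS files deliberately used for ad blocking will also be flagged by the loopback check.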
 