W32/Delbot-AK


Has anybody experienced a virus referenced as W32/Delbot-AK by Sophos?

We have attempted to clear it using Sophos across servers.

We think the following files have something to do with the infection:
cnen.exe & ntoepad.exe.

Does anyone have experience of this and recommendations for removal?


Re: W32/Delbot-AK

In article <1176894469.489878.283310@b75g2000hsg.googlegroups.com>, paulcarr@handleman.co.uk says...
http://www.sophos.com/virusinfo/analyses/w32delbotak.html says this:

W32/Delbot-AK is a worm with backdoor functionality for the Windows platform.

W32/Delbot-AK spreads to other network computers by:
- Scanning network shares for weak passwords
- Exploiting common buffer overflow vulnerabilities:
  - Symantec (SYM06-010)
  - Microsoft Security Advisory (935964): Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.

When first run W32/Delbot-AK copies itself to <System>\ntoepad.exe and attempts to download and execute a file from a remote location to <Root>\radi.exe. At the time of writing, this file was unavailable for download.

The following registry entry is created to run ntoepad.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Notepad
<System>\ntoepad.exe



So it looks simple enough to clean.
Boot to Safe Mode, delete that file and registry entry - or just scan with
Sophos.
Password all usernames, including Guest even if it shows as
disabled.
Re-boot.
Password any shares
Get up to date with MS patches.

--
If you don't want the whelks don't muck 'em about
If you don't want them someone else may

Re: W32/Delbot-AK

dave@davebudd.org.ku says...
Ah, you mentioned servers. If you want to avoid booting, you ought to be able to kill the process claiming to be notepad (but which is actually the ntoepad exe) with Task Manager and then remove the registry entry and then delete the file.

Sophos issued an IDE for this around 07:00 (GMT+1) today so if your servers are running it on-access the thing shouldn't get in again, assuming you do hourly updates as recommended by Sophos.
--
If you don't want the whelks don't muck 'em about
If you don't want them someone else may
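The two replies above describe one procedure (kill the process posing as notepad, remove the Run value, delete the file, then password every account and share and patch). Here is that procedure as a PowerShell check, added as an example for this thread; it is not code from the thread, from Sophos or from Microsoft. The indicator values (the "Notepad" Run value, <System>\ntoepad.exe, <Root>\radi.exe) are taken from the Sophos analysis quoted above, cnen.exe from the original post; the function name, the -Remove switch and the "report only" handling of cnen.exe are this example's own choices. Run it from an elevated prompt after the Sophos IDE is installed.

```powershell
function Test-DelbotAK {
    # Added example for the thread above, not the thread's or Sophos's own tooling.
    # Reports the W32/Delbot-AK indicators from the quoted analysis; with -Remove it
    # carries out the manual steps from the replies. Supports -WhatIf/-Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Remove   # without it the function only reports
    )

    $runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'Notepad'                                       # value name used by the worm
    $wormExe   = Join-Path $env:SystemRoot 'System32\ntoepad.exe'   # <System>\ntoepad.exe
    $dropExe   = Join-Path $env:SystemDrive 'radi.exe'              # <Root>\radi.exe
    $opExe     = Join-Path $env:SystemRoot 'System32\cnen.exe'      # named by the OP only; reported, never deleted
    $findings  = @()

    # 1. Process first: the file cannot be deleted while it runs, and a live copy
    #    could re-create the Run value. The process name is "ntoepad", which is
    #    easy to misread as notepad in Task Manager.
    foreach ($p in Get-Process -Name 'ntoepad' -ErrorAction SilentlyContinue) {
        $findings += "process PID $($p.Id) ($($p.Path))"
        if ($Remove -and $PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force
        }
    }

    # 2. Autorun value. Match on the data, not only the name, so a legitimate
    #    value that merely happens to be called "Notepad" is left alone.
    $data = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($data -and $data -imatch 'ntoepad\.exe') {
        $findings += "Run value '$valueName' = $data"
        if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$valueName", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $runKey -Name $valueName
        }
    }

    # 3. Dropped files.
    foreach ($f in @($wormExe, $dropExe)) {
        if (Test-Path -LiteralPath $f) {
            $findings += "file $f"
            if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
                Remove-Item -LiteralPath $f -Force
            }
        }
    }
    if (Test-Path -LiteralPath $opExe) {
        $findings += "file $opExe (mentioned by the OP; confirm with a scan before deleting)"
    }

    # 4. What the worm spreads through: local accounts with no password
    #    requirement (Guest included, even when disabled) and non-administrative
    #    disk shares. These are reported so they can be passworded/ACL'd by hand.
    Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE' |
        Where-Object { -not $_.PasswordRequired } |
        ForEach-Object { $findings += "account '$($_.Name)' requires no password (disabled: $($_.Disabled))" }
    Get-CimInstance Win32_Share -Filter 'Type = 0' |
        Where-Object { $_.Name -notmatch '\$$' } |
        ForEach-Object { $findings += "share '$($_.Name)' -> $($_.Path)" }

    # 5. The quoted Microsoft advisory concerns the DNS Server RPC interface, so it
    #    only matters on hosts that actually run that service.
    if (Get-Service -Name 'DNS' -ErrorAction SilentlyContinue) {
        $findings += 'DNS Server service present: apply the fix for Microsoft Security Advisory 935964'
    }

    return $findings
}
```

`Test-DelbotAK` alone lists what it finds; `Test-DelbotAK -Remove -WhatIf` shows which process, value and files it would act on; `Test-DelbotAK -Remove` performs the cleanup. The order (process, then Run value, then files) matters for the reason the second reply gives: the copy that is running is the one that would otherwise put the file and the registry entry back. Patching for the two listed vulnerabilities is still a separate step; a scan with up-to-date Sophos definitions afterwards confirms nothing was missed.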
