SWBADTRB
--------

Version 1.00, November 2001
Copyright (c) 2001, Sophos Plc, www.sophos.com

1. Introduction
2. Making the SWBADTRB floppy disk
3. Preparing to run SWBADTRB
   a) On Windows 95/98 and FAT-based systems
   b) On Windows Me
   c) On Windows NT/2000/XP
4. Running SWBADTRB
5. After running SWBADTRB
   a) Checking removal
   b) Restarting Windows
   c) Purging system restore
   d) Changing your passwords
   e) Installing the security patch
   f) Reversing the registry change that the worm has made
6. Additional SWBADTRB options
7. For further assistance

1. INTRODUCTION
---------------

SWBADTRB is a utility for deleting the worm 'W32/Badtrans-B' and the Trojan
'Troj/PWS-AV'. The worm infects most 32-bit Windows platforms (Windows 95, 98,
Me, NT and 2000) and installs a copy of the Trojan. It does not affect any
files already existing on the system. It can spread by sending out infected
emails.

Details of W32/Badtrans-B and Troj/PWS-AV can be found at

  http://www.sophos.com/virusinfo/analyses/w32badtransb.html
  http://www.sophos.com/virusinfo/analyses/trojpwsav.html

The tool these notes refer to can be found at

  http://www.sophos.com/tools/badtbsfx.exe

It is not necessary for a user to double-click on the attachment to become
infected, as this worm can exploit a security vulnerability in Microsoft
Internet Explorer, Outlook and Outlook Express. To prevent reinfection, users
of Microsoft Outlook and Outlook Express should install the following patch
available from Microsoft:

  http://www.microsoft.com/technet/security/bulletin/MS01-027.asp

(This patch fixes a number of vulnerabilities in Microsoft's software,
including the one exploited by this worm.)

Read through these notes before starting to disinfect your computer(s).

2. MAKING THE SWBADTRB FLOPPY DISK
----------------------------------

On an uninfected computer, get BADTBSFX.EXE from the \tools\utils directory on
the Sophos CD or download it from

  http://www.sophos.com/tools/badtbsfx.exe

and copy it to a floppy disk.
Write-protect the floppy disk. The self-extracting archive badtbsfx.exe contains
SWBADTRB and these instructions.

3. PREPARING TO RUN SWBADTRB
----------------------------

Before running SWBADTRB, ensure that the worm is not active on your computer by
following the instructions below. Choose the appropriate steps for your
operating system.

Sophos recommends that you shut down any Internet connection on the affected
computer(s). This will prevent the worm from spreading further while you are
cleaning.

a) On Windows 95/98 and FAT-based systems

Restart the computer in MS-DOS mode. This worm is a 32-bit program and cannot
survive in 16-bit DOS mode. Note that starting a Command Prompt (a DOS window)
is not enough.

Go to the Start menu and select Shut Down. Choose the option "Restart the
computer in DOS mode". This disables the worm and provides a safe environment
for disinfection.

b) On Windows Me

This version of Windows does not allow you to exit directly into MS-DOS mode.
You must create a startup disk to boot from.

At the Windows taskbar, select Start|Settings|Control Panel. Click on
"Add/Remove Programs". Select the "Startup Disk" tab and press the "Create
Disk" button. When you have created the startup disk, write-protect it. Place
it in the A: drive and reboot to a command prompt. This disables the worm and
provides a safe environment for disinfection.

c) On Windows NT/2000/XP

Open Task Manager to stop the process used by the worm. Press the CTRL, ALT and
DEL keys at the same time. Select "Task Manager". Click on the "Processes" tab.
Highlight the process "KERNEL32.EXE" and click on "End Process". You will see
a confirmation message. Click "Yes".

You must also disable InterCheck before running SWBADTRB, as it would prevent
SWBADTRB from opening and cleaning infected files. At the Windows taskbar,
select Start|Program files|Sophos Anti-Virus|Sophos Anti-Virus. Click on the
"InterCheck Client" tab and press the "STOP" button.
To open a command prompt, go to Start|Run. In the dialog box that appears,
enter the command "CMD.EXE". Press Enter. A command prompt window appears.

Press the CTRL, ALT and DEL keys at the same time. Click the "Task Manager"
button and select the "Processes" tab. Highlight the entry for "Explorer.exe"
and click on "End Process". The entire Windows desktop (including the Taskbar)
should disappear. You can now run SWBADTRB from the command prompt you just
opened.

4. RUNNING SWBADTRB
-------------------

Insert the BADTBSFX.EXE floppy disk. At the command prompt (see 3a, 3b or 3c),
type

  C:
  CD \
  MD SOPHTEMP
  CD SOPHTEMP
  A:BADTBSFX

This will unpack the SWBADTRB program files into the directory C:\SOPHTEMP.

To clean files on the C: drive, type the following:

  SWBADTRB C:

If you have more than one hard drive, clean it after you have cleaned the C:
drive. See below.

You will see the following:

  SWBADTRB -- find and delete 'W32/Badtrans-B' and 'Troj/PWS-AV' -- Version 1.00
  Copyright (c) 2001, Sophos Plc, www.sophos.com

Cleanup will start. When infected files are found, you will be asked if you
want to remove them:

  >>> Virus 'W32/Badtrans-B' found in file C:\SOME\FILE.EXE
  Proceed with disinfection (Y/N) ?

Press 'Y' to delete the file. You should see:

  Disinfection successful

If it was impossible to delete the file, for example if the file was running,
you will see:

  Disinfection unsuccessful

IMPORTANT: if this happens you must stop that process or service and repeat
the scan. See section 3. This may occur in Windows NT/2000/XP; it should not
happen in Windows 95/98/Me.

Now clean any other hard drives, e.g.:

  SWBADTRB D:

5. AFTER RUNNING SWBADTRB
-------------------------

You now need to ensure that the files have been deleted and that reinfection
cannot occur.
a) Checking removal

At the end of the run, SWBADTRB will produce a summary like this:

  Infected files claimed in report: X
  Files not cleaned: 0
  Disinfected: 0
  Deleted: Y
  Errors during disinfection: Z

Note that if Y (the number of files deleted) is less than X (the number of
infected files found) then infected files remain on the disk. As mentioned
above, you should ensure they are not running and repeat the scan with
SWBADTRB.

b) Restarting Windows

When SWBADTRB is finished and you have deleted all the worm files, you can
restart Windows. On Windows 95/98/Me simply reboot and Windows will restart.

On Windows NT/2000/XP you may not want to reboot (for example, if the computer
is a server). Instead, type the command EXPLORER in the command window. This
will restart the Windows desktop and Taskbar.

Restart InterCheck in order to restore active protection. At the Windows
taskbar, select Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus. Select the
"InterCheck Client" tab and click the "GO" button.

c) Purging system restore

Users of Windows Me or Windows XP should purge the contents of System Restore
to remove any backed up copies of the worm or Trojan. To do this:

Right-click the 'My Computer' icon on the desktop, select 'Properties' and then
choose 'Performance'. Click 'File System' and then click the 'Troubleshooting'
tab. Click to select the 'Disable System Restore' check box and click 'Apply'.
Then click to clear the 'Disable System Restore' check box and click 'OK'.
Restart the computer. The contents of your System Restore folder will be erased
(you will not lose any of your ordinary data).

Scan your computer with Sophos Anti-Virus to ensure that the worm has gone.

d) Changing your passwords

Sophos recommends changing passwords on any affected PCs as they may have been
stolen by Troj/PWS-AV. This could be considered a serious security breach.
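Applying the check in 5a by hand is fine on one machine but error-prone across many. The script below is an added example (not part of the Sophos tool or these notes) that parses the per-file lines and the summary shown in sections 4 and 5a and reports whether a re-scan is needed; the sample output is constructed, and it is assumed that a log written with -LF (section 6) carries the same lines as the screen output.

```python
import re

# Constructed sample of SWBADTRB output (not a real run): two detections, the
# first of which could not be deleted because the file was still running.
SAMPLE_OUTPUT = """\
>>> Virus 'W32/Badtrans-B' found in file C:\\SOME\\FILE.EXE
Proceed with disinfection (Y/N) ? Y
Disinfection unsuccessful
>>> Virus 'Troj/PWS-AV' found in file C:\\SOME\\OTHER.EXE
Proceed with disinfection (Y/N) ? Y
Disinfection successful
Infected files claimed in report: 2
Files not cleaned: 0
Disinfected: 0
Deleted: 1
Errors during disinfection: 1
"""

FOUND_RE = re.compile(r"^>>> Virus '([^']+)' found in file (.+)$")
SUMMARY_RE = re.compile(r"^(Infected files claimed in report|Files not cleaned|"
                        r"Disinfected|Deleted|Errors during disinfection): (\d+)$")

def parse_report(text):
    """Return (summary counts, [(virus, path, outcome)]) from SWBADTRB output."""
    summary, detections, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = FOUND_RE.match(line)
        if m:                                    # a new detection line
            current = [m.group(1), m.group(2), "unknown"]
            detections.append(current)
        elif line.startswith("Disinfection ") and current is not None:
            current[2] = line.split()[1]         # "successful" / "unsuccessful"
            current = None
        elif SUMMARY_RE.match(line):             # one of the summary counters
            key, value = line.rsplit(": ", 1)
            summary[key] = int(value)
    return summary, [tuple(d) for d in detections]

def cleanup_status(text):
    """Apply the 5a rule: Deleted (Y) must equal found (X) with no errors (Z)."""
    summary, detections = parse_report(text)
    found = summary.get("Infected files claimed in report", 0)
    deleted = summary.get("Deleted", 0)
    errors = summary.get("Errors during disinfection", 0)
    remaining = [path for _, path, outcome in detections if outcome != "successful"]
    complete = deleted == found and errors == 0 and not remaining
    return {"found": found, "deleted": deleted, "errors": errors,
            "complete": complete, "remaining": remaining}
```

Redirect the run's output (or the -LF log) to a file and pass its contents to cleanup_status; the "remaining" list names the files whose process or service must be stopped before the scan is repeated. A run with -NOC produces no prompt lines, which the parser simply ignores.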
e) Installing the security patch

This worm can exploit a security vulnerability in Microsoft Internet Explorer,
Outlook and Outlook Express. To prevent reinfection, you should install the
following patch available from Microsoft:

  http://www.microsoft.com/technet/security/bulletin/MS01-027.asp

(This patch fixes a number of vulnerabilities in Microsoft's software,
including the one exploited by this worm.)

f) Reversing the registry change that the worm has made

You may wish to reverse the registry change that the worm has made. This is
optional.

At the Windows taskbar, select Start|Run. Type in "Regedit" and press Return.
The registry editor will open. Before you edit the registry, it is recommended
you make a backup. To do this, in the Registry menu, click on Export Registry
File, in Export Range select All, then save your registry as Backup.

Locate the key:

  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

and delete the following value, if it exists:

  Kernel32

It will be pointing to a file called kernel32.exe. You should now close
Registry Editor and restart your computer.

6. ADDITIONAL SWBADTRB OPTIONS
------------------------------

If you do not want SWBADTRB to request confirmation before attempting to remove
each file, add the -NOC (for 'no confirmation') option when you run the
program:

  SWBADTRB -NOC C:

If you want to produce a report recording the actions taken by SWBADTRB, add
-LF=filename to write a log file:

  SWBADTRB -LF=SAV.LOG C:

If you want more detailed information in the disinfection log, add the -V
(verbose) qualifier when executing the program:

  SWBADTRB -LF=SAV.LOG -V C:

If you do not want more detailed information in the disinfection log, add the
-NV (not verbose) qualifier when executing the program. (This is the default
option.)

Note: the log files may become very large, particularly on servers containing
thousands of files.

7. FOR FURTHER ASSISTANCE
-------------------------

For further assistance, please contact Sophos technical support
(support@sophos.com).

7 April 2003
----------------