The latest variant as discussed by Sophos is a user mode only variant (for 64bit OS compatibility) which is quite different in the removal process from previous versions. Fortunately, it’s easier! So I wrote a quick removal tool.
Download the Removal Tool and Check out our Youtube Video and one from Britec09 here.
The tool first scans the appropriate registry values for the infection, and if found it will extract the paths of the malware from the reg values and rename them. At this point the tool prompts you to reboot so the renamed malware cannot execute again; after reboot, run the tool again and it will complete the removal by writing the correct reg values and deleting the renamed malware.
If you are a D7 user, this functionality has already be added to D7 v6.4 where it will automatically check for/remove this new variant on startup. Youtube video to follow soon.
EDIT: Some infections of the latest ZA will download new payload onto the machine and infect the WindowsSystem32services.exe – When you neuter the infection the infected services.exe will force Windows to continually reboot.
This tool has been updated on 6/24/2012 to replace services.exe with a known good copy.
Also, I discovered D7’s Repair Firewall function to be ineffective at repairing the damage done by this malware. Updated to v6.4.7 which includes new functionality and will successfully repair the Windows Firewall.
3 Comments
Leave your reply.