Posted by Milo (MSPSS) on June 8, 2007, 1:10 pm
This is great information you have here, sir.
Please visit this website:
http://www.microsoft.com/security/portal/default.aspx
mpcfb@microsoft.com
Thanks,
--
Milo
MSPSS
"Mark" wrote:
> Greetings all, this is what I have used to contain this bug, so far so good,
> but what is it up to in the background? We have CA AV and have submitted a
> sample to them; the defs will be out in a few hours. Here is my fix:
>
> Virus info
>
> How to Identify:
> File size equals 208Kb, uses a folder icon and the same name as the parent folder,
> but is an executable.
> NB: Turn on viewing of system files and hidden files, and also show file extension
> types.
> Removal instructions (some of the info below was from the AGV forum)
> Description of what it does:
> If you enter a directory it creates an exe of that directory, e.g.
> enter the directory c:\Program Files\ and it will create Program Files.exe
>
> Properties of Program Files.exe:
> Version:
> Comments - Butterfly.
> File version - 1.00
> Internal name - My Things
> Language - English(United states)
> Legal Trademarks - 2007
> Original file name - My Things.exe
> Product Name - butterfly
>
> Ensure you set the PC to show hidden and system files and file extensions.
> Where it is located:
> Registry:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> That is the entry that starts the bug.
>
> Physical location if windows XP:
> c:\WINDOWS\Help\sched.exe or schedl.exe
>
> If Windows 2000: C:\WINNT\Help\sched.exe or schedl.exe
>
> How to stop it:
> 0) Turn off system restore
> 1) Open Task Manager, go to Processes, sort by Image Name. Find the sched.exe
> and kill it.
> 2) Delete the entry from the registry
> 3) Delete the sched.exe file
> 4) Need to find all the infected *.exe and delete them. If you run them, it
> will reinstall itself.
> 5) Search for *.exe from 01 May 2007 to present, look for hidden files with
> a maximum size of 209Kb and make a detailed list of them.
> 6) Check the properties. If they match, delete them! Empty the recycle bin
> (safety net in case any valid files are deleted).
> 7) Restart machine and check 1) to 3).
> 8) If the user is using Offline Files and Folders and has no reason to be
> using them, clear the offline folder cache by using Shift + left CTRL +
> Delete, then disable Offline Files and Folders.
> 9) Reboot and re-check 1, 2 and 3
> 10) The user may have browsed to network shares and used a memory stick, mp3
> player or cellphone to view or store data. Run from step 5 to search and
> delete the dormant virus files.
>
> You can add the following basic script to the beginning (must be the beginning)
> of a logon batch file to kill the virus on an XP workstation. (It can also be
> added as a startup script via a GPO.)
>
> rem ****************************************************
> rem Butterfly virus containment 06-06-07 mtd (thanks uct for the basics!)
> rem ****************************************************
> echo This batch will kill the schedl.exe
> echo process and remove it from startup
> echo ---------------------------------------
> rem ---------------------------------------
> taskkill /F /IM schedl.exe /T
> REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v schedl /f
>
> del /ah c:\WINDOWS\Help\schedl.exe
> cls
> echo Completed "schedl.exe" removal
>
> Explorer stays very slow after the reboot!
>
> This is a temporary fix until the AV vendors recognise this as a virus and
> provide a fix with a system clean. We are unsure as to what else this bug
> gets up to. It is possible that your antispam box will be hammered with
> x@yourdomain.x!
>
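As an added example (not Mark's batch script and not from the original post), the following PowerShell automates steps 5 and 6 of the removal procedure above: it hunts for hidden .exe files matching the size, date and version-resource indicators Mark lists and reports the matching Run-key entry, deleting nothing unless explicitly asked. The $Since default, the -Remove switch and the assumption of a current Windows PowerShell run as administrator are mine; the indicators are taken from the post.

```powershell
# Added example, not the original poster's code. Report-only unless -Remove is given.
param(
    [string[]] $Roots    = @('C:\'),
    [datetime] $Since    = '2007-05-01',   # post: search from 01 May 2007 (assumed default)
    [int]      $MaxBytes = 209KB,          # post: maximum size 209Kb
    [switch]   $Remove                     # assumption: only delete when explicitly asked
)

# Version-resource strings the post says the dropped executable carries.
$Signature = @{
    Comments         = 'Butterfly.'
    ProductName      = 'butterfly'
    InternalName     = 'My Things'
    OriginalFilename = 'My Things.exe'
}

function Test-ButterflySignature {
    param([System.IO.FileInfo] $File)
    $vi = $File.VersionInfo
    if (-not $vi) { return $false }
    foreach ($k in $Signature.Keys) {
        if ($vi.$k -ne $Signature[$k]) { return $false }   # every field must match
    }
    return $true
}

# Step 5: hidden .exe files, at most $MaxBytes, modified since the outbreak date.
# -Force is required or hidden/system files are not returned at all.
$suspects = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Filter *.exe -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            $_.Length -le $MaxBytes -and
            $_.LastWriteTime -ge $Since -and
            (Test-ButterflySignature $_)                   # step 6: properties match
        }
}

# The Run key the post names as the persistence entry (sched.exe / schedl.exe).
$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runEntries = (Get-ItemProperty -Path $runKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'sched' }

$suspects   | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
$runEntries | Select-Object Name, Value                    | Format-Table -AutoSize

if ($Remove) {
    $suspects   | Remove-Item -Force -Confirm
    $runEntries | ForEach-Object { Remove-ItemProperty -Path $runKey -Name $_.Name -Confirm }
}
```

Run it first without -Remove and review the list; the persistence entry is reported by name so it can be compared against the one Mark's batch file deletes.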