Lizard said:
Hi guys,
I got a virus last night by surfing on the internet. After hard fights I couldn't beat it... so I formatted C:\ ... but after reinstalling Windows I got the same virus again without surfing on the internet. I connected to the internet, started StarCraft and forgot to start ZoneAlarm -.- ... so I got it again ... its name is W32/Wallz ... can you tell me how to remove it permanently ... thx
Cya
Hi There
W32.Wallz was discovered on: February 07, 2005.
W32.Wallz is a worm that attempts to exploit the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011). The worm spreads by randomly scanning IP addresses for computers vulnerable to this threat.
Also Known As:
Net-Worm.Win32.Small.b [Kaspersky Lab]
Type:
Worm
Infection Length:
6,578 bytes
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Wallz is executed, it performs the following actions:
Creates a copy of itself as %System%\winpnp32.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates a service with the following properties:
Service Name: winpnp32
Display Name: Windows 32-bit PnP Driver
Image Path: %System%\winpnp32.exe
Startup type: Automatic
Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINPNP32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winpnp32
to run itself as a service.
Adds the value:
"EnableDCOM" = "Y"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
to enable DCOM.
Adds the value:
"restrictanonymous" = "dword:00000001"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
to restrict anonymous access to network shares.
Creates the following file, which is not malicious:
%Windir%\Debug\dcpromo.log
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
Scans random IP addresses for vulnerable computers, and attempts to exploit the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011) using TCP port 445. If the worm successfully exploits this vulnerability on a remote computer, it will send shellcode that creates and runs a copy of the worm on the remote computer.
Connects to an IRC server on the owjgp.game2max.net domain to log the IP address of each successfully exploited computer.
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
HOW TO KILL IT:
~~~~~~~~~~
1) Install Norton AntiVirus 2002 or higher
http://www.symantec.com
2) Disable System Restore (Windows Me/XP).
3) Update the virus definitions.
4) Run a full system scan and delete all the files detected as W32.Wallz.
Delete the value that was added to the registry.
That should do the trick!
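The indicators in the write-up quoted above (dropped file, service, registry keys and values, log file, IRC domain, TCP 445) can be checked from a defender's side before and after the cleanup steps. The PowerShell below is an added example, not from the thread, from Symantec's write-up or from any antivirus product; it only reports and changes nothing. The function name Test-WallzIndicators is my own, the paths assume an NT-based Windows where %System% is System32, and the Get-DnsClientCache / Get-NetTCPConnection cmdlets are assumed to exist (Windows 8 / Server 2012 and later; on older systems those two checks are skipped). Run it from an elevated prompt.

```powershell
# Added example (not from the forum post or the Symantec write-up).
# Read-only check for the W32.Wallz indicators listed in the reply above.
# Assumed name: Test-WallzIndicators. Run as Administrator.

function Test-WallzIndicators {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Indicator, $Present, $Strength, $Detail) {
        # $findings is the parent function's list; .Add mutates it in place
        $findings.Add([pscustomobject]@{
            Indicator = $Indicator
            Present   = [bool]$Present
            Strength  = $Strength
            Detail    = $Detail
        })
    }

    # 1. Dropped copy of the worm: %System%\winpnp32.exe
    $exe = Join-Path $env:SystemRoot 'System32\winpnp32.exe'
    Add-Finding 'File winpnp32.exe' (Test-Path -LiteralPath $exe) 'strong' $exe

    # 2. Service "winpnp32" (display name "Windows 32-bit PnP Driver")
    $svc = Get-Service -Name 'winpnp32' -ErrorAction SilentlyContinue
    $detail = if ($svc) { "$($svc.DisplayName) [$($svc.Status)]" } else { 'not installed' }
    Add-Finding 'Service winpnp32' $svc 'strong' $detail

    # 3. Registry keys created so the worm runs as a service
    foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Services\winpnp32',
                     'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINPNP32') {
        Add-Finding 'Registry key' (Test-Path -LiteralPath $key) 'strong' $key
    }

    # 4. Registry values the worm sets. Both are legitimate settings that clean
    #    machines also have (EnableDCOM=Y is the Windows default), so on their own
    #    they are only weak indicators and are reported as such.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name 'EnableDCOM' -ErrorAction SilentlyContinue
    Add-Finding 'Ole\EnableDCOM = Y' ($ole.EnableDCOM -eq 'Y') 'weak' "EnableDCOM=$($ole.EnableDCOM)"

    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'restrictanonymous' -ErrorAction SilentlyContinue
    Add-Finding 'Lsa\restrictanonymous = 1' ($lsa.restrictanonymous -eq 1) 'weak' "restrictanonymous=$($lsa.restrictanonymous)"

    # 5. Non-malicious side-effect file named in the write-up
    $log = Join-Path $env:SystemRoot 'Debug\dcpromo.log'
    Add-Finding 'Debug\dcpromo.log' (Test-Path -LiteralPath $log) 'weak' $log

    # 6. Network indicator: the IRC domain from the write-up. Only the local DNS
    #    resolver cache is inspected; nothing is contacted.
    $ircDomain = 'owjgp.game2max.net'
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        $hit = Get-DnsClientCache -ErrorAction SilentlyContinue |
               Where-Object { $_.Entry -like "*$ircDomain*" }
        Add-Finding "DNS cache entry for $ircDomain" $hit 'strong' $ircDomain
    }

    # 7. Exposure: the worm spreads over TCP 445, so report whether SMB is
    #    listening. A listener is normal on Windows; the point is to have the
    #    firewall up and MS04-011 applied before the machine goes online again.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
        Add-Finding 'TCP 445 listening' $listen 'exposure' 'keep firewall on, apply MS04-011'
    }

    return $findings
}

# Usage: print the table, then a one-line verdict based on the strong indicators only
$report = Test-WallzIndicators
$report | Format-Table -AutoSize
$strong = @($report | Where-Object { $_.Strength -eq 'strong' -and $_.Present })
if ($strong.Count -gt 0) {
    Write-Warning "$($strong.Count) strong W32.Wallz indicator(s) present; follow the removal steps above."
} else {
    Write-Host 'No strong W32.Wallz indicators found.'
}
```

The script deliberately separates strong indicators (the file, the service, its two registry keys, the IRC domain in the DNS cache) from the weak ones (DCOM and restrictanonymous values, the dcpromo.log file) that the write-up lists but which also occur on clean systems; a verdict should rest on the strong set. Re-run it after the antivirus steps in the post to confirm the service and file are gone, and before reconnecting check that the TCP 445 line is the only one still reported.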