Definitions Details
----------------------
File Name: symcbetadefsx86.exe
File Date: 03:51 PST June 3, 2004
Definitions Version: 6/2/2004 rev. 69
Description: Supports the following versions of Symantec antivirus software:
  * Corporate Edition 6.x, 7.x and 8.x (Server and Clients)
  * Carrier Scan Server
  * Scan Engine 3.0 products
  * Firewalls
  * Web Security (Windows NT only)
  * Internet Email Gateways
  * MS Exchange
  * Lotus Notes/Domino
  * NAV NLM
  * 4.0 and 5.0 for Windows 9x/Windows NT
  * pcAnywhere32 7.5 and higher for Windows NT

These definitions were confirmed to detect this latest worm variant.

** Worm details: ixd.exe or odz.exe or ???.exe
--------------------------------
  102960 bytes in length
  File name is RANDOM and three characters in length
  To determine the offending file, find the EM_EXEL or SOUNDMAN registry values; their data holds the name of the offending file
  Modified date of Thursday, August 29, 2002, 08:00:00
  Attributes: Read-Only, Hidden, System
  File owner is the user logged in at the time of infection
  Security permissions are inherited from above
  Doesn't hide its process while running
  Doesn't make the file invisible while running
  Kills administrative shares (e.g. ADMIN$, C$, D$, etc.) for that session (not permanently)
  Does NOT stop the IPC$ share
  Scans for the MS04-011 security hole (port 445)
  May check for weak or blank passwords on system accounts
  Lives in %systemroot%\system32

  Adds registry values:
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN "EM_EXEL" = "???.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES "EM_EXEL" = "???.exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "EM_EXEL" = "???.exe"
  or possibly one or all of the following:
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN "SOUNDMAN" = "???.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES "SOUNDMAN" = "???.exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SOUNDMAN" = "???.exe"
  (where ???.exe is the random three-character file name referenced above)

Removal:
----------
  1. Log onto the system as an administrator
  2. Open up the Task Manager
  3. Under the "Processes" tab, highlight the viral process
  4. Click the "End Process" button
  5. Confirm termination of the process by clicking "Yes"
  6. Open up a command prompt (Start --> Run --> cmd)
  7. Change directory (cd) to the location of the file (e.g. "cd C:\windows\system32")
  8. Type the following and hit enter: attrib ???.exe -s -h -r
  9. Type the following and hit enter: del ???.exe
 10. Open regedit (Start --> Run --> regedit)
 11. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
 12. Delete the "EM_EXEL" value if present
 13. Delete the "SOUNDMAN" value if present
 14. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES
 15. Delete the "EM_EXEL" value if present
 16. Delete the "SOUNDMAN" value if present
 17. Search the entire registry for EM_EXEL and delete all remaining instances
 18. Search the entire registry for SOUNDMAN and delete all remaining instances
 19. Visit http://windowsupdate.microsoft.com and download / install all missing patches
 20. Reboot the machine
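The indicators listed above (the EM_EXEL / SOUNDMAN autorun values, the 102960-byte file in %systemroot%\system32 with Read-Only+Hidden+System attributes and the August 29, 2002 08:00:00 timestamp) can be checked on a suspect host before the manual removal steps are followed. The script below is an added example written for this page, not part of the original advisory or of Symantec's tooling; it only reports, it deletes nothing. It assumes the value data is a bare file name resolved against %SystemRoot%\System32 (as the worm details state) and that the timestamp is compared in the host's local time. Function and variable names are the example's own.

```powershell
# Added example: report-only check for the worm's persistence values and dropped file.
# Assumption: value data is a bare name (e.g. ixd.exe) living in %SystemRoot%\System32.
function Find-WormIndicators {
    $valueNames = @('EM_EXEL', 'SOUNDMAN')
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $expectedSize  = 102960
    # Advisory gives the stamp as displayed on the host, so compare in local time.
    $expectedMtime = Get-Date -Year 2002 -Month 8 -Day 29 -Hour 8 -Minute 0 -Second 0 -Millisecond 0
    $wantedAttrs   = [System.IO.FileAttributes]::Hidden -bor `
                     [System.IO.FileAttributes]::System -bor `
                     [System.IO.FileAttributes]::ReadOnly

    $findings = @()
    foreach ($key in $runKeys) {
        # RunServices is not present on every Windows version; skip missing keys.
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }

        foreach ($name in $valueNames) {
            $data = $props.$name
            if ([string]::IsNullOrEmpty($data)) { continue }

            $finding = [pscustomobject]@{
                Key        = $key
                ValueName  = $name
                Data       = $data
                FilePath   = $null
                FileExists = $false
                SizeMatch  = $false
                AttrMatch  = $false
                DateMatch  = $false
            }

            # Resolve the referenced file: absolute path as-is, otherwise under System32.
            if ([System.IO.Path]::IsPathRooted($data)) {
                $path = $data
            } else {
                $path = Join-Path -Path $env:SystemRoot -ChildPath ("System32\" + $data)
            }

            if (Test-Path -LiteralPath $path) {
                # -Force is needed so hidden/system files are returned.
                $file = Get-Item -LiteralPath $path -Force
                $finding.FilePath   = $file.FullName
                $finding.FileExists = $true
                $finding.SizeMatch  = ($file.Length -eq $expectedSize)
                # All three attribute bits must be set, as the worm details describe.
                $finding.AttrMatch  = (($file.Attributes -band $wantedAttrs) -eq $wantedAttrs)
                $finding.DateMatch  = ($file.LastWriteTime -eq $expectedMtime)
            }
            $findings += $finding
        }
    }
    return $findings
}

$results = Find-WormIndicators
if ($results.Count -eq 0) {
    Write-Output "No EM_EXEL / SOUNDMAN autorun values found."
} else {
    $results | Format-Table -AutoSize
    $strong = $results | Where-Object { $_.FileExists -and $_.SizeMatch -and $_.AttrMatch }
    if ($strong) {
        Write-Output "Strong match on the listed indicators; proceed with the Removal steps above."
    } else {
        Write-Output "Autorun value present but file indicators do not all match; inspect manually."
    }
}
```

Run it from an elevated PowerShell session so that the HKLM keys and the hidden file are readable. A finding whose FileExists is false but whose autorun value is present still matters: it usually means the file was already removed while the persistence entry was left behind, which is exactly the state steps 10 to 18 of the removal procedure clean up.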