alcra.b virus


1 reply to this topic

#1 BlackPearl

Posted 03 July 2005 - 10:59 PM

I need help on this one.
As per instructions from my symantec product (norton antivirus 2005) I have run a virus scan, I have deleted the virus,but when it comes to the part of deleting the values from my registry editor (the virus changes the values on the registry, so that one cannot access it), symantec has a tool to resolve this problem, the tool supposedly unlocks the registry so that one can modify and delete the values, but the tool is not working. I still cannot access my registry editor and delete the aggregated values.
Can somebody help, please?

Edited by BlackPearl, 03 July 2005 - 11:04 PM.



#2 stidyup

Posted 04 July 2005 - 03:25 AM

Sophos

W32/Alcra-B is a worm for the Windows platform.

W32/Alcra-B spreads via file sharing on P2P networks.

W32/Alcra-B includes functionality to download, install and run new malware executables.

W32/Alcra-B typically arrives with the filename Setup.exe.

When first run W32/Alcra-B displays a dialog box with the text "Setup", "Welcome to the Setup Wizard ...". W32/Alcra-B creates the folder <Program Files>\winupdates\, copies itself to this folder as winupdates.exe and creates the following files:

<Program Files>\winupdates\a.zip
<System>\cmd.com
<System>\bszip.dll
<System>\netstat.com
<System>\ping.com
<System>\regedit.com
<System>\taskkill.com
<System>\tasklist.com
<System>\tracert.com

All files and folders will have the hidden and system attributes set, including the Windows system folder.

a.zip is a zip archive containing a copy of W32/Alcra-B named Setup.exe.

Bszip.dll is a clean file compression utility.

The new files created in the Windows system folder by W32/Alcra-B with a COM extension are simply 'MZ' stubs (2-byte files simply containing "MZ"), designed to disable the standard Windows applications: cmd, netstat, ping, regedit, taskkill, tasklist and tracert. Executable files with a COM extension have precedence over files with the same filename but an extension of EXE, therefore if a user runs "cmd", "netstat", "ping", "regedit", "taskkill", "tasklist" or "tracert", the new file with a COM extension will be executed rather than the legitimate executable with an extension of EXE.

The following registry entry is created to run winupdates.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winupdates
<Program Files>\winupdates\winupdates.exe /auto


Are you typing regedit only? Reading this, you may have to manually locate regedit and double-click on it.

I assume you're on XP?

C:\WINDOWS\system32\regedt32.exe

Or download a 3rd party tool to edit the registry here's one but I'm sure you can locate others.

Registry Commander 1.04

Along the toolbar: Show > Registry Roots > Registry Root List

This will show all of the registry options.

Before using please backup your registry with this tool ERUNT

Edited by stidyup, 04 July 2005 - 03:26 AM.
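The Sophos text quoted in the reply above describes the worm's trick: 2-byte files containing only "MZ", dropped as cmd.com, regedit.com and so on into the system folder, so that typing "regedit" runs the stub rather than regedit.exe because .COM is searched before .EXE. The script below, added here as an illustration and not code from the original post or from Sophos, looks for exactly that pattern: a .com file that sits beside a .exe of the same basename and is too short to be a real MZ/PE image (the DOS header alone is 64 bytes). The directory it scans is a constructed stand-in for <System> built in a temp folder, so it runs offline; the tool names and the 2-byte stub contents come from the writeup, everything else (the fake PE bytes, the extra "legit" and "sample" files) is made up for the example.

```python
"""Added example: detect .com files that shadow a same-named .exe and are bare "MZ" stubs.

Not from the original post or from Sophos. The worm writeup quoted above says the stubs are
exactly the two bytes "MZ"; a genuine MZ/PE file can never be that small, so "starts with MZ
but is shorter than a DOS header" is the check. The sample folder is constructed here so the
script runs anywhere; on a real machine pass C:\\Windows\\System32 to find_shadowing_com_files().
"""
import os
import tempfile

# Tools the writeup names as shadowed; used only to build the constructed sample folder.
SHADOWED_TOOLS = ("cmd", "netstat", "ping", "regedit", "taskkill", "tasklist", "tracert")

DOS_HEADER_SIZE = 64  # a real MZ/PE image cannot be shorter than its DOS header


def is_mz_stub(path):
    """True if the file starts with 'MZ' but is too short to hold even a DOS header."""
    try:
        if os.path.getsize(path) >= DOS_HEADER_SIZE:
            return False
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_shadowing_com_files(system_dir):
    """Return {basename: {"com": path, "exe": path, "stub": bool}} for every .com file
    that sits beside a .exe of the same basename (the .com wins under the default
    PATHEXT order). Only stub=True entries match the worm's pattern; a full-sized
    .com beside an .exe is reported too, but with stub=False."""
    entries = {n.lower(): n for n in os.listdir(system_dir)}
    findings = {}
    for lowered in sorted(entries):
        base, ext = os.path.splitext(lowered)
        if ext != ".com" or base + ".exe" not in entries:
            continue
        com_path = os.path.join(system_dir, entries[lowered])
        findings[base] = {
            "com": com_path,
            "exe": os.path.join(system_dir, entries[base + ".exe"]),
            "stub": is_mz_stub(com_path),
        }
    return findings


def build_sample_system_dir():
    """Constructed sample (hypothetical data): fake .exe files plus the worm's 2-byte .com
    stubs, one genuine DOS .com with no .exe twin, and one full-sized .com beside an .exe."""
    root = tempfile.mkdtemp(prefix="alcra_demo_")
    # Minimal MZ header with e_lfanew=0x40 pointing at a "PE\0\0" signature; stand-in for a real PE.
    fake_pe = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 200
    for tool in SHADOWED_TOOLS:
        with open(os.path.join(root, tool + ".exe"), "wb") as fh:
            fh.write(fake_pe)
        with open(os.path.join(root, tool + ".com"), "wb") as fh:
            fh.write(b"MZ")  # the stub: exactly the two bytes the writeup describes
    with open(os.path.join(root, "legit.com"), "wb") as fh:
        fh.write(b"\xb8\x00\x4c\xcd\x21")  # real DOS .com: mov ax,4c00h / int 21h; no .exe twin
    with open(os.path.join(root, "sample.exe"), "wb") as fh:
        fh.write(fake_pe)
    with open(os.path.join(root, "sample.com"), "wb") as fh:
        fh.write(fake_pe)  # full-sized .com beside an .exe: shadows it, but is not a stub
    return root


if __name__ == "__main__":
    sample_dir = build_sample_system_dir()
    for base, info in find_shadowing_com_files(sample_dir).items():
        verdict = "2-byte MZ stub shadowing" if info["stub"] else "shadows (full-sized, not a stub)"
        print(f"{base}.com {verdict} {base}.exe")
```

Against a real system folder, only entries with stub=True are suspicious; Windows ships a few genuine .com programs, so a .com file alone proves nothing. Note that the writeup says the dropped files carry the hidden and system attributes, so a plain `dir` will not show them, and since the worm also replaces cmd.com, running the scan from a shell started by typing "cmd" may itself hit the stub; start Python or cmd.exe by full path.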
