W32.Kassbot.A

W32.Kassbot.A is a network-aware worm that opens a back door through IRC. The worm monitors for access to certain financial Web sites, logging keystrokes when they are visited.

Also Known As:	Win32.Kassbot.D [Computer Associates], Backdoor.Win32.Delf.zq [Kaspersky Lab], Generic BackDoor.d [McAfee], W32/Kassbot-D [Sophos], BKDR_KASSBOT.D [Trend Micro], TSPY_BANKER.RE [Trend Micro]
Type:	Worm
Infection Length:	266,752 bytes
Systems Affected:	Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Virus Definitions (LiveUpdate™ Weekly) May 24, 2005 Virus Definitions (Intelligent Updater) May 20, 2005

Wild Number of infections: 0 - 49 Number of sites: 0 - 2 Geographical distribution: Low Threat containment: Easy Removal: Moderate

Threat Metrics Wild: Low Damage: Medium Distribution: Medium

Damage

• Payload Trigger: n/a
• Payload: Opens a back door
  • Large scale e-mailing: n/a
  • Deletes files: n/a
  • Modifies files: Modifies the Hosts file.
  • Degrades performance: n/a
  • Causes system instability: n/a
  • Releases confidential info: Installed keylogger captures information from financial Web sites.
  • Compromises security settings: Modifies the Hosts file to prevent access to Web sites, some of which may be security related.

Distribution

• Subject of email: n/a
• Name of attachment: n/a
• Size of attachment: n/a
• Time stamp of attachment: n/a
• Ports: TCP Port 1051 and higher.
• Shared drives: n/a
• Target of infection: n/a

When W32.Kassbot.A is executed, it performs the following actions:

1. Copies itself as %System%\spools.exe.
   
   Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
   
   
2. Drops the following files:
   
   
   • %System%\xee32.dll - which is detected as Hacktool
   • %System%\xbccd.log
     
     
3. Adds the value:
   
   "Spools Service Controller" = "%System%\spools.exe"
   
   to the registry subkey:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   so that the risk runs every time Windows starts.
   
   
4. Monitors Internet connections for access to the following financial Web sites with the following URLs:
   
   
   • abnamrofutures.com
   • activebanking.de
   • allbank.de
   • allianz.de
   • amdirect.ambg.com.my
   • americanexpress.com
   • apobank.de
   • arabbank.com
   • asbbank.co.nz
   • asia.citibank
   • axabanque.fr
   • b2b.de
   • bacaf.at
   • baj.com.sa
   • bamernet.hn
   • banco-general.com
   • bank of india
   • bank.eldersruralbank.com.au/banking/ERBIBanking/
   • bankhaus-mayer.de
   • banking-service.de
   • banking.apobank.de
   • banking.apobank.de/
   • banking.bankhaus-mayer.de/login.php
   • banking.bmwbank.de/dbc/login.html
   • banking.bw-bank.de
   • banking.bw-bank.de/frame.html
   • banking.cc-bank.de
   • banking.co.at
   • banking.degussa-bank.de/de/
   • banking.degussa-bank.de/de/start.htm
   • banking.diba.de/DIBA?rqh=STARTUP&ZIEL=main
   • banking.diba.de/OnlineBanking/index.html
   • banking.donner.de/default.jsp
   • banking.elba.at/html/login.jsp
   • banking.europace.ie/epps/login.dialog?p_loginmask=gmac
   • banking.hypo.at/html/login.jsp
   • banking.ing-diba.at/dibaonline/login.jsp
   • banking.martinbank.de/login.aspx
   • banking.privatbank.at/html/login.jsp
   • banking.raiffeisen.at/html/login.jsp
   • banking.santander.de
   • banking.santander.de/sdb/prepareLogin.do
   • banking.seb.de
   • banking.seb.de/pt/
   • banking.vkb-bank.at/html/login.jsp
   • bankingonline.de
   • banklenz.de
   • bankone
   • bankone.com.au
   • banpais.hn
   • barclaycard.de
   • baufinanzierung.dslbank.de
   • baufinanzierung.dslbank.de/webcredit-frontoffice/LoginSeite.jsp
   • bawag.com.at
   • bendigobank.com.au
   • berenbergbank.de
   • bgl.lu
   • billscenter
   • billscenter.paytrust.com/csp/CSPServlet/Login?
   • bks-banking.at
   • blc direct
   • bmwbank.de
   • bob.bankwest.com.au
   • bob.bankwest.com.au/BWAMain.asp
   • boq.com.au
   • brokerage.comdirect.de
   • brokerage.comdirect.de/index.jsp?ziel=duallogin&permissionId=memberdatamaintenance&errorCode=0
   • btfunds
   • cash.rin.ru/cgi-bin/auth.pl
   • cebit.de
   • cetelem.de
   • citibank.co.uk
   • citibiz
   • citibusinessonline.da-us.citibank.com/cbusol/busSignOn.do
   • commerzbanking.de
   • cortalconsors.de
   • creditmutuel.fr
   • creditplus.de
   • creditplus.de/cgi-bin/WebObjects/BOV4?Einstieg=Haendler
   • daimlerchrysler-bank.de
   • davis-company.com
   • debema.de
   • degussa-bank.de
   • deutsche-bank.de
   • deutsche-factoring.de
   • dfbonline.deutsche-factoring.de/dfbonline/html/index.htm
   • dhbbank.com
   • diba.de
   • dollarbank
   • donner.de
   • dresdner.de
   • dslstar.de
   • dws-direkt.deutsche-bank.de/check.asp?id=6110B558-0AC2-33DB-0502-520914080619
   • e-bank.feibbank.com/index.htm
   • e-bank.wuestenrot.de/pkmsstepuplogin.form
   • ebank.hsbc.co.nz
   • ebank.laiki.com/CommonUI/eBankAUUI/LoginAU.aspx
   • ebanker.arabbank.com.au/
   • ebanking.bawag.com/InternetBanking/InternetBanking?d=login&lang=de&svc=BAWAG
   • ebanking.bgl.lu/en/bgl
   • ebankinter
   • elba.at
   • eldersruralbank
   • etimebanker.bankofthewest.com/SITE/6.0_signin/signin.asp
   • europace.ie
   • ewm.ubs.com/de00-safe-login/Login?handler=SAFEGetLogin
   • fcb-e-bank.com
   • feibbank
   • fh-vie.ac.at
   • fiservdmecom
   • fiservdmecom1
   • fnc.asbbank.co.nz/
   • gad.de
   • generalibank.at
   • global-banking.de
   • hbci-banking.allbank.de/fb3/jsp/allbank/de/login
   • hoernerbank.de
   • homebank.tsbbank.co.nz
   • homebank.tsbbank.co.nz/
   • homebanking-berlin.de
   • hypo.at
   • ib.national.com.au/nabib/login.jsp
   • ib2.inetbank.net.au
   • ibank.stgeorge.com.au/html/index.asp?origin=ABA&redirected=True&JavaVendor=MICROSOFT&ClientPlatfor
   • inetbnkp.adelaidebank.com.au/OnlineBanking/AdBank
   • ing-diba.at
   • ingretirem
   • internetbanking.gad.de/banking/banking;
   • internetbanking.gad.de/banking/portal?bankid=4967
   • internetbanking.suncorpmetway.com.au/sml/logon.asp?
   • investing.schwab.com/trading/start?&AddrChangeAuth
   • izb.de
   • kiwibank.co.nz
   • konto.xcom-bank.de/b2cbp/login.do;jsessionid
   • laiki.com
   • leu.directnet.com/dn/c/cls/auth?language=
   • macquarie
   • martinbank.de
   • mein.raiffeisen.at/personalization/
   • midamerica
   • mmgbank
   • my.banklenz.de/RequestLayer?
   • my.hypovereinsbank.de
   • my.hypovereinsbank.de/prot/templates/login_frame.jsp
   • my.ingretirementplans.com/INGAccess/SULLogin.fcc
   • myaxa.de
   • national inter bank
   • national-bank.de
   • national.com
   • necu
   • netbank
   • netbank-money.de
   • netbanking.at
   • netbanking.sozialbank.de/smartoffice/
   • networld-ebanking.de
   • noname.de
   • norisbank.de
   • oberbank-banking.at
   • olb.westpac
   • online-banking.de
   • online-banking.vwbank.de
   • online-banking.weberbank.de/home/index.htm
   • online-service.allianz.de/identityprovider_app/aos/identityprovider
   • online.btfunds.com.au/retailinvestor/investor
   • online.dollarbank.com/cgi-bin/rsa2clnt.dll/NB%20-%20Main/ND000_
   • online.westpac.com.au/SignIn
   • onlinebanking.norisbank.de/norisbank/login.do?method=login
   • onlineservices
   • onlineservices.amp.com.au/logon/eservicesLogon.asp?activated=true
   • personal.macquarie.com.au
   • portal-banking.de
   • portal01.commerzbanking.de/P-Portal/XML/IFILPortal/pgf.html?Tab=3
   • portal1.izb.de/ihb/dkb-bank/Main
   • privatbank.at
   • privatebanking.debema.de/dbm/how.jsp
   • privatkunden.union-investment.de
   • raiffeisen.at
   • sabadella
   • saradar
   • schwab
   • schwaebische-bank.de
   • sec.westpac.co.nz
   • sec.westpac.co.nz/IOLB/newSession
   • secure.accu
   • secure.accu.com.au/
   • secure.americanfederal.net
   • secure.bankone.com.au/login.asp?check
   • secure.dnetz-b2b.de/ssl_peugeotbank/bstkdn/login.asp
   • secure.easy-car-credit.de/anmelden.asp
   • secure.easy-car.de
   • secure.nationalinterbank.com/Scripts/ni4.dll=
   • secure.rabobank.com.au
   • secure.rabobank.com.au/ribs/scripts/abtwsac.exe/clientInternetView
   • servicebank.at
   • services.credit-suisse.de
   • services.credit-suisse.de/pbi/pbov/c/cls/auth
   • sozialbank.de
   • ssl.4alpha.de/ios-4alpha/onlinefiliale/php/zugang/anmelden2.php?SID=
   • sso.americanexpress.com/SSO/request?
   • standardchartered.com
   • stgeorge
   • suncorpmetway
   • superbank.co.nz
   • svr1.instant-ecash.com
   • swkbank.de
   • swkbank.de/page/kontakt/login.php?PHPSESSID=
   • ubs.com.de
   • union-investment.de
   • uniservices3.uobgroup
   • uniservices3.uobgroup.com/CLO/Pub_ControllerServlet?cmd=customerlogin&action=clologin
   • visionsfcu
   • vkb-bank.at
   • volswagen.de
   • vr-ebanking.de
   • web.cplnn.com/svhost32.exe
   • web7.evault.ws/pbi_pbi1961/pbi1961.asp?Rt=121142287&LogonBy
   • webbank.standardchartered.com/idc/login.jsp
   • wertpapier.schwaebische-bank.de/login.php
   • westlbmarkets.net
   • westpac
   • wsk-bank.at
   • wuestenrot.de
   • ww2.homebanking-berlin.de/cgi/anfang.cgi
   • www.aaztecgold.com
   • www.abgoldcommerce.com
   • www.abnamrofutures.com/abacus_syd/nfront/Main.asp
   • www.amazon.com
   • www.americanexpress.com/australia/homepage.shtml
   • www.anb.com.sa/tadonline/default.asp
   • www.anz.com
   • www.anz.com/inetbank/bankmain.asp
   • www.anz.com/nz/inetbank/bankmain.asp
   • www.asia.citibank.com/asia/index/hm_leftNav_trans/1,3834,13-en,00.html
   • www.axabanque.fr/client/sAuthentification?
   • www.bacaf.at/page/start.mv?NOFRAMES
   • www.bamernet.hn/ws2/servlet/com.dlya.bantotal.hhbk0700
   • www.banco-general.com/bgespanol/index.asp
   • www.banking.co.at/m000/ibk/login.html
   • www.bankingonline.de/psd-banking/view/index.jsp?blz=10090900&graphics=true
   • www.bankingonline.de/sparda-banking/view/index.jsp?graphics=true&blz=
   • www.bankofindia.com/home/registration/login.aspx
   • www.bankone.com.au/
   • www.banpais.hn/flash.asp
   • www.barclaycard.de/service/service.php3?start=true&cs_vid_save=
   • www.bendigobank.com.au/banking/BBLIBanking/
   • www.berenbergbank.de/my_berenberg/index.html
   • www.berenbergbank.de/my_berenberg/index_e.html
   • www.bks-banking.at/cgi/anfang.cgi/BKS
   • www.blcdirect.banquelaurentienne.ca/login
   • www.bnz.co.nz
   • www.bnz.co.nz/Internet_Banking/0,,10-123,00.html?pmarkC=Image&pmarkK=1227
   • www.boq.com.au/EDS.IB/
   • www.bv-activebanking.de/
   • www.cashcards.net
   • www.cebit.de/homepage_e?x=1
   • www.cetelem.de/site/haendlerlogin.php
   • www.cetelembank.de/site/haendlerlogin.php
   • www.citibank.com.au
   • www.citibank.com.au/portal/citiau_home_center.jsp?frameval1=customerSigninLink1
   • www.cortalconsors.de/euroWebDe/
   • www.creditmutuel.fr
   • www.daimlerchrysler-bank.com/intrade/disp;jsessionid=
   • www.dhbbank.com/NetBanking/TagesGeldLogin.aspx
   • www.dresdner-privat.de/index.html?
   • www.dslstar.de/epps/login.dialog?p_loginmask=dsl
   • www.e-gold.com/acct/login.html
   • www.ebank.hsbc.co.nz/jsp/en/login.jsp
   • www.ebankinter.com/www/es-es/cgi/ebk
   • www.efirstbank.com
   • www.eservices.baj.com.sa/default.asp
   • www.fcb-e-bank.com/
   • www.fh-vie.ac.at/V1/login.aspx?PID=588
   • www.firstbanks.com
   • www.fiservdmecom1.net
   • www.fiservdmecom1.net/PBI_Pbi1961/Pbi1961.asp?Rt=104901940&LogonBy=connect3&PRMAccess=Account&user=t
   • www.fiservla3.com/PBI1961.asp?Rt
   • www.generalibank.at/geb/jsp/logon_anmelden.jsp
   • www.gitgold.com
   • www.global-banking.de/aktivbank/login/login.jsp
   • www.goldage.net/buy.aspx
   • www.goldcurrencies.ca
   • www.goldpouchexpress.com
   • www.hoernerbank.de/ebanking/
   • www.icegold.com
   • www.internet-banking-service.de/cgi-bin/catwaycgi?runScript=login&
   • www.kiwibank.co.nz/banking/login.asp
   • www.londongoldexchange.com
   • www.loyalbank.com
   • www.metal-escrow.com
   • www.midamericabank.com/s_log_into.cfm
   • www.mmgbank.com/scripts/mmg.dll?lang=
   • www.myaxa.de/myaxa/login/LogInput.do
   • www.national-bank.de/www/frames/10_00_00.asp?mid
   • www.ncrbanks.com/
   • www.necu.com.au/802292V3/ntv3.asp?wci=entry
   • www.netbank-money.de/netbank-banking/view/index.jsp?blz=20090500&graphics=true
   • www.netbanking.at/netbanking/index.start;jsessionid=
   • www.netbanking.at/netbanking/index.start?
   • www.netteller.com/
   • www.oberbank-banking.at/LoginHomepage.htm
   • www.omnipay.com
   • www.portal-banking.de/wps/portal/!ut/p/.scr/Login?view=spb&blz=
   • www.sabadellatlantico.com/=
   • www.saradar.com/sfp/sfp_ef_html/public_page.html
   • www.servicebank.at/cgi/anfang.cgi/BTV
   • www.site-secure.com/cgi-bin/cgig555.exe/newport/SID/GetLogon
   • www.superbank.co.nz/ExpressBanking/login.asp
   • www.tampaexchange.net
   • www.thebullionexchange.com
   • www.visionsfcu.com/cgi-bin/mcw000.cgi?MCWSTART5&
   • www.vr-ebanking.de/index.php?
   • www.vr-networld-ebanking.de/index.php?
   • www.westlbmarkets.net/cms/sitecontent/ib/
   • www.winweb.seceti.it/webapp/winweb/ProfileUsersServlet?banca=
   • www.wsk-bank.at/wsk/user/index.ndm/singlelogin
   • www0.advisernet.com.au/aol/cgi-bin/advhome/advancehome.cgi
   • www1.internet-trading1.com
   • www1.netbank.commbank.com.au/netbank/bankmain.htm
   • www2.bankingonline.de/sparda-banking/view/index.jsp?graphics=true&blz=
   • xcom-bank.de
     
     
5. Monitors Internet connections for access to financial Web sites with the following titles:
   
   
   • BrownCo | Online Investing
   • Login to Ameritrade
   • ameritrade
   • AMCORE Online
   • amcore
   • Zions Bank: Home Page
   • zions
   • FirePay.com
   • fire pay
   • T&C Federal Credit Union: Home Page
   • t&c
   • Union State Bank - Portal
   • union state
   • Farmers & Merchants Bank - Login
   • farmers
   • ESB Bill Pay
   • esbbill
   • Industrial State Bank
   • industrial
   • Security Bank of Kansas City
   • security of kansas
   • Login - Peoples Bank
   • Premier Bank
   • peoples
   • Kansas State Bank
   • kansas state bank
   • The Mission Bank
   • the mission
   • First Bank of Newton
   • Hillcrest Bank
   • hillcrest
   • Welcome To Metcalf Bank
   • metcalf
   • Valley View Bank
   • valley
   • The Bennington State Bank
   • benington
   • firststateks.com
   • firststateks
   • Login - Commerce Bank
   • commerce
   • Kendall State Bank
   • kendal state
   • The Trust Company of Kansas - Online Access
   • trust of kansas
   • Amarillo National Bank
   • amarillo
   • Sumx Banking
   • sumx
   • Busey Financial Services
   • busey
   • Chase.com Home Page
   • chase
   • Commerce Online
   • commerce2
   • Juniper - Save Time and Money with the Juniper Credit Card
   • juniper
   • ATBOnline
   • atb
   • American Savings Bank
   • amsavings
   • Banamex.com
   • banamex
   • Banca Popolare di Bergamo
   • bergamo
   • Bradesco - Colocando voc
   • bradesco
   • Unibanco.com
   • unibanko
   • Banco de Reservas - Portal Financiero
   • reservasIT
   • Banco di Caribe Online
   • di caribe
   • Banco Ita
   • Banregio
   • banregio
   • Banespa
   • banespa
   • Bank Midwest
   • midwest
   • Bank Independent
   • independment
   • United Commercial Bank
   • united commercial
   • Bank of the Orient
   • Bank of the Cascades
   • cascades
   • American Gateway Bank
   • american gateway
   • Welcome to Brenham National Bank
   • brenham national
   • Bruceton Bank, Your Community Bank.
   • bruceton
   • Beneficial Home
   • beneficial
   • Sofinco : Cr
   • sofinco
   • www.socgen.com
   • socgen
   • Bienvenue sur La Poste.fr
   • la poste FR
   • Caisse d'Epargne, jeunes, associations, professionnels, entreprises, pme,
   • caisse FR
   • LAFCU
   • lafcu
   • KeyPoint Credit Union
   • keypoint
   • Alpha Bank
   • alphabank
   • TIBLink Internet Banking Sign On
   • tibbank
   • Welcome to Nodaway Valley Bank Online
   • nodawayvalleybank
   • First Hawaiian Bank
   • fhb
   • Bendingo e-banking
   • bendigo
   • First Tennessee
   • firsttennessee
   • Tompkins Trust - Community Banks in Ithaca
   • tompkinstrust
   • Bank Austria Creditanstalt
   • baca
   • Transaction Manager Deutsche Bank
   • deutschebank
   • Fidelity Investments
   • fidelity
   • Morgan Stanley Online
   • dwdean
   • Postbank Banking Service
   • postbank
   • Dresdner Bank - Privatkundenportal
   • dresdner_privat
   • moneybookers.com - and money moves
   • moneybookers
   • Welcome to FlyntDigital
   • flyntdig
   • Bankwest Online Business Banking
   • bankwest
   • DEFCREDIT Direct
   • defcredit.com.au
   • NetBank - Logon
   • EzyBank
   • Heritage on-line
   • heritage
   • ANCU - Internet Banking Login
   • ancu
   • ANZ E*TRADE
   • anz_etrade
   • Washington Mutual - Log On
   • wamu
   • http:/ /mbk.rbc.ru
   • RBC RUS
   • WitnessInfo - Logon
   • witness info
   • Charter One Bank
   • charteronebank
   • Buy E Gold
   • Cambist.net
   • Personal Banking
   • on line banking
   • Internet Banking
   • Web Banking
   • Home Banking
     
     
6. Logs the keystrokes typed into the financial Web page.
   
   
7. Connects via TCP Ports 1051 and higher to a predetermined IRC server on the ern.nnctx.com.ru domain, providing an attacker back door access to perform some or all of the following commands:
   
   
   • Set up a proxy server
   • Participate in distributed denial of service (DDoS) attacks
   • Download and execute files, some of which may include an updated version of the worm
   • Monitor internet activity for specific financial Web sites
   • Log keystrokes
   • Act as an email relay, allowing remote attackers to route email
   • List, stop, and start processes and services
   • Redirect HTTP traffic to alternate Web sites
   • Modify, delete, and execute files or folders
     
     
8. Modifies the Hosts file by adding the following lines to prevent access to the specified host(s), some of which may be security related:
   
   d-ru-1f.kaspersky-labs.com
   d-ru-1h.kaspersky-labs.com
   d-ru-2f.kaspersky-labs.com
   d-ru-2h.kaspersky-labs.com
   d-eu-2f.kaspersky-labs.com
   d-eu-2h.kaspersky-labs.com
   d-eu-1f.kaspersky-labs.com
   d-eu-1h.kaspersky-labs.com
   d-us-1f.kaspersky-labs.com
   d-us-1h.kaspersky-labs.com
   downloads1.kaspersky.ru
   downloads2.kaspersky.ru
   downloads3.kaspersky.ru
   downloads4.kaspersky.ru
   downloads5.kaspersky.ru
   www.kaspersky.ru
   kaspersky.ru
   kaspersky-labs.com
   www.kaspersky-labs.com
   barclays.co.uk
   hsbc.co.uk
   ibank.barclays.co.uk
   kaspersky-labs.com
   kaspersky.ru
   lloydstsb.co.uk
   nwolb.com
   online.lloydstsb.co.uk
   personal.barclays.co.uk
   www.barclays.co.uk
   www.hsbc.co.uk
   www.kaspersky-labs.com
   www.kaspersky.ru
   www.lloydstsb.co.uk
   www.lloydstsb.com
   www.nwolb.com

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Remove the entries added to the Hosts file.
3. Update the virus definitions.
4. Run a full system scan and delete all the files detected.
5. Delete any values added to the registry.
   

• How to disable or enable Windows Me System Restore
• How to turn off or turn on Windows XP System Restore

1. Navigate to the following location:
   
   
   • Windows 95/98/Me:
     %Windir%
   • Windows NT/2000/XP:
     %Windir%\System32\drivers\etc
     
     Notes:
   • The location of the hosts file may vary and some computers may not have this file. There may also be multiple copies of this file in different locations. If the file is not located in these folders, search your disk drives for the hosts file, and then complete the following steps for each instance found.
   • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
     
     
2. Double-click the hosts file.
3. If necessary, deselect the "Always use this program to open this program" check box.
4. Scroll through the list of programs and double-click Notepad.
5. When the file opens, delete all the entries added by the risk. (See the Technical Details section for a complete list of entries.)
6. Close Notepad and save your changes when prompted.

• Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the document: Virus Definitions (LiveUpdate).
• Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the document: Virus Definitions (Intelligent Updater).
  
  The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.

1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
   • For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
   • For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
2. Run a full system scan.
3. If any files are detected, click Delete.

1. Click Start > Run.
2. Type regedit
3. Click OK.
   
   Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
   
   
4. Navigate to the subkey:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   
5. In the right pane, delete the value:
   
   "Spools Service Controller" = "%System%\spools.exe"
   
   
6. Exit the Registry Editor.

Write-up by: John Park