A new variant of the MSN worm began spreading via MSN Messenger on 20 Sept 2007.
It sends out a .zip file "imag091307.zip" together with messages. The .zip file contains a .com file "img091307-www.photoshop.com". Everyone should be careful.
File name: imag091307.zip (img091307-www.photoshop.com)
Size: 25,600 bytes
Detection: Backdoor.Win32.SdBot.bze (Kaspersky)
HOW TO REMOVE
===============
STEP 1
Delete registry entry: (Under Start menu -> Run -> regedit (OK))
(Suggestion: first look in e.g. C:\windows\dllcache [hidden directory] and sort by date to find the virus file name, because the virus may be called explorer.exe or another name; what they have in common is that the date is the day and time you were infected, and they all have hidden status.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winlogon"="%System%\dllcache\winlogon.exe"
OR [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"explorer"="%System%\dllcache\explorer.exe"
STEP 2
Restart WINDOWS
STEP 3
Delete virus files:
(Suggestion: sort by date, then it will be obvious that the virus file is the newest one, dated at the day and time you were infected.)
%System%\dllcache\winlogon.exe (may be named 'explorer.exe', hidden)
%Windows%\imag091307.zip (also delete the file with a similar name but a .zip extension)
STEP 4
Remove "Windows Sharing" from 'exceptions' tab of Windows Firewall
STEP 5
Set the registry data from 7000 back to the original setting of 20000:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="20000"
If you do not fully understand the above steps, it is suggested that you ask a friend for help, because the steps above involve the registry, and getting it wrong can cause problems even getting into Windows.
Also, if you are really infected, stop Messenger and close it immediately, no matter what dialog box it shows, to prevent the virus from spreading! (Simplest and fastest way: press "CTRL + ALT + DEL" to close MSN first.)
However, since your NOD32 showed a pop-up message, your computer may not be infected at all, because the anti-virus software already blocked it. (If you were really infected, your friends should have received a file transfer request sent from you.)
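The following read-only PowerShell check is an added example, not part of the original post: it looks for the indicators named in steps 1, 3 and 5 above (the Run-key entries, recently modified or hidden files in dllcache, the dropped .zip, and the lowered WaitToKillServiceTimeout) and reports them without changing anything. It assumes a standard %SystemRoot% layout; the 7-day window for "recent" files is a constructed choice, and since dllcache legitimately holds copies of system files, a hit there only matters together with the date, the hidden attribute, or a matching Run entry.

```powershell
# Added example, not from the original post: report-only check for the worm's indicators.
$sys = "$env:SystemRoot\System32"
$findings = @()

# Step 1: Run-key values that start something out of the dllcache folder
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in 'winlogon', 'explorer') {
    $val = $run.$name
    if ($val -and $val -match 'dllcache') {
        $findings += "Run value '$name' = $val"
    }
}

# Step 3: files in dllcache that are hidden or newer than the (constructed) 7-day window.
# dllcache normally contains copies of protected system files, so age/hidden status is the signal.
$cutoff = (Get-Date).AddDays(-7)
Get-ChildItem -Path "$sys\dllcache" -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hidden = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        if ($hidden -or $_.LastWriteTime -gt $cutoff) {
            $findings += "$($_.FullName) (hidden=$hidden, modified $($_.LastWriteTime))"
        }
    }
$zip = Join-Path $env:SystemRoot 'imag091307.zip'
if (Test-Path -Path $zip) { $findings += "$zip exists" }

# Step 5: service shutdown timeout changed from the default 20000
$ctl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -ErrorAction SilentlyContinue
if ($ctl.WaitToKillServiceTimeout -and $ctl.WaitToKillServiceTimeout -ne '20000') {
    $findings += "WaitToKillServiceTimeout = $($ctl.WaitToKillServiceTimeout) (expected 20000)"
}

if ($findings.Count -eq 0) { 'No indicators from this post were found.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

Run it from an elevated PowerShell prompt; a hidden, freshly dated file in dllcache that is also referenced by a Run value matches the pattern the post describes.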