It appears that this worm/virus is again spreading. Here's what I got from my team. ...hope this helps.

Sammy

=================

I used another anti-virus to scan the infected PC and it detected:

  Z:\WINNT\system32\SYSMON32.exe
  Infection: Worm.Win32.Aidid  Renamed.

  Z:\Documents and Settings\administrator\My Documents\Article Number 6 (PNAP).doc.exe
  Infection: Worm.Win32.Aidid  Renamed.

Actually it's an old virus. Please check this link:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AIDID.A

I don't know why OfficeScan cannot detect it. Worm.Win32.Aidid can easily be removed manually. Please read the above link for the procedure.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

1. Open Windows Task Manager.
   On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
   On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file or files detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third-party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start > Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run
3. In the right panel, locate and delete the entry or entries:
   SystemMonitor = "%System%\Sysmon32.exe"
   Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
4. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

-----Original Message-----
From: Joseph Anthony C. Hermocilla [mailto:[EMAIL PROTECTED]
Sent: Saturday, November 20, 2004 3:45 AM
To: Philippine Linux Users Group Mailing List
Subject: Re: [plug] new philippine virus!

That one is spreading around here at UPLB.

To remove the worm:

1.) Boot in safe mode (Win 98 or XP).
2.) Run regedit. Regedit won't run under normal mode because the worm closes the window associated with regedit.
3.) Remove the registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYSMON? something.
4.) Delete "C:\WINDOWS\SYSTEM\SYSMON32.EXE". I don't remember if it's SYSTEM or SYSTEM32. Just check the registry.

I think the worm was made using VB.

-- 
________________________________________________________________________________
Joseph Anthony C. Hermocilla
http://www.ics.uplb.edu.ph/~jach
Instructor 1
Institute of Computer Science
University of the Philippines Los Banos

-- 
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
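The manual clean-up described in the thread (end the Sysmon32.exe process, delete the SystemMonitor value under the HKLM Run key, delete the dropped file) can be scripted so that no interactive Regedit or Task Manager window is needed. The following is an added example written for this page, not code from the thread or from Trend Micro. It assumes only the indicators the thread names: the Run value "SystemMonitor", the file name Sysmon32.exe under %System%, and the "*.doc.exe" double-extension copies the scanner reported. PowerShell postdates the 2004 machines in the thread, so this is a modern restatement of the procedure; run it from an elevated prompt.

```powershell
# Added example: script the WORM_AIDID.A removal steps from the thread.
# Indicators below are the ones quoted in the thread; everything else
# (variable names, the hashing step, the *.doc.exe sweep) is this example's own.
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'SystemMonitor'                       # Run value the worm creates
$FileName  = 'Sysmon32.exe'                        # dropped executable
$SystemDir = [Environment]::SystemDirectory        # %System%, e.g. C:\Windows\System32

# 1. Autostart entry: read the value and only delete it if it really points at the worm file,
#    so a legitimately named "SystemMonitor" entry is not removed by accident.
$entry = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
if ($entry -and $entry.$ValueName -match [regex]::Escape($FileName)) {
    Write-Host "Autostart entry found: $ValueName = $($entry.$ValueName)"
    Remove-ItemProperty -Path $RunKey -Name $ValueName
    Write-Host "Removed $ValueName from $RunKey"
} else {
    Write-Host "No $ValueName entry pointing at $FileName under $RunKey"
}

# 2. Running process: match on the executable's on-disk name rather than the
#    process display name, then terminate every instance.
$procs = Get-Process | Where-Object { $_.Path -and (Split-Path $_.Path -Leaf) -ieq $FileName }
foreach ($p in $procs) {
    Write-Host "Terminating PID $($p.Id) ($($p.Path))"
    Stop-Process -Id $p.Id -Force
}

# 3. Dropped file: record a hash before deleting so there is evidence to compare
#    against other machines, then remove it.
$target = Join-Path $SystemDir $FileName
if (Test-Path $target) {
    $hash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    Write-Host "Removing $target (SHA256 $hash)"
    Remove-Item -Path $target -Force
} else {
    Write-Host "$target not present"
}

# 4. Report (do not delete) double-extension copies like the "*.doc.exe" file the
#    scanner found, so the operator can review them before acting.
Get-ChildItem -Path $env:USERPROFILE -Filter '*.doc.exe' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "Suspicious double-extension file: $($_.FullName)" }
```

Because the thread reports that the worm closes the Regedit window on a normally booted system, a non-interactive script has a better chance of finishing than the GUI steps; booting to Safe Mode first, as the original reply suggests, remains the safer option since the worm is then not running to interfere or to recreate the Run value.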
