1. Use a current, fully patched web browser. (This page links a Firefox download at http://www.oral8.net/firefox/firefox.htm; that is not Mozilla's site, so obtain the browser from the vendor's official download page instead.)
2. Temporarily disable System Restore (Windows Me/XP).
3. Update the virus definitions, then reboot the computer into Safe Mode. Note that this worm changes the shell values used at logon (see the registry entries below), so Safe Mode alone does not guarantee the worm is not started; in particular do not use "Safe Mode with Command Prompt", whose AlternateShell value the worm has pointed at its own copy.
4. Run a full system scan, clean or delete all files detected as W32.Zatyudi.A, and delete or restore the registry values the worm added or modified.
The registry values to remove or restore are the ones listed in the following technical description of the worm:
When the worm is executed, it creates the following files:
It then creates the following registry entry so that it starts when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"NTservices" = "C:\WINDOWS\system32\[8-DIGIT HEXADECIMAL NUMBER]\services.exe -update"
This value does not exist on a clean system and can be deleted.
The worm also modifies the following registry entries so that it starts when Windows starts, including when Windows is started in Safe Mode:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe C:\WINDOWS\winlogon.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\"AlternateShell" = "winlogon.exe -safemode"
The per-user Shell value is not present on a clean system and can be deleted. AlternateShell is the shell that "Safe Mode with Command Prompt" launches; do not delete it, restore its default value of cmd.exe. Note also that the worm's winlogon.exe sits in C:\WINDOWS, whereas the legitimate winlogon.exe lives in C:\WINDOWS\system32.
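The following PowerShell script is an added example for checking and repairing the three persistence points just described; it is not part of the original page or of Symantec's writeup. It assumes the clean defaults stated above (no per-user Winlogon Shell value, AlternateShell equal to cmd.exe), uses %SystemRoot% instead of the hard-coded C:\WINDOWS, and leaves deletion of the dropped files to the antivirus scan. Run it from an elevated prompt; without -Remediate it only reports.

```powershell
# Added example: report (and with -Remediate, repair) the W32.Zatyudi.A
# persistence entries described on this page. Not from the original page.
param([switch]$Remediate)

$run   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$hkcuW = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$safe  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$findings = @()

# 1. Run value "NTservices" pointing at system32\<8 hex digits>\services.exe -update.
#    Absent on a clean system, so it is simply removed.
$nt = (Get-ItemProperty -Path $run -Name NTservices -ErrorAction SilentlyContinue).NTservices
if ($nt) {
    $findings += "Run\NTservices = $nt"
    if ($nt -match '\\system32\\[0-9A-Fa-f]{8}\\services\.exe') {
        $findings += '  (path matches the drop pattern described for this worm)'
    }
    if ($Remediate) { Remove-ItemProperty -Path $run -Name NTservices }
}

# 2. Per-user Winlogon Shell hijack. Assumption: the value does not exist on a
#    clean system, so any value found here is removed.
$shell = (Get-ItemProperty -Path $hkcuW -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell) {
    $findings += "HKCU Winlogon\Shell = $shell"
    if ($Remediate) { Remove-ItemProperty -Path $hkcuW -Name Shell }
}

# 3. Shell for "Safe Mode with Command Prompt". Must be restored to cmd.exe,
#    not deleted, or that boot option stops working.
$alt = (Get-ItemProperty -Path $safe -Name AlternateShell -ErrorAction SilentlyContinue).AlternateShell
if ($alt -and $alt -ne 'cmd.exe') {
    $findings += "SafeBoot\AlternateShell = $alt (expected cmd.exe)"
    if ($Remediate) { Set-ItemProperty -Path $safe -Name AlternateShell -Value 'cmd.exe' }
}

# 4. Dropped files referenced by the entries above (reported only; let the
#    antivirus scan remove them).
$sys32 = Join-Path $env:SystemRoot 'system32'
Get-ChildItem -Path $sys32 -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^[0-9A-Fa-f]{8}$' -and
                   (Test-Path (Join-Path $_.FullName 'services.exe')) } |
    ForEach-Object { $findings += "dropped file: $($_.FullName)\services.exe" }
if (Test-Path (Join-Path $env:SystemRoot 'winlogon.exe')) {
    $findings += "dropped file: $env:SystemRoot\winlogon.exe (legitimate copy is in system32)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Zatyudi.A persistence indicators found.'
} else {
    $findings | Write-Output
    if (-not $Remediate) {
        Write-Output 'Re-run with -Remediate (in Safe Mode, after the scan) to fix the registry values.'
    }
}
```

Run it once before the scan to confirm the machine matches this description, and once more after the scan with -Remediate so the Safe Mode shell value is restored rather than left pointing at a file the scanner has just deleted.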
The worm may then harvest email addresses from files with the following extensions:
.exe
.scr
.com
.pif
.cmd
.wab
.asp
.dbx
.eml
.htm
.html
.jsp
.msg
.php
.shtm
.shtml
.txt
.xml
.js
.aspx
It will ignore email addresses that contain the following strings:
@microsoft
rating@
anti
secur
news
update
kasp
admin
icrosoft
support
ntivi
unix
bsd
nux
listserv
certific
sopho
avas
@foo
@iana
desk
free-av
@messagelab
winzip
google
winrar
samples
abuse
panda
cafee
spam
pgp
@avp.
noreply
local
root@
.org
@sys
premium
titanium
viruz
virus
orman
aladin
groups
anyone@
bugs@
contract@
feste
gold-certs@
help@
info@
nobody@
noone@
@sun
master
project
ternal
fbi
gmx
crack
hack
code
ware
trojan
clean
spy
movsd
masm
@pc
source
h4ck
compu
sales
catch
mantec
defen
viri
kill
cisco
labs
trust
sweep
submit
l0pht
phreak
The email addresses gathered may be stored in the following file: C:\Recycled.[8-DIGIT HEXADECIMAL NUMBER]\yudizat.zat
The worm may copy itself to shared folders and removable drives using the following file names:
Bank mini Games.exe
Apache_server_831.exe
Internet Explorer Vista.exe
Nation Instinct.exe
Crack Windows vista final release.exe
Gorilaz complete album lyrics.exe
Winamp Deluxe pro.exe
Bank Mini Games complete 2007.exe
Nero final version 8.exe
PHP nuke hack 3.exe
Guitar XP studio.exe
war games.exe
Splinter Cell.exe
e-Gold auto hack v2.1.exe
New yahoo messenger vista.exe
Update windows media player 10.exe
full complete codec pack.exe
XP Update.exe
Hawai Beach screen saver.exe
Britney Screensaver (live).exe
Defacer tool.exe
Trojan removal
eBay userID.exe
full AVG update 2007 pack.exe
eBay password.exe
Yahoo! password.exe
Soccer Manager 2007.exe
DeepFreeze Pro full.exe
Deep_freeze enterprise.exe
Games Cheats DataBase.exe
Californian Food v3.exe
Complete password cracker tool.exe
GameHouse Collection.exe
Note: These files may also be dropped in random locations.
The worm may also randomly create archive files (listed below as .zip, although one name carries a .rar extension) in various folders on the compromised computer, using any of the following file names:
Entertainment.zip
don't touch this!.zip
my briefcase.zip
Photo Album Packed.zip
Deep_freeze_pro8.zip
Always in memory.rar
Billing_13_professional.zip
AVP_N_license.zip
XP anti hacker.zip
The .zip files contain a copy of the worm with the file name SETUP.exe. It may then copy these .zip files to shared folders and removable drives.
The worm may attempt to connect to the following IP addresses to check network connectivity (using ping.exe) and then send a notification of infection:
69.73.169.9
216.177.77.9
It may then attempt to download one of the following images:
The worm then attempts to end all processes and services whose name, associated window title, or description contains any of the following strings. The match is a substring match, so generic entries such as "system", "process", "update" and "er5" will also terminate unrelated programs, and common diagnostic tools (HijackThis, KillBox, Process Explorer, Regmon, LordPE) are named explicitly; renaming such a tool to a file name that contains none of these strings lets it run while the worm is active:
SysMech
PDFIND
avtask
mav
process
ccapp
avgemc
snaps
rstrui
syslove
sstray
thread
mcvsescn
poproxy
xpshare
systray
ashmaisv
aswupdsv
nvc
cclaw
njeeves
nipsvc
update
vptray
opscan
nopdb
ctfmon
zlh
avgupsvc
removal
virus
AGENTSVR
ANTI
MONITOR
APLICA32
APVXDWIN
ATCON
GUARD
ATRO55EN
WATCH
AUTODOWN
AUTOTRACE
AUTOUPDATE
AVCONSOL
AVGSERV9
AVLTMAIN
AVPUPD
AVSYNMGR
AVWUPD32
AVXQUAR
AVprotect9x
BD_PROFESSIONAL
BIDEF
BIDSERVER
BIPCP
BIPCPEVALSETUP
BISP
BLACKD
BLACKICE
BOOTWARN
BORG2
BS120
CDP
CFGWIZ
CFIADMIN
CFIAUDIT
CFINET
CFINET32
CLEAN
CLEAN32
CLEANER
CLEANER3
CLEANPC
CMGRDIAN
CMON016
CPD
CPF9X206
CWNB181
CWNTDWMO
config
killbox
hijackthis
DEFWATCH
DEPUTY
DPF
DPFSETUP
DRWATSON
DRWEBUPW
ENT
ESCANH95
ESCANHNT
ESCANV95
EXANTIVIRUS-CNET
FAST
FIREWALL
FLOWPROTECTOR
FP-WIN_TRIAL
FRW
FSAV
FSAV530STBYB
GBMENU
GBPOLL
GUARDDOG
HACKTRACERSETUP
HTLOG
HWPE
IAMAPP
IAMSERV
ICLOAD95
ICLOADNT
ICMON
ICMON32
sysmech6
sysmech5
ICSSUPPNT
ICSUPP95
ICSUPPNT
IFW2000
IPARMOR
IRIS
JAMMER
KAVLITE40ENG
KAVPERS40ENG
KERIO-PF-213-EN-WIN
KERIO-WRL-421-EN-WIN
KERIO-WRP-421-EN-WIN
KILLPROCESSSETUP161
LDPRO
LOCALNET
LOCKDOWN
LOCKDOWN2000
LSETUP
LUALL
LUCOMSERVER
LUINIT
MCAGENT
MCUPDATE
MFW2EN
MFWENG3.02D30
MGUI
MINILOG
MOOLIVE
MRFLUX
CONFIG32
MSINFO32
MSSMMC32
MU0311AD
NAV80TRY
NAVAPW32
NAVDX
NAVSTUB
NAVW32
NC2000
NCINST4
admin
NDD32
NEOMONITOR
NETARMOR
NETINFO
NETMON
NETSCANPRO
HUNTER
NISSERV
NMAIN
NORTON
NPF
NPROTECT
NSCHED32
NTVDM
NUPGRADE
NVARCH16
NWINST4
NWTOOL16
NavShExt.dll
OSTRONET
OUTPOST
PADMIN
PANIXK
PAVPROXY
PCC2002S902
PCC2K_76_1436
PCCIOMON
PCDSETUP
PCFWALLICON
PCIP10117_0
PDSETUP
PERISCOPE
PERSFW
PF2
PFWADMIN
PINGSCAN
PLATIN
PROTECTX
PSPF
QCONSOLE
QSERVER
RESCUE
watch
watcher
RRGUARD
RSHELL
RULAUNCH
SAFEWEB
SAVSCAN
SBSERV
SETUPVAMEEVAL
SETUP_FLOWPROTECTOR_US
SFC
SGSSFW32
SHELLSPYINSTALL
SYSEDIT
SymWSC
TAUMON
TAUSCAN
TRACERT
TRJSCAN
TRJSETUP
TROJANTRAP
UNDOBOOT
VBCMSERV
VBCONS
VBUST
VIRUSMDPERSONALFIREWALL
W32DSM
WEBSCANX
WHOSWATCHINGME
WINRECON
WNT
WRADMIN
WRCTRL
WSBGATE
WYVERNWORKSFIREWALL
XPF202EN
ZONEALARM
ccApp
ccEvtMgr
navapsvc
norman
workstation
autoupdate
avast
internals
ContactKeeper129
antivir
avg
aawsepersonal
avgwb.dat
ultraedit
hiew
memhack
systemhack
finder
engine
cracker
cheat
anti
hacker
killer
machine
fix
fixer
ner
er44
er40
er10
er5
spy
Dump
fusion
system
f10
jack
rip
guard
diskmon
regmon
monitor
debug
MEMGUTT
nmap
rminstall
ator
secure
security
center
control
panda
sophos
prot
protex
protect
regmonnt
ware
view
viewer
washer
administrator
secret
show
stealth
hide
awake
visible
dump
api
crc
procexp
hex
workshop
ver
licode
codeli
hacking
mfwenu3.02r
vsc601ai
vs0602AU
upswplug
rescue
RShelln
shield
scrubber
LUSETUP
scan
NavDX
NU2002
Pavjobs
PAVSRV50
Pavw
Repairnt
zapSetup3026
anty
Pavsched
Pavclshe
pavcl.msg
pavcl
Inicio
Iface
Avengine
Apvxdwin
upgrader
wgsetup
WINPROXY
maker
crack
hack
procviewer
lyze
yzer
yzing
pest
patrol
viruz
virii
viren
stop
attack
defend
stoper
stoped
exploit
monitoring
sav
rav
lav
known
pav
kav
yav
tav
nav
hidden
hidding
die
netcat
softice
softice32
tools
xav
abuse
abuser
tactic
weapon
rock
strike
special
ddos
flicker
sniff
access
proc
proce
memory
frog
trap
catch
frogging
grabber
graber
grabbing
kick
kicker
stole
aware
freeze
freezing
struct
death
Avast
ashBug
ashDisp
ashChest
ashLogV
ashMaiSv
ashPopWz
ashQuick
ashSimpl
ashSkPcc
ashSkPck
aswBoot
aswUpdSv
sched
ccsetmgr
pavprsrv
navsetup
lrsetup
lucoms~1
nprotect
cfgwiz
symlcsvc
luall
navw32
wisptis
inocit
stopper
realmon
monxp
avconsol
alogserv
webscanx
mcshield
vshwin32
vsstat
avsynmgr
netstat
ipconfig
wmiprvse
toolz
snipper
avengine
pavsrv51
apvxdwin
LordPE
Recommendations
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up to date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
5. Exit the Registry Editor.
6. Delete the Internet Explorer temporary files (or download ATF-Cleaner and run a full cleaning), then restart the computer.
7. W32.Zatyudi.A should now be removed. Run one more full scan and re-check the registry entries listed above to confirm that no infected files or modified values remain.