THREAT NAME

Worm.VB.Ymeak.A

CLEAN INSTRUCTIONS
1. Restart the system in Safe mode.

2. Open Windows Explorer and go to C:\Documents and Settings\All users\Start Menu\Programs\Startup.

3. Locate and delete the svchost.exe file.

4. Navigate to C:\Windows folder.

5. Locate and delete the b.exe file.


SYMPTOMS
1. You can't open cmd, ipconfig, netstat, ping, regedit, regedt32, taskkill, taskmgr and tracert.

2. Your P2P file sharing program may launch itself automatically.

3. You may find a directory called "_" (underscore) in the shared folder of your P2P application.

4. Increased network activity.


DESCRIPTION
1. When executed it will create a copy of itself in C:\Documents and Settings\All users\Start Menu\Programs\Startup
with the name svchost.exe.

2. It shows a fake message saying The setup file is corrupted.

3. After that it will launch the svchost.exe copy and the original instance will end the execution.

4. This one will search the C:\Windows folder for the following applications:

winlog.exe
p2pnetworking.exe
scvhost.exe
winlogi.exe
p2pnetwork.exe

5. If it can't find any of those then it will drop a file (backdoor) called b.exe in the C:\Windows folder.

6. It will create a subfolder called "_" in the shared folder of the following P2P applications:

BearShare
Limewire
Morpheus
Shareaza

7. It opens the following programs for exclusive access, in order to prevent detection: