BadTrans.B Disinfection Instructions
Disinfection Instructions for Badtrans.b worm. Description of the functionality of the worm is available at http://www.f-secure.com/v-descs/badtrs_b.shtml
1. If you don't have F-Secure Anti-Virus (FSAV from now on) you can download a trial version from our website: http://www.europe.f-secure.com/download-purchase/
2. If you already have F-Secure Anti-Virus or if you are using a trial version, please download the latest updates from our website: http://www.europe.f-secure.com/download-purchase/updates.shtml
3. Download and apply Microsoft's security patch against automatic activation of e-mail attachments: http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp
4. Download and run F-Secure's special patch file that disables starting of Badtrans.b worm when Windows runs: ftp://ftp.europe.f-secure.com/anti-virus/tools/bt_b_dis.reg
When you click on this link your web browser will ask you if you want to open it or save it to disk. Select 'Open' option and click 'Ok' button.
5. Restart your system.
6. Scan all your hard drives with F-Secure Anti-Virus. Use 'Scan All Files' option. Set 'Confirm Operations' option if you have FSAV 4. Set 'Ask After Scan' option if you have FSAV 5.a. When FSAV detects the Badtrans worm in 'kernel32.exe' file in your Windows System folder, select 'Delete' disinfection action. This will remove the worm's file from your system.b. When FSAV detects 'Trojan.PSW.Hooker' in a file (usually KDLL.DLL file), try to delete it by selecting 'Delete' disinfection option. If the file was deleted successfully then your system is clean from Badtrans worm and Hooker trojan.If the file can't be deleted (locked by Windows), you will have to delete it manually. First, write down the location and file name of a file that FSAV detected as 'Trojan.PSW.Hooker'. Then, depending on your operating system do the following:
For Windows 95/98 users
If you have Windows 95 or 98, restart your system in MS-DOS mode, and type at command prompt 'DEL' followed by a space and a location of trojan file you put down before. Then press 'Enter' and the trojan file will be deleted.For Windows ME users
If you have Windows ME, you will need to boot your computer with a system diskette and type at command prompt 'DEL' followed by a space and a location of trojan file you put down before. Then press 'Enter' and the trojan file will be deleted. It is also advised to disable System Restore function of Windows ME as the worm and trojan files can re-appear. Here are the instructions on how to disable System Restore feature:
For Windows NT4/2000/XP users
If you have Windows NT, 2000 or XP please rename the trojan's file using your Windows Explorer. Rename the file with a different name, 'trojan.000' for example and restart your system. Then scan your system with FSAV and when FSAV detects the trojan in the file earlier renamed by you select 'Delete' disinfection action. This will remove the trojan's file from your system.c. VERY IMPORTANT! If FSAV detects an infection in your e-mail database (PST, MDB and other files), DO NOT delete this file or you will loose all your e-mails. You will need to delete all infected messages from your e-mail database using your e-mail client and then to compact these databases to purge deleted e-mails. After that FSAV will not find infected message any more.7. After disinfection it is recommended to scan your system with FSAV again to ensure that no infected files are left.8. It is also recommended to change your Windows domain password and RAS password as they might have been compromised.[F-Secure Corporation]