Discovered: January 3, 2003
Updated: February 13, 2007 11:42:00 AM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
NOTE: These instructions are for all the current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
- Reverse the changes that the Trojan made to the registry.
- Update the virus definitions.
- Do one of the following:
- Windows 95/98/Me: Restart the computer in the Safe mode.
- Windows NT/2000/XP: Stop the Trojan process.
- Run a full system scan and delete all the files detected as Backdoor.OptixPro.10.c or Trojan Horse.
- For Windows 95/98/Me only: Restore the shell= line in the System.ini file and restore the run= line in the Win.ini file.
For details on how to do this, read the following instructions.
Reversing the changes the Trojan made to the registry
Because the Trojan modified the registry so that you cannot run the .exe files, first make a copy of the Registry Editor as a file with the .com extension, and then run that file.
Making a copy of the Registry Editor
- Do one of the following, depending on which version of Windows you are running:
- Windows 95/98: Click Start, point to Programs, and click MS-DOS Prompt. A DOS window opens at the C:\Windows prompt. Proceed to step 2 of this section.
- Windows Me: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt. A DOS window opens at the C:\Windows prompt. Proceed to step 2 of this section.
- Windows NT/2000:
- Click Start, then click Run.
- Type command, then press Enter.
(A DOS window opens.)
- Type the following:
cd \winnt
Then press Enter.
- Go to step 2 of this section.
- Windows XP:
- Click Start, then click Run.
- Type command, then press Enter.
(A DOS window opens.)
- Type the following:
cd\
cd \windows
Then press Enter after typing each one.
- Proceed to step 2 of this section.
- Type the following:
copy regedit.exe regedit.com
Then press Enter.
- Type the following:
start regedit.com
Then press Enter.
The Registry Editor opens in front of the DOS window. After you finish editing the registry, exit the Registry Editor, and then exit the DOS window.
Editing the registry
CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
- Navigate to and select the following key:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure that you browse all the way along this path until you reach the \command subkey.
Modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command subkey, shown in the following figure:
<<=== NOTE: Modify this key.
- In the right pane, double-click the (Default) value.
- Delete the current value data, then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk).
NOTES:
- On Windows 95/98/Me/NT, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like this:
""%1" %*"
- On Windows 2000/XP, the additional quotation marks will not appear. When you click OK, the (Default) value should look exactly like this:
"%1" %*
- Make sure that you completely delete all the value data in the command key before you type the correct data. If you leave a space at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." If this happens to you, start over at the beginning of this document and make sure that you completely remove the current value data.
- Navigate to each of the keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices
NOTE: Both keys may not be found on all the operating systems.
- For each of the keys in step 4, in the right pane, delete any value that refers to C:\%system%\netupd.exe.
- Exit the Registry Editor.
Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
- Running LiveUpdate, which is the easiest way to obtain the virus definitions. These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate), in the "Protection" section, at the top of this writeup.
- Downloading the definitions using the Intelligent Updater. The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater), in the "Protection" section, at the top of this writeup.
The Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.
Restarting the computer in Safe mode or ending the Trojan process
- Windows 95/98/Me
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."
- Windows NT/2000/XP
To end the Trojan process:
- Press Ctrl+Alt+Delete once.
- Click Task Manager.
- Click the Processes tab.
- Double-click the Image Name column header to alphabetically sort the processes.
- Scroll through the list and look for Win32loader.exe.
- If you find the file, click it, and then click End Process.
- Exit the Task Manager.
Scanning for and deleting the infected files
- Start your Symantec antivirus program and make sure that it is configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with Backdoor.OptixPro.10.c or Trojan Horse, click Delete.
Editing the System.ini and Win.ini files (Windows 95/98/Me only)
- Click Start, then click Run.
- Type the following:
edit c:\windows\system.ini
Then click OK.
(The MS-DOS Editor opens.)
NOTE: If Windows is installed in a different location, make the appropriate path substitution.
- In the [boot] section of the file, look for an entry similar to:
shell=Explorer.exe <the Trojan file name>
- Delete all the text (on the shell=Explorer.exe line only) to the right of Explorer.exe. When you have finished, the line should read:
shell=Explorer.exe
- Click File, click Exit, then click Yes when you are prompted to save the changes.
- Click Start, then click Run.
- Type the following:
edit c:\windows\win.ini
Then click OK.
(The MS-DOS Editor opens.)
NOTE: If Windows is installed in a different location, make the appropriate path substitution.
- In the [windows] section of the file, look for an entry that is similar to:
run=<the Trojan file name>
- Delete all the text (on the run= line only) to the right of run= . When you have finished, the line should read: run=
- Click File, click Exit, then click Yes when you are prompted to save the changes.
Writeup By: Yana Liu
Technorati
Digg
Delicious
Reddit
StumbleUpon
Yahoo Buzz
Twitter
Facebook
Newsvine