Virus Alert: W32.Scane

W32.Scane is a worm that attacks the Windows operating system by exploiting the LSASS buffer overflow vulnerability. The infected system will restart automatically after 1 minute.

Systems affected: Windows 2000, Windows XP

Description:

When executed, W32.Scane performs the following tasks:

  1. Copies itself into the system directory as: "%System%\servicec.exe"

    Note: %System% is a variable for the system directory, by default: C:\Winnt\System32 (Windows NT / 2000), or: C:\Windows\System32 (Windows XP).

  2. Adds the value:

    "WinLsass" = "%System%\servicec.exe" or
    "WinLsass" = "

    ... to the registry key so that the worm runs automatically when the system starts up:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  3. Creates multiple threads that connect to random IP addresses and attempt to exploit the Microsoft Windows LSASS vulnerability on TCP port 445. If successful, the remote system will download a copy of the worm to the machine.
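A check for the two host indicators listed above (the "WinLsass" Run value and servicec.exe), written as an added example that is not part of the original alert or Symantec's tooling. It assumes the Run key has been dumped as text with "reg query"; the function names and the sample output are constructed for illustration.

```python
import ntpath
import re

# Indicators taken from the advisory text above.
RUN_VALUE_NAME = "winlsass"
DROPPED_FILE = "servicec.exe"

# One value line of `reg query` output: name, type, data split by tabs/spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

def executable_of(command):
    """Return the lower-cased file name of the program a Run entry launches."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        # Unquoted: cut after the first ".exe" so paths with spaces survive.
        m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
        path = m.group(1) if m else command.split(" ", 1)[0]
    return ntpath.basename(path).lower()

def find_scane_run_entries(reg_query_output):
    """Return (value name, data, reasons) for Run values matching the advisory."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, data = m.group("name").strip(), m.group("data").strip()
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("value name WinLsass")
        if executable_of(data) == DROPPED_FILE:
            reasons.append("launches servicec.exe")
        if reasons:
            hits.append((name, data, reasons))
    return hits

# Constructed sample of `reg query` output, not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VendorAgent    REG_SZ    "C:\Program Files\Vendor\agent.exe" /start
    WinLsass    REG_SZ    C:\WINDOWS\System32\servicec.exe
    Updater    REG_SZ    C:\WINDOWS\System32\SERVICEC.EXE -q
"""

if __name__ == "__main__":
    for name, data, reasons in find_scane_run_entries(SAMPLE):
        print(f"{name}: {data} ({', '.join(reasons)})")
```

Matching on the launched file name as well as the value name catches an entry that was renamed but still points at servicec.exe.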

The following are Symantec Security's recommendations and removal guidelines for the W32.Scane worm:

Recommendations:

  • Turn off and remove unnecessary services on the system. By default, many operating systems install unnecessary services, such as FTP servers, telnet, and Web servers. These services have long exposed many of the weaknesses that hackers use to attack computers.

  • Keep up to date with the latest patches, especially on computers that host multiple public services and are accessible through firewalls, such as HTTP, FTP, mail, and DNS.

  • Tighten the password policy. Using complex passwords makes it difficult for programs to crack passwords on your computer. Doing this will also reduce the damage when the computer is compromised.

  • Configure e-mail servers to block or remove e-mail attachments that are often exploited by viruses to spread: .vbs, .bat, .exe, .pif, and .scr.

  • Isolate the infected computer to prevent the spread of the virus in your organization. Carry out system audit and data backup.

  • Instruct employees not to open e-mail attachments unless they are of a safe and verifiable origin. Also, do not execute software downloaded from the Internet unless it has been scanned by antivirus software. Browsers are no longer safe, and sometimes just a normal web-browsing operation can cause your computer to become infected.

W32.Scane Removal Instructions (Symantec)

  1. Disable System Restore (Windows Me / XP).

  2. Upgrade antivirus software.

  3. Restart the system in "Safe Mode" or "VGA mode".

  4. Run a full system scan with the antivirus software and delete all files named W32.Scane.

  5. Delete the registry values related to the worm.