Half a million zombie machines orphaned....Srizbi bot removal!

Hi you malware fighters and bot hunters,

Over half a million Internet users have been infested with the Srizbi bot,
turning this in one of the biggest botnets on the Internet.
Srizbi also had it’s command & control servers hosted at spamhoster McColo.
see: http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html
That firm recently has been closed down,
so bot herders could not herd their botnets anymore.

Computer users that are infected with Srizbi bot can try to remove this manually,
according to botnethunter FireEye who explains his method here:
http://blog.fireeye.com/research/2008/11/srizbi-removal-instructions.html
he also explains how mentioned bot uses rootkit functionality.
When his step by step plan does not bring full results,
the only thing left will be formatting the infected machine,
according to researcher Atif Mushtaq.

Description of this malware:

Discovered: June 20, 2007
Updated: July 23, 2007 2:39:10 AM
Also Known As: Troj/RKAgen-A [Sophos], Rootkit:W32/Agent.EA [F-Secure]
Type: Trojan
Infection Length: 154,112 bytes
Systems Affected: Windows XP, Windows NT, Windows 2000

Agent.ea arrives as a dropper that installs the main driver of the trojan and deletes itself.
Upon execution, it creates the following file:

* %System%\windbg48.sys

It installs the driver file as service by creating the following registry key:

* HKLM\System\CurrentControlSet\Services\windbg48

The dropper deletes itself with the following batch file:

* %Temp%\_uninsep.bat

When the driver file is activated,
it might connect to one of the following remote sites
in an attempt to retrieve spam messages:

* www dot konskyvolos dot com
* www dot swinmaster dot com

The driver also hides itself, its registry keys, and network traffic using rootkit techniques.
The spamming routine is also implemented entirely in the kernel-mode component (windbg48.sys).

Follow the following general removal instructions:

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan.
  4. Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.

  1. To disable System Restore (Windows Me/XP)
    If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

ME http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?OpenDocument&src=sec_doc_nam
XP http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

  1. Update the virus definitions

  2. To run a full system scan

    1. Start your antivirus program and make sure that it is configured to scan all the files.
    2. Run a full system scan.
    3. If any files are detected, follow the instructions displayed by your antivirus program.

After the files are deleted, restart the computer in Normal mode and proceed with the next section.
Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. T
To search for a file, click the Start button, and then click Search.

Delete the following files:
%systemdir%\windbg48.sys
%profiledir%\scchost.exe
\scchost.exe

  1. To delete the value from the registry
    Important: We strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

    1. Click Start > Run.

    2. Type regedit

    3. Click OK.
      Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

    4. Navigate to and delete the following entries:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RcpApi"MachineNum"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windbg48

    Delete the following registry keys:
    windbg48
    windbg48
    windbg48
    LEGACY_windbg48
    LEGACY_windbg48
    LEGACY_windbg48

    1. Exit the Registry Editor.

That’s all folks,

polonus


Thank you, polonus, for this informative post. :slight_smile: