Worm - Win32:Rungbu

Hi All,

My network of >500 computers has been infected by a worm, Win32:Rungbu, and Avast is failing to detect it; it is only when you scan files with another AV that it can be detected and removed. It is affecting mainly Word files, and the extension of the documents changed from .doc to .scr. Does that mean that Avast has less capabilities, coz my VPS database is up to date? Help!!!

I didn’t get it. Have you managed to delete the virus? :slight_smile:

Send any infected file to the avast virus lab. There are no perfect antiviral solutions. :slight_smile:

The problem with the worm is that Avast cannot pick it up, but on other machines with a different AV (Norton) you can detect and remove it. But I have > 500 clients running Avast that I will have to remove Avast from, which is a lot of work.

:slight_smile: Hi Lox :

“Worms” are best dealt with by antiSPYWARE/antiTROJAN program(s), not an antiVIRUS program; do you have any of this “type” of program on your machines?

Probably the Best is AVG Antispyware ( formerly known as "Ewido" ) from www.ewido.net .

Sure, it’s one of the best. The only disadvantage of the free version is that you will not have a realtime monitor :frowning: , but if you run it manually and update the bases, you will have a chance to remove this nasty worm.

Use this stand alone removal tool:
http://www.compactbyte.com/cav/index.php
Hope this will help.

If you can isolate a sample prior to deletion send it to avast! so a detection can be added.

Before you remove avast! from all those computers remember that no AV is 100%. Sure, avast! missed this one and Norton caught it. But I can tell you from personal experience there will be others Norton misses that avast! does catch.

Hi lox,

Here are the removal instructions for rungbu:
http://www.2-spyware.com/remove-rungbu-b.html

polonus

I disagree with you. :slight_smile: An antivirus is a means of removing malware, including classical viruses, worms and trojans. No way to recommend an antispyware tool to delete a worm, if you ask me. :slight_smile:

Hi NickGolovko,

You are right where a normal AV program should take care of this worm. Again there are worms that also are part of the signatures of anti-spyware, because of their qualification as typical spyware malware. Classification of worms sometimes creates a grey area. As we say ‘po polsku’ “robak internetowy to robak internetowy”, no matter what cleans it.

polonus

Still, Avast Home Edition is failing to detect this worm. Is there anyone who has any new ideas???

Hi lox,

Rungbu.b manual removal:
Kill processes:
ctfmon.exe, docicon.exe, smss.exe, spoolsv.exe, svchost.exe

Delete registry values:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe "C:\Recycled\svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=C:\Recycled\svchost.exe
HKEY_CURRENT_USER\Word.Document.8\DefaultIcon(default)\C:\Program Files\Microsoft Office\Office\docicon.exe
HKEY_CURRENT_USER\scrfile(Default)\Microsoft Word Document

Delete files:
ctfmon.exe, docicon.exe, smss.exe, spoolsv.exe, svchost.exe

Misc:
Exact file location:
docicon.exe - C:\Program Files\Microsoft Office\Office
ctfmon.exe, smss.exe, spoolsv.exe, svchost.exe - C:\Recycled

polonus
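
The manual-removal list above, turned into a read-only check; this is an added example, not part of polonus's post or of any vendor tool. Four of the five listed names (ctfmon.exe, smss.exe, spoolsv.exe, svchost.exe) are also genuine Windows processes, so the script matches on the full paths given in the post rather than on names; the variable names are illustrative, and only the two Winlogon values are checked in the registry.

```powershell
# Added example: read-only check for the Rungbu.b indicators listed in the post.
# It reports matches and changes nothing on the machine.

# File locations exactly as given in the post.
$dropDir   = 'C:\Recycled'
$officeDir = 'C:\Program Files\Microsoft Office\Office'
$dropNames = 'ctfmon.exe', 'smss.exe', 'spoolsv.exe', 'svchost.exe'
$suspectFiles = @($dropNames | ForEach-Object { Join-Path $dropDir $_ })
$suspectFiles += Join-Path $officeDir 'docicon.exe'

$findings = @()

# 1. Files present at the listed locations.
foreach ($f in $suspectFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "FILE     $f" }
}

# 2. Running processes whose image path is one of the listed files.
#    Matching on path keeps the genuine System32 copies out of the results.
$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ExecutablePath -and ($suspectFiles -contains $_.ExecutablePath) }
foreach ($p in $procs) {
    $findings += "PROCESS  $($p.ProcessId) $($p.ExecutablePath)"
}

# 3. Winlogon values named in the post, flagged only when they point into C:\Recycled.
$winlogon = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' }
)
foreach ($v in $winlogon) {
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    $data = if ($item) { $item.($v.Name) } else { $null }
    if ($data -and ($data -like "*$dropDir\*")) {
        $findings += "REGISTRY $($v.Key)\$($v.Name) = $data"
    }
}

if ($findings.Count -gt 0) {
    $findings
} else {
    'No Rungbu.b indicators from the post found on this machine.'
}
```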