McMaster University

Removing W32.Wargbot or Cuebot-L Worm

There is a worm called W32.Wargbot (Symantec) or Cuebot-L (Sophos) spreading on campus. The worm infects Windows 2000, Windows XP and Windows 2003 Server computers that have not been patched with Microsoft patch MS06-040. All customers are strongly encouraged to keep Microsoft patches up to date using Windows Automatic Update and to turn on Windows Firewall. See http://www.mcmaster.ca/ctl/winupdate.htm and http://www.mcmaster.ca/ctl/firewall.htm.

If you are unable to run Windows Automatic Update at this time, download the MS06-040 patch from http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx on another computer and copy it to a CD, so the patch can be applied before the affected computer is reconnected to the network.

More information about the worm can be found at: http://www.symantec.com/enterprise/security_response/print_writeup.jsp?docid=2006-081312-3302-99 .

Removal Instructions:

- Using an account with Administrative privileges on the computer, set the computer to show hidden folders and files.

- Turn off System Restore. (Applies to Windows XP)
Click on Start > Control Panel > System, then select the System Restore tab. Tick the check box beside “Turn off System Restore” and click OK. (The worm's files would otherwise be preserved in restore points and restored later.)

- Disable the service called Windows Genuine Advantage Registration Service.
Click on Start > Control Panel > Administrative Tools > Services. Windows Genuine Advantage Registration Service should be near the bottom. Right-click it and select Properties. Under “Startup Type” select Disabled. Click Apply and then OK. Despite its name, this service is the worm itself (its service name is wgareg, which is why the registry keys below refer to wgareg); it is not part of Microsoft's Windows Genuine Advantage.

- Reboot into Safe Mode. (Restart the computer, press F8 while it is starting, and choose Safe Mode.)

- Delete the files wgareg.exe and nsms.exe in the System32 folder. The System32 folder is under C:\winnt (Windows 2000) or C:\Windows (Windows XP and 2003).

- Empty the Recycle bin.

- Run Regedit or regedt32.
Click on Start > Run, type “regedit” (Windows XP) or “regedt32” (Windows 2000), then click OK.
 

- Back up the Registry before removing the following entries created by the worm.
Click on File > Export. Type “registry” in the File Name box, select the Desktop as your save location, and select All under Export Range (near the bottom). Click Save.

Delete the following registry key, which the worm created for the Windows Genuine Advantage Registration Service:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wgareg

The entries listed below are the settings the worm wrote. They are values inside the key shown (not subkeys); in each case change the value back to the Windows default given in brackets.

Go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Change the value that disabled DCOM:
"enabledcom" = "n"   (default: "Y")

Go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Change the values that modified access to network shares:
"restrictanonymous" = "1"   (default: 0)
"restrictanonymoussam" = "1"   (note: 1 is already the default on Windows XP and 2003, so this one only needs changing if your setup had it at 0)

Go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lanmanserver\parameters
Change the values that turned off the administrative shares:
"autoshareserver" = "0"   (default: 1; deleting the value also restores the default)
"autosharewks" = "0"   (default: 1; deleting the value also restores the default)

Go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
Change the values that lowered security settings (these stop Security Center from warning that anti-virus and the firewall are off):
"antivirusdisablenotify" = "1"   (default: 0)
"antivirusoverride" = "1"   (default: 0)
"firewalldisablenotify" = "1"   (default: 0)
"firewalldisableoverride" = "1"   (default: 0)

Go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile
Change the value that disabled the firewall:
"enablefirewall" = "0"   (set to 1)

Go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile
Change the value that disabled the firewall:
"enablefirewall" = "0"   (set to 1)

Go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Change the value that disabled the Windows Firewall/Internet Connection Sharing service:
"Start" = "4"   (4 means Disabled; set it back to 2, Automatic, which is the Windows XP SP2 default)

Delete the following files from %windir%\system32:

.exe
nmssvc.exe
wgareg.exe
##.tmp   (where ## is a number; the "load" value below points at this file)

Delete the following keys. (CurrentControlSet is only a link to whichever ControlSet00N is active, so the wgareg key you deleted above is already gone from that set; check the other set as well. HKEY_LOCAL_MACHINE\SYSTEM\Select shows which number is current.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nsms
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NSMS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WGAREG

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\nsms
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wgareg
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NSMS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WGAREG

Values:

Delete this value:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows\load   REG_SZ   %windir%\system32\##.tmp

Check that these read as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit   REG_SZ   C:\WINDOWS\system32\userinit.exe,   (the trailing comma is normal; the path is C:\WINNT\system32\userinit.exe, on Windows 2000)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell   REG_SZ   Explorer.exe

 

- Search the entire registry for nsms.exe and delete any keys or values that refer to that executable.
(Click on Edit > Find, type nsms.exe, and press F3 to move to the next match.)

- Delete the following file: %Windir%\debug\dcpromo.log. You may have to clear the “Read-only” attribute (right-click the file > Properties) before you can delete it.

- Reboot the computer and apply all critical patches from Microsoft using Windows Automatic update.  

 Note: The Microsoft site may be slow due to high volumes. It is important for you to keep trying to get the updates to avoid reinfection. If Windows Update fails see Recovering from a failed Windows Update.

- Make sure your Anti-virus is up to date and scan your computer.

There may be other viruses and trojans on the computer as a result of other missing Windows patches. If you encounter malware such as *.tmp files, use tools such as Microsoft Windows Defender, or search Google for malware removal tools such as AVG Anti-Spyware.

-Turn on Windows XP Firewall. (Applies to Windows XP)

- If clean turn on System Restore. (Applies to Windows XP)
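The following PowerShell script is added here as an example and is not part of the original McMaster instructions. It re-checks everything the steps above cover in one pass: the dropped files in System32 and %windir%\debug, the wgareg and nsms service and Enum keys in every ControlSet, and each registry value the worm changed, compared against the Windows default. It assumes PowerShell is available (it was not on a stock Windows 2000/XP install when this page was written; on those systems the same checks can be done with reg.exe) and that it is run from an elevated prompt. The defaults it restores (EnableDCOM = Y, RestrictAnonymous = 0, AutoShareServer/AutoShareWks = 1, the four Security Center values = 0, EnableFirewall = 1, SharedAccess Start = 2, Shell = Explorer.exe) are standard Windows defaults, not values taken from this page; the script name Check-Wargbot.ps1 is just a suggestion. It only reports unless you pass -Fix.

```powershell
# Added example, not part of the original McMaster page. Audits a machine for the
# W32.Wargbot indicators listed in the removal instructions and, with -Fix,
# restores the registry values to standard Windows defaults (the defaults are
# assumptions stated in the lead-in, not values taken from the page).
# Run from an elevated PowerShell prompt:  .\Check-Wargbot.ps1 [-Fix]
param([switch]$Fix)

$findings = New-Object System.Collections.ArrayList
function Report([string]$msg) { [void]$findings.Add($msg); Write-Host $msg }

# 1. Files the worm drops. '##.tmp' on the page means a purely numeric .tmp name.
$sys32 = Join-Path $env:windir 'system32'
$files = @('wgareg.exe', 'nsms.exe', 'nmssvc.exe' | ForEach-Object { Join-Path $sys32 $_ })
$files += @(Get-ChildItem -Path $sys32 -Filter '*.tmp' -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^\d+\.tmp$' } | ForEach-Object { $_.FullName })
$files += Join-Path $env:windir 'debug\dcpromo.log'
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { Report "FILE PRESENT: $f" }
}

# 2. Service and Enum keys the worm registers. CurrentControlSet is only a link to
#    the active ControlSet00N, so walk the real sets, as the page's key list does.
#    Enum\Root\LEGACY_* keys are owned by SYSTEM and may refuse deletion.
foreach ($set in Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet0*' }) {
    foreach ($svc in 'wgareg', 'nsms') {
        $keys = @("$($set.PSPath)\Services\$svc",
                  "$($set.PSPath)\Enum\Root\LEGACY_$($svc.ToUpper())")
        foreach ($k in $keys) {
            if (Test-Path $k) {
                Report "KEY PRESENT: $k"
                if ($Fix) {
                    try { Remove-Item -Path $k -Recurse -Force -ErrorAction Stop }
                    catch { Report "  could not delete ${k}: $_" }
                }
            }
        }
    }
}

# 3. Values the worm changes, paired with the Windows default to restore.
#    restrictanonymoussam is left out on purpose: 1 is already the default on XP/2003.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lan = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$sc  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$fwp = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole'; Name = 'EnableDCOM';              Value = 'Y' },
    @{ Path = $lsa;                           Name = 'RestrictAnonymous';       Value = 0 },
    @{ Path = $lan;                           Name = 'AutoShareServer';         Value = 1 },
    @{ Path = $lan;                           Name = 'AutoShareWks';            Value = 1 },
    @{ Path = $sc;                            Name = 'AntiVirusDisableNotify';  Value = 0 },
    @{ Path = $sc;                            Name = 'AntiVirusOverride';       Value = 0 },
    @{ Path = $sc;                            Name = 'FirewallDisableNotify';   Value = 0 },
    @{ Path = $sc;                            Name = 'FirewallDisableOverride'; Value = 0 },
    @{ Path = "$fwp\DomainProfile";           Name = 'EnableFirewall';          Value = 1 },
    @{ Path = "$fwp\StandardProfile";         Name = 'EnableFirewall';          Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess';        Name = 'Start'; Value = 2 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Value = 'Explorer.exe' }
)
foreach ($e in $expected) {
    if (-not (Test-Path $e.Path)) { continue }        # key absent: nothing to restore
    $cur = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($null -eq $cur) { continue }                  # value absent: the default applies
    if ("$cur" -ne "$($e.Value)") {                   # string compare, case-insensitive ('n' vs 'Y')
        Report "VALUE $($e.Path)\$($e.Name) is '$cur' (expected '$($e.Value)')"
        if ($Fix) { Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value }
    }
}

# 4. Winlogon\Userinit ('userint' on the page is a typo for this value) must be the
#    real userinit.exe under system32; its trailing comma is normal.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Userinit -notmatch '^[A-Za-z]:\\[^,]*\\system32\\userinit\.exe,?\s*$') {
    Report "VALUE Winlogon\Userinit is '$($wl.Userinit)' (expected $env:windir\system32\userinit.exe,)"
}

# 5. The worm's autostart under the .DEFAULT profile should not exist at all.
$winKey = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -Path $winKey -Name 'load' -ErrorAction SilentlyContinue).load
if ($load) {
    Report "VALUE HKU\.DEFAULT\...\Windows\load is '$load' (should be absent)"
    if ($Fix) { Remove-ItemProperty -Path $winKey -Name 'load' }
}

if ($findings.Count -eq 0) { Write-Host 'No W32.Wargbot indicators found.' }
else { Write-Host "$($findings.Count) finding(s)$(if (-not $Fix) { '; re-run with -Fix to restore the values' })." }
```

Run it once without -Fix and read the findings against the list above before letting it change anything; the registry export you made earlier is the fallback if a restored value turns out to be something your site set deliberately (for example a domain firewall policy under the Policies key).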

 

If you have questions or need a blocked port opened after the computer is clean, please contact the Service Desk at extension 24357 or send email to uts@mcmaster.ca.
