How to Prevent and Remove the Worm.Win32.Bybz.ddw


1. What is Worm.Win32.Bybz.ddw?

Worm.Win32.Bybz.ddw is a network-aware worm that attempts to replicate across an existing network. Worm.Win32.Bybz.ddw can also spread using Windows networking APIs, MAPI functions or email clients such as Microsoft Outlook. Worm.Win32.Bybz.ddw often creates unsolicited email messages that contain a harmful spyware program, and sometimes attaches itself to outgoing email messages. Worm.Win32.Bybz.ddw also uses a misleading message suggesting that the recipient should open the attachment to see something interesting or important. Worm.Win32.Bybz.ddw should not be allowed to spread and must be removed from the infected system immediately.


Alias: Mal/DelpDldr-F [Sophos], Worm.Win32.Bybz [Ikarus]

2. Technical Details

a. The following files were created in the system:

  #  Filename(s)                              File Size
  1  %AppData%\Microsoft\svchost.exe          24,576 bytes
     [file and pathname of the sample #1]

  • Note:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

b. Memory Modifications

  • There was a new process created in the system:

    Process Name   Process Filename                   Main Module Size
    svchost.exe    %AppData%\microsoft\svchost.exe    90,112 bytes

c. Registry Modifications

  • The following Registry Key was created:
    • HKEY_CURRENT_USER\Software\m1gmt/ipqup/psh
  • The newly created Registry Values are:
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • Startup = "%AppData%\Microsoft\svchost.exe"

      so that svchost.exe runs every time Windows starts

    • [HKEY_CURRENT_USER\Software\m1gmt/ipqup/psh]
      • FileNameActual = "[file and pathname of the sample #1]"
      • FirstInstall = "1"

d. Other details

  • The following ports were open in the system:

    Port   Protocol   Process
    1052   TCP        svchost.exe (%AppData%\Microsoft\svchost.exe)

  • There were registered attempts to establish a connection with the remote hosts. The connection details are:

    Remote Host       Port Number
    72.229.162.129    80


3. How-to's

a. How to prevent Worm.Win32.Bybz.ddw?

Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of this worm, it will break the connection and help secure your network and business.

b. How to Remove Worm.Win32.Bybz.ddw Manually?

Step 1: Use Windows Task Manager to Remove Worm.Win32.Bybz.ddw Processes

svchost.exe

Only end the svchost.exe instance whose image path is %AppData%\Microsoft\svchost.exe; the legitimate Windows service host of the same name runs from %SystemRoot%\System32 and must be left running.

Step 2: Use Registry Editor to Remove Worm.Win32.Bybz.ddw Registry Values

HKEY_CURRENT_USER\Software\m1gmt/ipqup/psh

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Startup = "%AppData%\Microsoft\svchost.exe"

[HKEY_CURRENT_USER\Software\m1gmt/ipqup/psh]
+ FileNameActual = "[file and pathname of the sample #1]"
+ FirstInstall = "1"

Step 3: Detect and Delete Other Worm.Win32.Bybz.ddw Files

%AppData%\Microsoft\svchost.exe
[file and pathname of the sample #1]
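As an added example that is not part of the original page or of the Sax2 product, the following PowerShell script checks the current user's profile for the indicators covered by Steps 1 to 3 and, with the hypothetical -Remove switch, cleans them up. It assumes the key name m1gmt/ipqup/psh literally contains forward slashes, which is why it uses the .NET registry API instead of the HKCU: drive.

```powershell
# Added example, not from the original page: report (and, with -Remove, clean up)
# the Worm.Win32.Bybz.ddw indicators listed above on the current user's profile.
# Assumption: the key name "m1gmt/ipqup/psh" really contains forward slashes, so the
# .NET registry API is used; the HKCU: provider would read "/" as a path separator.
param([switch]$Remove)

$hive     = [Microsoft.Win32.Registry]::CurrentUser
$findings = @()

# 1. A running svchost.exe whose image is outside %SystemRoot%\System32
#    (the legitimate service host only ever runs from there)
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and $_.Path -notlike "$env:SystemRoot\System32\*") {
        $findings += "Process $($_.Id) svchost.exe running from $($_.Path)"
        if ($Remove) { Stop-Process -Id $_.Id -Force }
    }
}

# 2. Run-key value Startup = "%AppData%\Microsoft\svchost.exe"
$runKey = $hive.OpenSubKey('Software\Microsoft\Windows\CurrentVersion\Run', $Remove)
if ($runKey) {
    $startup = $runKey.GetValue('Startup')
    if ($startup -and $startup -like '*\Microsoft\svchost.exe*') {
        $findings += "Run value Startup = $startup"
        if ($Remove) { $runKey.DeleteValue('Startup') }
    }
    $runKey.Close()
}

# 3. Marker key HKCU\Software\m1gmt/ipqup/psh with FileNameActual / FirstInstall
$marker = $hive.OpenSubKey('Software\m1gmt/ipqup/psh')
if ($marker) {
    foreach ($name in 'FileNameActual', 'FirstInstall') {
        $v = $marker.GetValue($name)
        if ($null -ne $v) { $findings += "Marker value $name = $v" }
    }
    $marker.Close()
    if ($Remove) { $hive.DeleteSubKeyTree('Software\m1gmt/ipqup/psh') }
}

# 4. The dropped file itself (24,576 bytes in the analysed sample)
$dropped = Join-Path $env:APPDATA 'Microsoft\svchost.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped ($((Get-Item -LiteralPath $dropped).Length) bytes)"
    if ($Remove) { Remove-Item -LiteralPath $dropped -Force }
}

if ($findings) { $findings } else { 'No Worm.Win32.Bybz.ddw indicators found.' }
```

Run it once without -Remove to review what it reports before letting it end the process and delete the file and registry entries.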

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.


4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm