Viruses and solutions

In this section you will find recommendations on how to fight malicious programs that cannot be disinfected by Kaspersky Lab’s products. To disinfect or remove such programs you may have to modify the system registry or use an additional utility. If you cannot find the necessary information, or you find these recommendations too complicated or inadequate, please send a request to the Technical Support service via the HelpDesk form.

How to disinfect a computer from the Lovesan virus?

Article ID: 39. Last modified on 2008 Oct 03 10:07.

1. "Lovesan", "Lovsan", "Blaster", "Msblast", "Poza" – are these the same worm or different worms?

All these names refer to the same malware but are used by different antivirus companies. In Kaspersky Lab terminology this worm is called “Lovesan”. At present three variants of this worm are known, and some developers have given the variants the indexes “a”, “b” and “c”.

2. How can I tell whether my computer is infected?

The signs of infection are:

  • Presence of the files "MSBLAST.EXE", "TEEKIDS.EXE" or "PENIS32.EXE" in the Windows system directory (usually WINDOWS\SYSTEM32\)
  • Sudden reboots of the computer every few minutes after connecting to the Internet
  • Multiple failures in Word, Excel and Outlook
  • Error messages caused by the file "SVCHOST.EXE"; an error message window is displayed on the screen (RPC Service Failing)
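The file-name check from the first sign can be scripted for triage. The following is an added example, not a Kaspersky Lab tool: it looks for the three listed names in a system directory (live or inside a mounted disk image) and records size and SHA-256 so that a finding can be handed to an antivirus vendor. The function names and the default path are assumptions.

```python
import hashlib
from pathlib import Path

# File names the article lists as signs of infection. They are compared
# case-insensitively because Windows file names are not case-sensitive.
INDICATOR_NAMES = {"msblast.exe", "teekids.exe", "penis32.exe"}


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_indicator_files(system_dir):
    """Return one record per indicator file found directly in system_dir.

    system_dir may be a live system directory or the same directory inside
    a mounted disk image. A missing directory yields an empty list.
    """
    root = Path(system_dir)
    if not root.is_dir():
        return []
    findings = []
    for entry in sorted(root.iterdir()):
        if entry.is_file() and entry.name.lower() in INDICATOR_NAMES:
            findings.append({
                "name": entry.name,
                "path": str(entry),
                "size": entry.stat().st_size,
                "sha256": sha256_of(entry),
            })
    return findings


if __name__ == "__main__":
    # Assumed default location; adjust for the system being examined.
    for hit in find_indicator_files(r"C:\WINDOWS\SYSTEM32"):
        print(f'{hit["name"]}  {hit["size"]} bytes  sha256={hit["sha256"]}')
```

A match on a file name alone is only a lead; confirm it with an up-to-date antivirus scan.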



3. How can this worm be dangerous for my computer?

“Lovesan” is not essentially dangerous for an infected computer. The worm does not delete, alter or steal data. Its threat lies in disrupting the operation of the Internet in general. This happens because the virus code overloads the data transmission channels. In addition, from August 16 “Lovesan” attacks the web site windowsupdate.com, where the updates for the Windows OS are located. As a result the web site may be disabled and users will be “cut off” from important data.

That is why Kaspersky Lab recommends installing the update as soon as possible, while the web site functions normally.

4. What systems does “Lovesan” infect?

The worm infects computers running Windows NT, Windows 2000 and Windows XP. The full list of vulnerable operating systems is given below:

  • Windows NT 4.0 Server
  • Windows NT 4.0 Terminal Server Edition
  • Windows 2000
  • Windows XP 32 bit Edition
  • Windows XP 64 bit Edition
  • Windows Server 2003 32 bit Edition
  • Windows Server 2003 64 bit Edition

5. How can I protect my computer?

There are several ways to protect against “Lovesan”:
5.1. Download the latest antivirus updates and do not disable the antivirus monitor when working on the Internet.
5.2. Use a firewall to block ports 135, 69 and 4444.
5.3. Install updates for Windows to close the breach through which “Lovesan” intrudes into your computer.
The last way is the most effective one, as it prevents infection not only by “Lovesan” but also by its variants and by other worms of this kind that use the described Windows breach.
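Once ports 135, 69 and 4444 are blocked, the firewall log shows which hosts keep trying them. The following is an added example, not part of the original article: it summarizes such attempts per source address from a log in the W3C-style layout used by the Windows Firewall log file. The sample log lines are constructed and the function name is an assumption.

```python
from collections import defaultdict

# Ports the article says to block. It does not name protocols, so entries are
# matched on destination port alone and the protocol is only reported.
LOVESAN_PORTS = {135, 69, 4444}

# Constructed sample in the W3C-style layout of a Windows Firewall log;
# all addresses come from documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2003-08-12 10:15:01 DROP TCP 198.51.100.7 192.0.2.10 3021 135 48
2003-08-12 10:15:02 DROP TCP 198.51.100.7 192.0.2.10 3022 4444 48
2003-08-12 10:15:04 DROP UDP 198.51.100.7 192.0.2.10 3023 69 46
2003-08-12 10:16:30 DROP TCP 203.0.113.9 192.0.2.10 1188 135 48
2003-08-12 10:17:11 OPEN TCP 192.0.2.10 203.0.113.80 1045 80 -
2003-08-12 10:18:45 DROP ICMP 203.0.113.9 192.0.2.10 - - 60
"""


def summarize_port_hits(log_text, ports=LOVESAN_PORTS):
    """Count log entries per source address that target one of `ports`.

    Column positions are taken from the '#Fields:' header, so the order of
    fields in the log does not matter. Returns
    {src_ip: {(action, protocol, dst_port): count}}.
    """
    fields = None
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        port = row.get("dst-port", "-")
        if not port.isdigit() or int(port) not in ports:
            continue  # ICMP and other entries carry '-' instead of a port
        key = (row.get("action", "?"), row.get("protocol", "?"), int(port))
        hits[row.get("src-ip", "?")][key] += 1
    return {src: dict(counts) for src, counts in hits.items()}


if __name__ == "__main__":
    for src, counts in sorted(summarize_port_hits(SAMPLE_LOG).items()):
        print(src, counts)
```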

6. What is a firewall and where can I get it?

A firewall is a special program that protects against hacker attacks by controlling the data flow between a computer and the Internet. It allows only safe connections to the Internet, filters malicious data packets and prevents non-authorized applications from accessing the Internet.

7. How to install updates for Windows?

You should download the updates from the Microsoft sites at the following addresses:

After the update process is over, run the file and it will be installed automatically. Follow the instructions of the installation wizard.

8. Failed to download updates from the Microsoft site – the computer keeps rebooting.

A sudden computer reboot is one of the signs of “Lovesan”. To allow the updates to be transferred from the Microsoft site, it is recommended to find the file TFTP.EXE (in the Windows system directory, usually \WINDOWS\SYSTEM32\, and in the hidden directory \WINDOWS\SYSTEM32\DLLCACHE) and rename it. When the download and installation of the updates are over, you may return the file to its original name.

9. What should I do if the virus has already infected my computer?

To disinfect the virus, use the antivirus installed on your PC. Make sure that the antivirus has the latest antivirus updates. You can also use a free Kaspersky Lab utility to protect against “Lovesan”. This program detects the active copy of the worm in the computer's memory, deactivates it, deletes infected files from hard and network disks, and restores the Windows system registry. When the utility has finished, reboot your PC and run the antivirus scanner with the latest antivirus updates. The utility is absolutely free and is available for download at the following addresses:

  • Version in ZIP-archive:
    ftp://ftp.kaspersky.com/utils/clrav/clrav.zip

  • Documentation for the utility:
    ftp://ftp.kaspersky.com/utils/clrav/readme.txt

10. I used the utility against "Lovesan", but my computer got infected once again.

The utility only deletes the worm and restores an infected computer, but does not create immunity against it. To create immunity, install the updates for Windows described previously.


      Kaspersky Lab

      Copyright © 1997 - 2009 Kaspersky Lab