IT Help Central - Division of Information Technology
Texas Tech University



W32.Mocbot is a worm with back door capabilities that exploits the Microsoft Windows Plug and Play Buffer Overflow vulnerability (as described in Microsoft Security Bulletin MS05-039).

Note: Virus definitions dated October 24, 2005 or earlier may detect this threat as W32.Esbot.A.

Systems Affected: Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

It is recommended that you view the full articles related to these vulnerabilities:


Quick Fix Instructions

To remove this worm, delete files that are detected as W32.Mocbot.A@mm or W32.Esbot.A and reverse the changes that it made to the registry. Detailed instructions follow.

To remove the worm:

  1. Disable System Restore (Windows Me/XP)
  2. Update the virus definitions
  3. Run a full system scan and delete all the files detected as W32.Mocbot.A or W32.Esbot.A
  4. Reverse changes to the registry

NOTE: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.


Note: Most virus removal tools will undo the changes made to the registry by the virus/worm. If you would like more information about this, please contact IT Help Central at 742-HELP(4357).

Reverse the changes made to the registry.

  1. Click Start > Run.

  2. Type regedit. Then click OK.

     Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

  3. Navigate to and delete the subkeys:

     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wudpcom
     HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_WUDPCOM

  4. Navigate to the subkey:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

  5. In the right pane, reset the value to the original value if applicable:

     "EnableDCOM" = "n"

  6. Navigate to the subkey:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  7. In the right pane, reset the value to the original value if applicable:

     "restrictanonymous" = "1"

  8. Exit the Registry Editor.

For specific details on each of these steps, please follow this link.
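The registry check above can be scripted so a technician can audit a machine before and after cleanup. The following PowerShell script is an added example, not part of the original page or the Symantec tool it refers to; it assumes an elevated PowerShell prompt on a supported Windows version, and the Windows defaults it restores with -Restore (EnableDCOM = "Y", restrictanonymous = 0) are assumed, since the page itself does not state them.

```powershell
# Added example (not from the original page): audit a host for the registry
# changes this page attributes to W32.Mocbot and optionally reverse them.
# Run from an elevated prompt. The defaults restored by -Restore are assumed
# Windows defaults (EnableDCOM = "Y", restrictanonymous = 0); the page does
# not state them. Without -Restore the script only reports.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Restore)

# Service and legacy-device keys the page says the worm creates.
$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\wudpcom',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUDPCOM'
)
# Values the page lists, with the setting the worm leaves and the assumed default.
$tamperedValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';               Name = 'EnableDCOM';        Bad = 'N'; Default = 'Y' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'restrictanonymous'; Bad = 1;   Default = 0 }
)

$findings = 0
foreach ($key in $serviceKeys) {
    if (Test-Path -Path $key) {
        $findings++
        Write-Warning "Found worm service key: $key"
        if ($Restore -and $PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
            Remove-Item -Path $key -Recurse -Force
        }
    }
}
foreach ($v in $tamperedValues) {
    $current = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
    # String comparison in PowerShell is case-insensitive, so "n" and "N" both match.
    if ($null -ne $current -and "$current" -eq "$($v.Bad)") {
        $findings++
        Write-Warning "$($v.Path)\$($v.Name) = $current (matches the worm's setting)"
        if ($Restore -and $PSCmdlet.ShouldProcess("$($v.Path)\$($v.Name)", "Set to $($v.Default)")) {
            Set-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Default
        }
    }
}
if ($findings -eq 0) { Write-Output 'No W32.Mocbot registry indicators found.' }
else { Write-Output "$findings indicator(s) found; rerun with -Restore to reverse them." }
```

Run it with -Restore -WhatIf first to see what would change; the LEGACY_WUDPCOM key under Enum\Root is often writable only by SYSTEM, so its removal may fail from an administrator prompt and need the vendor's removal tool instead.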

 

Call for Help 742-4357
Copyright 2008 Texas Tech University, All Rights Reserved.
Maintained by: Information Technology Division.
TTU Compliance with the Digital Millennium Copyright Act,
TTU Privacy Policy, Texas Public Information Act
Contact: Webmaster.
Updated: October 31, 2005.