Publishing a Removal Tool

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by PavelP, Sep 15, 2007.

  1. PavelP

    PavelP Private E-2

    Hello,

    I wrote a removal tool for the W32.SKIPI.A trojan (this new Skype worm thing), I'd like to freely publish it, could majorgeeks help?

    Regards,
    Pavel
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    All tools would have to be submitted for review process by the owners before being made available for download.

    Exactly what kind of tool is it? Is it an EXE, a batch file with registry patches.....etc?

This Trojan is really not a difficult one to detect or remove as far as I know. It just requires removing a few registry keys to stop the process from loading at startup, deleting a handful of files and resetting the hosts file to default. Most of these are pretty common things to fix during basic malware removal procedures. Did you find that there were more issues than this?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To be a little more specific, the basic steps of the fix would be something like below (but this is not the full details):

    Exit Skype if running!

    Kill any of the below processes if running:
    C:\WINDOWS\system32\mshtmldat32.exe
    C:\WINDOWS\system32\sdrivew32.exe
    C:\WINDOWS\system32\winlgcvers.exe
    C:\WINDOWS\system32\wndrivs32.exe

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Then delete the below files in safe mode or using Pocket Killbox or Avenger:
    C:\WINDOWS\system32\mshtmldat32.exe
    C:\WINDOWS\system32\sdrivew32.exe
    C:\WINDOWS\system32\winlgcvers.exe
    C:\WINDOWS\system32\wndrivs32.exe

    Also, since the worm may copy itself to any available removable drives using the file name game.exe, and because it also creates an autorun.inf file so that the malware runs when the removable drive is accessed, these files have to be checked for on any removable drives.

    Now download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Then obviously you would have to perform the appropriate checks to make sure everything was removed and also verify that all security software that may have been disabled by the infection is working properly now.
     
    Last edited: Sep 16, 2007
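As an added illustration of the checks described in the post above (this is not code from the thread, nor PavelP's tool, nor anything from MajorGeeks), the following Python script scans for the indicators chaslang lists: the four dropper filenames in system32, the game.exe/autorun.inf pair on a removable-drive root, and hosts-file entries that deviate from the default localhost mappings. It only reports; it does not delete anything. All paths are run against a constructed temporary directory tree so it works offline; the "av-vendor.example" hosts entry and the placeholder file contents are constructed sample data, and the assumption that a default hosts file maps only localhost is mine.

```python
"""Defender-side indicator check for the W32.SKIPI.A cleanup steps described
in the thread. Added example, not the thread's own code. Runs against a
constructed sample tree; on a real machine you would point it at the actual
system root and each removable drive root."""
import tempfile
from pathlib import Path

# File names quoted in the thread: system32 droppers and the removable-media copy.
DROPPER_NAMES = {"mshtmldat32.exe", "sdrivew32.exe", "winlgcvers.exe", "wndrivs32.exe"}
REMOVABLE_COPY = "game.exe"
AUTORUN = "autorun.inf"


def find_droppers(system32: Path) -> list:
    """Return the names of any listed dropper files present in system32."""
    return sorted(p.name for p in system32.iterdir()
                  if p.is_file() and p.name.lower() in DROPPER_NAMES)


def check_removable_root(root: Path) -> dict:
    """Report whether a removable-drive root carries game.exe and/or autorun.inf,
    and whether the autorun.inf actually references game.exe."""
    game, autorun = root / REMOVABLE_COPY, root / AUTORUN
    result = {"game_exe": game.is_file(), "autorun_inf": autorun.is_file(),
              "autorun_launches_game": False}
    if autorun.is_file():
        result["autorun_launches_game"] = REMOVABLE_COPY in autorun.read_text(errors="replace").lower()
    return result


def suspicious_hosts_lines(hosts_text: str) -> list:
    """Return hosts-file lines that are neither comments/blank nor a plain localhost mapping.
    Assumption (mine, not the thread's): a default hosts file maps only localhost."""
    out = []
    for line in hosts_text.splitlines():
        entry = line.split("#", 1)[0].strip()      # drop trailing comments
        if not entry:
            continue
        parts = entry.split()
        if (parts[0] in ("127.0.0.1", "::1") and len(parts) >= 2
                and all(h.lower() == "localhost" for h in parts[1:])):
            continue
        out.append(entry)
    return out


def build_sample_tree() -> Path:
    """Construct a fake 'infected' layout in a temp dir (constructed sample, no real malware)."""
    base = Path(tempfile.mkdtemp(prefix="skipi_demo_"))
    sys32 = base / "WINDOWS" / "system32"
    sys32.mkdir(parents=True)
    (sys32 / "sdrivew32.exe").write_bytes(b"placeholder")   # one dropper present
    (sys32 / "notepad.exe").write_bytes(b"placeholder")     # benign file, must be ignored
    usb = base / "E"                                        # stands in for a removable drive root
    usb.mkdir()
    (usb / "game.exe").write_bytes(b"placeholder")
    (usb / "autorun.inf").write_text("[autorun]\nopen=game.exe\n")
    etc = sys32 / "drivers" / "etc"
    etc.mkdir(parents=True)
    (etc / "hosts").write_text("# constructed sample hosts file\n"
                               "127.0.0.1 localhost\n"
                               "127.0.0.1 av-vendor.example   # blocked site, constructed\n")
    return base


def scan(base: Path) -> dict:
    """Run all three checks against a system root laid out like build_sample_tree()."""
    sys32 = base / "WINDOWS" / "system32"
    return {
        "droppers": find_droppers(sys32),
        "removable": check_removable_root(base / "E"),
        "hosts": suspicious_hosts_lines((sys32 / "drivers" / "etc" / "hosts").read_text()),
    }


if __name__ == "__main__":
    for name, finding in scan(build_sample_tree()).items():
        print(f"{name}: {finding}")
```

The script deliberately stops at reporting: killing processes, merging the registry fix and deleting the files remain manual steps, so a false positive costs nothing more than a second look.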
  4. PavelP

    PavelP Private E-2

    The tool was written in C++; it makes heavy use of WINDOWS APIs. It uses SHA-1 signatures and it is provided in one convenient .EXE package.

    All checks are performed to ensure removal; the tool has been tested on Windows XP and Windows 2000 virtual machines infected with the worm.


    Thanks for the replies.
     
  5. PavelP

    PavelP Private E-2

    BTW, this worm also injects code into the Windows Explorer (explorer.exe) process, so that makes removal somewhat difficult (one has to act quickly).
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You will have to submit it to the owners. See the About link on the main page. But you will have to describe exactly what the tool is going to delete and do to a PC.

    Note TrendMicro already has a free fix tool too: WORM_SKIPI.A fixtool

    Actually this is not difficult to get around. You can just end the Explorer.exe process if that is necessary while fixing. Also you can use a program like Process Explorer to unhook any DLLs from the Explorer.exe or any other running process and then delete the DLL and kill any running processes from the infection. We do this every day with many, many infections (including Vundo). However, based on everything I have seen on this infection, there was no mention of it hooking into Explorer. Seems like some AV tools already have a fix for it too (like McAfee, Symantec, TrendMicro and F-Secure). What they say about it can be found in the below links:

    http://vil.nai.com/vil/content/v_143083.htm

    http://www.symantec.com/security_response/writeup.jsp?docid=2007-091011-2911-99&tabid=3

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SKIPI.A&VSect=T

    http://www.f-secure.com/v-descs/im-worm_w32_skipi_a.shtml
     
    Last edited: Sep 16, 2007
