Harry Waldron
08-17-2005, 06:26 AM
Below are the recommended general cleaning techniques for MS05-039 infections associated with the Windows 2000 environment. The key steps are to remove the current virus with a standalone removal tool, get Windows 2000 to Service Pack 4, and then apply the MS05-039 patch so your system is bullet-proof from current and future infections based on this specific security exposure.
IF NEEDED: Download Windows 2000 Service Pack 4 (http://www.microsoft.com/downloads/details.aspx?familyid=1001AAF1-749F-49F4-8010-297BD6CA33A0&displaylang=en), the Windows 2000 Update Rollup 1 for Service Pack 4 (http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/rollup.asp) plus the MS04-011 patch (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx). (this step can be skipped if user has these)
Download MS05-039 patch from Microsoft (http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx)
Download McAfee's Stinger standalone cleaning tool (http://vil.nai.com/vil/stinger/) (which handles all major Zobot and other MS05-039 threats). Other AV and MS based standalone cleaners can be used also.
note - in steps 1-3, you may need to use another uninfected PC if they have the continuous reboot issue; also AV and Firewall protection may be gone as these worms could impact these from properly working after an infection. You can copy to and from a CD or USB memory stick to capture these repair tools. Stinger should fit on a diskette
Run McAfee's Stinger cleaning tool (http://vil.nai.com/vil/stinger/) (or other standalone AV or MS cleaning tools) to remove worm infection
Or run the Microsoft Malicious Software Removal Tool (http://www.microsoft.com/security/malwareremove/default.mspx) online or downloaded from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=40587).
IF NEEDED: Apply Windows 2000 SP4 and then reboot. Then apply the MS04-011 which provides protection against Sasser.
Apply the MS05-039 patch from Microsoft (http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx) and reboot
Connect back to the Internet and run Windows Update (http://www.microsoft.com/windowsupdate). Then update your Antivirus software. Update or add a firewall system if you need one.
From a lessons learned standpoint - always check at least once per month on every 2nd Tuesday for MS updates and apply them right away :)