|
Karma
Worm Prevention and Removal
Download
Introduction
With
prolific outbreaks of Karma Worm infections by many different
variants across IRC (Internet Relay Chat) we have decided
to release both a preventative and removal program as a
FREE service to help halt the spread. The script program
has a prevention mode which will write a dummy Rol.VBS file
to the C:\ drive with read only attributes which cannot
be overwritten by the real Karma Worm and effectively stops
it being installed. It is noticeable that a lot of people
clean up one infection of Karma Worm and then become reinfected
with yet another variant by visiting another Karma Worm
infected web site. Installing the dummy file will prevent
these reinfections for the known variants. If the deployment
method is changed we will update the script to add prevention
for any new methods. The other part of the script cleans
Karma Worm infections of 7 types including all variants
of those 7 types plus 2 other nuisance Worms which are encoded
and create text files. If you load this script and keep
it loaded it will automatically clean any reinfections if
you did not install the dummy file. Note : Karma Worm copies
itself to every mIRC directory and each version should be
cleaned separately.
Curing
an Existing Infection
If
the computer is already infected the Worm will need to be
cleaned up and deactivated and the solution is to load the
removal and protection script. Details of how to load the
script are below. The script automates the process of finding
and removing Karma Worm variants and also restores the MIRC.INI
file back to its original state where it can be written
to so that configuration changes can be saved. Karma Worm
makes the MIRC.INI read only in an attempt to prevent the
line it uses from being deleted or edited and the changes
being saved. To load the script download from the link below
and save it to your hard drive. Unzip the script to your
mIRC directory and open the mIRC program. Type /load
-rs karma.mrc in any of the mIRC windows as seen below
and you should see the results of the detection and removal
processes.
Load
by typing the above and then hit your Enter key.
If
you are prompted with a script warning as above click on
the Yes button to load the script.
Once
loaded you will see this text displayed in the active window.
Anything in red text shows that a removal was effective.
The above demonstrates a successful removal of Server.INI.
It would be prudent to leave the script loaded at all times
to automatically clean any reinfections of the same.
If
you right click in a channel or click on main menu you will
see these extra options displayed. To check your WIN.INI
and SYSTEM.INI for other possible Trojans set the Windows
directory first by browsing to and selecting its directory.
Once the location of Windows is set you can view the contents
of your *.INI files to check them for possible Trojan Start
Up methods.
By
clicking on the Block Karma option in the menu a harmless
dummy read only Rol.VBS file will be created on the C:\
drive to render future Karma Worm attacks impotent. Once
installed if you visit a Karma infected page you will see
that the page now gives an error due to it not being able
to write Rol.VBS as it is read only.
You
can download the Karma Worm Prevention and Removal script
here
You
can also download our FREE Swat It Trojan, Bot and Worm
Scanner that detects in excess of 3000 different Trojans
and Bots plus variants. Swat It recently performed very
well in comparative testing against a test bed of different
Trojan and Bot files and came out top by nearly double the
amount of confirmed detections of its nearest competitor.
You can download and use Swat It for FREE including product
and signature updates here
|
