When Backdoor.IRC.Zcrew.B is executed, it performs the following actions:
Drops the following file in the C:\WINNT\system32\wbem\repository\fs\macromed folder:
Spoolsv.exe: a Serv-U FTP server, packed with UPX
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Do one of the following:
Windows 95/98/Me: Restart the computer in Safe mode.
Windows NT/2000/XP: End the Trojan process.
Run a full system scan and delete all the files detected as Backdoor.IRC.Zcrew.B or IRC Trojan. Then delete the folder C:\WINNT\system32\wbem\repository\fs\macromed.
Reverse the changes that the Trojan made to the registry.
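As an added example (not part of the Symantec writeup), a PowerShell triage script that checks for the two artifacts the steps above target: a spoolsv.exe process running from somewhere other than System32, and the macromed drop folder. The function names are mine; it assumes a Windows host with PowerShell 3 or later.

```powershell
# Added example (not from the Symantec writeup): triage checks for the
# artifacts this writeup describes. Only the C:\WINNT path comes from the
# writeup; the other paths are derived from %SystemRoot% on this host.

# The writeup's drop folder (Windows NT/2000 layout), plus the same relative
# path under whatever %SystemRoot% is on this machine.
$DropFolders = @(
    'C:\WINNT\system32\wbem\repository\fs\macromed',
    (Join-Path $env:SystemRoot 'system32\wbem\repository\fs\macromed')
) | Select-Object -Unique

# The legitimate print spooler lives directly in System32.
$LegitSpooler = Join-Path $env:SystemRoot 'System32\spoolsv.exe'

function Get-SuspiciousSpoolsv {
    # Any spoolsv.exe whose image path is not the real System32 binary is
    # worth a look; the Trojan reuses the name from its own drop folder.
    # Processes whose path cannot be read (access denied) are skipped.
    Get-Process -Name spoolsv -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -ine $LegitSpooler) } |
        Select-Object Id, Path
}

function Get-DropFolderArtifacts {
    # List the drop folder's files if the folder exists at all.
    foreach ($folder in $DropFolders) {
        if (Test-Path -LiteralPath $folder) {
            Get-ChildItem -LiteralPath $folder -Force -File |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

$procs = Get-SuspiciousSpoolsv
$files = Get-DropFolderArtifacts
if (-not $procs -and -not $files) {
    Write-Output 'No spoolsv.exe outside System32 and no macromed drop folder found.'
} else {
    $procs | Format-Table -AutoSize
    $files | Format-Table -AutoSize
}
```

Run it from an elevated prompt so process image paths are readable; a hit on either check means the manual steps above (end the process, scan, delete the folder) still apply.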