

Plexus/Explet Worm



About EXPLET (Symantec) / PLEXUS (McAfee)

From: Symantec's Security Response site

This worm may arrive via email. DO NOT OPEN ATTACHMENTS of unknown origin. It can also spread through Kazaa file sharing. It exploits several Microsoft operating system vulnerabilities, which are addressed by keeping up with Critical Updates from Microsoft.

Systems which can be infected include: Windows 98/NT/2000/XP and Windows Server 2003.
 


REMOVAL for Windows XP ONLY

  1. Close all programs and be sure you are logged on to your system with administrative rights.
  2. Disable System Restore (Instructions below).
  3. Update Symantec or Norton virus definitions now.
  4. Shut down the computer and turn off the power and wait at least 30 seconds.
  5. Disconnect your computer from the network and the Internet, if you are not already blocked.
  6. Restart the computer in SAFE MODE (See instructions).
  7. Run a scan with Symantec Antivirus.
  8. If any files are detected as infected with W32.Explet.A@mm, click Delete.
     
  9. Delete the added value from the Windows Registry

The next steps if done incorrectly may cause your computer to become UNUSABLE. 
PROCEED WITH CAUTION.  If you are a student, service repair information is available in CH227.

Back up the Windows Registry. Note: The Backup utility is not included in a default installation of Windows XP Home Edition.

  1. Click Start
  2. Click Run
  3. Type regedit
  4. Click OK
  5. Navigate to the key:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  6. In the right pane, delete the value: "NvClipRsv"="<path to the worm>"
  7. Exit the Registry Editor.

  10. Delete added lines from the Windows Hosts File.
      1. Click Start, and then click Search.
      2. Click All files and folders.
      3. In the "All or part of the file name" box, type:  hosts
      4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
      5. Click "More advanced options."
      6. Check "Search system folders."
      7. Check "Search subfolders."
      8. Click Search.
      9. Click Find Now or Search Now.
      10. For each Hosts file that you find, right-click the file, and then click "Open With."
      11. Deselect the "Always use this program to open this program" check box.
      12. Scroll through the list of programs and double-click Notepad.
      13. When the file opens, delete all the entries in the Hosts file except for the following line:
                 127.0.0.1     localhost
      14. If this line does not exist, add it to the file.
      15. Close Notepad and save your changes when prompted.
  11. Run a full antivirus scan again to ensure that the system is clean.
  12. If you are running Windows XP, next re-enable System Restore (Instructions below).
  13. Reconnect to the network and restart your computer.
  14. Be sure you have installed all Critical Updates to your operating system.
      (If you are on ResNet, do this after you have been unblocked).
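
The two manual checks above can also be run as a script. The Python below is an added example, not part of the original instructions: it applies the hosts-file rule from sub-steps 13 and 14 and looks for the NvClipRsv value in saved output of `reg query` for the Run key. The function names, the sample hosts entries and the placeholder worm path are constructed for illustration.

```python
import re

RUN_VALUE = "NvClipRsv"                 # Run-key value name from the removal steps
LOCALHOST = "127.0.0.1     localhost"   # the one entry the page says to keep

def clean_hosts(text):
    """Return (cleaned_text, removed_entries) for the contents of a hosts file."""
    kept, removed, seen_localhost = [], [], False
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # ignore comments, split on whitespace
        if not fields:
            kept.append(raw)                       # blank or comment-only line: not an entry
        elif fields[0] == "127.0.0.1" and [f.lower() for f in fields[1:]] == ["localhost"]:
            if not seen_localhost:                 # keep a single copy of the localhost line
                kept.append(LOCALHOST)
            seen_localhost = True
        else:
            removed.append(raw.strip())            # every other entry is deleted
    if not seen_localhost:
        kept.append(LOCALHOST)                     # add the line if it is missing
    return "\n".join(kept) + "\n", removed

def find_run_value(reg_query_output, name=RUN_VALUE):
    """Return the data of `name` in saved `reg query` output, or None if absent."""
    for line in reg_query_output.splitlines():
        m = re.match(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$", line)
        if m and m.group(1).lower() == name.lower():   # value names are case-insensitive
            return m.group(3).strip()
    return None

# Constructed sample inputs (not taken from an infected machine).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       updates.example.com   # constructed added entry
127.0.0.1 LOCALHOST
10.0.0.5        intranet.example.org
"""
SAMPLE_REG = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    SomeDriverTray    REG_SZ    C:\\Program Files\\Example\\tray.exe
    NvClipRsv    REG_SZ    C:\\constructed\\placeholder.exe
"""

if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print("Entries to delete:", removed)
    print("Run value present:", find_run_value(SAMPLE_REG))
```

Review the list of removed entries before overwriting a real Hosts file, since the rule deletes every entry other than the localhost line.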

ResNet students who have been disconnected will have to call
the ResNet Help Line (372-6566) to be reconnected to the network. 
It may take some time to be confirmed clean and reconnected.

Remember that Symantec Antivirus is available for download to enrolled TTU students.


Disabling System Restore in Windows XP

  • Click Start.
  • Right-click My Computer
  • Select  Properties from the floating menu.
  • Click the System Restore tab.
  • Select Turn off System Restore check box.
  • Click Apply.
  • Click Yes in message box.
  • Click OK.

After the worm is removed, restart your computer and follow the steps above to deselect "Turn off System Restore".


Running a Scan with Norton Antivirus

  • Click on the yellow shield in the bottom right corner (system tray).
  • Click Scan Computer in the left menu.
  • Check the box to select C: (Local Drive)
  • Click the Scan button at the bottom of the window.

Faculty and staff who need additional assistance, please contact MicroSupport@tntech.edu (372-6315)
or their College MicroSupport contact.

Maintained by:  Academic Computing Support Last updated: August 31, 2004
Copyright © Tennessee Technological University. All rights reserved.
Information Technology Services, Box 5071— Clement Hall 220, Cookeville, Tennessee 38505   Phone: 931.372.3387