Removing the Worm.Win32.Ladex

vbimport

#1

After reading a description of it here (see below for pasted page), I realised I had it on my system. McAfee’s online scan and my antivirus don’t detect it.

I could start deleting the executables described on that page but I may miss something. How do I remove it?

Ladex is a network worm, it is efficient only under Windows NT/2000/XP and it is distributed on local area networks. It is a Windows (PE EXE) file about about 275K in size and is written in Microsoft Visual C++.

Installation

Upon being launched the worm creates three copies of itself in the system directories:

%SystemRoot%\Help\DOSAPP.HLP
%SystemRoot%\Inf\CDROM.SYS
%SystemRoot%\Fonts\DOSOEM.FON

it also creates new hidden files that are components of the worm:

%SystemRoot%\SMSS.EXE
%SystemRoot%\CSRSS.EXE
%SystemRoot%\System32\LADY.EXE

Then it registers the files SMSS.EXE and CSRSS.EXE in the system registry so that they execute upon system reboot:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
@=“smss.exe”
@=“csrss.exe”

Next the worm registers itself as a system service with the name “TCP/IP NetBIOS Provider”.

After the first reboot or restart of the service “TCP/IP NetBIOS Provider” the worm also copies itself into the file

%SystemRoot%System32LMHSVC.EXE.
Spreading

The worm “touches” IP-addresses of a local network and tries to connect to network resources under the names

IPC$ and Admin$.
While logged in as “Administrator”. If possible, the worm copies itself onto the remote computer in the system directory:

“\XXX.XXX.XXX.XXX\Admin$\System32\lmhsvc.exe”

Once this is done it registers itself on the remote computer and creates and starts the service "TCP/IP NetBIOS Provider ".

Invisibility

Using the additional components SMSS.EXE and CSRSS.EXE the worm tries to mask (hide)itself in the system. Both files ensure the functioning of the main module LMHSVC.EXE if for any reason it appears unloaded from memory. Besides these components it looks for REGEDIT - if REGEDIT is open it temporarily removes the keys in the system registry and restores them upon the closure of the REGEDIT application. Thus the worm achieves invisibility in the system registry.

Payload

The worm starts the joke program LADY.EXE which displays a set of creeping flies which can be “killed” with the mouse cursor.


#2

Go into safe mode (F8) and nuke all programs and registry settings it made. Then restart into safe mode and check if it reappeared. If not , restart in normal mode and get a good virusscanner.