The Looksky trojan is being passed around at an alarming rate so I figured I'd post the fix.

What you will encounter:

Along with a million pop-up windows, your entire Windows background will change to this and will be unchangeable:

What it does:

quote:
When W32.Looksky.E@mm is executed, it performs the following actions:

1. Copies itself as the following files:

* %Windir%\sachostx.exe
* %CurrentFolder%\temp.bak

Note:
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
* %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.

2. Drops the following additional files:

* %System%\attrib.ini (A file to store stolen information.)
* %System%\hard.lck (A zero-byte file that is not malicious.)
* %System%\msvcrl.dll (A keylogger component.)
* %System%\sachostb.exe (A back door component.)
* %System%\sachostc.exe (A proxy server.)
* %System%\sachostp.exe (A component which steals confidential information, such as email user names and passwords, and saves the information in the file %System%\attrib.ini.)
* %System%\sachosts.exe (An HTTP proxy server.)
* %System%\sachostw.exe (The worm's mass-mailer component.)

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

3. Adds the value:

"HostSrv" = "%Windir%\sachostx.exe..."

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

4. Runs netsh.exe in the following usage in an attempt to bypass the firewall settings on the compromised computer for all the above files:

netsh firewall set allowedprogram [WORM FILE NAME] enable

5. Adds the following subkeys:

"%System%\sachostw.exe" = "%System%\sachostw.exe:*:Enabled:enable"
"%System%\sachostc.exe" = "%System%\sachostc.exe:*:Enabled:enable"
"%System%\sachostb.exe" = "%System%\sachostb.exe:*:Enabled:enable"
"%System%\sachosts.exe" = "%System%\sachosts.exe:*:Enabled:enable"
"%System%\sachostp.exe" = "%System%\sachostp.exe:*:Enabled:enable"
"%System%\sachostx.exe" = "%System%\sachostx.exe:*:Enabled:enable"

to the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

to modify the firewall settings.

6. May attempt to steal information, log keystrokes, and execute commands from a remote attacker.

7. Updates itself by downloading the following file to the temporary folder using a random file name beginning with tmx:

[http://]proxy4u.ws:8080/[REMOVED]/download.exe

8. Posts local system information to the following location:

[http://]proxy4u.ws/[REMOVED]

9. Gathers email addresses from the Windows Address Book and .htm files. It then sends out a copy of the worm as an email attachment. The email has the following characteristics:

Subject: Your mail Account is Suspended

Message Body:

We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

Attachment: acc_info1.exe

What to do:

quote:
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected.
4. Delete any values added to the registry.

5. Run Smitfraudfix in safe mode.
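As an added example (not part of the original post or of the quoted write-up), this Python script takes a `reg export` of the two keys named above and flags the "HostSrv" autostart value and the sachost*.exe firewall exceptions, which is the check that step 4 calls for; the sample export it runs on is constructed, and one benign entry per key is included to show what is not flagged.

```python
import re
# Indicators from the write-up above: the "HostSrv" Run value and the six
# dropped executables the worm adds to the XP firewall's authorized-application list.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
WORM_EXES = {f"sachost{c}.exe" for c in "bcpswx"}
# Constructed sample in the syntax "reg export" writes (real exports are UTF-16
# and must be decoded first), with one benign entry per key for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostSrv"="C:\\WINDOWS\\sachostx.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sachostw.exe"="C:\\WINDOWS\\system32\\sachostw.exe:*:Enabled:enable"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse the .reg subset used for REG_SZ values into {key: {name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            # undo the \\ and \" escaping reg.exe applies to names and data
            name, data = (s.replace('\\\\', '\\').replace('\\"', '"') for s in m.groups())
            keys[current][name] = data
    return keys

def parse_fw_entry(data):
    """Split 'path:scope:Enabled|Disabled:name' from the right (the path holds a colon)."""
    return tuple(data.rsplit(":", 3))

def find_looksky_indicators(reg_text):
    """Describe every Run value or firewall exception that matches the worm."""
    keys = parse_reg_export(reg_text)
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        exe = data.strip('"').split("\\")[-1].split(" ")[0].lower()
        if name == "HostSrv" or exe in WORM_EXES:
            hits.append(f"Run value {name!r} -> {data}")
    for data in keys.get(FW_LIST_KEY, {}).values():
        fields = parse_fw_entry(data)
        if len(fields) == 4 and fields[0].split("\\")[-1].lower() in WORM_EXES:
            hits.append(f"Firewall exception for {fields[0]} ({fields[1]}, {fields[2]})")
    return hits
```

On a real machine, export each key with `reg export <key> out.reg`, decode the file as UTF-16 and pass the text to `find_looksky_indicators`; anything it reports is a value step 4 says to remove.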