Microsoft KB Archive/873018

= Download.Ject Payload Detection and Removal Tool =

Article ID: 873018

Article Last Modified on 6/6/2007

-

APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)

-



Notice
This tool is no longer available. It has been replaced by the Microsoft Windows Malicious Software Removal Tool. For more information about the Malicious Software Removal Tool, click the following article number to view the article in the Microsoft Knowledge Base:

890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Server 2003, Windows XP, or Windows 2000



SUMMARY
''Microsoft has learned of a Trojan horse program that is named W32/Berbew (variants A-H) that is downloaded after a Microsoft Windows-based client computer is infected with the Download.Ject malware. This problem occurs when a user visits a Web site that is hosted on a server that is running Microsoft Internet Information Services (IIS) and that has been infected by JS.Scob. The Web pages that are downloaded to the user’s computer contain an additional JavaScript program that downloads the Backdoor:W32/Berbew Trojan horse. Backdoor:W32/Berbew is also known as Backdoor-AXJ, Webber, or Padodor. When this Trojan horse runs on the user’s computer, it performs several actions, including the following:''


 * It monitors Internet access. When the user visits one of several financial or ISP Web sites, the Trojan horse captures sensitive information, such as log-in names, passwords, and other sensitive information. The Trojan horse then sends that information to a Web server for the Trojan horse’s author to retrieve. It installs a proxy server that configures the user’s computer for use as a relay for such actions as sending spam.
 * It opens fake dialog boxes that prompt the user to enter confidential information, such as ATM card codes or credit card numbers. This information is then sent to a Web server for the Trojan horse’s author to retrieve.

''Microsoft has released a tool to help you remove Backdoor:W32/Berbew Trojan horse variants from your computer. You can download this tool from the Microsoft Download Center and run it on your computer to remove Backdoor:W32/Berbew.A, Backdoor:W32/Berbew.B, Backdoor:W32/Berbew.C, and Backdoor:W32/Berbew.D, Backdoor:W32/Berbew.E, Backdoor:W32/Berbew.F, Backdoor:W32/Berbew.G and Backdoor:W32/Berbew.H infections.''

Technical updates  February 8, 2005: Microsoft replaced this tool with the Microsoft Windows Malicious Software Removal Tool. For more information about the Malicious Software Removal Tool, click the following article number to view the article in the Microsoft Knowledge Base:

890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Server 2003, Windows XP, or Windows 2000

 July 14, 2004: &quot;Summary,&quot; &quot;Resolution,&quot; and &quot;Usage Information&quot; sections were updated. July 13, 2004: Microsoft released version 1.0 of the Download.Ject Payload Detection and Removal Tool to the Microsoft Download Center. Version 1.0 detects and removes all currently known variants (A to H) of the Backdoor:W32/Berbew Trojan horse.



SYMPTOMS
You may experience one or more of the following symptoms:
 * Computer performance is decreased or the network connection is slow.
 * You receive messages or dialog boxes that request ATM security numbers and credit card information when you visit certain online financial and ISP Web sites.



CAUSE
This behavior occurs because your computer is infected with the Backdoor:W32/Berbew Trojan horse. Backdoor:W32/Berbew is delivered by the Download.Ject Trojan horse. For more information about how to determine if your computer is infected with a variant of Backdoor:W32/Berbew, visit the following Microsoft Web site:

http://www.microsoft.com/security/incident/Download_Ject.mspx



RESOLUTION
Antivirus software with up-to-date signatures will help prevent the Backdoor:W32/Berbew Trojan horse from infecting your computer.

Important We also recommend that you use an Internet firewall and an antivirus program with up-to-date signatures, and that you keep both Windows and your programs up-to-date.

For more information about how to prevent viruses, and about how to recover from virus infections, click the following article number to view the article in the Microsoft Knowledge Base:

129972 Computer viruses: description, prevention, and recovery

Prerequisites
The Download.Ject Payload Detection and Removal Tool has the following prerequisites:
 * Your computer must be running Microsoft Windows 2000 SP2 or later or a 32-bit version of Microsoft Windows XP.
 * You must log on as a computer administrator or as a member of the Administrators group.

For more information about how to determine whether a computer is running a 32-bit version of Windows XP or a 64-bit version of Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

827218 How to determine whether your computer is running a 32-bit version or a 64-bit version of the Windows operating system

If these prerequisites are not met, the installation will not work, and you will receive an error message. For more information about the error message, view the following log file:

%Windir%\Debug\Berbcln.log

Additionally, we recommend that you install the Windows update to disable the ADODB.stream object in Internet Explorer before you run the removal tool. Although the removal tool will remove the Trojan horse from infected computers, it will not prevent re-infection if your computer is still vulnerable. By installing the critical update, you can help prevent additional downloads of malware from a Download.Ject-infected server.

For more information about the Windows update to disable the ADODB.stream object, click the following article number to view the article in the Microsoft Knowledge Base:

870669 How to disable the ADODB.Stream object from Internet Explorer

Restart requirement
You do not have to restart your computer after you install this tool.

Usage information
Important Before you follow these steps, make sure that you have backed up all your important data.

When you install the Download.Ject Payload Detection and Removal Tool and accept the end-user license agreement (EULA), the installation package extracts the Berbcln.exe file to a temporary folder, and then the removal tool runs. The removal tool verifies that your computer meets the prerequisites that are listed in the &quot;Prerequisites&quot; section. If the prerequisites are met, the removal tool takes the following actions:  The tool examines the following registry subkeys for entries that the Trojan horse has added:   </li>  </li></ul> </li> The tool searches in memory for evidence of the main Backdoor:Win32/Berbew Trojan horse component. If the removal tool finds this, the process is ended.</li> The tool searches for the following data files that the Trojan horse created. These files may contain sensitive personal data. The tool deletes these files.

Neh2x32.vxd

Neh2x32.dat

Glumx32.vxd

Glumx32.dat

Tt32.vxd

Tt32.dat

Gart32.vxd

Gart32.dat

Jcole32.vxd

Jcole32.dat

Kk32.dll

Kk32.dll

Dnkk.dll

Surf.dat

Kkq32.dll

Kkq32.vxd

Dnkkq.dll

Kar32.dll

Kar32.vxd

Dkk32.dll

Zurfs.dat

</li> The tool deletes all the files that are associated with the Backdoor:W32/Berbew Trojan horse. These files were identified in steps 1 and 2.</li> The tool removes the registry entries that it identified in step 1. If a Berbew registry value no longer points to a file on the hard disk, the removal tool does not remove the orphaned registry value because the registry value will not cause any damage if the associated file does not exist on the hard disk.</li> As part of its method of operation, the Trojan horse runs two instances of Microsoft Internet Explorer in hidden windows. These windows try to connect to malicious Web sites. One instance tries to upload stolen personal data, and the other instance looks for software updates for the Trojan horse. If the tool detects the Backdoor:W32/ Berbew Trojan horse on the computer, the tool ends all currently running instances of Internet Explorer.</li> The tool displays a message that describes the outcome of the detection and removal process. The following list contains the messages that you may receive, and it explains their meanings.

When you close the message box, the removal tool quits, and the Berbcln.exe file is deleted from the temporary folder. You can now delete the Windows-KB873018-ENU-V1.exe file manually.</li> The removal tool creates a log file named Berbcln.log in the %Windir%\Debug folder. You can view this log file to determine if Backdoor:W32/Berbew.gen infections were detected and were removed.</li></ol>

Command-line switches
The removal tool installer supports the following command-line switches:
 * /Q - Use quiet mode or suppress messages when the files are being extracted.
 * /Q:U - Use user-quiet mode. User-quiet mode displays some dialog boxes to the user.
 * /Q:A - Use administrator-quiet mode. Administrator-quiet mode does not present any dialog boxes to the user.
 * /T:  - Specify the location of the temporary folder that is used by the Download.Ject Payload Detection and Removal Tool Setup program, or specify the target folder for extracting files (when this switch is used together with the /C switch).
 * /C - Extract the files without installing them. If /T:  is not specified, you are prompted to specify a target folder.
 * /C:  - Specify the path and the name of another Setup.inf file or an .exe file to use to install the tool.
 * /R:N - Never restart the computer after installation.
 * /R:I - Prompt the user to restart the computer if a restart is required, except when this switch is used with the /Q:A switch.
 * /R:A - Always restart the computer after installation.
 * /R:S - Restart the computer after installation without prompting the user

For more information about the supported installation switches, click the following article number to view the article in the Microsoft Knowledge Base:

197147 Command-line switches for IExpress software update packages

The removal tool supports the following command-line switch:
 * /S - Enables silent mode for the tool. This switch suppresses the infection status dialog box that you receive after the tool has run.

Removal information
The Berbcln.exe file is automatically deleted from its temporary location after the removal tool runs. You can delete the tool's installer package after you install the removal tool.

Note After you install the Download.Ject Payload Detection and Removal Tool, it does not appear in the Installed programs list in the Add/Remove Programs tool in Control Panel.

<div class="moreinformation_section">

MORE INFORMATION
In more recent versions of Robocopy, such as version XP010, the /SECFIX switch has been deprecated. To refresh security information for existing destination files and folders without copying file data, use the /IS switch together with the /COPY switch without the D flag. For example, /IS /COPY:SOU refreshes all security information for all selected files without copying any file data. For more information, see the &quot;Selectively Copying File Data&quot; topic in the Robocopy.doc file.

Additional query words: Berbew removal tool virus worm W32.Berbew.A W32.Berbew.B W32.Berbew.C W32.Berbew.D W32.Berbew.E W32.Berbew.F W32.Berbew.G

Keywords: kbpubtypekc atdownload kbqfe kbsecurity kbsecbulletin kbsecvulnerability kbbug kbfix KB873018

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.