Karma Worm Prevention and Removal
Introduction
With prolific outbreaks of Karma Worm infections by many different variants across IRC (Internet Relay Chat), we have decided to release both a preventative and a removal program as a FREE service to help halt the spread. The script has a prevention mode which writes a dummy Rol.VBS file to the C:\ drive with read-only attributes. The real Karma Worm cannot overwrite this file, which effectively stops it from being installed.

It is noticeable that a lot of people clean up one infection of Karma Worm and then become reinfected with yet another variant by visiting another Karma Worm infected web site. Installing the dummy file will prevent these reinfections for the known variants. If the deployment method is changed we will update the script to add prevention for any new methods.

The other part of the script cleans Karma Worm infections of 7 types, including all variants of those 7 types, plus 2 other nuisance Worms which are encoded and create text files. If you load this script and keep it loaded it will automatically clean any reinfections if you did not install the dummy file. Note: Karma Worm copies itself to every mIRC directory and each version should be cleaned separately.
Curing an Existing Infection
If the computer is already infected, the Worm will need to be cleaned up and deactivated, and the solution is to load the removal and protection script. Details of how to load the script are below. The script automates the process of finding and removing Karma Worm variants and also restores the MIRC.INI file back to its original state where it can be written to, so that configuration changes can be saved. Karma Worm makes the MIRC.INI read only in an attempt to prevent the line it uses from being deleted or edited and the changes being saved.

To load the script, download it from the link below and save it to your hard drive. Unzip the script to your mIRC directory and open the mIRC program. Type /load -rs karma.mrc in any of the mIRC windows as seen below and you should see the results of the detection and removal processes.

Load by typing the above and then hit your Enter key.

If you are prompted with a script warning as above click on the Yes button to load the script.

Once loaded you will see this text displayed in the active window. Anything in red text shows that a removal was effective. The above demonstrates a successful removal of Server.INI. It would be prudent to leave the script loaded at all times to automatically clean any reinfections of the same.

If you right click in a channel or click on the main menu you will see these extra options displayed. To check your WIN.INI and SYSTEM.INI for other possible Trojans, set the Windows directory first by browsing to and selecting its directory. Once the location of Windows is set you can view the contents of your *.INI files to check them for possible Trojan Start Up methods.

By clicking on the Block Karma option in the menu, a harmless dummy read-only Rol.VBS file will be created on the C:\ drive to render future Karma Worm attacks impotent. Once it is installed, if you visit a Karma infected page you will see that the page now gives an error because it cannot write Rol.VBS, as the file is read only.
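
The two file-attribute steps described above (the read-only Rol.VBS placeholder and making MIRC.INI writable again) can be reproduced as follows. This is an added example in Python, not the code of the karma.mrc script; the function names, the placeholder content and the lower-case mirc.ini file name are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

MARKER_NAME = "Rol.VBS"            # file name given on the page
MARKER_BODY = b"' placeholder\r\n"  # constructed, harmless content (assumption)
INI_NAME = "mirc.ini"              # assumed on-disk spelling of MIRC.INI


def is_read_only(path):
    """True when no write bit is set (the read-only attribute on Windows)."""
    mode = Path(path).stat().st_mode
    return not mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)


def install_marker(drive_root):
    """Create the read-only placeholder without clobbering an unknown file."""
    marker = Path(drive_root) / MARKER_NAME
    if marker.exists():
        if marker.read_bytes() != MARKER_BODY:
            return "unexpected-content"   # may be a dropped script: review it
    else:
        marker.write_bytes(MARKER_BODY)
    os.chmod(marker, stat.S_IREAD)        # sets the read-only attribute
    return "protected"


def restore_ini(mirc_dirs):
    """Make each read-only mirc.ini writable again; return the dirs fixed."""
    fixed = []
    for directory in mirc_dirs:           # every mIRC install is checked
        ini = Path(directory) / INI_NAME
        if ini.is_file() and is_read_only(ini):
            os.chmod(ini, stat.S_IREAD | stat.S_IWRITE)
            fixed.append(str(directory))
    return fixed


if __name__ == "__main__":
    # Constructed demo in a temp directory standing in for C:\ and one mIRC dir.
    root = Path(tempfile.mkdtemp())
    mirc = root / "mirc"
    mirc.mkdir()
    (mirc / INI_NAME).write_text("[options]\n")
    os.chmod(mirc / INI_NAME, stat.S_IREAD)   # simulate the locked INI
    print(install_marker(root), restore_ini([mirc]))
```

The read-only attribute blocks only a writer that does not clear it first, so treat the placeholder as protection against the known variants, as the page states.
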

You can download the Karma Worm Prevention and Removal script here

You can also download our FREE Swat It Trojan, Bot and Worm Scanner that detects in excess of 3000 different Trojans and Bots plus variants. Swat It recently performed very well in comparative testing against a test bed of different Trojan and Bot files and came out top by nearly double the amount of confirmed detections of its nearest competitor. You can download and use Swat It for FREE including product and signature updates here

You can download and try SwatIt now free of charge by clicking
on the download link on the left.