
How to manually remove the "狙击波" virus


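On 15 August 2005, the Jiangmin Anti-Virus Center intercepted I-Worm/Zobot, a worm that exploits Microsoft's "Plug and Play service code execution vulnerability" (MS05-039). The virus spreads through this newly disclosed vulnerability and can receive commands from an attacker over IRC, which gives the attacker full control of the infected computer. As of 17 August, Jiangmin's customer service center, technical support mailbox and automatic virus monitoring system had received more than a hundred requests for help from users.

For this virus, Jiangmin's anti-virus experts propose two approaches: manual removal and automatic disinfection.

I. Automatic disinfection: promptly download and install the vulnerability patch, update the anti-virus software's virus database, and enable real-time virus monitoring, in particular Trojan/registry monitoring; this ensures the machine is not affected by the virus.

II. Manual disinfection:

1. End the botzor.exe process in Task Manager.

2. Run REGEDIT to open the Registry Editor and delete the startup entries that the virus added to the registry: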
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM" = botzor.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM" = botzor.exe

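3. Delete the botzor.exe file that the virus created in the system directory; its size is 22528 bytes.

In addition, the experts suggest that the "未知病毒克星" (unknown-virus killer) and "木马一扫光" (Trojan sweep) components of Jiangmin KV2005 also provide effective proactive defense against the virus.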

Microsoft patch download:
http://www.microsoft.com/china/technet/security/bulletin/MS05-039.mspx
Jiangmin removal tool download:
http://update2.jiangmin.com/kvrt.exe
http://forum.jiangmin.com/KVRT.RAR
Last edited 2005-08-24 17:50:18

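It exploits MS05039: MS PnP Buf Overflow. Everyone please patch as soon as possible...
I'll put out a removal tool first... if you do get infected, just run it right away.

Save the following code as a VBS file, then run it.
PS: I haven't been around the forum for a long time... I used to post removal tools while a worm was already spreading; better to move faster and put one out before it arrives, as insurance.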



' Keep going when a process, key or file is already gone
On Error Resume Next

Dim wmi, wsh
Set wsh = CreateObject("WScript.Shell")
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' Terminate every running csm.exe process
Function killprocess()
    On Error Resume Next
    Dim process, objprocess
    Set process = wmi.ExecQuery("select * from win32_process where name='csm.exe'")
    For Each objprocess In process
        objprocess.Terminate()
    Next
    MsgBox "Process is Killed."
End Function

' Remove the worm's autostart values; the local handler lets the second
' delete run even when the first value does not exist
Function delreg()
    On Error Resume Next
    wsh.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\csm Win Updates"
    wsh.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\csm Win Updates"
    MsgBox "Delete OK"
End Function

' Set the SharedAccess service start type to 3 (manual)
Function updatereg()
    wsh.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start", 3, "REG_DWORD"
    MsgBox "Modified OK"
End Function

' Delete the files dropped under %Systemroot%
Function Delfile()
    wsh.Run "cmd.exe /c del %Systemroot%\2pac.txt", 0
    wsh.Run "cmd.exe /c del %Systemroot%\haha.exe", 0
    wsh.Run "cmd.exe /c del %Systemroot%\csm.exe", 0
    MsgBox "Delete OK"
End Function

' Overwrite the hosts file with a single localhost entry
' (any other entries in the file are lost)
Function Resethosts()
    wsh.Run "cmd.exe /c echo 127.0.0.1 Localhost > %Systemroot%\system32\drivers\etc\hosts", 0
    MsgBox "Reset OK!"
End Function

' Main sequence: process, registry, files, hosts
MsgBox "Delete The Fucking vivus Zotob codz." & vbCrLf & " By kEvin1986 [S.4.T]", vbInformation, "Zotob Killer"
MsgBox "Now Terminate the Fucking Process of Csm.exe", vbInformation, "Zotob Killer"
killprocess()
MsgBox "Now Delete the Fucking Keys In The Registry", vbInformation, "Zotob Killer"
delreg()
MsgBox "Now Update the registry which modified By the Fucking vivus.", vbInformation, "Zotob Killer"
updatereg()
MsgBox "Now Delete the Fucking shit of this Vivus.", vbInformation, "Zotob Killer"
Delfile()
MsgBox "Now it will Reset the hosts file which modified by the fucking vivus.you must update your system right now!", vbInformation, "Zotob Killer"
Resethosts()
MsgBox "Greate...The Fucking vivus was dead....Thank you 4 clean the fucking things.", vbInformation, "Zotob Killer"
MsgBox "Welcome visit My friends' BBS www.5idn.com "
MsgBox "And My Team www.4ngel.net"
MsgBox "Exit now..Bye."
This was written by someone else, but the major anti-virus vendors already have dedicated removal tools.
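
A read-only check for the indicators listed on this page, as an added example that is not part of the original post or of either author's tooling: it looks for the process names, the Run/RunServices values and the dropped files named in the Jiangmin steps (botzor.exe) and in the quoted script (csm.exe), and changes nothing. The procedure names AddFinding, ValueExists and CheckVariant are hypothetical helpers, and the csm.exe location follows the script's %Systemroot% path.

```vbscript
' Added example: read-only check for the indicators named on this page.
Option Explicit
Dim wsh, fso, wmi, findings
Set wsh = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
findings = ""

' Advisory indicators: botzor.exe in the system directory, 22528 bytes.
CheckVariant "botzor.exe", "WINDOWS SYSTEM", fso.GetSpecialFolder(1).Path, 22528
' Script indicators: csm.exe under %Systemroot%; the page gives no size (-1).
CheckVariant "csm.exe", "csm Win Updates", fso.GetSpecialFolder(0).Path, -1

If findings = "" Then findings = "None of the listed indicators were found."
WScript.Echo findings

' Hypothetical helper: collect one finding per line.
Sub AddFinding(msg)
    findings = findings & msg & vbCrLf
End Sub

' Hypothetical helper: True if the registry value can be read.
Function ValueExists(path)
    On Error Resume Next
    wsh.RegRead path
    ValueExists = (Err.Number = 0)
    Err.Clear
End Function

' Hypothetical helper: report process, autostart values and file for one variant.
Sub CheckVariant(exeName, valueName, folder, expectedSize)
    Dim p, key, path, size
    For Each p In wmi.ExecQuery("select * from Win32_Process where Name='" & exeName & "'")
        AddFinding "Process running: " & exeName & " (PID " & p.ProcessId & ")"
    Next
    For Each key In Array("Run", "RunServices")
        path = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\" & key & "\" & valueName
        If ValueExists(path) Then AddFinding "Autostart value: " & path & " = " & wsh.RegRead(path)
    Next
    path = fso.BuildPath(folder, exeName)
    If fso.FileExists(path) Then
        size = fso.GetFile(path).Size
        If expectedSize >= 0 And size <> expectedSize Then
            AddFinding "File present: " & path & " (" & size & " bytes, page lists " & expectedSize & ")"
        Else
            AddFinding "File present: " & path & " (" & size & " bytes)"
        End If
    End If
End Sub
```

Run it with cscript to get the findings as console text; a size that differs from 22528 bytes is reported rather than treated as a match.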
