Thursday, September 29, 2011

Harms Done By Win32.AutoRun On A Computer

Most of the top 10 software companies in India would list Win32.AutoRun as a low-risk virus, and this is true. But this virus can be extremely annoying if it is not taken care of in time. The sooner it is dealt with, the better.

This virus propagates through removable storage devices, and there are symptoms which indicate that a computer is infected. The visible symptoms of a Win32.AutoRun infection are listed below.

When run, the worm copies itself into the %programfiles%\Microsoft Common\ folder under the file name wuauclt.exe and creates the registry value given below:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe] "Debugger" = "%programfiles%\Microsoft Common\wuauclt.exe"
This then causes the worm to execute at the start of every application.

You may wonder how I get to know all this. It is because I get maximum cooperation from the software engineers working in Oglacs, a top software company based in India.

Continuing, I would like to tell you that this worm runs and creates a new thread with its own program code inside the following processes:

This worm copies itself into the root folder of removable drives using the name system.exe. A file, autorun.inf, is dropped in the same folder. This ensures that the worm is started every time the infected media is inserted into a computer.

The system.exe file is a copy of the worm itself, while the autorun.inf contains the following lines:
    [autorun]
    ;p
    open=system.exe
    ;p
    shellexecute=system.exe
    ;p
    shell\Explore\command=system.exe
    ;p
    shell\Open\command=system.exe
    ;p
    shell=Explore

The Win32.AutoRun worm contains a list of URLs from which it tries to download several files over HTTP; the downloaded files are then executed.

The worm creates temporary files as %temp%\%variable%.tmp (6656 B).

It may also set the following registry entries:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit" = "%system%\userinit.exe,%variable1%"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "%variable2%" = "%variable3%"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%variable4%" = "%variable5%:*:Enabled:%variable6%"
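As an added triage example (not code from the post or from any vendor), the Python below parses an autorun.inf like the one shown above and flags the directives that launch a program from the drive, and inspects a registry snapshot for the two persistence mechanisms described here: the Image File Execution Options "Debugger" value on explorer.exe and an extra program appended to Winlogon "Userinit". The SAMPLE_AUTORUN_INF text and SAMPLE_REGISTRY dict are constructed; the dict stands in for values read with winreg on a real host, with a placeholder where the post uses %variable1%.

```python
import re
# Constructed sample: the autorun.inf reproduced in the post, ";p" comment lines included.
SAMPLE_AUTORUN_INF = r"""[autorun]
;p
open=system.exe
;p
shellexecute=system.exe
;p
shell\Explore\command=system.exe
;p
shell\Open\command=system.exe
;p
shell=Explore
"""
# Constructed registry snapshot of the post's two persistence keys (a stand-in for winreg output).
SAMPLE_REGISTRY = {
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\explorer.exe":
        {"Debugger": r"%programfiles%\Microsoft Common\wuauclt.exe"},
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon":
        {"Userinit": r"%system%\userinit.exe,%variable1%"},
}

CMD_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command=<program>

def parse_autorun_inf(text):
    """Map lowercase directive -> value, skipping blank, ';' comment and [section] lines."""
    entries = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line and line[0] not in ";[" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def autorun_findings(text):
    """Directives that run a program on media insert or when the drive is opened/explored."""
    return sorted((k, v) for k, v in parse_autorun_inf(text).items()
                  if (k in ("open", "shellexecute") or CMD_KEY_RE.match(k))
                  and v.lower().endswith((".exe", ".com", ".bat", ".cmd", ".scr", ".pif")))

def registry_findings(reg):
    """Flag an IFEO Debugger set on a system binary and any extra program appended to Userinit."""
    findings = []
    for key, values in reg.items():
        leaf = key.rsplit("\\", 1)[-1]
        if "\\Image File Execution Options\\" in key and "Debugger" in values:
            findings.append(("ifeo_debugger", leaf, values["Debugger"]))
        if leaf.lower() == "winlogon" and "Userinit" in values:
            extra = [p.strip() for p in values["Userinit"].split(",")[1:] if p.strip()]
            findings.extend(("userinit_extra", leaf, e) for e in extra)
    return findings
```

A legitimate autorun.inf that only sets icon= and label= produces no findings, and a clean Userinit value ("%system%\userinit.exe," with nothing after the comma) is not flagged.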
Win32.AutoRun may also create the following files:
    %System%\config\autorun.inf
    h:\autorun.inf
    f:\autorun.inf
    i:\autorun.inf
    g:\autorun.inf
    k:\autorun.inf
    l:\autorun.inf
    o:\autorun.inf
    j:\autorun.inf
These files will be launched each time the user opens the corresponding hard disk partition using Windows Explorer. When one of these files is executed, it launches a copy of the virus as %System%\config\csrss.exe.

Win32.AutoRun may also infect many other files on the system.

As mentioned before, Win32.AutoRun is a family of worms that spread through USB storage devices or disks shared via a network.

In order to remove this particular virus you need to do the following:
  1. Disable System Restore
  2. Delete all registry values created by the virus
  3. Remove all files dropped by the virus, such as wuauclt.exe and autorun.inf, taking care not to delete any legitimate system file
  4. Use a removal tool

This is all for today, visit back for more.
