
How To Delete Win32.AutoRun - Removal Tool, Fix Instructions

Win32.AutoRun is a worm that spreads via removable media by creating autorun.inf files. It copies itself to removable drives and infects various system files. To remove it, disable system restore, delete registry entries added by the virus, remove virus files, and use a free removal tool from Kaspersky Labs.

Uploaded by ajitkhot
Copyright: © Attribution Non-Commercial (BY-NC)

Name: Win32.AutoRun
Aliases: Worm.Win32.AutoRun (Kaspersky), Spy-Agent.bw.gen.trojan (McAfee), W32.SillyFDC (Symantec)
Type: Worm
Size: Depends on version
First appeared on: October 10, 2007
Damage: Low

Brief Description: Win32.AutoRun is a worm that spreads via removable media.

Visible Symptoms: Win32.AutoRun creates some files listed below.

Technical description: When executed, the worm copies itself into the %programfiles%\Microsoft Common\ folder using the following filename:

    wuauclt.exe

The following Registry entries are created:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
    "Debugger" = "%programfiles%\Microsoft Common\wuauclt.exe"

This causes the worm to be executed on every application start.

The worm creates and runs a new thread with its own program code within the following processes:

    %system%\svchost.exe
    %windir%\explorer.exe

The worm copies itself into the root folders of removable drives using the following name:

    system.exe

The following file is dropped in the same folder:

    autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

The system.exe file is a copy of the worm, while autorun.inf contains the following strings:

    [autorun]
    ;p
    open=system.exe
    ;p
    shellexecute=system.exe
    ;p
    shell\Explore\command=system.exe
    ;p
    shell\Open\command=system.exe
    ;p
    shell=Explore

The worm contains a list of (2) URLs. It tries to download several files from the addresses. The HTTP protocol is used. The files are then executed.

The worm creates the following files:

    %temp%\%variable%.tmp (6656 B)

The worm may set the following Registry entries:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit" = "%system%\userinit.exe,%variable1%"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "%variable2%" = "%variable3%"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%variable4%" = "%variable5%:*:Enabled:%variable6%"

A string with variable content is used instead of %variable(1-6)%.

The virus may also create the following files:

    %System%\config\autorun.inf
    h:\autorun.inf
    f:\autorun.inf
    i:\autorun.inf
    g:\autorun.inf
    k:\autorun.inf
    l:\autorun.inf
    o:\autorun.inf
    j:\autorun.inf

These files will be launched each time the user opens the corresponding hard disk partition using Windows Explorer. When one of these files is run, it will launch a copy of the virus: %System%\config\csrss.exe.

Win32.AutoRun may infect the following files:

Propagation: Win32.AutoRun is a family of worms that spread via USB disks or network share disks. The worm tries to download and execute several files from the Internet.

Removal instruction:

1. Disable system restore.
2. Delete registry values created by the virus.
3. Remove files dropped by the virus (i.e., wuauclt.exe and autorun.inf). Do not delete system files!
4. Use the free removal tool from Kaspersky Labs.
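
Before deleting anything in steps 2 and 3, it helps to confirm which of the persistence points described above are actually present. The following is an added example, not part of the original document or of any vendor tool: it parses autorun.inf text and a registry snapshot offline. The snapshot layout, the function names, the default Userinit path (C:\Windows\system32\userinit.exe, assumed for a default install) and the sample values are assumptions made for illustration.

```python
import re

# [autorun] keys that make Windows launch a program from the media root.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def autorun_launch_targets(text):
    """Return (key, target) pairs from the [autorun] section of autorun.inf text."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # skips filler lines such as ";p"
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()):
                targets.append((key.strip().lower(), value.strip()))
    return targets

def userinit_extras(value, expected=r"C:\Windows\system32\userinit.exe"):
    """Return Userinit entries other than the expected userinit.exe path (assumed default)."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != expected.lower()]

def audit_hklm(snapshot):
    """snapshot: {HKLM subkey: {value name: data}} (assumed layout). Returns findings."""
    findings = []
    debugger = snapshot.get(IFEO + r"\explorer.exe", {}).get("Debugger")
    if debugger:
        findings.append(("IFEO Debugger on explorer.exe", debugger))
    for extra in userinit_extras(snapshot.get(WINLOGON, {}).get("Userinit", "")):
        findings.append(("Extra Userinit entry", extra))
    return findings

# Constructed samples modelled on the values quoted in the description above.
SAMPLE_INF = ("[autorun]\n;p\nopen=system.exe\n;p\nshellexecute=system.exe\n;p\n"
              "shell\\Explore\\command=system.exe\n;p\nshell\\Open\\command=system.exe\n;p\nshell=Explore\n")
SAMPLE_HKLM = {
    IFEO + r"\explorer.exe": {"Debugger": r"%programfiles%\Microsoft Common\wuauclt.exe"},
    WINLOGON: {"Userinit": r"C:\Windows\system32\userinit.exe,C:\example\placeholder.exe"},
}

if __name__ == "__main__":
    for finding in autorun_launch_targets(SAMPLE_INF) + audit_hklm(SAMPLE_HKLM):
        print(finding)
```

A clean system yields no findings: the Debugger value is absent and Userinit holds only the userinit.exe path followed by a trailing comma.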
