My good old friend Worm:W32/Autorun

I went to www.dwelle.org and avast alarmed me that there were some trojans trying to install themselves… I clicked abort connection, and instantly my floppy started to run… and it repeated it every few seconds…

I knew instantly that that autorun worm was back again…

So I checked the following:

Did it create this:
C:\Program Files\Microsoft Common\svchost.exe
YES it did!

and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger = "C:\Program Files\Microsoft Common\svchost.exe"
YES it did!

Bummer!
Then I turned on MBAM and it instantly found something suspicious in that file, but the recommendation was to ignore it.
A few minutes after that I got a message from avast! that there was a virus in my memory, that it is dangerous to work with a virus in memory, and that I should schedule a boot scan and restart. I clicked No. (There was no description of what kind of problem it was, just that there was “something” in my memory.)

I restarted the computer manually. After the restart the floppy was still grinding and avast did not report anything!

I deleted that registry string and renamed the file. After doing that the floppy stopped its activity.

I tried scanning it on VirusTotal, and only Panda and one other (to me) unknown scanner flagged it, just as a suspicious file. No major AV software found it suspicious.

Here is some description:
http://www.f-secure.com/v-descs/worm_w32_autorun_kk.shtml
I’m not sure this is exactly my version of the worm, because no AV detects it.

Now that the floppy has stopped grinding I think the worm has stopped reproducing itself via autorun. But have I removed it completely?

Why did avast fail to detect the threat???

How can I protect myself from future attacks of this worm?

Thanks

Hi,
can you send us the sample, please? Send zipped file with password “infected” to virus@avast.com.

Thanks

Sent sample to virus@avast.com

Here is an update:

Today when I turned on my PC, avast stopped this with the Network Shield:

iframecash.net/load

So I googled it up and found that I was infected with:
Worm.Win32.AutoRun.aqtn

:frowning:

It created:
%System%\logon.exe
%Windir%\Temp\rdl1.tmp

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0x00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = “Explorer.exe logon.exe”

And it KILLED the entire HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 !!!

More info can be found here:
http://www.threatexpert.com/report.aspx?md5=d3901b30efdc2b677d1ccbbc12c40b78

Any suggestions on how to fix up this mess?
Please help.
Thanks

How about trying an MBAM scan^^(www.malwarebytes.org)^^

Post back the results here^^

-AnimeLover^^

Hi

A manual removal routine:
Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Use Task Manager to terminate the virus process.
Delete the original virus file (the location will depend on how the program originally penetrated the victim machine).
Delete the following parameters from the system registry (Make a backup of the registry then edit the registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = 1
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoFolderOptions = 1
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
“Worms” = “%System%\logon.bat”
Delete the following files:
%System%\config\csrss.exe
%WinDir%\media\arona.exe
%System%\logon.bat
%System%\config\autorun.inf
h:\autorun.inf
f:\autorun.inf
i:\autorun.inf
g:\autorun.inf
k:\autorun.inf
l:\autorun.inf
o:\autorun.inf
j:\autorun.inf

Update your antivirus databases and perform a full scan of the computer, then run this Flash_Disinfector
from here: http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

polonus
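
A read-only audit of the persistence points named in this thread: the IFEO Debugger on explorer.exe and the Program Files svchost.exe from the first post, the Winlogon Shell hijack from the update, and the registry values, dropped files and autorun.inf roots listed in the removal routine above. This is example code added here, not a tool from the posts, from avast or from Malwarebytes. It assumes %System% means %SystemRoot%\system32 (the 32-bit layout of the poster's XP machine) and only reports what it finds; the removal itself is still done by hand, after the registry backup polonus recommends.

```powershell
# Added example (not from this thread): read-only audit of the persistence
# points named above. It reports; it deletes nothing. Run from an elevated
# PowerShell prompt so HKLM and every drive root are readable.

$sys      = $env:SystemRoot
$findings = New-Object System.Collections.Generic.List[string]

# Record a registry value when it exists and $IsBad says it looks hijacked.
function Test-RegValue {
    param(
        [string]$Path,
        [string]$Name,
        [scriptblock]$IsBad,
        [string]$Why
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return }
    $value = [string]$prop.Value
    if (& $IsBad $value) {
        $findings.Add("REGISTRY  $Path\$Name = '$value'  ($Why)")
    }
}

# 1. Image File Execution Options: a Debugger value on explorer.exe makes Windows
#    start that program instead of the shell (the Microsoft Common\svchost.exe
#    entry from the first post).
Test-RegValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe' `
    -Name 'Debugger' -IsBad { param($v) $v.Trim() -ne '' } -Why 'IFEO debugger set on explorer.exe'

# 2. Winlogon Shell should be exactly explorer.exe; the worm appended logon.exe to it.
Test-RegValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -Name 'Shell' -IsBad { param($v) $v.Trim() -ne 'explorer.exe' } -Why 'Winlogon Shell is not plain explorer.exe'

# 3. Policies that hide Task Manager and Folder Options from the current user.
Test-RegValue -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name 'DisableTaskMgr' -IsBad { param($v) $v -eq '1' } -Why 'Task Manager disabled by policy'
Test-RegValue -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -Name 'NoFolderOptions' -IsBad { param($v) $v -eq '1' } -Why 'Folder Options hidden by policy'

# 4. RunOnce value from the removal routine that relaunches %System%\logon.bat.
Test-RegValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' `
    -Name 'Worms' -IsBad { param($v) $true } -Why 'RunOnce value named in the removal routine'

# 5. Dropped files named in the thread. %System% is taken as %SystemRoot%\system32
#    (an assumption matching the poster's 32-bit XP layout).
$files = @(
    "${env:ProgramFiles}\Microsoft Common\svchost.exe",
    "$sys\system32\logon.exe",
    "$sys\system32\logon.bat",
    "$sys\system32\config\csrss.exe",
    "$sys\system32\config\autorun.inf",
    "$sys\media\arona.exe",
    "$sys\Temp\rdl1.tmp"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -ErrorAction SilentlyContinue) {
        $findings.Add("FILE      $f exists")
    }
}

# 6. autorun.inf in the root of every mounted drive, not only the letters listed above.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
        $findings.Add("AUTORUN   $inf")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the persistence points from this thread were found.'
} else {
    Write-Output 'Suspicious items (back up the registry before removing any of them):'
    foreach ($line in $findings) { Write-Output "  $line" }
}
```

Save it as a .ps1 file and run it once before and once after the manual removal: the first run lists what the worm left behind, the second should report that nothing was found. Because it only reads, it cannot undo a mistake, which is why the registry backup still comes first; and because it checks only the names from this thread, a different variant of the worm will not show up in it.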

Updated MBAM and ran a full scan. Log:

Malwarebytes’ Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

26.8.2009 17:26:20
mbam-log-2009-08-26 (17-26-20).txt

Scan type: Full Scan (C:|F:|G:|)
Objects scanned: 256114
Time elapsed: 1 hour(s), 39 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) → Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\856FODAJ\ftp[1].exe (Trojan.Agent) → Quarantined and deleted successfully.
G:\Software\Learn to Draw\LearnToDraw\CRACK_Learn to Draw for Beginners 1.0\Keygen.exe (Malware.NSPack) → Quarantined and deleted successfully.
C:\WINDOWS\system32\logon.exe (Trojan.Agent) → Delete on reboot.

I hope this will solve the problem.
What happened with avast? Why did it fail to stop the threat?
My avast version is 4.8-1335. A green window is popping up now and then informing me that a new version is available… should I install it?

Thank you all for help.


Welcome to the forums, forumer9. :slight_smile:

Yes, of course you should install the new version as yours is now old and might be why you had a problem.


In your 1st post you said MBAM told you to ignore, that sounds unusual. If you go to the ignore list in MBAM are there any entries?

No, nothing is in the ignore list.

When MBAM detected it I was asked what I wanted to do.
There were 2 options: Delete (or something like that) and Ignore.
And the recommendation by MBAM was to ignore it.

???