Worm.Win32.Ainslot.VB_e606cf95c2
Trojan.MSIL.Agent.cebd (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.NSIS.StartPage.FD, Worm.Win32.Ainslot.VB.FD, GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: e606cf95c25139b71c2f20c30f885613
SHA1: 47798d30ebbbe4958213c7d8ee77e6cca6791512
SHA256: d7f10ce01bae5e58ea5de2796bc52ddcb690c66d7d9773ae733b168fe5af6937
SSDeep: 12288:qr2StwhfVy9L10C3CBVufLO2pi eBO ekugasKFfWw7xJ3NeqINodJfbRysoq:8fqZV8yCyvui2pzekkugasFwr38qINow
Size: 758272 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2013-08-19 05:45:42
Summary:
Worm. A program that primarily replicates over networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm that spreads via removable drives. It writes its executable to every removable drive and creates an "autorun.inf" script alongside it; the script launches the Worm's file when a user opens the drive in Windows Explorer, provided AutoRun is enabled for removable drives. |
Process activity
The Worm creates the following process(es):
reg.exe:1712
reg.exe:1104
reg.exe:448
reg.exe:1208
reg.exe:948
The Worm injects its code into the following process(es):
WAT_REMOVER_v3.exe:1804
cvtres.exe:1696
e606cf95c25139b71c2f20c30f885613.exe:1548
File activity
The process WAT_REMOVER_v3.exe:1804 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2JKRA1CR\country[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\dAg (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9299MYNE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\back_dis.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\accept3.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\close.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\decline.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\box.bmp (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\complist.txt (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\skip.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\noc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\x.bmp (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\accept2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\locate.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\inetc3.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\accept_disabled.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1Z48SJB0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZQUTY6FC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp (25504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2JKRA1CR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\accept1.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\accept.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\back.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\1clogo.bmp (4992 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1.tmp (0 bytes)
The process cvtres.exe:1696 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\VMB (33 bytes)
%Documents and Settings%\%current user%\Application Data\CSOTRM2ARQ.exe (35 bytes)
The process e606cf95c25139b71c2f20c30f885613.exe:1548 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WAT_REMOVER_v3.exe (264 bytes)
%Documents and Settings%\%current user%\Application Data\IciesvNd\WIFyUQi.exe.lnk (873 bytes)
%Documents and Settings%\%current user%\Application Data\IciesvNd\79EPZk1dyR0LCEXbNbykW6H7Vi4q (98308 bytes)
Registry activity
The process reg.exe:1712 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 03 AE 29 E4 5A B2 60 97 56 69 FE 26 50 CF 51"
To run itself automatically each time Windows boots, the Worm adds the following value to the system registry autorun key. Note that the value points at a .lnk shortcut in the IciesvNd folder rather than at an executable, so the shortcut's target must be resolved to find the file that actually runs:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"scI9oFjEns" = "%Documents and Settings%\%current user%\Application Data\IciesvNd\WIFyUQi.exe.lnk"
The process reg.exe:1104 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 3D A2 B6 7B 21 35 71 EB 6C 35 57 D3 6A 04 C5"
Adds a Windows Firewall exception that allows the following program any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"CSOTRM2ARQ.exe" = "%Documents and Settings%\%current user%\Application Data\CSOTRM2ARQ.exe:*:Enabled:Windows Messanger"
The process reg.exe:448 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 B7 13 47 BB 58 36 A6 B5 13 B7 9E 3B A5 45 FD"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
The process reg.exe:1208 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 0C 11 93 6F 03 C8 2A 8F E8 19 3B 04 96 FF 96"
Adds a Windows Firewall exception that allows the following program any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%\Microsoft.NET\Framework\v2.0.50727]
"cvtres.exe" = "%WinDir%\Microsoft.NET\Framework\v2.0.50727\cvtres.exe:*:Enabled:Windows Messanger"
The process reg.exe:948 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 94 AD C3 FC 05 A2 9E 18 05 B5 E2 64 34 AD 1C"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
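The Run value, the DoNotAllowExceptions flag and the AuthorizedApplications entries listed above are the kind of artifacts an analyst pulls from a registry export of a suspect machine. The following Python is an added example, not code from the report or from Lavasoft: it parses a .reg export (string and dword values only) and flags the three traits the report shows, namely a Run entry pointing at a .lnk in a user-writable profile directory, firewall exceptions left enabled, and one display name reused for several unrelated binaries. The export is constructed to mirror the report's values; the profile name "user", the ctfmon.exe Run entry and the msmsgs.exe exception are invented for contrast, and the exception value names carry the full program path as a real export does.

```python
"""Triage Run-key persistence and Windows Firewall exceptions from a .reg export.

Added example; the export below is constructed, not captured from the sample,
and only string (REG_SZ) and dword values are parsed.
"""
import ntpath
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"scI9oFjEns"="C:\\Documents and Settings\\user\\Application Data\\IciesvNd\\WIFyUQi.exe.lnk"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\Application Data\\CSOTRM2ARQ.exe"="C:\\Documents and Settings\\user\\Application Data\\CSOTRM2ARQ.exe:*:Enabled:Windows Messanger"
"C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe"="C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\cvtres.exe:*:Enabled:Windows Messanger"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''

# Directory fragments any user can write to; a program started from here, or
# a firewall hole punched for one, deserves a look.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\appdata\\")

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return {key_path: {value_name: data}}; data is str for REG_SZ, int for dword."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if not m:
                continue
            name, data = _unescape(m.group(1)), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            elif data.startswith("dword:"):
                data = int(data[6:], 16)
            else:
                continue            # hex(...), @= defaults, multi-line values: skipped
            tree[current][name] = data
    return tree


def in_user_writable(path):
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def triage(tree):
    """Return [(category, detail)] for the registry traits worth a second look."""
    findings = []
    by_display = {}                 # firewall display name -> set of program paths
    for key, values in tree.items():
        k = key.lower()
        if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            for name, data in values.items():
                if not isinstance(data, str):
                    continue
                why = []
                if data.lower().endswith(".lnk"):
                    why.append("points at a .lnk shortcut, resolve its target")
                if in_user_writable(data):
                    why.append("lives in a user-writable profile directory")
                if why:
                    findings.append(("autorun", f"{name} = {data}: " + "; ".join(why)))
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            if values.get("DoNotAllowExceptions") in (0, "0"):
                findings.append(("firewall", "DoNotAllowExceptions=0: exceptions are honoured"))
        elif k.endswith("\\authorizedapplications\\list"):
            for data in values.values():
                if not isinstance(data, str):
                    continue
                # Data is "<path>:<scope>:<Enabled|Disabled>:<display name>"; the
                # path holds the drive colon, so split from the right.
                try:
                    path, scope, state, display = data.rsplit(":", 3)
                except ValueError:
                    continue
                if state.lower() != "enabled":
                    continue
                by_display.setdefault(display.lower(), set()).add(path)
                if in_user_writable(path):
                    findings.append(("firewall", f"exception for {path} (scope {scope}): "
                                     "binary in user-writable directory"))
    # The display name is attacker-chosen; the same label on unrelated binaries
    # (here cvtres.exe and a dropped file both claiming to be a messenger) is a tell.
    for display, paths in by_display.items():
        if len(paths) > 1:
            names = ", ".join(sorted(ntpath.basename(p) for p in paths))
            findings.append(("firewall", f"display name '{display}' reused for {len(paths)} binaries: {names}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"[{category}] {detail}")
```

Run against a real export (`reg export HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess out.reg` plus the HKCU Run key), the same three checks apply unchanged; the user-writable fragments are the only part tied to the Windows XP profile layout seen in the report.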
The process WAT_REMOVER_v3.exe:1804 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKCR\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}]
"id0" = "20082013"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\1ClickDownload]
"LastInstall0" = "30317931"
[HKCU\Software\1ClickDownload]
"LastInstall3" = "30317931"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\1ClickDownload]
"UID" = "282948265"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 6A F0 66 4F 3D 33 6F C6 E6 EE 1D 32 CA D5 8E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Worm modifies IE security-zone settings so that all network (UNC) paths are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE security-zone settings so that all sites that bypass the proxy server are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE security-zone settings so that all local (intranet) sites not listed in other zones are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm deletes the following value(s) from the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process cvtres.exe:1696 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 5D 70 13 FA 79 81 C6 5B 49 C4 27 1A 1D DF 8D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"Y02JN1EWM3" = "VMB"
[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"Y02JN1EWM3" = "August 20, 2013"
The process e606cf95c25139b71c2f20c30f885613.exe:1548 makes changes to the system registry.
The Worm creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"WAT_REMOVER_v3.exe" = "WAT_REMOVER_v3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 5A 66 7D 59 26 BE 5F 27 52 73 1E 18 C1 45 E3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
The Worm modifies IE security-zone settings so that all network (UNC) paths are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE security-zone settings so that all sites that bypass the proxy server are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Worm modifies IE security-zone settings so that all local (intranet) sites not listed in other zones are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://torntvz.com/ping.php?partner=h33tn&product=TornTV&build=18_3 | |
| hxxp://data.torntv.net/country.asp?st=-1&uid=282948265&tuid=3131649&sref=TTV_18-3c_h33tn&vmdt=|vm|&bld=18I&cnt=ru | |
| vmb.sytes.net | |
Rootkit activity
No anomalies have been detected.
Propagation
The Worm spreads via removable drives. It writes its executable to every removable drive and creates an "autorun.inf" script alongside it; the script launches the Worm's file when a user opens the drive in Windows Explorer, provided AutoRun is enabled for removable drives.
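The propagation mechanism described above, and the manual-removal step of deleting the Worm's copies together with "autorun.inf" from removable drives, both come down to reading the script and finding which file it launches. The following Python is an added example, not code from the report or from Lavasoft: it lays out a fake removable drive in a temporary directory with a constructed autorun.inf (the RECYCLER\wormcopy.exe name is invented) and resolves every launch entry (open, shellexecute and shell\<verb>\command) to the file on the drive, so the cleanup knows exactly what to delete.

```python
"""Find the files an autorun.inf on a removable drive would launch.

Added example: builds a fake drive in a temp directory with a constructed
autorun.inf and resolves every launch entry to a file path.
"""
import configparser
import os
import tempfile

# Constructed autorun.inf; the RECYCLER\wormcopy.exe name is invented. Pointing
# several launch keys at one hidden binary is the usual worm layout.
SAMPLE_AUTORUN_INF = """\
[autorun]
;created for the demo
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Removable Disk
action=Open folder to view files
open=RECYCLER\\wormcopy.exe
shell\\open\\command=RECYCLER\\wormcopy.exe
shell\\explore\\command=RECYCLER\\wormcopy.exe
shellexecute="RECYCLER\\wormcopy.exe" -autorun
useautoplay=1
"""

LAUNCH_KEYS = ("open", "shellexecute")


def launch_entries(inf_text):
    """Return [(key, command)] for every [autorun] key that starts a program."""
    # autorun.inf is INI-like; keys are case-insensitive and may contain
    # backslashes (shell\open\command), and '%' must not be interpolated.
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      delimiters=("=",))
    cp.read_string(inf_text)
    if not cp.has_section("autorun"):
        return []
    found = []
    for key, value in cp.items("autorun"):   # keys come back lower-cased
        if not value:
            continue
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value.strip()))
    return found


def program_from_command(command):
    """First token of a command line: a quoted path, or the first bare word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def find_autorun_targets(drive_root):
    """Resolve the launch entries of <drive_root>/autorun.inf to file paths.

    Each result records the key, the raw command, the path on the drive and
    whether that file is present, so the cleanup step knows what to remove.
    """
    inf_path = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, "r", encoding="utf-8", errors="replace") as fh:
        entries = launch_entries(fh.read())
    results = []
    for key, command in entries:
        prog = program_from_command(command).replace("\\", os.sep)
        path = prog if os.path.isabs(prog) else os.path.join(drive_root, prog)
        results.append({"key": key, "command": command,
                        "path": os.path.normpath(path),
                        "exists": os.path.isfile(path)})
    return results


def demo():
    """Lay out a fake removable drive in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(root, "RECYCLER"))
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    with open(os.path.join(root, "RECYCLER", "wormcopy.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 62)      # placeholder bytes, not a real PE
    hits = find_autorun_targets(root)
    # Distinct files the script launches; these plus autorun.inf itself are
    # what has to go from every removable drive.
    return hits, sorted({h["path"] for h in hits})


if __name__ == "__main__":
    hits, targets = demo()
    for h in hits:
        print(f"{h['key']:<22} -> {h['path']} (present={h['exists']})")
    print("remove:", targets)
```

On a real drive, call `find_autorun_targets("E:\\")` (or the mount point on Linux) and quarantine autorun.inf together with every path returned; entries whose file is missing still matter, because the script is rewritten the next time the drive meets an infected host.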
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
reg.exe:1712
reg.exe:1104
reg.exe:448
reg.exe:1208
reg.exe:948
The reg.exe instances only write the registry values listed above; also terminate the processes the Worm injects its code into (WAT_REMOVER_v3.exe:1804, cvtres.exe:1696 and e606cf95c25139b71c2f20c30f885613.exe:1548), since that is where the Worm's code actually runs.
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2JKRA1CR\country[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\dAg (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9299MYNE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\back_dis.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\accept3.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\close.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\decline.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\box.bmp (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\complist.txt (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\skip.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\noc (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\x.bmp (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\accept2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\locate.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\inetc3.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\accept_disabled.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1Z48SJB0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZQUTY6FC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp (25504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2JKRA1CR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\accept1.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\accept.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\back.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc3.tmp\1clogo.bmp (4992 bytes)
%Documents and Settings%\%current user%\Application Data\VMB (33 bytes)
%Documents and Settings%\%current user%\Application Data\CSOTRM2ARQ.exe (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WAT_REMOVER_v3.exe (264 bytes)
%Documents and Settings%\%current user%\Application Data\IciesvNd\WIFyUQi.exe.lnk (873 bytes)
%Documents and Settings%\%current user%\Application Data\IciesvNd\79EPZk1dyR0LCEXbNbykW6H7Vi4q (98308 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"scI9oFjEns" = "%Documents and Settings%\%current user%\Application Data\IciesvNd\WIFyUQi.exe.lnk"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the Worm's file together with the "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.