Worm.Win32.Dorkbot_460d215e2a
HEUR:Trojan.Win32.Generic (Kaspersky), Worm.Win32.Dorkbot (VIPRE), Trojan.Win32.Loktrom!IK (Emsisoft), Worm.Win32.Dorkbot.FD, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.
MD5: 460d215e2ac7d46fbc1cc4099a2b2de9
SHA1: 719e33735cac4eb801f32b9fe36278880e1691c2
SHA256: 9876af85e1a8e0f76509ea091d1cb7531237dd66583764d8bc0626f124dfa333
SSDeep: 3072:8Z3emkuuW1Kaq2pmyYWAdkN5S1Fov0XoWW1JCUrAagcGRP:8RemHuWbmpoSsv0XoWW1rR8B
Size: 186880 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1995-12-11 12:36:30
Analyzed on: Windows7 SP1 64-bit
Summary:
Worm. A program that primarily replicates over networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
| MSNWorm | A worm can spread its copies through MSN Messenger. |
| DNSBlocker | A program can block designated DNS servers to make it difficult for users to locate specific domains or web sites on the Internet. |
| UDPFlooder | This program can carry out a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host. |
| SYNFlooder | This program can carry out a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
| Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
| USBInfector | A program can register for device notifications with the help of RegisterDeviceNotification. It is then notified when a USB device is plugged in, and the worm copies itself to the USB device plugged into the affected computer. |
Process activity
The Worm creates the following process(es):
WMIADAP.EXE:2344
%original file name%.exe:1012
IEXPLORE.EXE:800
IEXPLORE.EXE:2408
The Worm injects its code into the following process(es):
mspaint.exe:588
File activity
The process WMIADAP.EXE:2344 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\System32\wbem\Performance\WmiApRpl_new.h (363 bytes)
C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini (924 bytes)
The Worm deletes the following file(s):
C:\Windows\System32\wbem\Performance\WmiApRpl.h (0 bytes)
The process %original file name%.exe:1012 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\ScreenSaverPro.scr (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\temp.bin (673 bytes)
The process mspaint.exe:588 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Itiyig.exe (673 bytes)
The Worm deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process IEXPLORE.EXE:800 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DF043008CE3228AF66.TMP (3839 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5B66229C-8CE5-11E3-A4E7-000C29A8BD90}.dat (12029 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DFBD1598FF9BFB8D4B.TMP (4415 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5B66229B-8CE5-11E3-A4E7-000C29A8BD90}.dat (12781 bytes)
The Worm deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E8FD4644-8CDB-11E3-A7B7-000C29A8BD90}.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E8FD4643-8CDB-11E3-A7B7-000C29A8BD90}.dat (0 bytes)
Registry activity
The process %original file name%.exe:1012 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "FB DD 9A 1B F2 20 CF 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "4C 21 3C F7 E8 20 CF 01"
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2B 00 00 00 09 00 00 00 00 00 00 00"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\ScreenSaverPro.scr"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"
The process mspaint.exe:588 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "32 FB 57 28 F2 20 CF 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "C9 E6 6B 20 F2 20 CF 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2D 00 00 00 09 00 00 00 00 00 00 00"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Itiyig" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Itiyig.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"
The process IEXPLORE.EXE:800 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"CompatibilityFlags" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"FullScreen" = "no"
[HKCU\Software\Microsoft\Internet Explorer\Recovery\AdminActive]
"{5B66229B-8CE5-11E3-A4E7-000C29A8BD90}" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"
"WpadNetworkName" = "Network 2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore]
"LoadTimeArray" = "88 01 00 00 2D 00 00 00 3B 00 00 00 5F 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "FB DD 9A 1B F2 20 CF 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore]
"Type" = "3"
"Time" = "DE 07 02 00 01 00 03 00 0F 00 0A 00 31 00 5D 03"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore]
"Type" = "3"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Window_Placement" = "2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionTime" = "C9 E6 6B 20 F2 20 CF 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore]
"Time" = "DE 07 02 00 01 00 03 00 0F 00 0A 00 32 00 5F 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2C 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
"SecuritySafe" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore]
"Count" = "10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore]
"Count" = "10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore]
"LoadTimeArray" = "02 01 00 00 05 00 00 00 04 00 00 00 0B 00 00 00"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Internet Explorer\Recovery\AdminActive]
"{E8FD4643-8CDB-11E3-A7B7-000C29A8BD90}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"
The process IEXPLORE.EXE:2408 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"DeviceID" = "0"
"AdapterInfo" = "vendorId=0x15ad,deviceID=0x405,subSysID=0x40515ad,revision=0x0,version=7.14.1.5025hypervisor=Hypervisor detected (No SLAT)"
"DXFeatureLevel" = "0"
"Wow64-DeviceId" = "0"
"Wow64-SubSysId" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"Wow64-VersionLow" = "0"
"Wow64-VendorId" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"VersionHigh" = "0"
"Wow64-DXFeatureLevel" = "0"
"Wow64-Revision" = "0"
"SubSysId" = "0"
"Wow64-SoftwareFallback" = "0"
"Wow64-VersionHigh" = "0"
"VendorId" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"Revision" = "0"
"VersionLow" = "0"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
A program can register for device notifications with the help of RegisterDeviceNotification. It is then notified when a USB device is plugged in, and the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through MSN Messenger.
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WMIADAP.EXE:2344
%original file name%.exe:1012
IEXPLORE.EXE:800
IEXPLORE.EXE:2408
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\Windows\System32\wbem\Performance\WmiApRpl_new.h (363 bytes)
C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini (924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\ScreenSaverPro.scr (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\temp.bin (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Itiyig.exe (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DF043008CE3228AF66.TMP (3839 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5B66229C-8CE5-11E3-A4E7-000C29A8BD90}.dat (12029 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DFBD1598FF9BFB8D4B.TMP (4415 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5B66229B-8CE5-11E3-A4E7-000C29A8BD90}.dat (12781 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\ScreenSaverPro.scr"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Itiyig" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Itiyig.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.