Worm.Win32.Dorkbot_f9a4519e02
Gen:Variant.Graftor.121091 (BitDefender), Worm:Win32/Dorkbot.I (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Agent.adgv (v) (VIPRE), BackDoor.IRC.NgrBot.42 (DrWeb), Gen:Variant.Graftor.121091 (B) (Emsisoft), Artemis!F9A4519E02C2 (McAfee), Suspicious.Mystic (Symantec), Trojan.Win32.Loktrom (Ikarus), Gen:Variant.Graftor.121091 (FSecure), Inject.BZVA (AVG), Win32:Vitro (Avast), TROJ_GEN.R021C0DKA13 (TrendMicro), Backdoor.Win32.Farfli.FD, Worm.Win32.Dorkbot.FD, mzpefinder_pcap_file.YR, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericDownloader.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Backdoor, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: f9a4519e02c2577673d711a7f6962d16
SHA1: 289c05fd5560e3c5f82253caa56f6f804dcbc3ff
SHA256: 0716eaecb2fea414ad15e1f1f67a58be87314e6ed214277678d4c88646f76f4f
SSDeep: 1536:yXcxTLIUH22hNPkxEY0nbe6i4YrJENmjIDCJDGYygwtHZRzoeJPIHYZ0gr4OOUkS:yRUB9kxEY0beD4YbUGQYqXz/PIHjMRSu
Size: 153088 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Frsera
Created at: 2007-03-21 10:15:03
Summary:
Worm. A program that is primarily replicating on networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
| MSNWorm | A worm can spread its copies through the MSN Messanger. |
| DNSBlocker | A program can block designated DNS servers for making it difficult for users to locate specific domains or web sites on the Internet. |
| UDPFlooder | This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host. |
| SYNFlooder | This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
| Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
| USBInfector | A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer. |
Process activity
The Worm creates the following process(es):
mspaint.exe:3040
1.exe:3180
notepad.exe:2792
charmap.exe:3928
%original file name%.exe:2656
%original file name%.exe:2744
wipmania.com:4056
wipmania.com:764
wipmania.com:1376
2.exe:3624
2.exe:3256
2.exe:3344
The Worm injects its code into the following process(es):
ctfmon.exe:252
mspaint.exe:2068
1.exe:3356
notepad.exe:1556
charmap.exe:2280
charmap.exe:2504
File activity
The process mspaint.exe:2068 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\1.exe (115 bytes)
%Documents and Settings%\%current user%\Application Data\2.exe (235 bytes)
%Documents and Settings%\%current user%\Application Data\Identities\Gpwiwo.exe (1281 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\wipmania.com (0 bytes)
%Documents and Settings%\%current user%\Application Data\2.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\1.tmp (0 bytes)
The process mspaint.exe:3040 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Cqwiwk.exe (673 bytes)
The Worm deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process 1.exe:3356 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5181719\enowpea40.exe (601 bytes)
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5181719\Desktop.ini (63 bytes)
The process notepad.exe:1556 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\c731200 (9 bytes)
The process %original file name%.exe:2656 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wipmania.com (28360 bytes)
%Documents and Settings%\%current user%\Application Data\temp.bin (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\n[1].api (34495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\wipmania.com (0 bytes)
The process wipmania.com:764 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\c731200 (1281 bytes)
The process 2.exe:3624 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\c731200 (1281 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\c731200 (0 bytes)
Registry activity
The process ctfmon.exe:252 makes changes in the system registry.
The Worm deletes the following value(s) in system registry:
The Worm disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
The process mspaint.exe:2068 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 E7 A0 5B F5 A7 1F 6A 33 67 A5 DD 40 DB 20 89"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 01 00 00 00 00 00 00 00"
The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Gpwiwo" = "%Documents and Settings%\%current user%\Application Data\Identities\Gpwiwo.exe"
The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process mspaint.exe:3040 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A C6 2A 2B 96 25 4B 05 64 86 E9 12 39 F1 DE 69"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"
The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Cqwiwk" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Cqwiwk.exe"
The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 1.exe:3356 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 3E 28 72 6F D6 05 11 AE E5 9E 4E 3F 3B 42 5C"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Taskman" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5181719\enowpea40.exe"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"enowpea4" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5181719\enowpea40.exe"
The Worm adds the reference to itself to be executed when a user logs on:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5181719\enowpea40.exe"
The process 1.exe:3180 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 69 EB 9F 65 71 A5 F5 81 C3 0B 94 79 7E B0 B7"
The process notepad.exe:2792 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 49 FC 7B 2F 7F B5 89 1F 2C 4C 4D BB 11 50 49"
The process notepad.exe:1556 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 45 96 3C 4C 73 F9 EF 3A F0 ED AB 8A 45 1B 6A"
The process charmap.exe:2280 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 20 C9 AB 7A FB 48 80 49 56 5D F5 F4 D3 C3 39"
The process charmap.exe:3928 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C EE 39 60 73 BC 39 CA DA B1 45 F9 A6 15 3E 50"
The process charmap.exe:2504 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A D5 64 51 CE C4 D6 43 AE 7C D7 DF 02 77 E9 2A"
The process %original file name%.exe:2656 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"wipmania.com" = "wipmania"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 0C 5C 03 20 76 09 E7 87 26 C0 0A 0B 8C 5A 22"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:2744 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 EF 45 91 BA C6 19 4D B6 82 3E F6 91 74 E1 CA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process wipmania.com:4056 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA E3 28 EC 36 B6 F5 C0 00 AA 22 CE 9A 53 06 C2"
The process wipmania.com:764 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 6E 99 0D 6F 59 D9 03 64 BE 8C 32 3A FE 46 7A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process wipmania.com:1376 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D CA 86 69 7D 61 0B 71 6B 0E 3F B0 6F 4D 73 93"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process 2.exe:3624 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 94 02 30 B2 80 62 55 4F D2 47 D0 84 AE 6C 8D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process 2.exe:3256 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 4C CA DA F1 5D C5 2A 48 1A 78 ED 82 2D 3B 0B"
The process 2.exe:3344 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 45 89 C6 F9 55 E5 61 25 AA CA 7C D3 15 D9 5E"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://api.wipmania.com.stcus.ru/icon/n.api (Malicious) |  69.197.137.58 |
| hxxp://api.wipmania.com/ (ET POLICY External IP Lookup Attempt To Wipmania ) |  |
| hxxp://194.140.237.48/33000.exe (Malicious) |  |
| hxxp://205.208.153.79/6541.exe (Malicious) | |
| a.a411000.com |  58.253.72.36 |
| v.k211132.com |  Unresolvable |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Worm installs the following user-mode hooks in urlmon.dll:
URLDownloadToFileA
URLDownloadToFileW
The Worm installs the following user-mode hooks in WININET.dll:
InternetWriteFile
HttpSendRequestA
HttpSendRequestW
The Worm installs the following user-mode hooks in dnsapi.dll:
DnsQuery_A
DnsQuery_W
The Worm installs the following user-mode hooks in WS2_32.dll:
send
GetAddrInfoW
The Worm installs the following user-mode hooks in kernel32.dll:
MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA
The Worm installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtResumeThread
ZwQueryDirectoryFile
ZwEnumerateValueKey
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through the MSN Messanger.
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mspaint.exe:3040
1.exe:3180
notepad.exe:2792
charmap.exe:3928
%original file name%.exe:2656
%original file name%.exe:2744
wipmania.com:4056
wipmania.com:764
wipmania.com:1376
2.exe:3624
2.exe:3256
2.exe:3344 - Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Documents and Settings%\%current user%\Application Data\1.exe (115 bytes)
%Documents and Settings%\%current user%\Application Data\2.exe (235 bytes)
%Documents and Settings%\%current user%\Application Data\Identities\Gpwiwo.exe (1281 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Cqwiwk.exe (673 bytes)
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5181719\enowpea40.exe (601 bytes)
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5181719\Desktop.ini (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c731200 (9 bytes)
%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wipmania.com (28360 bytes)
%Documents and Settings%\%current user%\Application Data\temp.bin (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\n[1].api (34495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\c731200 (1281 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Gpwiwo" = "%Documents and Settings%\%current user%\Application Data\Identities\Gpwiwo.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Cqwiwk" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Cqwiwk.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"enowpea4" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5181719\enowpea40.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr" - Remove the references to the Worm by modifying the following registry value(s) (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-5181719\enowpea40.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
