Worm.Win32.Mabezat_7b303f475b
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan.Win32.IEDummy.FD, Worm.Win32.Mabezat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 7b303f475b3f95c66d6c27405b1de2d3
SHA1: 4e3f53f46a13de7a4c104b45fa0e2ac643cbd98e
SHA256: 239ac3538120147f67e2af9327afe6e105b35479ee26fbf98863d788e5bcc985
SSDeep: 6144:t/0uo7DuOuNv7tlf 31E9caWtbyeLJKlxuKLWA5y2bp7ar2kJnqzg2z6nF5kr7/I:tJw2NvDfqE9cdRLJKP5028r2kJQU
Size: 449024 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2008-04-13 21:32:45
Summary:
Worm. A program that primarily replicates over networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
tazebama.dl_:2120
Pluguin.exe:1736
7b303f475b3f95c66d6c27405b1de2d3.exe:412
server.exe:1308
The Worm injects its code into the following process(es):
tazebama.dl_:612
REGIST~1.EXE:1796
iexplore.exe:1060
File activity
The process tazebama.dl_:612 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
%System%\freecell.exe (8372 bytes)
D:\plugins\process\Make Windows Original.exe (3597 bytes)
D:\plugins\import\RCX6.tmp (22780 bytes)
%Program Files%\Wireshark\WIRESHARK.EXE (6756 bytes)
%System%\mobsync.exe (9520 bytes)
C:\totalcmd\TCUNINST.EXE (5028 bytes)
%WinDir%\pchealth\helpctr\binaries\msconfig.exe (8395 bytes)
D:\1.taz (6507 bytes)
%System%\sol.exe (7654 bytes)
%System%\sndrec32.exe (3587 bytes)
%Program Files%\Java\jre6\bin\javaws.exe (4565 bytes)
%Program Files%\WinPcap\Uninstall.exe (6028 bytes)
D:\plugins\process\RCX7.tmp (204596 bytes)
%Program Files%\Messenger\msmsgs.exe (10214 bytes)
%System%\mstsc.exe (6794 bytes)
%System%\Restore\rstrui.exe (4752 bytes)
%Program Files%\Windows NT\Pinball\pinball.exe (8942 bytes)
D:\DISABLEJAVAWARNSEC.EXE (8360 bytes)
%Program Files%\Windows NT\Pinball\PINBALL.EXE (8942 bytes)
D:\plugins\import\import .exe (6177 bytes)
%System%\mspaint.exe (8115 bytes)
%WinDir%\pchealth\helpctr\binaries\HelpCtr.exe (7217 bytes)
%Program Files%\Outlook Express\wab.exe (13790 bytes)
%Program Files%\Windows NT\dialer.exe (7613 bytes)
%System%\sndvol32.exe (5977 bytes)
%System%\charmap.exe (6014 bytes)
D:\RCX1.tmp (204596 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\ADBERDR950_EN_US.EXE (7859 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (2958 bytes)
D:\plugins\import\RCX5.tmp (204596 bytes)
%System%\narrator.exe (11588 bytes)
D:\plugins\WinrRarSerialInstall.exe (3627 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\RCX2.tmp (203804 bytes)
%System%\magnify.exe (10526 bytes)
%Program Files%\Outlook Express\msimn.exe (11260 bytes)
C:\zPharaoh.exe (6057 bytes)
%System%\odbcad32.exe (6508 bytes)
%Documents and Settings%\%current user%\Application Data\tazebama\zPharaoh.dat (889 bytes)
%Program Files%\Outlook Express\wabmig.exe (8118 bytes)
D:\plugins\plugins .exe (4227 bytes)
%System%\notepad.exe (16796 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (4935 bytes)
%System%\mshearts.exe (8916 bytes)
C:\1.taz (6507 bytes)
%Program Files%\Windows Media Player\wmplayer.exe (11474 bytes)
D:\plugins\process\process .exe (3837 bytes)
C:\totalcmd\TOTALCMD.EXE (11553 bytes)
\\XP6\PIPE\srvsvc (72 bytes)
\\MAS\PIPE\srvsvc (72 bytes)
%Program Files%\NetMeeting\conf.exe (1340 bytes)
%System%\winmine.exe (6694 bytes)
%Program Files%\MSN\MSNCoreFiles\Install\msnsusii.exe (5278 bytes)
D:\zPharaoh.exe (3867 bytes)
D:\plugins\import\NokiaN73Tools.exe (4347 bytes)
%System%\osk.exe (10844 bytes)
%Program Files%\Windows NT\Accessories\wordpad.exe (3825 bytes)
%System%\ntbackup.exe (3474 bytes)
D:\plugins\process\RCX8.tmp (297732 bytes)
%System%\spider.exe (4518 bytes)
%System%\calc.exe (5761 bytes)
%Program Files%\Movie Maker\moviemk.exe (16062 bytes)
D:\plugins\RCX4.tmp (259356 bytes)
D:\plugins\RCX3.tmp (204596 bytes)
The Worm deletes the following file(s):
D:\plugins\process\Make Windows Original.exe (0 bytes)
D:\plugins\WinrRarSerialInstall.exe (0 bytes)
C:\zPharaoh.exe (0 bytes)
D:\zPharaoh.exe (0 bytes)
D:\autorun.inf (0 bytes)
D:\plugins\plugins .exe (0 bytes)
C:\autorun.inf (0 bytes)
D:\plugins\import\import .exe (0 bytes)
D:\plugins\process\process .exe (0 bytes)
D:\plugins\import\NokiaN73Tools.exe (0 bytes)
The process REGIST~1.EXE:1796 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\tazebama.dll (32 bytes)
%Documents and Settings%\hook.dl_ (2783 bytes)
%Documents and Settings%\tazebama.dl_ (2783 bytes)
The process 7b303f475b3f95c66d6c27405b1de2d3.exe:412 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\server.exe (5128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\REGIST~1.EXE (5284 bytes)
The process server.exe:1308 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
%System%\Microsoft\Pluguin.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (227 bytes)
The process iexplore.exe:1060 makes changes to the file system.
The Worm creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (14104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (32 bytes)
%Documents and Settings%\%current user%\Application Data\logs.dat (15 bytes)
The Worm deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\server.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (0 bytes)
Registry activity
The process tazebama.dl_:612 makes changes to the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 E5 E9 67 FD B1 91 72 24 E3 05 37 4F 4A 82 E3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"
The process tazebama.dl_:2120 makes changes to the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 D7 44 C1 9D 8D 34 34 56 5C 97 C1 19 EB 94 1A"
The process REGIST~1.EXE:1796 makes changes to the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 38 BC A5 13 DC 9C 13 BF 43 62 DB 3B 1F BF CE"
The process Pluguin.exe:1736 makes changes to the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 3F 5A 0E 70 C7 6B CB D7 44 45 9A B9 81 A8 9E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process 7b303f475b3f95c66d6c27405b1de2d3.exe:412 makes changes to the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 4D FD BE 86 31 46 67 C0 AA 5F 6E 68 98 F7 8B"
To run itself automatically each time Windows boots, the Worm adds the following link to its file in the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The process server.exe:1308 makes changes to the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D F3 BA 9D 13 E8 37 5C D1 5D 2B 8B 61 91 68 E4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies" = "%System%\Microsoft\Pluguin.exe"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{54KA0532-877C-JH6X-5I5C-T2J358F0CL6I}]
"StubPath" = "%System%\Microsoft\Pluguin.exe Restart"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Policies" = "%System%\Microsoft\Pluguin.exe"
To run itself automatically each time Windows boots, the Worm adds the following link to its file in the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Avgnt" = "%System%\Microsoft\Pluguin.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Avirnt" = "%System%\Microsoft\Pluguin.exe"
The process iexplore.exe:1060 makes changes to the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 D1 96 46 DE 79 F9 5B 4F 4F CA FC 86 FC 66 EB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Lammer]
"FirstExecution" = "08/10/2013 -- 14:16"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%\Microsoft]
"Pluguin.exe" = "Pluguin"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Lammer]
"NewIdentification" = "Lammer"
The Worm modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Worm modifies IE security zone settings to map all local sites without dots that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Worm modifies IE security zone settings to map all sites that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Network activity (URLs)
No activity has been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
tazebama.dl_:2120
Pluguin.exe:1736
7b303f475b3f95c66d6c27405b1de2d3.exe:412
server.exe:1308
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%System%\freecell.exe (8372 bytes)
D:\plugins\process\Make Windows Original.exe (3597 bytes)
D:\plugins\import\RCX6.tmp (22780 bytes)
%Program Files%\Wireshark\WIRESHARK.EXE (6756 bytes)
%System%\mobsync.exe (9520 bytes)
C:\totalcmd\TCUNINST.EXE (5028 bytes)
%WinDir%\pchealth\helpctr\binaries\msconfig.exe (8395 bytes)
D:\1.taz (6507 bytes)
%System%\sol.exe (7654 bytes)
%System%\sndrec32.exe (3587 bytes)
%Program Files%\Java\jre6\bin\javaws.exe (4565 bytes)
%Program Files%\WinPcap\Uninstall.exe (6028 bytes)
D:\plugins\process\RCX7.tmp (204596 bytes)
%Program Files%\Messenger\msmsgs.exe (10214 bytes)
%System%\mstsc.exe (6794 bytes)
%System%\Restore\rstrui.exe (4752 bytes)
D:\wincheck.exe (9172 bytes)
%Program Files%\Windows NT\Pinball\pinball.exe (8942 bytes)
D:\DISABLEJAVAWARNSEC.EXE (8360 bytes)
%Program Files%\Windows NT\Pinball\PINBALL.EXE (8942 bytes)
D:\plugins\import\import .exe (6177 bytes)
%System%\mspaint.exe (8115 bytes)
%WinDir%\pchealth\helpctr\binaries\HelpCtr.exe (7217 bytes)
%Program Files%\Outlook Express\wab.exe (13790 bytes)
%Program Files%\Windows NT\dialer.exe (7613 bytes)
%System%\sndvol32.exe (5977 bytes)
%System%\charmap.exe (6014 bytes)
D:\RCX1.tmp (204596 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\ADBERDR950_EN_US.EXE (7859 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (2958 bytes)
D:\plugins\import\RCX5.tmp (204596 bytes)
%System%\narrator.exe (11588 bytes)
D:\plugins\WinrRarSerialInstall.exe (3627 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\RCX2.tmp (203804 bytes)
%System%\magnify.exe (10526 bytes)
%Program Files%\Outlook Express\msimn.exe (11260 bytes)
C:\zPharaoh.exe (6057 bytes)
%System%\odbcad32.exe (6508 bytes)
%Documents and Settings%\%current user%\Application Data\tazebama\zPharaoh.dat (889 bytes)
%Program Files%\Outlook Express\wabmig.exe (8118 bytes)
D:\plugins\plugins .exe (4227 bytes)
%System%\notepad.exe (16796 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (4935 bytes)
%System%\mshearts.exe (8916 bytes)
C:\1.taz (6507 bytes)
%Program Files%\Windows Media Player\wmplayer.exe (11474 bytes)
D:\plugins\process\process .exe (3837 bytes)
C:\totalcmd\TOTALCMD.EXE (11553 bytes)
\\XP6\PIPE\srvsvc (72 bytes)
\\MAS\PIPE\srvsvc (72 bytes)
%Program Files%\NetMeeting\conf.exe (1340 bytes)
%System%\winmine.exe (6694 bytes)
%Program Files%\MSN\MSNCoreFiles\Install\msnsusii.exe (5278 bytes)
D:\zPharaoh.exe (3867 bytes)
D:\plugins\import\NokiaN73Tools.exe (4347 bytes)
%System%\osk.exe (10844 bytes)
%Program Files%\Windows NT\Accessories\wordpad.exe (3825 bytes)
%System%\ntbackup.exe (3474 bytes)
D:\plugins\process\RCX8.tmp (297732 bytes)
%System%\spider.exe (4518 bytes)
%System%\calc.exe (5761 bytes)
%Program Files%\Movie Maker\moviemk.exe (16062 bytes)
D:\plugins\RCX4.tmp (259356 bytes)
D:\plugins\RCX3.tmp (204596 bytes)
%Documents and Settings%\tazebama.dll (32 bytes)
%Documents and Settings%\hook.dl_ (2783 bytes)
%Documents and Settings%\tazebama.dl_ (2783 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\server.exe (5128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\REGIST~1.EXE (5284 bytes)
%System%\Microsoft\Pluguin.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxX.xXx (14104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UuU.uUu (32 bytes)
%Documents and Settings%\%current user%\Application Data\logs.dat (15 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Avgnt" = "%System%\Microsoft\Pluguin.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Avirnt" = "%System%\Microsoft\Pluguin.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.