Network Worm: Worm.Win32.AutoRun.oor
Risk level: high
Virus symptoms
The sample is a network worm written in Delphi and packed with NsPack in an attempt to evade signature scanning; the packed file is 33,792 bytes and carries an .exe extension. It spreads mainly through bundled files, download tools and removable storage media, and its main purpose is to download a large number of trojans and other malicious programs onto the infected machine.
After infection, the installed security software is shut down for no apparent reason, network performance becomes slow, the machine can no longer boot into Safe Mode, and Windows reports unexplained errors.
Affected operating systems
Windows 2000 / Windows XP / Windows 2003
Transmission
Web trojans, bundled files, download managers
Manual Solution:
1. Manually delete the following files:
%Temp%\dll8.Tmp
%SystemRoot%\system32\isb.Ini
X:\GRIL.PIF
X:\AutoRun.inf (X: is any disk drive letter, removable drives included)
Also check for %SystemRoot%\Fonts\isnsts.VBS, which the worm creates but does not remove itself (see the file lists below).
2. Manually replace the following file:
Copy %SystemRoot%\system32\dllcache\linkinfo.dll over %SystemRoot%\system32\linkinfo.dll. Note that the dllcache copy also appears in the list of files the worm creates (below), so do not trust it blindly: compare it against a known-good copy (for example one expanded from linkinfo.dl_ in the i386 folder of the Windows installation media) before using it.
3. Manually delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[Security Software]
(An IFEO hijack works by setting a Debugger value under a subkey named after the target executable, so look for a subkey named after the executable of the installed security software; this is how the worm keeps it from starting.)
4. Manually modify the following registry value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Value: CheckedValue
Type: REG_DWORD
Data: 1
(This restores the "Show hidden files and folders" option in Explorer, which the worm disables so that its files stay hidden.)
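The steps above collected into one script. This is an added example, not part of the original advisory or of any vendor's removal tool: a cmd.exe batch file for Windows 2000/XP/2003 that only uses the reg.exe, sc.exe, attrib, del, expand and fc commands that ship with those systems. The file names, registry keys and service names come from this page (including the created-files and service lists further down). Three things are my assumptions or additions, marked as such in the comments: the SafeBoot default value "DiskDrive", the WINSRC variable pointing at the i386 folder of installation media, and the removal of the worm's three services.

```batch
@echo off
rem Added example, not from the advisory: audit and clean-up for
rem Worm.Win32.AutoRun.oor. Run from an Administrator cmd.exe, read the
rem output, then reboot. A:/B: are skipped to avoid floppy-drive prompts.
setlocal
set "IFEO=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
set "SHOWALL=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
set "SAFEBOOT=HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
set "DISKCLASS={4D36E967-E325-11CE-BFC1-08002BE10318}"
rem Assumption: i386 folder of the Windows installation media; adjust as needed.
if not defined WINSRC set "WINSRC=D:\i386"

echo === 1. Dropped files (advisory step 1 plus its created-files list) ===
for %%f in (
    "%Temp%\dll8.Tmp"
    "%Temp%\Temp\dll8.Tmp"
    "%SystemRoot%\system32\isb.Ini"
    "%SystemRoot%\Fonts\isnsts.VBS"
    "%SystemRoot%\Fonts\bsv.VBS"
    "%SystemRoot%\Fonts\safeg.Sys"
    "%SystemRoot%\Fonts\lvbasb.Sys"
    "%SystemRoot%\lubb.Fon"
    "%SystemDrive%\sam.Dll"
) do call :killfile %%f

echo === 2. AutoRun.inf and GRIL.PIF on every drive (X: is any drive) ===
for %%d in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if exist "%%d:\AutoRun.inf" (
        echo --- %%d:\AutoRun.inf contents:
        type "%%d:\AutoRun.inf"
        call :killfile "%%d:\AutoRun.inf"
    )
    if exist "%%d:\GRIL.PIF" call :killfile "%%d:\GRIL.PIF"
)

echo === 3. IFEO hijacks (advisory step 3) ===
rem A hijack is a Debugger value under a subkey named after the target exe.
rem Legitimate Debugger entries are rare on a workstation. Review every hit
rem and remove the hijacked product's subkey by hand:
rem    reg delete "%IFEO%\[hijacked.exe]" /f
reg query "%IFEO%" /s /v Debugger

echo === 4. Services the worm registers (addition, taken from the registry list) ===
for %%s in (safeg lubb lvbasb) do (
    sc query %%s >nul 2>&1 && (
        echo removing service %%s
        sc stop %%s >nul 2>&1
        sc delete %%s
    )
)

echo === 5. Restore "show hidden files" (advisory step 4) ===
reg add "%SHOWALL%" /v CheckedValue /t REG_DWORD /d 1 /f

echo === 6. Safe Mode keys the worm deletes (not in the advisory's steps) ===
rem Assumption: on a clean Windows XP install the (Default) value of these
rem keys is the REG_SZ "DiskDrive"; confirm on a known-good machine first.
for %%k in (Minimal Network) do (
    reg query "%SAFEBOOT%\%%k\%DISKCLASS%" >nul 2>&1 || (
        echo re-creating %SAFEBOOT%\%%k\%DISKCLASS%
        reg add "%SAFEBOOT%\%%k\%DISKCLASS%" /ve /t REG_SZ /d DiskDrive /f
    )
)

echo === 7. linkinfo.dll (advisory step 2) ===
rem The advisory lists the dllcache copy among the worm's own files, so do not
rem copy it over system32 unchecked. Compare both with a copy from the media;
rem if fc reports differences, replace system32\linkinfo.dll from the expanded
rem known-good copy (from Safe Mode or the Recovery Console, as it is in use).
if exist "%WINSRC%\linkinfo.dl_" (
    expand "%WINSRC%\linkinfo.dl_" "%Temp%\linkinfo.known-good.dll" >nul
    fc /b "%Temp%\linkinfo.known-good.dll" "%SystemRoot%\system32\linkinfo.dll"
    fc /b "%Temp%\linkinfo.known-good.dll" "%SystemRoot%\system32\dllcache\linkinfo.dll"
) else (
    echo no linkinfo.dl_ under WINSRC=%WINSRC%; compare linkinfo.dll by hand
    dir /a "%SystemRoot%\system32\linkinfo.dll" "%SystemRoot%\system32\dllcache\linkinfo.dll"
)
endlocal
goto :eof

:killfile
rem Strip hidden/system/read-only attributes, then delete. A folder named
rem AutoRun.inf is a common immunisation trick, not the worm, so leave it.
if not exist "%~1" goto :eof
if exist "%~1\" (
    echo %~1 is a folder, left alone
    goto :eof
)
attrib -h -s -r "%~1"
del /f /q "%~1"
if exist "%~1" (echo FAILED to delete %~1) else (echo deleted %~1)
goto :eof
```

Run it once, read the output of steps 3 and 7 (they only report; the decisions there are left to the analyst), then reboot and run it a second time to confirm that nothing reappears. Anything that does come back points at a component the advisory does not list.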
Variable declarations:
%SystemDrive%: the partition holding the operating system, typically "C:\"
%SystemRoot%: the Windows directory, usually "C:\Windows"
%Documents and Settings%: the user profile directory, usually "C:\Documents and Settings"
%Temp%: the temporary folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"
%ProgramFiles%: the default program installation directory, typically "C:\Program Files"
Files created by the worm:
%SystemDrive%\sam.Dll
%SystemRoot%\Fonts\isnsts.VBS
%Temp%\Temp\dll8.Tmp
%SystemRoot%\system32\isb.Ini
%SystemRoot%\system32\dllcache\linkinfo.Dll
%SystemRoot%\fonts\safeg.Sys
%SystemRoot%\lubb.Fon
%SystemRoot%\fonts\lvbasb.Sys
X:\GRIL.PIF
X:\AutoRun.inf (X: is any drive letter)
Files modified by the worm:
%SystemRoot%\system32\linkinfo.Dll
Files deleted by the worm:
%SystemDrive%\sam.Dll
%SystemRoot%\Fonts\bsv.VBS
%SystemRoot%\fonts\safeg.Sys
%SystemRoot%\lubb.Fon
%SystemRoot%\fonts\lvbasb.Sys
(safeg.Sys, lubb.Fon and lvbasb.Sys share their names with the three services the worm registers, listed below; the worm removes these files from disk once the services are in place, so their absence does not mean the services are gone.)
Registry keys created by the worm:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\safeg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lubb
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lvbasb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[all hijacked programs]
Registry values modified by the worm:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Registry keys deleted by the worm:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
(These are the SafeBoot entries for the disk drive device class; without them Windows cannot start in Safe Mode, which is the "cannot boot into Safe Mode" symptom described above. The manual steps do not re-create them, so restore them from a known-good machine.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[Security Software]
Network connections made by the worm:
http://wind**.ch.ma/dd.txt (host name partially masked)