Trojans: trojan.Win32.Generic.mrw

Risk level: Medium

virus Description

The virus is a Flash memory virus which is compiled using the GCC C-programming, size is 21,054 bytes, the icon is ““, viruses extension “exe”, mainly through the “file bundle”, ” Flash memory disk Autorun”, etc. to spread. The main purpose of the virus is to destroy some features of a computer and infected the user’s flash drive
After the user’s computer was infected, there will be computer and network running Slow, can not open task manager, flash drive auto run programs and other features.

Infection in the operating system

Windows 2000/Windows XP / Windows 2003/Windows Vista / Windows 7

Transmission

Bundle file, web page linked to horse, download software download

Manually removal:

1, manually delete the following files:

% SystemRoot% \ system32 \ windowshelp.exe
U disk directory: \ driverusb.exe
U disk directory: \ autorun.inf

2, manually delete the following Registry:

HKEY-LOCAL-MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run
Name: Windows Help
Data:% SystemRoot% \ system32 \ windowshelp.exe

3, turn off Windows automatic playback function

Variable declaration:

% SystemDriver% system where the partition, usually “C: \”
% SystemRoot% WINDODWS directory, usually “C: \ Windows”
% Documents and Settings% user’s documents directory, usually “C: \ Documents and Settings”
% Temp% temp folder, usually “C: \ Documents and Settings \ current user name \ Local Settings \ Temp”
% ProgramFiles% system program default installation directory, typically: “C: \ ProgramFiles”
Virus

1, find the system directory at first % SystemRoot% \ system32 procedures under the Task Manager taskmgr.exe, there is delete the file, disable windows task manager;
2 copies itself to % SystemRoot% \ system32 directory, and rename it to windowshelp.exe, setting the property to read-only, system, hidden;
3, modify the registry startup items, so windowshelp.exe file and boot from boot;
4, through all removable storage devices, will find the virus copies itself to all flash drive directory, and rename it to dirverusb.exe, set file attributes to read-only, system, hidden;
5, create autorun.inf to all flash drive directory, targeting dirverusb.exe, so dirverusb.exe with flash drive automatically, and set their own property is read-only, system, hidden;
6, when mount the flash drive into the computer, the virus uses the windows  AutoPlay feature to achieve self-starting, running infected computers and other removable disks;

Virus to create the following files:

% SystemRoot% \ system32 \ windowshelp.exe
U disk directory: \ driverusb.exe
U disk directory: \ autorun.inf

Virus delete file:

% SystemRoot% \ system32 \ taskmgr.exe

Virus to create the registry:

HKEY-LOCAL-MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run
Name: Windows Help
Data:% SystemRoot% \ system32 \ windowshelp.exe