Malware type: Worm

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 2000, XP, Server 2003

Encrypted: No

Description:

Trend Micro has received multiple samples of this worm from multiple, independent sources, including customer reports and internal sources. These indicate that this worm poses a high risk to users due to the increased possibility of infection.

To get a one-glance comprehensive view of the behavior of this worm, refer to the Threat Diagram shown below.

WORM_MEYLME.B Behavior Diagram

Malware Overview

This worm arrives via removable drives. It may be downloaded unknowingly by a user when visiting certain malicious Web sites.

When executed, it deletes files. As a result, programs and applications may not run properly. It also deletes registry keys.

It propagates via email. It uses the Messaging Application Programming Interface (MAPI) to send email messages with a copy of itself as an attachment.

It drops copies of itself in all removable drives to propagate via removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

It also drops a copy of itself in network shares using a VB script detected by Trend Micro as VBS_MEYLME.B.

It deletes itself after execution.

Solution:
Important Windows XP Cleaning Instructions

Users running Windows XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Note: To fully remove all associated malware, perform the clean solution for VBS_MEYLME.B.

Identifying the Malware Files

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as WORM_MEYLME.B.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online threat scanner.

Terminating the Malware Process

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager. Press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: If the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Removing Added Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer’s registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>policies>
    Explorer
  3. In the right panel, locate and delete the entry:
    HideSCAHealth = "1"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>policies>
    system
  5. In the right panel, locate and delete the following entries:
    • EnableLUA = "0"
    • EnableVirtualization = "0"
    • PromptOnSecureDesktop = "0"
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>lanmanserver>Shares
  7. In the right panel, locate and delete the following entries:
    • updates = "CSC"
    • Flags = "0"
    • MaxUses = "100"
    • Path = "C:\Windows\system"
    • Permissions = "0"
    • Remark = "Public share for update."
    • Type = "0"
  8. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows NT>CurrentVersion>Image File Execution Options>
    {file}
    Note that {file} refers to the following:

    • _aVP32.ExE
    • _aVPCC.ExE
    • _aVPM.ExE
    • 00hoeav.com
    • 0w.com
    • 360rpt.ExE
    • 360safe.ExE
    • 360safebox.ExE
    • 360tray.ExE
    • 6.bat
    • 6fnlpetp.exe
    • 6x8be16.cmd
    • a2cmd.ExE
    • a2free.ExE
    • a2service.ExE
    • a2upd.ExE
    • abk.bat
    • adobe Gamma Loader.exe
    • algsrvs.exe
    • algssl.exe
    • angry.bat
    • aNtIaRP.ExE
    • antihost.exe
    • anti-trojan.exe
    • aNtS.ExE
    • apu.stt
    • apu-0607g.xml
    • aPVxdWIN.ExE
    • arSwp.ExE
    • ashdisp.exe
    • ashEnhcd.exe
    • ashLogV.exe
    • ashMaiSv.exe
    • ashPopWz.exe
    • ashQuick.exe
    • ashServ.exe
    • ashSkPcc.exe
    • ashUpd.exe
    • ashWebSv.exe
    • ast.ExE
    • aswBoot.exe
    • aswRegSvr.exe
    • aswUpdSv.exe
    • autorun.bin
    • autoRun.ExE
    • autorun.ini
    • autorun.reg
    • autorun.txt
    • autorun.wsh
    • autoRunKiller.ExE
    • autoruns.exe
    • autorunsc.exe
    • avadmin.exe
    • avastSS.exe
    • avcenter.exe
    • avciman.exe
    • avconfig.exe
    • aVCONSOL.ExE
    • aVENGINE.ExE
    • avgamsvr.exe
    • avgas.exe
    • avgcc.exe
    • avgcc32.exe
    • avgemc.exe
    • avginet.exe
    • avgnt.exe
    • avgrssvc.exe
    • avgrsx.exe
    • avgscan.exe
    • avgscanx.exe
    • avgserv.exe
    • avguard.exe
    • avgupsvc.exe
    • avgw.exe
    • avgwdsvc.exe
    • avltd.exe
    • avmailc.exe
    • avMonitor.ExE
    • avnotify.exe
    • avp.com
    • avp.exe
    • aVP32.ExE
    • aVPCC.ExE
    • aVPM.ExE
    • avscan.exe
    • avzkrnl.dll
    • bad1.exe
    • bad2.exe
    • bad3.exe
    • bdagent.exe
    • bdsubwiz.exe
    • BdSurvey.exe
    • BIOSREad.exe
    • blackd.exe
    • blackice.exe
    • caiss.exe
    • caissdt.exe
    • catcache.dat
    • cauninst.exe
    • Cavapp.ExE
    • cavasm.ExE
    • CavaUd.ExE
    • CaVCmd.exe
    • CaVCtx.exe
    • CavEmSrv.ExE
    • Cavmr.ExE
    • CavMUd.ExE
    • Cavoar.ExE
    • CavQ.ExE
    • CaVRep.exe
    • CaVRid.exe
    • CaVSCons.ExE
    • cavse.ExE
    • CavSn.ExE
    • CavSub.ExE
    • CaVSubmit.ExE
    • CavUMaS.ExE
    • CavUserUpd.ExE
    • Cavvl.ExE
    • CCenter.ExE
    • CEmRep.ExE
    • ckahcomm.dll
    • ckahrule.dll
    • ckahum.dll
    • cleaner.exe
    • cleaner3.exe
    • clldr.dll
    • CMain.ExE
    • copy.exe
    • curidsbase.kdz
    • destrukto.vbs
    • dF5Serv.exe
    • diffs.dll
    • drvins32.exe
    • drwadins.exe
    • drweb32w.exe
    • drweb386.exe
    • drwebscd.exe
    • drwebupw.exe
    • drwebwcl.exe
    • drwreg.exe
    • e.cmd
    • e9ehn1m8.com
    • edb.chk
    • egui.exe
    • ekrn.exe
    • EMdISK.exe
    • f0.cmd
    • FileKan.exe
    • flashy.exe
    • FPaVServer.exe
    • FProttray.exe
    • fpscan.exe
    • fptrayproc.exe
    • FPWin.exe
    • FrameworkService.exe
    • Frameworkservice.ExE
    • FRW.ExE
    • FrzState2k.exe
    • fs6519.dll.vbs
    • fssf.exe
    • fssync.dll
    • fun.xls.exe
    • g2pfnid.com
    • GetSI.dll
    • GFUpd.ExE
    • guard.exe
    • GuardField.ExE
    • guardgui.exe
    • guardxkickoff.exe
    • guardxkickoff_x64.exe
    • guardxservice.exe
    • guardxup.exe
    • h3.bat
    • Hijackthis.ExE
    • hookinst.exe
    • host.exe
    • i.bat
    • iamapp.exe
    • iamserv.exe
    • IceSword.ExE
    • ICLOad95.ExE
    • ICLOadNt.ExE
    • ICMON.ExE
    • ICSUPP95.ExE
    • ICSUPPNt.ExE
    • Identity.exe
    • iefqwp.cmd
    • IEShow.exe
    • IFaCE.ExE
    • ij.bat
    • InstallCaVS.ExE
    • InstLsp.ExE
    • Iparmor.ExE
    • iSafe.exe
    • iSafInst.exe
    • KaSaRP.ExE
    • kav.bav
    • kav32.ExE
    • kavbase.kdl
    • KaVPFW.ExE
    • kavstart.ExE
    • ker.vbs
    • KeyMgr.exe
    • killVBS.vbs
    • kissvc.ExE
    • kl1.sys
    • klavemu.kdl
    • klbg.cat
    • klbg.sys
    • klif.cat
    • klif.sys
    • klim5.sys
    • kmailmon.ExE
    • KPfwSvc.ExE
    • KRegEx.ExE
    • KVSrvxP.ExE
    • KVWSC.ExE
    • kwatch.ExE
    • licmgr.ex
    • licreg.exe
    • lky.exe
    • lockdown2000.exe
    • m2nl.bat
    • mbam.exe
    • mcagent.exe
    • mcappins.exe
    • mcaupdate.exe
    • mcdash.exe
    • Mcdetect.exe
    • mcinfo.exe
    • mcinsupd.exe
    • mcmnhdlr.exe
    • mcregwiz.exe
    • McShield.exe
    • Mctray.exe
    • mcupdmgr.exe
    • mcupdui.exe
    • McVSEscn.exe
    • mcvsftsn.exe
    • mcvsmap.exe
    • mghtml.exe
    • Mmsk.ExE
    • MooLive.exe
    • msdos.pif
    • msfir80.exe
    • MSGrc32.vbs
    • msime80.exe
    • msizap.exe
    • msmsgs.exe
    • msvcm80.dll
    • msvcp80.dll
    • msvcr71.dll
    • msvcr80.dll
    • mzvkbd.dll
    • mzvkbd3.dll
    • naiavfin.exe
    • naPrdMgr.exe
    • Navapsvc.ExE
    • NaVaPW32.ExE
    • NaVW32.ExE
    • netcfg.dll
    • new folder.exe
    • njibyekk.com
    • nod32.exe
    • nod32krn.exe
    • nod32kui.exe
    • oasclnt.exe
    • olb1iimw.bat
    • OnaccessInstaller.ExE
    • Pagent.exe
    • Pagentwd.exe
    • PavFnSvr.exe
    • pavprsrv.exe
    • PavReport.exe
    • pavsched.exe
    • PaVSRV51.ExE
    • pavtest.exe
    • pctsauxs.exe
    • pctsSvc.exe
    • pctstray.exe
    • PFW.ExE
    • preupd.exe
    • prloader.dll
    • procexp.exe
    • psctrlc.exe
    • PsCtrlS.exe
    • PSHost.exe
    • PsImSvc.exe
    • pskmssvc.exe
    • QQdoctor.ExE
    • QtnMaint.exe
    • RaV.ExE
    • ravmon.exe
    • Ravservice.ExE
    • RavStub.ExE
    • RaVtRaY.ExE
    • rcukd.cmd
    • reload.exe
    • rescue32.exe
    • rescuecd.zip
    • rfwmain.ExE
    • rfwProxy.ExE
    • rfwsrv.ExE
    • Rfwstub.ExE
    • rose.exe
    • RStray.ExE
    • Runiep.ExE
    • safeboxtray.ExE
    • sal.xls.exe
    • sched.exe
    • SCVHOSt.exe
    • scvhosts.exe
    • SCVHSOt.exe
    • SCVVHOSt.exe
    • scvvhosts.exe
    • SCVVHSOt.exe
    • seccenter.exe
    • SendLogs.exe
    • session.exe
    • shstat.exe
    • Socksa.ex
    • SOLOCFG.exe
    • SOLOLItE.exe
    • SOLOSCaN.exe
    • SOLOSENt.exe
    • Sphinx.exe
    • spidercpl.exe
    • spiderml.exe
    • spidernt.exe
    • spiderui.exe
    • spml_set.exe
    • Spybotsd.exe
    • SREngLdr.ExE
    • ssvichosst.exe
    • sxs.exe
    • system.exe
    • tca.exe
    • temp.exe
    • temp2.exe
    • toy.exe
    • tPSrv.exe
    • trojandetector.ExE
    • trojanwall.ExE
    • trojdie.KxP
    • UdaterUI.exe
    • uiscan.exe
    • unp_test.ExE
    • update.exe
    • updater.dll
    • UPSdbMaker.ExE
    • userdump.exe
    • UUpd.ExE
    • v.exe
    • Vba32act.exe
    • Vba32arkit.exe
    • Vba32ECM.exe
    • Vba32ifs.exe
    • vba32ldr.exe
    • Vba32PP3.exe
    • Vba32Qtn.exe
    • vbcmserv.exe
    • vbcons.exe
    • vbglobal.exe
    • vbimport.exe
    • vbinst.exe
    • vbscan.exe
    • vbsystry.exe
    • VetMsg.exe
    • virusutilities.exe
    • Visthaux.exe
    • VPC32.ExE
    • VPtRaY.ExE
    • VSECOMR.ExE
    • VSHWIN32.ExE
    • vsmon.exe
    • vsserv.exe
    • VSStat.ExE
    • VstskMgr.exe
    • WEBPROxY.ExE
    • WEBSCaNx.ExE
    • whi.com
    • WinGrc32.dll
    • WOPtILItIES.ExE
    • Wradmin.exe
    • WrCtrl.exe
    • wscntfy.exe
    • wsctool.exe
    • yannh.cmd
    • ybj8df.exe
    • zonealarm.exe
  9. In the right panel, locate and delete the entry:
    Debugger = "csrss.exe"

Deleting/Restoring Other Registry Entry

  1. Still in the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows NT>CurrentVersion>Winlogon
  2. In the right panel, locate the entry:
    Shell = "Explorer.exe %Windows%\csrss.exe"
    (Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
  3. Right-click on the value name and choose Modify. Change the value data of this entry to:
    Explorer.exe
  4. Close Registry Editor.

Deleting Malware-created AUTORUN.INF/s

  1. Right-click Start then click Search… or Find…, depending on the version of Windows you are running.
  2. In the Named input box, type:
    AUTORUN.INF
  3. In the Look In drop-down list, select a drive, then press Enter.
  4. Select the file, then open using Notepad.
  5. Check if the following lines are present in the file:
    [AutoRun]
    open=open.exe
    icon=%System%\shell32.dll,8
    action=Open Drive to view files
    shell\open=Open
    shell\open\command=open.exe
    shell\open\default=1

    (Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows 2000 or C:\Windows\System32 on Windows XP and Server 2003.)
  6. If the lines are present, delete the file.
  7. Repeat steps 3 to 6 for AUTORUN.INF files in the remaining removable drives.
  8. Close Search Results.

Deleting the Malware Files

  1. Right-click Start then click Search… or Find…, depending on the version of Windows you are running.
  2. In the Named input box, type:
    %Windows%\csrss.exe
  3. In the Look In drop-down list, select My Computer, then press Enter.
  4. Once located, select the file then press SHIFT+DELETE.
  5. Repeat steps 2 to 4 for the following files:
    • %Windows%\system\updates.exe

Running Trend Micro Antivirus

Scan your computer with Trend Micro antivirus and delete files detected as WORM_MEYLME.B. To do this, Trend Micro customers must download the latest virus pattern file and scan their computers. Other Internet users can use HouseCall, the Trend Micro online threat scanner.

Restoring Deleted or Overwritten Files

The following files, which have been deleted or overwritten by the malware, can be restored from backup by using installers:

  • %System%\drivers\etc\hosts

Restoring Deleted or Overwritten Key

The following registry key, which has been deleted or overwritten by the malware, can be restored from backup by using installers:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv

Disabling the Shared Folders

The sharing of the following folder, which has been shared by the malware, must be disabled:

  • %Windows%\system

Memory resident:  Yes

Size of malware: 290,816 Bytes

Initial samples received on: Sep 9, 2010

Related to: VBS_MEYLME.B

Details:

Arrival Details

This worm arrives via removable drives and network shares. It may be downloaded unknowingly by a user when visiting the following malicious websites:

  • http://{BLOCKED}s.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr

Installation

This worm drops the following copy(ies) of itself:

  • %Windows%\csrss.exe
  • %Windows%\system\updates.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Techniques

This worm modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe %Windows%\csrss.exe"

(Note: The default value data for the said registry entry is Explorer.exe.)

Other System Modifications

This worm creates the following registry key(s)/entry(ies):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\Explorer
HideSCAHealth = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\system
EnableLUA = "0"
EnableVirtualization = "0"
PromptOnSecureDesktop = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\lanmanserver\Shares
updates = "CSC"
Flags = "0"
MaxUses = "100"
Path = "%Windows%\system"
Permissions = "0"
Remark = "Public share for update."
Type = "0"

It deletes the following file(s):

  • %System%\drivers\etc\hosts

It deletes the following registry key(s):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv

(Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It adds the following registry entry(ies) so that a copy of itself is executed when certain files are run:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Image File Execution Options\{file}
Debugger = "csrss.exe"

Note that {file} refers to the same list of file names given in step 8 of the registry cleaning procedure above (Removing Added Entries from the Registry).
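
The registry changes listed under Other System Modifications (the same ones the cleaning procedure earlier on this page removes by hand) can be checked offline against a regedit export. This is an added example, not Trend Micro's code; the .reg text is constructed for the example, and only the key and value names come from the report.

```python
import re
from typing import Dict, List, Tuple

# Key paths named in the report, upper-cased: registry paths are
# case-insensitive and an export's casing may differ from the report's.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS" + "\\"
POL_SYSTEM = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM"
POL_EXPLORER = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER"
SHARES = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LANMANSERVER\SHARES"

# "Name"=data or @=data; names and string data use \" and \\ escapes.
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ/REG_DWORD subset of a regedit export into
    {KEY_PATH: {value_name_lower: data}}.  DWORDs become decimal strings
    so "0"/"1" compare the way the report prints them; other types
    (hex(7): multi-strings etc.) are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue  # hex continuation lines are not needed for these checks
        name = _unescape(m.group(1) or "").lower()
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        keys[current][name] = data
    return keys

def audit(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply the report's indicators; each finding is (kind, detail)."""
    findings: List[Tuple[str, str]] = []
    shell = keys.get(WINLOGON, {}).get("shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon_shell", shell))  # default is Explorer.exe alone
    for path, values in keys.items():
        if path.startswith(IFEO) and "debugger" in values:
            # Any Debugger under IFEO merits review; the worm points it at csrss.exe
            findings.append(("ifeo_debugger", f"{path[len(IFEO):]} -> {values['debugger']}"))
    for name in ("EnableLUA", "EnableVirtualization", "PromptOnSecureDesktop"):
        if keys.get(POL_SYSTEM, {}).get(name.lower()) == "0":
            findings.append(("uac_disabled", name))
    if keys.get(POL_EXPLORER, {}).get("hidescahealth") == "1":
        findings.append(("security_center_hidden", "HideSCAHealth"))
    if "updates" in keys.get(SHARES, {}):
        # The report lists the share's fields (Path, Remark, ...) separately;
        # an export stores them in one multi-string value named after the
        # share, so only the share name is checked here.
        findings.append(("share", "updates"))
    return findings

# Constructed export for the example: a machine showing the report's changes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.ExE]
"Debugger"="csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
"EnableVirtualization"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"HideSCAHealth"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares]
"updates"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,00,00,00,00
'''

if __name__ == "__main__":
    for kind, detail in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{kind:24} {detail}")
```

To check a real machine, export the relevant hives with `regedit /e` and feed the resulting file to `parse_reg_export`.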

Propagation via Email

This worm gathers email addresses from Microsoft Outlook contacts and uses the Messaging Application Programming Interface (MAPI) to send email messages with a link to a copy of itself. The email messages it sends out bear the following details:

Subject: (any of the following)
• Just for you
• Here you have

Message body:
Hello:

This is The Document I told you about,you can find it Here. http://www.{BLOCKED}ocuments.com/library/PDF_Document21.025542010.pdf
Please check it and reply as soon as possible.

Cheers,

It can also gather email addresses from the Yahoo! contacts and uses the SendEmail tool to send an email with the following details:

Subject: hi

Message body:
Hello:

This is The Free Dowload Sex Movies, you can find it Here.

http://www.{BLOCKED}movies.com/library/SEX21.023342010.wmv

Enjoy your time.

Cheers,

It makes use of Gmail as its SMTP server to send the above email using the following user name and password pairs as credentials:

UPass one:

  • SMTPUsername: {BLOCKED}taylor2003
  • SMTPPassword: {BLOCKED}1984

UPass two:

  • SMTPUsername: {BLOCKED}e.brain
  • SMTPPassword: {BLOCKED}fm

Both the links mentioned in these emails lead to http://{BLOCKED}s.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr.

Propagation via Physical/Removable/Floppy Drives

This worm drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed. The said .INF file contains the following strings:

[AutoRun]
open=open.exe
icon=%System%\shell32.dll,8
action=Open Drive to view files
shell\open=Open
shell\open\command=open.exe
shell\open\default=1
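
The AUTORUN.INF contents above are the same lines the cleaning procedure asks the user to look for; the following added example (not code from the report) checks a file for them programmatically. It goes a little beyond the report by flagging any entry that launches a program, not only this worm's. The two sample files are constructed, the first from the lines quoted above.

```python
import configparser
from typing import Dict

# [AutoRun] keys that launch a program directly; shell\<verb>\command keys
# (the report's shell\open\command) are matched by pattern below.
EXEC_KEYS = ("open", "shellexecute")

# The entries quoted in the report; matching all of them is treated as a
# direct hit on this worm's AUTORUN.INF.
MEYLME_B_ENTRIES = {
    "open": "open.exe",
    "shell\\open": "Open",
    "shell\\open\\command": "open.exe",
    "shell\\open\\default": "1",
}

def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [AutoRun] section as {key_lower: value}; {} when the file
    has no such section or is not parseable as INI."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "") for k, v in cp[section].items()}
    return {}

def assess(text: str) -> dict:
    """Classify an AUTORUN.INF: the report's file, any launching entry, or benign."""
    entries = parse_autorun(text)
    launches = {k: v for k, v in entries.items()
                if k in EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))}
    hit = all(entries.get(k, "").lower() == v.lower() for k, v in MEYLME_B_ENTRIES.items())
    verdict = "WORM_MEYLME.B" if hit else ("review" if launches else "benign")
    return {"launches": launches, "verdict": verdict}

# Constructed samples: the first is the file quoted in the report, the
# second a harmless icon/label-only AUTORUN.INF for contrast.
REPORT_AUTORUN = """[AutoRun]
open=open.exe
icon=%System%\\shell32.dll,8
action=Open Drive to view files
shell\\open=Open
shell\\open\\command=open.exe
shell\\open\\default=1
"""
BENIGN_AUTORUN = """[autorun]
icon=drive.ico
label=Backup Disk
"""

if __name__ == "__main__":
    for name, text in (("report", REPORT_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, assess(text))
```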

Propagation via Network Shares

This worm uses a VB script, found in the malware code, to enumerate all the users on the network and drops a copy of itself as N73.Image12.03.2009.JPG.scr or {computer_name} CV 2010.exe in drives C to H.

A copy is also dropped in shared folders, specifically the following:

  • New Folder
  • music
  • print

It forces the %Windows%\system folder to be shared as \\{computer_name}\updates.

The shared folders and drives where the malware drops a copy of itself are enumerated at the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
{number} = "{folder path}"

Trend Micro detects the aforementioned script as VBS_MEYLME.B.

Other Details

This worm stops and deletes the following services related to antivirus applications:

  • Avast! Antivirus
  • aswUpdSv
  • avast! Mail Scanner
  • avast! Web Scanner
  • AntiVirService
  • AntiVirMailGuard
  • AntiVirSchedulerService
  • McShield
  • AntiVirFirewallService
  • NIS
  • MSK80Service
  • 0053591272669638mcinstcleanup
  • mfefire
  • McNASvc
  • Mc0obeSv
  • McMPFSvc
  • McProxy
  • Mc0DS
  • mcmscsvc
  • McAfee SiteAdvisor Service
  • mfevtp
  • Avgfws9
  • AVG Security Toolbar Service
  • avg9wd
  • AVGIDSAgent
  • PAVFNSVR
  • Gwmsrv
  • PSHost
  • PSIMSVC
  • PAVSRV
  • PavPrSrv
  • PskSvcRetail
  • Panda Software Controller
  • TPSrv
  • SfCtlCom
  • TmProxy
  • TMBMServer
  • Arrakis3
  • LIVESRV
  • scan
  • VSSERV
  • sdAuxService
  • sdCoreService
  • AVP

This disables antivirus applications, which in turn renders the affected system unprotected from threats.

It also terminates the following processes if found running in the system:

  • Usbguard.exe
  • CPE17AntiAutoruna.exe
  • outlook.exe

It attempts to access URLs to download files. Based on this worm's code, the files are saved as the following:

  • %System%\SendEmail.dll
  • %Windows%\tryme1.exe
  • %Windows%\ff.exe
  • %Windows%\gc.exe
  • %Windows%\ie.exe
  • %Windows%\im.exe
  • %Windows%\op.exe
  • %Windows%\pspv.exe
  • %Windows%\rd.exe
  • %Windows%\re.exe

These are mostly networking and password utilities.

However, as of this writing, the URLs it attempts to access are inaccessible.

Affected Platforms

This worm runs on Windows 2000, XP, and Server 2003.

Analysis By: Jessa De La Torre

Updated By: Karl Dominguez

Revision History:

Sep 10, 2010 – Modified Malware Report
