Saturday 28 November 2009

○ Removing HD1.exe Virus

Hello, I decided to write something about this based on the information I could find available at the time.

From what I have been seeing recently, this virus spreads mostly from USB pens, on operating systems that have the AutoRun feature turned on for USB removable devices (disabling AutoRun for removable drives is the single change that stops this whole class of infection).

It starts by:

1- writing a file named autorun.inf on your USB pendrive with the following content (the mixed case is deliberate: Windows reads .inf keys case-insensitively, so it changes nothing for AutoRun and only defeats crude case-sensitive string matching):

[autorun]
OPeN=rEcYClEr\sEtUp32.exe
IcON=%wIndIr%\sYstEm32\ShElL32.DlL,7
ACtION=Open USB
sHeLl\OpEN=oPEn
sHeLl\OpEN\cOMMaND=ReCyClER\sEtUp.exe
sHeLl\OpEN\deFaULt=1

It then writes the following registry value. Windows starts whatever program this value names in place of Task Manager (Ctrl+Shift+Esc), so the virus is relaunched every time the user opens it:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Taskman"="C:\RECYCLER\S-{Numbers}\hd1.exe"

or

"Taskman"="E:\\hd1.exe"

depending on where you ran the virus file setup32.exe from (the copy under RECYCLER on the hard disk, or directly from the USB pen, E: here).


{Numbers} is the SID (security identifier) of a user account on your machine; RECYCLER keeps one S-... subfolder per user. You may have more than one such folder if more than one user has used the machine, so you may have more than one hd1.exe file.
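The autorun.inf above is read by Windows case-insensitively, so the obfuscated key names are harmless to AutoRun and only fool naive string matching. The following PowerShell script is an added example, not code from the original post: it parses an autorun.inf the way Windows does (normalising the key names) and reports which executables the file would launch. The sample text is the autorun.inf quoted above, embedded as a constructed string so the function can be tried without an infected USB stick; the last loop then checks every removable drive currently attached. The function and variable names are my own.

```powershell
# Added example (not from the original post): parse an autorun.inf case-
# insensitively and list the executables it would launch.
# $SampleAutorun is the autorun.inf quoted in the post, embedded here as a
# constructed string for testing.
$SampleAutorun = @"
[autorun]
OPeN=rEcYClEr\sEtUp32.exe
IcON=%wIndIr%\sYstEm32\ShElL32.DlL,7
ACtION=Open USB
sHeLl\OpEN=oPEn
sHeLl\OpEN\cOMMaND=ReCyClER\sEtUp.exe
sHeLl\OpEN\deFaULt=1
"@

function ConvertFrom-AutorunInf {
    param([string]$Text)
    # INI keys are case-insensitive to Windows, so normalise them to lower case;
    # the mixed case in the sample only defeats case-sensitive string matching.
    $keys = @{}
    $inSection = $false
    foreach ($line in $Text -split "`r?`n") {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection) { continue }
        $idx = $line.IndexOf('=')
        if ($idx -lt 1) { continue }
        $keys[$line.Substring(0, $idx).Trim().ToLowerInvariant()] = $line.Substring($idx + 1).Trim()
    }
    return $keys
}

function Get-AutorunTargets {
    param([string]$Text)
    $keys = ConvertFrom-AutorunInf $Text
    # Keys that can launch a program: open, shellexecute and shell\<verb>\command.
    # Icon, label and action only change what the AutoPlay dialog shows.
    $targets = @()
    foreach ($name in $keys.Keys) {
        if ($name -eq 'open' -or $name -eq 'shellexecute' -or $name -match '^shell\\[^\\]+\\command$') {
            $targets += [pscustomobject]@{ Key = $name; Target = $keys[$name] }
        }
    }
    return $targets
}

# On the sample this reports open -> rEcYClEr\sEtUp32.exe and
# shell\open\command -> ReCyClER\sEtUp.exe.
'Sample autorun.inf:'
Get-AutorunTargets $SampleAutorun | Format-Table -AutoSize

# Then every removable drive (DriveType 2) that currently carries an autorun.inf.
foreach ($drive in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2') {
    $path = Join-Path $drive.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $path) {
        # -Force is needed because the malware marks the file hidden+system.
        $content = Get-Content -LiteralPath $path -Force | Out-String
        "$path :"
        Get-AutorunTargets $content | Format-Table -AutoSize
    }
}
```

Any target that points into a RECYCLER folder on a removable drive is a red flag: a legitimate pen drive has no reason to carry a Recycle Bin executable, and a legitimate autorun.inf does not hide its keys behind random capitalisation.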


To manually remove the virus:

1. Delete that "Taskman" value from the registry key above.
2. Manually delete the hd1.exe files from the C:\RECYCLER folder.
2a. From a command prompt inside the RECYCLER folder, "dir /s /a hd1.exe" shows how many hd1.exe files you have (the /a is needed because they are hidden and system files).
2b. Use "attrib -S -H -R" on the hd1.exe and Desktop.ini files the virus dropped before deleting them, otherwise the delete is refused.
2c. You may have to terminate the explorer.exe process in Task Manager to delete the file successfully, because explorer.exe keeps it open. If you still can't delete it even after using attrib, boot into the Windows Recovery Console or any other bootable disk with full NTFS support, for instance Hiren's Boot CD, and delete it from there.

The USB pen that carried the infection still holds the autorun.inf and RECYCLER\setup32.exe described above; delete those too, with the same attrib trick, or the next machine it is plugged into with AutoRun enabled gets infected again.
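The steps above as a script, added here as an example (it is not from the original post). It is meant to be run from an elevated PowerShell prompt on the infected machine and assumes exactly what the post describes: hd1.exe copies under <drive>:\RECYCLER and the Winlogon Taskman value as the only persistence. It does a dry run by default and only deletes when -WhatIf is dropped; it deliberately leaves Desktop.ini alone, because every RECYCLER SID folder has a legitimate hidden Desktop.ini of its own.

```powershell
# Added example (not from the original post): steps 1 to 2c as a script.
# Assumes the layout the post describes; function names are my own.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-Hd1Indicators {
    # Step 1 target: the Taskman value. Windows launches whatever it names in
    # place of Task Manager, so the malware is restarted on Ctrl+Shift+Esc.
    $props = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue
    $taskman = if ($props) { $props.Taskman } else { $null }

    # Steps 2/2a target: every hd1.exe under RECYCLER on every fixed drive
    # (DriveType 3), including hidden+system copies, like "dir /s /a hd1.exe".
    $files = foreach ($drive in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3') {
        $recycler = Join-Path $drive.DeviceID 'RECYCLER'
        if (Test-Path -LiteralPath $recycler) {
            Get-ChildItem -LiteralPath $recycler -Recurse -Force -Filter 'hd1.exe' -ErrorAction SilentlyContinue
        }
    }
    [pscustomobject]@{ Taskman = $taskman; Files = @($files | Where-Object { $_ }) }
}

function Remove-Hd1Infection {
    param([switch]$WhatIf)   # with -WhatIf nothing is changed, only reported
    $found = Get-Hd1Indicators

    if ($found.Taskman) {
        "Winlogon\Taskman = $($found.Taskman)"
        Remove-ItemProperty -Path $WinlogonKey -Name 'Taskman' -WhatIf:$WhatIf
    } else {
        'No Taskman value present.'
    }

    foreach ($f in $found.Files) {
        $f.FullName
        if ($WhatIf) { continue }
        # Step 2b: equivalent of "attrib -S -H -R"; the delete fails otherwise.
        $f.Attributes = [System.IO.FileAttributes]::Normal
        try {
            Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
        } catch {
            # Step 2c: the file is usually held open by explorer.exe.
            Write-Warning "Could not delete $($f.FullName): $($_.Exception.Message)"
            Write-Warning 'Run "Stop-Process -Name explorer -Force" and retry, or delete it from a recovery environment.'
        }
    }
}

Remove-Hd1Infection -WhatIf   # dry run first; drop -WhatIf to actually clean
```

Run the dry run, check that every path it lists really is a RECYCLER\S-...\hd1.exe and that the Taskman value is not something you set yourself, then run it without -WhatIf. If the delete is refused even after explorer.exe is stopped, the file is in use by another process and the offline route the post mentions (Recovery Console or a boot CD) is the reliable way out.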


I do not think any DLL files are altered by this virus, based on my tests. But checking the Windows DLL files for integrity afterwards, to confirm they are intact and still their original versions, is a good idea; "sfc /scannow" from an administrator command prompt does exactly that against the protected file cache.


Thanks for reading
