Installation
The worm copies its executable file under random names to the following locations:
%System%\<rnd>dir.dll
%Program Files%\Internet Explorer\<rnd>.dll
%Program Files%\Movie Maker\<rnd>.dll
%All Users Application Data%\<rnd>.dll
%Temp%\<rnd>.dll
%System%\<rnd>.tmp
%Temp%\<rnd>.tmp
<rnd> is a random string of symbols.
You can use Windows Search to find these files. Remember to select "Search system folder", "Search hidden files and folders", and "Search subfolders" under More advanced options.
To make sure it runs again after a reboot, the worm creates a system service that launches its executable file each time Windows is booted. The following registry key will be created:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
The worm also modifies the following system registry key value:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = " %System%\<rnd>.dll"
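A read-only PowerShell check for the file locations and registry entries listed above, as an added example that is not part of the original post. It assumes PowerShell 5.1 or later in an elevated prompt, treats %All Users Application Data% as `$env:ProgramData` (Vista and later), and uses "executable content without a valid signature" as its own heuristic for picking out candidate files; `Test-PeHeader` is a helper defined here.

```powershell
# Added example, not from the original post. Lists candidates only; changes nothing.

function Test-PeHeader([string]$Path) {
    # $true if the file starts with "MZ" (Windows executable), $false if not, $null if unreadable.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try { return ($fs.ReadByte() -eq 0x4D -and $fs.ReadByte() -eq 0x5A) }
        finally { $fs.Dispose() }
    } catch { return $null }
}

# Directories named in the post (assumption: ProgramData stands in for All Users Application Data).
$dirs = @("$env:SystemRoot\System32", "$env:ProgramFiles\Internet Explorer",
          "$env:ProgramFiles\Movie Maker", $env:ProgramData, $env:TEMP) |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# 1. .dll/.tmp files (hidden ones included) that are executables without a valid signature.
#    Files that cannot be read are reported too, for manual review.
Get-ChildItem -LiteralPath $dirs -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.dll', '.tmp' } |
    ForEach-Object {
        $pe = Test-PeHeader $_.FullName
        if ($pe -eq $false) { return }          # readable and not an executable: skip
        $sig = (Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Status
        if ($sig -ne 'Valid') {
            [pscustomobject]@{
                Path      = $_.FullName
                Readable  = ($null -ne $pe)
                Signature = $sig
                Created   = $_.CreationTime
            }
        }
    }

# 2. The service key the post says the worm creates.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\netsvcs'
"Service key present: $(Test-Path -LiteralPath $svcKey)  ($svcKey)"

# 3. netsvcs entries under SvcHost that look like a file path instead of a service name.
$svchost = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
(Get-ItemProperty -LiteralPath $svchost -Name netsvcs -ErrorAction SilentlyContinue).netsvcs |
    Where-Object { $_ -match '\\|\.dll\s*$' } |
    ForEach-Object { "Suspicious netsvcs entry: $_" }
```

Legitimate unsigned DLLs will also show up in the first list, so treat its output as a set of files to examine, not as a verdict.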
So, how to remove it?
Just get the latest update of your antivirus...
Or you can manually remove it, see my next post here