PCBugSquad

Description:

The W32/Autorun-AAG worm is an infection that spreads through removable media devices such as flash drives, usb drives, and external hard drives.  A user becomes infected when they insert an infected device in the computer.  Once the device is inserted, your computer will autoplay the device and the infection will now spread to your computer.

During the infection process a file called olhrwef.exe will be created in your C:\Windows folder. This file will automatically start when you login into Windows. It will also create the C:\Windows\System32\nmdfgds0.dll file and add a autorun.inf file to every removable device on your computer. It will then create the follow registry key to start itself automatically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”cdoosoft” = “%System%\olhrwef.exe”

Manual Removal Instructions for W32/Autorun-AAG

End these processes if they exist:
Learn how to end processes

olhrwef.exe

Delete these files if they exist:
Lean how to remove files

C:\Windows\olhrwef.exe
C:\Windows\System32\nmdfgds0.dll
Autorun.inf from the root of all of your removable media devices

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”cdoosoft”

Description:

ANG Antivirus 09 is a rogue anti-spyware program from the same developers as Antivirus 2010.  This program displays false positive scan results to trick you into purchasing the software.  ANG Antivirus 09 also displays fake security alerts from your Windows taskbar and from within Internet Explorer to attempt to trick you into thinking you are infected.

Due to the fact that this program is always running it will begin to slow down your computer.  At this time we have not seen ANG AntiVirus 09 installed via Trojans, but that does not mean it wont be.  It most likely will in the near future because Antivirus 2010 was Trojan installed as well.  Please use the information below to remove this infection from your computer.

Threat Level: High

Manual Removal Instructions for ANG AntiVirus 09

End these processes if they exist:
Learn how to end processes

angpd.exe
rkgnd.exe

Delete these files if they exist:
Lean how to remove files

c:\Program Files\Common Files\System\mgnc
c:\Program Files\Common Files\System\mgnc\angpd.exe
c:\Program Files\Common Files\System\mgnc\angpd.xml
c:\Program Files\Common Files\System\mgnc\angpid.exe
c:\Program Files\Common Files\System\mgnc\mcdk.exe
c:\Program Files\Common Files\System\mgnc\rkgnd.exe
c:\Program Files\Common Files\System\mgnc\wsd.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_CURRENT_USER\Software\ANG AntiVirus 09
HKEY_CURRENT_USER\Software\Total Virus Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform “UXPVP 1.0.7.0″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “76112549345328287″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce “65438761234587528″

Description:

The W32.Ackantta.B@mm worm is an infection that spreads itself by copying itself to removable drives, shared folders, and by mass-mailing all of the email contacts it can find on your computer.  This infection is typically installed when a user opens up the attachment in an email that this infection sent from another machine.  The subject of these emails may be:

Job offer from Coca Cola!
Thank you for your application
You have got a new E-Card from your friend!
You have received A Hallmark E-Card!

The attachment names are:

copy of your CV.zip
e-card.zip
job-application-form.zip
postcard.zip

This attachment looks like a snowman:

If a user runs the attachment, it will open up an image that looks like a Christmas postcard.  It will then create the C:\Windows\System32\javale.exe and C:\Windows\System32\javame1.1.exe  files.  It will then create the follow registry key to start itself automatically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”SunJava Updater v7″ = “%System%\javale.exe”

The worm will also modify the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%System%\”javale.exe” = “%System%\javale.exe:*:Enabled:Explorer”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\”javastation1.1″ = “02″

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\”ultrasparc1.1″ = “25″

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\”CheckExeSignatures” = “0×1″

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\”RunInvalidSignatures” = “no”

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\”LowRiskFileTypes” = “.zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav”

The worm then connects to the the http://whatismyip.com/automation/n09230945.asp url in order to determine its IP address.  It will then connect to another url to potentially download more malware such as Vundo.

Manual Removal Instructions for W32.Ackantta.B@mm

End these processes if they exist:
Learn how to end processes

javale.exe
javame1.1.exe

Delete these files if they exist:
Lean how to remove files

C:\Windows\System32\javale.exe
C:\Windows\System32\javame1.1.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”SunJava Updater v7″

Spyware Fighter is a new rogue anti-spyware program from the same developers as Rapid Antivirus and originates from Russia.  This program uses false positives, misleading advertisements, and fake alerts to scam you into purchasing their software.  We advise you to stay away from Spyware Fighter and install it immediately if you find it on your computer.  Most of all do not purchase the program as the program has no beneficial function.

We will update this guide when more information is available about this program.

Description:

VirusRemover2009 is a rogue anti-spyware program from the same developers as VirusRemover 2008.  This version of VirusRemover contains additional files not contained in the original.  It is unknown what these additional files do, but as the rest of the program is considered malware, the rest can’t be good. When running this program will display false infections on your computer.  These infections can’t be removed unless you purchase the software.

This program will also security alerts stating your computer is infected, when it is not.  These alerts are only being used to scare you into thinking you are infected.  We suggest you remove this program immediately.

Threat Level: High

Manual Removal Instructions for VirusRemover2009

Uninstall these programs:
Learn how to uninstall programs

VirusRemover2009 1.0.5.0 (remove only)

End these processes if they exist:
Learn how to end processes

VRM2009.exe

Delete these files if they exist:
Lean how to remove files

c:\Program Files\VirusRemover2009
c:\Program Files\VirusRemover2009\ExtSecurityCenter.exe
c:\Program Files\VirusRemover2009\ni_d.exe
c:\Program Files\VirusRemover2009\PP.exe
c:\Program Files\VirusRemover2009\Uninstall.exe
c:\Program Files\VirusRemover2009\Viruses.bdt
c:\Program Files\VirusRemover2009\VRM2009.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_CURRENT_USER\Software\ExtSecurityCenter
HKEY_CURRENT_USER\Software\VirusRemover2009
HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run => VirusRemover2009

Description:

OS Protection is a rogue anti-spyware program is a rogue anti-spyware program that is same as Spyware Protect 2009.  This rogue uses false positives and Trojans to advertise itself.  When running, it will also spam your desktop with fake warnings and alerts stating that you should purchase the program.  As this program is considered malware, we suggest you remove it immediately.

Threat Level: Medium

Manual Removal Instructions for OS Protection

End these processes:
Learn how to end processes

OSProtection.exe

Delete these files:
Lean how to remove files

C:\Program Files\OS Protection\osprotection.exe
C:\Program Files\OS Protection\OS Protection.lnk
C:\Program Files\OS Protection\Uninstall OS Protection.lnk
C:\Program Files\OS Protection\

Remove these Registry keys:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\OS Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “OS Protection”

Though I have not been posting to the blog as much as I would have liked to when I started it, I have been keeping track of whats been goin on at some of the reputable security sites.  This evening I ran across an interesting article at BleepingComputer about a new rogue named Anti-Virus-1.  This particular rogue seems like a nasty one and uses some pretty tricky tactics to make you think it’s legit.  Definitely an interesting read:

How to remove Anti-virus-1 (Removal Guide)

and

Learning how to remove Anti-virus-1 teaches us some new tricks

Trace Sweeper is a rogue privacy software that when run on your computer displays fake exaggerated results that cannot be removed unless you first purchase the software. The program is also set to run automatically when your computer starts, which will cause your computer to operate slower and create pop-ups about how you should register the software.

Trace Sweeper screen shot

Automatic Removal Method

If you are infected with this malware, then we suggest you use Symantec Antivirus to remove this infection. The current definitions for Symantec Antivirus contains methods of removing this virus.

Download Symantec Antivirus to scan your computer for free

Manual Removal Instructions for

End these processes:

Learn how to end processes

tracesweeper.exe

Delete these files:
Lean how to remove files

c:\Program Files\Trace Sweeper
c:\Program Files\Trace Sweeper\tracesweeper.exe
c:\Program Files\Trace Sweeper\tracesweeper.url
c:\Program Files\Trace Sweeper\unins000.dat
c:\Program Files\Trace Sweeper\unins000.exe
c:\Documents and Settings\All Users\Start Menu\Programs\Trace Sweeper
c:\Documents and Settings\All Users\Start Menu\Programs\Trace Sweeper\Trace Sweeper on the Web.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Trace Sweeper\Trace Sweeper.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Trace Sweeper\Uninstall Trace Sweeper.lnk

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly. Please edit the Registry only if you know what you are doing. Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”tracesweeper”
=”C:\Program Files\Trace Sweeper\tracesweeper.exe”

The WORM_KOOBFACE.D worm is malware that spreads itself through the online social site called Facebook.  When a user becomes infected with this worm, it will install a copy of itself as C:\Windows\fbtre6.exe and then further download the following files:

• C:\5465465465463.BAT
• C:\Windows\fmark2.dat

When fbtre6.exe is run it will display the following message in Windows:

Error installing Codec. Please contact support.

It is important to note that this infection will delete itself if it detects that you have not used Facebook.com on the infected computer.  If Facebook cookies are found, though, it will add a link to a location where it can be downloaded in the infected user’s Facebook profile.  It is through these links in infected user’s profiles that the infection spreads.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is know to be able to remove this malware and it is included in its current virus definitions.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

fbtre6.exe

Delete these files:
Lean how to remove files

C:\Windows\fbtre6.exe
C:\5465465465463.BAT
C:\Windows\fmark2.dat

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sysftray = “C:\Windows\fbtre6.exe”

The WORM_SOHANAD.DR worm is once that propogates as an attachment to email messages that are spammed by other malware or users.  It is also possible, that this worm can be installed via other malware that download and install it on your computer.  When infected the following files will be created on your computer:

• C:\Windows\dc.exe
• C:\Windows\SVIQ.EXE
• C:\Windows\System\Fun.exe

Once running, the worm will read your Outlook address book and spam all of the addresses in your address book with emails containing the attachments:

• dc.exe
• Fun.exe

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is know to be able to remove this malware and it is included in its current virus definitions.  A big thumbs up for Trend Micro for being able to remove this infection so quickly.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

dc.exe
sviq.exe
fun.exe

Delete these files:
Lean how to remove files

C:\Windows\dc.exe
C:\Windows\SVIQ.EXE
C:\Windows\System\Fun.exe

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
dc = “C:\Windows\dc.exe”
dc2k5 = “C:\Windows\SVIQ.EXE”
Fun = “C:\Windows\System\Fun.exe”