Archive for the 'Worms' Category

How to remove the W32.SillyFDC.BAY worm

Wednesday, March 11th, 2009


Description:

W32.SillyFDC.BAY is a removable media worm that spreads through infected flash drives, external hard drives, and other USB storage devices. Once your computer is infected, it will in turn infect any other removable device that is inserted into it. The worm creates the file C:\Program Files\Common Files\xSafe.exe and then adds the following registry entry so that it runs automatically when you start Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"xSafe" = "%ProgramFiles%\Common Files\xSafe.exe"


Manual Removal Instructions for W32.SillyFDC.BAY:

End these processes if they exist:
Learn how to end processes

xSafe.exe


Delete these files if they exist:

Learn how to remove files

C:\Program Files\Common Files\xSafe.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"xSafe"

Delete the Perfume.exe or W32.SillyFDC.BBA worm

Wednesday, March 11th, 2009


Description:

W32.SillyFDC.BBA is a worm that spreads through removable media such as flash drives, external hard drives, and other USB storage devices. Once your computer is infected, it will in turn infect any other removable device that is inserted into it. The worm creates the file %SystemDrive%\SYSTEM\[SID]\Perfume.exe and then adds the following registry key so that it runs automatically when you start Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}


Manual Removal Instructions for W32.SillyFDC.BBA:

End these processes if they exist:
Learn how to end processes

Perfume.exe


Delete these files if they exist:

Learn how to remove files

%SystemDrive%\SYSTEM\[SID]\Perfume.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}

Remove the W32/AutoRun-ZX worm and the Ogard.exe infection

Monday, March 9th, 2009


Description:

W32/AutoRun-ZX is a removable media worm that spreads by infecting devices such as flash drives, external hard drives, and other removable media. Once infected media is inserted into a clean machine, that computer will autoplay the media and infect itself.

Once infected, the worm will create the file C:\RESTORE\k-1-3542-4232123213-7676767-8888886\Ogard.exe. It will then create the following registry key to start itself automatically:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187322}

Manual Removal Instructions for W32/AutoRun-ZX

End these processes if they exist:
Learn how to end processes

Ogard.exe


Delete these files if they exist:

Learn how to remove files

C:\RESTORE\k-1-3542-4232123213-7676767-8888886\Ogard.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187322}

How to remove winbows.exe or the W32/Autorun-AAI worm

Saturday, March 7th, 2009


Description:

W32/Autorun-AAI is a worm that targets removable media. It typically spreads to your computer when you insert removable media, such as flash drives or external hard drives, that carry the infection. Once such a device is inserted, your computer will autoplay its autorun.inf, the worm will run, and your computer will be infected. Any clean flash drive you then insert into your computer will be infected as well.

Once infected, the worm will create the file C:\Windows\Winbows.exe. It will then create the following registry entries to start itself automatically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"windows" = "winbows.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"windows" = "imege.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"windows" = "picture.exe"

Manual Removal Instructions for W32/Autorun-AAI

End these processes if they exist:
Learn how to end processes

winbows.exe
picture.exe
imege.exe


Delete these files if they exist:

Learn how to remove files

C:\Windows\winbows.exe
C:\Windows\imege.exe
C:\Windows\picture.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"windows"

How to delete the WORM_KOOBFACE.AZ Facebook worm

Wednesday, March 4th, 2009


Description:

WORM_KOOBFACE.AZ is a worm that targets social networking sites. It monitors the cookies on your computer that contain login information for various social sites. When login information is found, it logs in to your account and starts sending messages to your friends and contacts on the site. For example, if you use Facebook, it will log in to your account and send all your friends messages about a video they should see. These messages contain links to the infection, which then infects anyone who visits the link.

The social sites that this infection monitors are:

  • facebook.com
  • hi5.com
  • friendster.com
  • myyearbook.com
  • myspace.com
  • bebo.com
  • tagged.com
  • netlog.com
  • fubar.com
  • livejournal.com

Once infected, the worm will create the file C:\Windows\freddy35.exe. This file is the main program that sends infected messages to your friends. It will then create the following registry entry to start itself automatically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sysftray2" = "%WinDir%\freddy35.exe"

Manual Removal Instructions for WORM_KOOBFACE.AZ

End these processes if they exist:
Learn how to end processes

freddy35.exe


Delete these files if they exist:

Learn how to remove files

C:\Windows\freddy35.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sysftray2"

How to remove olhrwef.exe or the W32/Autorun-AAG worm.

Wednesday, March 4th, 2009


Description:

The W32/Autorun-AAG worm is an infection that spreads through removable media such as flash drives, USB drives, and external hard drives. A user becomes infected when they insert an infected device into the computer. Once the device is inserted, your computer will autoplay it and the infection will spread to your computer.

During the infection process a file called olhrwef.exe will be created in your C:\Windows folder. This file will start automatically when you log in to Windows. The worm will also create the file C:\Windows\System32\nmdfgds0.dll and add an autorun.inf file to every removable device on your computer. It will then create the following registry entry to start itself automatically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cdoosoft" = "%System%\olhrwef.exe"

Manual Removal Instructions for W32/Autorun-AAG

End these processes if they exist:
Learn how to end processes

olhrwef.exe


Delete these files if they exist:

Learn how to remove files

C:\Windows\olhrwef.exe
C:\Windows\System32\nmdfgds0.dll
Autorun.inf from the root of all of your removable media devices

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cdoosoft"

How to remove the javale.exe or W32.Ackantta.B@mm infection

Saturday, February 28th, 2009


Description:

The W32.Ackantta.B@mm worm is an infection that spreads by copying itself to removable drives and shared folders, and by mass-mailing itself to all of the email contacts it can find on your computer. This infection is typically installed when a user opens the attachment of an email that the infection sent from another machine. The subject of these emails may be:

Job offer from Coca Cola!
Thank you for your application
You have got a new E-Card from your friend!
You have received A Hallmark E-Card!

The attachment names are:

copy of your CV.zip
e-card.zip
job-application-form.zip
postcard.zip

This attachment looks like a snowman.

If a user runs the attachment, it will open an image that looks like a Christmas postcard. It will then create the files C:\Windows\System32\javale.exe and C:\Windows\System32\javame1.1.exe. It will then create the following registry entry to start itself automatically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SunJava Updater v7" = "%System%\javale.exe"

The worm will also modify the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%System%\"javale.exe" = "%System%\javale.exe:*:Enabled:Explorer"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"javastation1.1" = "02"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"ultrasparc1.1" = "25"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = "0x1"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"RunInvalidSignatures" = "no"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypes" = ".zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav"

The worm then connects to the URL http://whatismyip.com/automation/n09230945.asp in order to determine its IP address. It will then connect to another URL to potentially download more malware such as Vundo.

Manual Removal Instructions for W32.Ackantta.B@mm

End these processes if they exist:
Learn how to end processes

javale.exe
javame1.1.exe


Delete these files if they exist:

Learn how to remove files

C:\Windows\System32\javale.exe
C:\Windows\System32\javame1.1.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SunJava Updater v7"

How to remove the WORM_KOOBFACE.D Facebook worm.

Tuesday, August 19th, 2008

The WORM_KOOBFACE.D worm is malware that spreads through the social networking site Facebook. When a user becomes infected with this worm, it installs a copy of itself as C:\Windows\fbtre6.exe and then downloads the following files:

  • C:\5465465465463.BAT
  • C:\Windows\fmark2.dat

When fbtre6.exe is run it will display the following message in Windows:

Error installing Codec. Please contact support.

It is important to note that this infection will delete itself if it detects that Facebook.com has not been used on the infected computer. If Facebook cookies are found, though, it will add a link to a location where it can be downloaded to the infected user's Facebook profile. It is through these links in infected users' profiles that the infection spreads.

Automatic Removal Method

If you are infected with this malware, we suggest you use Trend Micro antivirus to remove it. It is known to be able to remove this malware, and detection is included in its current virus definitions.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for WORM_KOOBFACE.D

End these processes:

Learn how to end processes

fbtre6.exe


Delete these files:

Learn how to remove files

C:\Windows\fbtre6.exe
C:\5465465465463.BAT
C:\Windows\fmark2.dat

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sysftray" = "C:\Windows\fbtre6.exe"

How to remove the WORM_SOHANAD.DR infection

Wednesday, August 13th, 2008

The WORM_SOHANAD.DR worm is one that propagates as an attachment to email messages spammed by other malware or users. It is also possible that this worm is installed by other malware that downloads and installs it on your computer. When infected, the following files will be created on your computer:

  • C:\Windows\dc.exe
  • C:\Windows\SVIQ.EXE
  • C:\Windows\System\Fun.exe

Once running, the worm will read your Outlook address book and spam all of the addresses in it with emails containing the attachments:

  • dc.exe
  • Fun.exe

Automatic Removal Method

If you are infected with this malware, we suggest you use Trend Micro antivirus to remove it. It is known to be able to remove this malware, and detection is included in its current virus definitions. A big thumbs up for Trend Micro for being able to remove this infection so quickly.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for WORM_SOHANAD.DR

End these processes:

Learn how to end processes

dc.exe
sviq.exe
fun.exe


Delete these files:

Learn how to remove files

C:\Windows\dc.exe
C:\Windows\SVIQ.EXE
C:\Windows\System\Fun.exe

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dc" = "C:\Windows\dc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dc2k5" = "C:\Windows\SVIQ.EXE"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Fun" = "C:\Windows\System\Fun.exe"
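Every post in this archive relies on the same few persistence and spread mechanisms: a Run value, an Active Setup component, dropped files, and an autorun.inf on removable media. The PowerShell audit below is added here and is not a tool from any of the posts; it reads the indicators the posts list (Run value names, file paths, the two Active Setup GUIDs) and reports matches without deleting anything. It assumes an elevated prompt, and the autorun.inf check is a generalization: it flags any launch line on a removable drive, not only the worms named above.

```powershell
# Added read-only audit for the indicators listed in the posts above
# (not the posts' own tool). Run from an elevated PowerShell prompt.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
# Run value names the posts attribute to these worms.
$runValues = @('xSafe', 'windows', 'sysftray', 'sysftray2', 'cdoosoft',
               'SunJava Updater v7', 'dc', 'dc2k5', 'Fun')
# Active Setup component GUIDs quoted in the SillyFDC.BBA and AutoRun-ZX posts.
$activeSetupIds = @('{28ABC5C0-4FCB-11CF-AAX5-22CX3C644241}',
                    '{67KLN5J0-4OPM-00WE-AAX5-77EF1D187322}')
# Dropped files from the posts; environment variables are expanded for this host.
$files = @("$env:ProgramFiles\Common Files\xSafe.exe",
           "$env:WinDir\winbows.exe", "$env:WinDir\imege.exe", "$env:WinDir\picture.exe",
           "$env:WinDir\freddy35.exe", "$env:WinDir\olhrwef.exe",
           "$env:WinDir\System32\olhrwef.exe", "$env:WinDir\System32\nmdfgds0.dll",
           "$env:WinDir\System32\javale.exe", "$env:WinDir\System32\javame1.1.exe",
           "$env:WinDir\fbtre6.exe", "$env:WinDir\fmark2.dat",
           "$env:SystemDrive\5465465465463.BAT", "$env:WinDir\dc.exe",
           "$env:WinDir\SVIQ.EXE", "$env:WinDir\System\Fun.exe")
$findings = @()

# 1. Run values: report the value name and the command it launches at logon.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValues) {
        $p = $props.PSObject.Properties[$name]
        if ($p) { $findings += "RUN     $key\$name = $($p.Value)" }
    }
}

# 2. Active Setup components: their StubPath runs once per user at logon.
$asRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
foreach ($id in $activeSetupIds) {
    if (Test-Path "$asRoot\$id") { $findings += "ASETUP  $asRoot\$id" }
}

# 3. Dropped files.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "FILE    $f" }
}

# 4. autorun.inf on removable drives (Win32_LogicalDisk DriveType 2): the spread
#    vector of the Autorun/SillyFDC worms. Report every line that launches a program.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $hits = Select-String -LiteralPath $inf -Pattern '^\s*(open|shellexecute|shell\\.*\\command)\s*='
        foreach ($h in $hits) { $findings += "AUTORUN $inf : $($h.Line.Trim())" }
    }
}

if ($findings) { $findings } else { 'No indicators from these posts were found.' }
```

A hit is a lead for review, not proof of infection: the value names dc and Fun in particular are generic enough that a legitimate program could use them, so check what the reported command actually points to before removing anything.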