MicrosoftPowerPoint.exe / H icon logo taskbar / monitor / ~DF450D.tmp.exe

The Kaspersky latest update does not detect this virus yet, as of 8 Nov, 2007. And I did it before as I promised . . . This is the new version of the old “orkut virus”, if you remember … Mu hu ha ha ha ….. but it doesn’t do anything like that now… : )

And I have got the website of the programmer who developed this virus… It’s http://sapn4.tripod.com/ But please, I request, do not go to that site, or else your computer will be seriously affected. The virus automatically starts downloading. There’s nothing on the site but a few Google ads. It’s quite an old virus now. But still Kaspersky doesn’t detect it. Probably no one reported it.. he he

VIRUS FILES

File Name: MicrosoftPowerPoint.exe
Icon: Folder with a small “my comp” icon within it
Type: Application
Description: MicrosoftPowerPoint
Size: 261 KB (268,082 bytes)
Size on disk: 272 KB (278,528 bytes)
Modified: Tuesday, June 26, 2007, 1:06:24 PM
Attributes: Read-only, Hidden+System, Archive

File Name: Winlogons.exe
Icon: Folder
Type: Winlogons
Description: MicrosoftPowerPoint
Size: 261 KB (268,082 bytes)
Size on disk: 272 KB (278,528 bytes)
Modified: Wednesday, October 31, 2007, 10:20:00 PM
Attributes: Read-only, Hidden+System, Archive

File Name: MsUpdate.exe
Icon: ‘H’ in green color
Type: Application
Description: AutoHotKey
Size: 230 KB (235,520 bytes)
Modified: Wednesday, June 20, 2007, 10:38:52 PM
Attributes: Archive
File version: 1.0.46.17
Internal Name: AutoHotKey

PARTIALLY DETECTED BY KASPERSKY

Trojan-Downloader.Win32.AutoIt.t -> monitor 2.6 KB

SYMPTOMS

These two hidden system files automatically copy themselves to your removable drives:
MicrosoftPowerPoint.exe
autorun.inf

Double-clicking the removable drives doesn’t work.
Tools > Folder Options is disabled.
You are unable to see your hidden files.

BEHIND THE SCREEN

DeleteDir C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\MsUpdate~1
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\MsUpdate.exe
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\monitor
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
  runs the file C:\Documents and Settings\Piyush Chandra\Local Settings\Temp\IXP000.TMP\MsUpdate.exe
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run\Explorer

Creates a value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run
Value: Explorer
New data (Unicode null-terminated string): Winlogons

Deletes the value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value: wextract_cleanup0
Data (Unicode null-terminated string): rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\"

THE VIRUS PROGRAM

The virus has been written in AutoHotKey 1.0.46.17

xxxxxx Deleted by PiyushLabs for security reasons xxxxxx

SOLUTION

End Task
Open Run and paste the following commands one by one.
TASKKILL /f /t /fi "IMAGENAME eq svchost.exe" /fi "USERNAME ne NT AUTHORITY\*"
TASKKILL /f /t /fi "IMAGENAME eq MsUpdate.exe"
TASKKILL /f /t /fi "IMAGENAME eq Winlogons.exe"

Enable CMD
Open Run and paste the following commands one by one.
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCmd /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCmd /t REG_DWORD /d 0 /f

Delete
Open Run > CMD and paste the following commands one by one.
del "%userprofile%\LOCAL SETTINGS\TEMP\MSDATA\" /f /a
del "%userprofile%\Local Settings\Temp\IXP000.TMP\" /f /a
del "%temp%\~DF450D.tmp.exe" /f /a
del "%windir%\system32\Winlogons.exe" /f /a

Delete the virus from the pen drives if you use any. (**** replace K with your drive letter.)
del K:\autorun.inf /a /f
del K:\MicrosoftPowerPoint.exe /a /f

Registry
Open Run > CMD and paste the following commands one by one.
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /va
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe

PRECAUTIONS

Never double-click your pen drives. It spreads through removable drives. Always use folder view for navigation. And enable the view to see system files and hidden files. And delete the files in the pen drives.
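As an added example that is not part of the original post and is not the virus author's code, here is a read-only PowerShell triage script that checks a machine for the indicators listed under SYMPTOMS and BEHIND THE SCREEN and for the files and registry values the SOLUTION removes. It kills and deletes nothing, so it can be run first to confirm the infection before pasting the commands above. Every process name, file name, registry key and value comes from this post; the script assumes Windows PowerShell 3 or later (for Get-CimInstance), and on current Windows %TEMP% points at AppData\Local\Temp rather than the XP-era Local Settings\Temp path the post shows.

```powershell
# Added example (not from the original post). Read-only triage: reports the
# indicators described in the post and never deletes or kills anything.
# Assumes Windows PowerShell 3+ (Get-CimInstance); %TEMP% on current Windows
# is AppData\Local\Temp rather than the XP-era Local Settings\Temp path.

function Get-OrkutVariantIndicators {
    $report = [ordered]@{}

    # Processes the post ends with TASKKILL
    $procs = Get-Process -Name 'Winlogons', 'MsUpdate' -ErrorAction SilentlyContinue
    $report['RunningProcesses'] = @($procs | ForEach-Object { '{0} (PID {1})' -f $_.ProcessName, $_.Id })

    # Persistence: policies\explorer\Run, value "Explorer" with data "Winlogons"
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run'
    $report['PolicyRunExplorer'] = (Get-ItemProperty -Path $runKey -Name Explorer -ErrorAction SilentlyContinue).Explorer

    # Leftover RunOnce cleanup entry written by the wextract dropper
    $runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $report['RunOnceWextract'] = (Get-ItemProperty -Path $runOnce -Name wextract_cleanup0 -ErrorAction SilentlyContinue).wextract_cleanup0

    # CMD disabled by policy (the post resets DisableCmd to 0 in both hives)
    foreach ($hive in 'HKLM', 'HKCU') {
        $sysKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $report["DisableCmd_$hive"] = (Get-ItemProperty -Path $sysKey -Name DisableCmd -ErrorAction SilentlyContinue).DisableCmd
    }

    # Winlogon Shell, which the post restores to Explorer.exe
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $report['WinlogonShell'] = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell

    # Dropped files and folders on the system drive (paths from the Delete step)
    $paths = @(
        "$env:windir\system32\Winlogons.exe",
        "$env:TEMP\~DF450D.tmp.exe",
        "$env:TEMP\IXP000.TMP",
        "$env:TEMP\MSDATA"
    )
    $report['DroppedPathsPresent'] = @($paths | Where-Object { Test-Path -LiteralPath $_ })

    # Removable drives (DriveType 2): hidden+system autorun.inf and MicrosoftPowerPoint.exe.
    # -Force is required so Get-Item sees Hidden/System files at all.
    $hits = foreach ($d in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2') {
        foreach ($name in 'autorun.inf', 'MicrosoftPowerPoint.exe') {
            $p = '{0}\{1}' -f $d.DeviceID, $name
            $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
            if ($f) { '{0} [{1}]' -f $p, $f.Attributes }
        }
    }
    $report['RemovableDriveHits'] = @($hits)

    return $report
}

# Usage: run from an elevated prompt so HKLM and system32 are readable.
$r = Get-OrkutVariantIndicators
[pscustomobject]$r | Format-List
```

A clean machine shows empty arrays for RunningProcesses, DroppedPathsPresent and RemovableDriveHits, blank PolicyRunExplorer and RunOnceWextract, DisableCmd blank or 0, and WinlogonShell equal to Explorer.exe; anything else matches what the post describes and is worth handling with the SOLUTION steps.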