Worm

W32.Palevo

W32.Palevo is a worm that may infect a computer by exploiting known software vulnerabilities. An infected system will experience reduced performance. W32.Palevo can also terminate security-related processes on the infected computer, which lowers its overall security settings.

W32.Fujacks.CB

W32.Fujacks.CB is a worm that spreads through USB removable drives and drops an autorun.inf file on infected drives so that the worm runs when the drive is accessed. W32.Fujacks.CB may also propagate to unsecured network drives by creating a copy of itself on the target drives.

W32/Autorun.worm.es

W32/Autorun.worm.es is a generic detection for worms that create a copy of the malicious file in the root of any accessible drive on the computer, together with an autorun.inf file. When the drive is accessed, W32/Autorun.worm.es will look for and infect any other drives it finds mounted on the compromised computer.

W32.Fujacks.CA

W32.Fujacks.CA is a computer worm that may spread through unsecured network shares. It targets executable files on the compromised computer to spread locally.

Win32/Nuqel.E

Win32/Nuqel.E is a worm that may disable certain Windows utility programs such as Folder Options, Task Manager, Registry Editor and Control Panel to prevent users from manually removing the threat. Win32/Nuqel.E propagates on unsecured network shares and sends spam messages to contacts via the chat program Yahoo! Messenger.

Recently, this detection was deliberately displayed on computers by the rogue program Spyware Protect 2009. Seeing this detection name does not guarantee that Win32/Nuqel.E is present on the computer; it was rather a trick used by the rogue security program to mislead users into purchasing the registered version.

Critical Information:

Files added by Win32/Nuqel.E virus
Windows registry entries created by Win32/Nuqel.E

Aliases: WORM_IMAUT.E, W32.Imaut.N, Worm:Win32/Sohanad.F, Troj/Tiotua-D, W32/YahLover.worm

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Win32/Nuqel.E Removal Procedures

Manual Removal:
1. Stop the Win32/Nuqel.E process by pressing Ctrl+Alt+Del. Windows Task Manager will open. Look for the following process:
SVICHOSSST.exe

2. Update your installed anti-virus program.
3. Run a full system scan and clean/delete all detected infected file(s). A manual removal of virus-related files should also be performed.
4. Edit the Windows registry and delete the Win32/Nuqel.E entries. [how to edit registry]
5. Exit the registry editor.
6. Remove the Win32/Nuqel.E start-up entry by going to Start > Run and typing msconfig in the “Open” box. The System Configuration Utility will open. Go to the Startup tab and uncheck the following Startup item(s):
SVICHOSSST.exe

7. Click Apply and restart Windows.

Win32/Nuqel.E Removal Tool:
In order to completely remove the threat, it is best to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the download and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before running it on the infected machine.

Online Virus Scanner:
Another way to remove a virus without installing an additional anti-virus application is to perform a thorough scan with a free Online Virus Scanner, which can be found on the websites of legitimate anti-virus and security providers.

Technical Details and Additional Information:

Win32/Nuqel.E attempts to connect to a remote host, from which it downloads settings into %System%\setting.ini. These settings point the computer to another host, update the worm, and supply new URLs and text content to be sent to Yahoo! Messenger users.

Malicious Files Added by Win32/Nuqel.E:
%System%\SVICHOSSST.exe
%System%\autorun.ini

Win32/Nuqel.E Registry Entries:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = “Explorer.exe SVICHOSSST.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = “%System%\SVICHOSSST.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\share = “< location >\New Folder.exe”
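The indicators listed above (dropped files, the Winlogon Shell modification, the Run key and the WorkgroupCrawler share entry, plus the SVICHOSSST.exe process from the manual removal steps) can be checked in one pass. The following PowerShell script is an added, read-only example and is not part of the original listing; it only reports what it finds and removes nothing, and it assumes %System% resolves to the standard Windows system directory.

```powershell
# Added example: report Win32/Nuqel.E indicators on a Windows host (read-only).
$system   = [Environment]::GetFolderPath('System')   # resolves %System%, e.g. C:\Windows\system32
$findings = @()

# 1. Files the worm drops in %System%
foreach ($name in 'SVICHOSSST.exe', 'autorun.ini') {
    $path = Join-Path $system $name
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# 2. Winlogon Shell should be exactly "Explorer.exe"; the worm appends its own executable
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'Explorer.exe') {
    $findings += "Winlogon Shell modified: '$shell'"
}

# 3. Run key entry (note the misspelled value name 'Yahoo Messengger' used by the worm)
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = (Get-ItemProperty -Path $run -Name 'Yahoo Messengger' -ErrorAction SilentlyContinue).'Yahoo Messengger'
if ($runValue) { $findings += "Run entry 'Yahoo Messengger' = $runValue" }

# 4. WorkgroupCrawler share entry pointing at a 'New Folder.exe' copy on a share
$shares = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'
$share = (Get-ItemProperty -Path $shares -Name share -ErrorAction SilentlyContinue).share
if ($share -and $share -like '*New Folder.exe') { $findings += "WorkgroupCrawler share = $share" }

# 5. The worm process itself (process name is the file name without .exe)
if (Get-Process -Name SVICHOSSST -ErrorAction SilentlyContinue) {
    $findings += 'Process SVICHOSSST.exe is running'
}

if ($findings.Count -eq 0) {
    'No Win32/Nuqel.E indicators found.'
} else {
    'Possible Win32/Nuqel.E infection:'
    $findings | ForEach-Object { " - $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM Winlogon key and the system directory are readable; a non-default Shell value is the strongest single indicator here, since legitimate software rarely changes it.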

W32.Downadup.E

W32.Downadup.E is a worm that propagates over the Internet by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability. W32.Downadup.E will also attempt to download a copy of its variant W32.Downadup.C onto the compromised computer and spread it across any attached network it finds.

W32.Downadup.B

W32.Downadup.B is a worm that propagates and infects computers by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability. W32.Downadup.B reduces the security settings of the compromised computer by terminating security-related processes and blocking access to security websites. This worm also spreads through unsecured network shares and removable USB drives.

W32.Imaut.E

W32.Imaut.E is a member of the family known as the Imaut, Sohanad, AutoIt and Autorun worms. This infection spreads via removable media drives and unsecured network shares, and also uses several instant messenger programs as a further propagation channel. Once inside the infected computer, W32.Imaut.E alters a number of system settings to carry out its malicious actions and downloads additional threats from a remote server.

W32.Ackantta@mm

W32.Ackantta@mm propagates via removable drives and gathers email addresses from the infected computer in order to mail itself to them. Once executed, W32.Ackantta@mm creates an autorun.inf file so that it runs automatically when the infected drive is mounted.

W32.Downadup

W32.Downadup is a worm that can kill antivirus programs and block infected computers from visiting legitimate security websites. It spreads across local and network drives by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability. W32.Downadup also creates its own Windows Service so that it runs each time Windows starts. Its propagation methods extend from the local network to the Internet, taking advantage of software and security weaknesses.