W32.Rotinom
W32.Rotinom is a worm that modifies the Windows registry for its own purposes. It usually spreads by copying itself to removable media drives. The worm tricks the user by giving its executable file a folder icon; opening the supposed folder actually executes the worm.
Alias: W32/Rotinom, Trojan:Win32/Rotinom.B, Trojan.Win32.Agent2.ldt, Trojan:Win32/Folstart.A, TR/Agent2.ldt.36, Trojan-Dropper.Agent
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
Upon execution, W32.Rotinom creates a copy of itself at the following location:
%UserProfile%\Local Settings\Application Data\start\update.exe
Next, it creates a number of folders and configures registry entries. For the complete lists of these items, see Modified Registry Entries and Associated Folders below.
Finally, W32.Rotinom searches for folders on the infected computer and, beside each one, creates an executable copy of itself that carries the folder's name and a folder icon. The worm hides the original folder so that a user who clicks the fake folder runs the worm instead.
Distribution
W32.Rotinom arrives on computers by several methods. The most common is spam email, where it is attached as a seemingly useful file such as a document, image or greeting card. A user may also be infected by following a questionable link received through an instant messaging application. The link comes from a trusted contact, but that sender is unaware that the worm on their computer is sending out the malicious message. Most of the time, the message contains tempting links about trending news and events.
Modified Registry Entries:
HKEY_USERS\S-1-5-21-1085891436-353507534-1371566055-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\"Startup" = "%UserProfile%\Local Settings\Application Data\start"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"WebViewBarricade" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Startup" = "C:\Documents and Settings\Administrator\Local Settings\Application Data\start"
Note that the HKEY_USERS\S-1-5-21-...-500 entry is the hive of the account that was infected (RID 500 is the built-in Administrator), addressed by its SID; it is the same data that account sees under HKEY_CURRENT_USER. Redirecting the user's Startup folder to the "start" directory is what makes update.exe run at every logon, and Hidden = 2, HideFileExt = 1 and ShowSuperHidden = 0 keep the hidden original folders and the .exe extension of the fakes out of sight in Explorer.
Associated Folders:
%UserProfile%\Local Settings\Application Data\start\update.exe
%UserProfile%\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320
%UserProfile%\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\dmc
%UserProfile%\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom
%UserProfile%\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom\Usb 2.0 Driver
%UserProfile%\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320
%UserProfile%\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\dmc
%UserProfile%\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr
%UserProfile%\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr
%UserProfile%\Local Settings\Application Data\start
How to Remove W32.Rotinom
Restore Windows Components
During an infection, W32.Rotinom drops various files and intentionally hides them by changing Explorer options in the registry. Because of this, the simplest way to return Windows to a previous working state is System Restore. If a previous restore point was saved, you may proceed with Windows System Restore.
Manual Removal Procedure
1. If an anti-virus program is present, update its definition file. Each anti-virus program has its own way of updating its database; refer to your software manufacturer's manual.
2. Reboot Windows in Safe Mode to ensure that only minimal Windows components are loaded.
- After powering on the computer, press F8 on your keyboard.
- When the Boot Options menu appears, select Safe Mode.
3. Run a full system scan and clean or delete all infected files.
4. Delete or modify any values added to the registry, if present. See the Modified Registry Entries list above; in particular, restore the User Shell Folders and Shell Folders "Startup" values to the real Startup folder, otherwise update.exe will run again at the next logon.
- To edit the registry, click Start > Run and type regedit.exe in the field.
- Alternatively, press Windows Key + R on your keyboard to open the Run dialog.
5. Exit registry editor when done. You may now restart the computer.
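The following PowerShell script, added here as an example and not part of the original page, ties the indicators listed under Characteristics and Modified Registry Entries to step 4 of the procedure above. Without the -Remediate switch it only reports what it finds; with it, it restores the Startup folder and Explorer settings, removes the dropped directories and quarantines the folder-mimicking executables. The registry paths, value names and drop locations are those listed on the page; the quarantine directory, the restored Startup path and the drive roots scanned are assumptions.

```powershell
param([switch]$Remediate)

# Added example, not the page's own code. Run it in Safe Mode as the infected
# user: every change the page lists lives under HKCU and %UserProfile%, and the
# HKEY_USERS\S-1-5-21-... entry is that same user's hive addressed by SID.
$advanced   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$userShell  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$shell      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$localData  = Join-Path $env:USERPROFILE 'Local Settings\Application Data'
$dropDir    = Join-Path $localData 'start'                     # from the page
$quarantine = Join-Path $env:USERPROFILE 'Rotinom-quarantine'  # assumption

function Note([string]$Message) { Write-Output "[*] $Message" }

# 1. Startup redirection: the strongest indicator. The worm points the per-user
#    Startup folder at its own "start" directory so update.exe runs at logon.
$startup = (Get-ItemProperty -Path $userShell -Name Startup -ErrorAction SilentlyContinue).Startup
if ($startup -like '*\Local Settings\Application Data\start') {
    Note "Startup folder redirected to $startup"
    if ($Remediate) {
        # Windows 2000/XP default; REG_EXPAND_SZ so %USERPROFILE% expands at logon.
        Set-ItemProperty -Path $userShell -Name Startup -Type ExpandString `
            -Value '%USERPROFILE%\Start Menu\Programs\Startup'
        Set-ItemProperty -Path $shell -Name Startup -Type String `
            -Value (Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup')
    }
}

# 2. Explorer view settings. Hidden=2, HideFileExt=1 and ShowSuperHidden=0 are
#    also the Windows defaults, so on their own they are weak evidence; the
#    worm forces them to keep the hidden originals and the .exe suffix unseen.
$adv = Get-ItemProperty -Path $advanced -ErrorAction SilentlyContinue
if ($adv -and ($adv.Hidden -eq 2 -or $adv.HideFileExt -eq 1 -or $adv.ShowSuperHidden -eq 0)) {
    Note 'Explorer hides hidden/system files or extensions (weak indicator)'
    if ($Remediate) {
        Set-ItemProperty -Path $advanced -Name Hidden          -Value 1 -Type DWord
        Set-ItemProperty -Path $advanced -Name HideFileExt     -Value 0 -Type DWord
        Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1 -Type DWord
    }
}

# 3. Dropped directories: the "start" folder and the fake-SID tree. S-1-5-31 is
#    not a prefix Windows uses for account SIDs, so such names under Local
#    Application Data are not legitimate profile data.
$dropped = @($dropDir) + @(Get-ChildItem -LiteralPath $localData -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'S-1-5-31-*' } |
    ForEach-Object { $_.FullName })
foreach ($dir in $dropped) {
    if (Test-Path -LiteralPath $dir) {
        Note "Dropped directory present: $dir"
        if ($Remediate) { Remove-Item -LiteralPath $dir -Recurse -Force }
    }
}

# 4. Folder-mimicking executables: a hidden directory with a sibling <name>.exe.
#    Scan roots (profile plus removable drives, DriveType 2) are an assumption.
$roots = @($env:USERPROFILE) + @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' |
    ForEach-Object { $_.DeviceID + '\' })
foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) } |
        ForEach-Object {
            $twin = Join-Path $_.Parent.FullName ($_.Name + '.exe')
            if (Test-Path -LiteralPath $twin) {
                Note "Folder-mimicking executable $twin beside hidden folder $($_.FullName)"
                if ($Remediate) {
                    if (-not (Test-Path -LiteralPath $quarantine)) {
                        New-Item -ItemType Directory -Path $quarantine | Out-Null
                    }
                    # Keep a copy for analysis, renamed so it cannot be double-clicked.
                    Move-Item -LiteralPath $twin -Force `
                        -Destination (Join-Path $quarantine ("{0}_{1}.exe_" -f $_.Name, (Get-Random)))
                    # Give the real folder back: clear the Hidden and System attributes.
                    $_.Attributes = $_.Attributes -band (-bnot ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System))
                }
            }
        }
}
```

Run it once without -Remediate to review the findings, then again with -Remediate after steps 2 and 3 have stopped the worm, and reboot afterwards. The redirected Startup folder and the update.exe drop are the reliable indicators; the Explorer view values are only meaningful if the user had previously changed them from the defaults, which is why the script reports them separately rather than treating them as proof of infection.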