W32.Temphid

W32.Temphid is a worm that propagates on removable USB drives by creating an autorun.inf file in the root directory of each infected drive. When the drive is accessed, W32.Temphid runs and looks for other drives to infect, such as newly inserted removable media. This Trojan also exploits the .lnk (shortcut) processing vulnerability in the Windows operating system.

Technical Information:

Alias: Troj/Stuxnet-A, W32/Stuxnet-B

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Manual Removal of W32.Temphid:

1. Temporarily disable System Restore (Windows Me/XP/Vista/7).
2. Update the virus definitions.
3. Restart Windows in Safe Mode.
4. Run a full system scan and clean or delete all infected files.
5. Delete or modify any values the worm added to the registry.
6. Exit the registry editor and restart Windows.

Online Virus Scanner:
Another way to remove the worm without installing an additional anti-virus application is to perform a thorough scan with a free online virus scanner offered on the websites of legitimate anti-virus and security providers.

Technical Details and Additional Information:

Other functionalities of this Trojan:
- Injects code into other processes
- Hides its files by overwriting Windows API functions
- Modifies the Windows registry

Malicious Files Added by W32.Temphid:
%System%\drivers\mrxcls.sys
%System%\drivers\mrxnet.sys
%DriveLetter%\~WTR[FOUR NUMBERS].tmp
%DriveLetter%\~WTR4132.tmp
%DriveLetter%\~WTR4141.tmp

Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\"ImagePath" = "%System%\drivers\mrxcls.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\"ImagePath" = "%System%\drivers\mrxnet.sys"
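The following triage script is an added example, not part of the original advisory: it sweeps a mounted drive or forensic image for the file indicators listed above (autorun.inf in the drive root, ~WTR followed by four digits and .tmp, and the mrxcls.sys / mrxnet.sys drivers) and reports what the autorun.inf would launch. The sample drive it builds in demo() is constructed with placeholder files, not real malware.

```python
import os
import re
import tempfile
from pathlib import Path

WTR_TMP = re.compile(r"^~WTR\d{4}\.tmp$", re.IGNORECASE)   # ~WTR[FOUR NUMBERS].tmp
DRIVER_NAMES = {"mrxcls.sys", "mrxnet.sys"}                # %System%\drivers\ payloads
AUTORUN_KEYS = ("open", "shellexecute", "shell\\open\\command")


def autorun_targets(inf_path):
    """Return the commands an autorun.inf would launch (open=, shellexecute=, ...)."""
    targets = []
    for raw in Path(inf_path).read_text(errors="replace").splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith(";"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in AUTORUN_KEYS:
            targets.append(value)
    return targets


def scan_drive(root):
    """Sweep a drive root for the indicators on this page; returns (kind, path, autorun targets)."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        in_root = Path(dirpath) == root
        for name in files:
            path = Path(dirpath) / name
            if in_root and name.lower() == "autorun.inf":
                hits.append(("autorun", str(path), autorun_targets(path)))
            elif in_root and WTR_TMP.match(name):
                hits.append(("wtr_tmp", str(path), []))
            elif name.lower() in DRIVER_NAMES:
                hits.append(("driver", str(path), []))
    return sorted(hits)


def demo():
    """Build a constructed sample drive (placeholder files, not real malware) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun.inf").write_text("[autorun]\nopen=~WTR4132.tmp\n")
        (root / "~WTR4132.tmp").write_bytes(b"placeholder")
        (root / "~WTR4141.tmp").write_bytes(b"placeholder")
        (root / "holiday.jpg").write_bytes(b"placeholder")      # benign file, must not be flagged
        sysdrv = root / "Windows" / "System32" / "drivers"
        sysdrv.mkdir(parents=True)
        (sysdrv / "mrxnet.sys").write_bytes(b"placeholder")
        return scan_drive(root)


if __name__ == "__main__":
    for kind, path, targets in demo():
        print(kind, path, targets)
```

A driver file or ~WTR*.tmp hit alone is a lead, not a verdict: confirm it against the MRxCls / MRxNet service entries listed above before cleaning.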