W32.Aboc

W32.Aboc may spread between computers through removable USB devices. To remove this virus, scan the PC with an effective antivirus program.

W32.Aboc is a computer virus that propagates via removable USB drives and infects the system with another virus called W32.Virut.CF. W32.Aboc can also download additional threats from a remote server and execute them on the affected computer. By making some changes to the system, this virus may be able to hide its presence and avoid antivirus detection.

When executed, the worm drops several files under the Windows folder. Refer to the Malicious Files section for a complete list. Next, W32.Aboc modifies the registry to gain a start-up entry on Windows, adding entries that load the virus each time you start Windows.

To allow network access, the virus also modifies the registry and the firewall configuration. It then modifies Windows registry keys to prevent its own removal. Also by changing the registry, the virus disables your Internet browser’s proxy settings.

W32.Aboc then attempts to connect to an array of domains, from which it downloads additional threats. It also infects legitimate Windows files such as logonui.exe and wuaucldt.exe.

W32.Aboc normally spreads through spam email messages. It typically arrives as an attachment posing as a valuable file, in a spam email disguised as a promotional item from a known brand. Locally, it spreads via removable drives such as memory sticks, flash drives, or external hard disks.

Technical Information:

Damage Level: Low

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Manual Removal of W32.Aboc:

1. Temporarily Disable System Restore.
2. Update the virus definitions.
3. Restart Windows in Safe Mode.
4. Run a full system scan and clean/delete all infected files.
5. Delete/Modify any values added to the registry.
6. Exit registry editor and restart Windows.

Online Virus Scanner:
Another way to remove a virus without installing an additional anti-virus application is to perform a thorough scan with a free Online Virus Scanner, which can be found here or on the websites of legitimate anti-virus and security providers.

Technical Details and Additional Information:

Other functionalities of this Trojan:
- Hide its presence on the system
- Disable proxy access on Internet Explorer
- Modify Windows Registry

Malicious Files Added by W32.Aboc:
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\SYSTEMIL2.EXE
%Windir%\SYSTEMIL.EXE
%SystemDrive%\SYSTEMIL.EXE
%SystemDrive%\Pictures.exe
%SystemDrive%\Documents.exe
%SystemDrive%\Photos.exe
%SystemDrive%\Games.exe

Associated Windows Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SystemIL" = "%Windir%\SYSTEMIL.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SystemIL" = "%Windir%\SYSTEMIL.EXE"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%System%\winlogon.exe" = "%System%\winlogon.exe:*:enabled:@shell32.dll,-1"
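
The file and registry lists above can be checked in one pass before and after cleaning. The following PowerShell script is an added example, not part of the original write-up or any vendor tool. It only reads and reports; the function name Get-AbocIndicator is illustrative, and it assumes the %System% placeholder in the firewall entry refers to the Windows system folder.

```powershell
# Added example: read-only check for the W32.Aboc artifacts listed on this page.
# Nothing is deleted or modified. Function and variable names are illustrative.

function Get-AbocIndicator {
    $sysDrive = $env:SystemDrive
    $winDir   = $env:windir
    # Assumption: the page's %System% placeholder means the Windows system folder.
    $sysDir   = [Environment]::SystemDirectory

    $files = @(
        "$sysDrive\Documents and Settings\All Users\Start Menu\Programs\Startup\SYSTEMIL2.EXE",
        "$winDir\SYSTEMIL.EXE",
        "$sysDrive\SYSTEMIL.EXE",
        "$sysDrive\Pictures.exe",
        "$sysDrive\Documents.exe",
        "$sysDrive\Photos.exe",
        "$sysDrive\Games.exe"
    )
    foreach ($f in $files) {
        # -Force so that hidden or system-flagged files are found as well
        $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{ Type = 'File'; Location = $f; Detail = "$($item.Length) bytes" }
        }
    }

    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters' +
             '\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $values = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'SystemIL' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'SystemIL' },
        @{ Key = $fwKey; Name = "$sysDir\winlogon.exe" }
    )
    foreach ($v in $values) {
        $key = Get-Item -LiteralPath $v.Key -ErrorAction SilentlyContinue
        # Value names are compared case-insensitively, as the registry does
        if ($key -and ($key.GetValueNames() -contains $v.Name)) {
            [pscustomobject]@{ Type = 'Registry'; Location = "$($v.Key)\$($v.Name)"
                               Detail = [string]$key.GetValue($v.Name) }
        }
    }
}

$hits = @(Get-AbocIndicator)
if ($hits.Count) { $hits | Format-Table -AutoSize -Wrap }
else { 'No listed W32.Aboc artifacts found.' }
```

Run it from an elevated PowerShell prompt so the HKEY_LOCAL_MACHINE keys are readable. On 64-bit Windows, a 32-bit process writing to HKEY_LOCAL_MACHINE\SOFTWARE is redirected to the Wow6432Node view, so check that Run key as well.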

Alternative Removal Method for W32.Aboc

Option 1 : Use Windows System Restore to return Windows to previous state

If W32.Aboc enters the computer, there is a high chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a restore point saved before W32.Aboc infiltrated the PC, we highly encourage you to carry out this procedure if none of the above works. You may proceed with Windows System Restore; click here to see the full procedure.