W32.Azero.A

W32.Azero.A is a computer virus that infects executable files in specific folders on the infected machine. It may also terminate the running Windows Task Manager process.

Alias: Win32/Azero.A, W32/AutoRun-LG, W32/Wisy-Gen, Downloader.generic7.guh, Virus:win32/azero.a, W32/dloader.gghf, PE_AZERO.A

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
When first executed, this virus will create the following folders:
%UserProfile%\applications data\excel
%UserProfile%\applications data\media player
%UserProfile%\applications data\Microsoft
%UserProfile%\applications data\office
%UserProfile%\applications data\Windows
%UserProfile%\applications data\word

W32.Azero.A infects any file it finds under the Program Files folder. Compromised files are given an .EXE and/or .SCR extension.
This virus also alters registry settings to accomplish the following:

  • Hide file extensions for various file types
  • Disable the option to show hidden files and folders
  • Hide the full path from the address bar of Windows Explorer

W32.Azero.A may also replace the desktop wallpaper and the default screen saver on the infected computer with its own graphics. The images used for this payload are EMANRESU ANGEL.bmp and PEEHS ANGEL.bmp, which are located in the Microsoft folder created above.

Added Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"VisualStyle" = "%System%\desktop.sysm"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\"AlternateShell" = "%System%\commandprompt.sysm"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\"AlternateShell" = "%System%\commandprompt.sysm"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\"AlternateShell" = "%System%\commandprompt.sysm"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm\"@" = "system mechanic"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm\defaulticon\"@" = "%System%\netsetup.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm\shell\open\command\"@" = "%1"

Associated Files and Folders:
%System%\Windows 3d.scr
%System%\commandprompt.sysm
%System%\desktop.sysm
%UserProfile%\application data\Microsoft\[4 RANDOM LETTERS].exe
%System%\maxtrox.txt
%UserProfile%\Application Data\Microsoft\[4 RANDOM NUMBERS]
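As an added example (not part of the original write-up), the following Python script checks a registry export and a file listing, collected offline from a suspect machine, against the registry and file indicators listed above. The expansions of %System% and %UserProfile%, the [4 RANDOM LETTERS] and [4 RANDOM NUMBERS] names and the profile-folder layout are regular expressions chosen here as assumptions; the sample reg export text and file paths inside the script are constructed for the demonstration, not data from an infected system.

```python
# Offline triage of a `reg export` file and a file listing against the
# W32.Azero.A indicators above.  Added example, not part of the write-up;
# the sample export and file list at the bottom are constructed.
import re

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\%s\Control\SafeBoot"
CLASSES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm"

# (key, value name, data) copied from the write-up; "@" is the default value.
REGISTRY_IOCS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "VisualStyle", r"%System%\desktop.sysm"),
    (CLASSES, "@", "system mechanic"),
    (CLASSES + r"\defaulticon", "@", r"%System%\netsetup.exe"),
    (CLASSES + r"\shell\open\command", "@", "%1"),
] + [(SAFEBOOT % cs, "AlternateShell", r"%System%\commandprompt.sysm")
     for cs in ("ControlSet001", "ControlSet002", "CurrentControlSet")]

FILE_IOCS = [
    r"%System%\Windows 3d.scr", r"%System%\commandprompt.sysm",
    r"%System%\desktop.sysm", r"%System%\maxtrox.txt",
    r"%UserProfile%\application data\Microsoft\[4 RANDOM LETTERS].exe",
    r"%UserProfile%\Application Data\Microsoft\[4 RANDOM NUMBERS]",
]

# Placeholder expansions assumed for the demo (profile root covers the
# XP-era and the Vista-era layout).
PLACEHOLDERS = {
    "%System%": r"[A-Za-z]:\\[^\\]+\\system32",
    "%UserProfile%": r"[A-Za-z]:\\(?:Documents and Settings|Users)\\[^\\]+",
    "[4 RANDOM LETTERS]": r"[A-Za-z]{4}",
    "[4 RANDOM NUMBERS]": r"[0-9]{4}",
}
_SPLIT = re.compile("(" + "|".join(re.escape(p) for p in PLACEHOLDERS) + ")")

def ioc_to_regex(ioc):
    """Anchored, case-insensitive regex for one indicator string."""
    body = "".join(PLACEHOLDERS.get(p, re.escape(p)) for p in _SPLIT.split(ioc))
    return re.compile("^" + body + "$", re.IGNORECASE)

def parse_reg_export(text):
    """Parse .reg text into {key: {value name: data}}; only quoted REG_SZ
    values are decoded, which is all the indicators need."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)
            if len(data) > 1 and data[0] == data[-1] == '"':
                # .reg doubles every backslash and escapes embedded quotes
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.strip('"')] = data
    return keys

def check_registry(keys):
    """(key, value name, data) for every registry indicator present."""
    lowered = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in keys.items()}
    hits = []
    for key, name, ioc in REGISTRY_IOCS:
        data = lowered.get(key.lower(), {}).get(name.lower())
        if data is not None and ioc_to_regex(ioc).match(data):
            hits.append((key, name, data))
    return hits

def check_files(paths):
    """(path, indicator) for every path that matches a file indicator."""
    return [(p, ioc) for p in paths for ioc in FILE_IOCS if ioc_to_regex(ioc).match(p)]

def triage(reg_text, paths):
    return {"registry": check_registry(parse_reg_export(reg_text)),
            "files": check_files(paths)}

# Constructed sample: Azero entries beside benign ones (ctfmon.exe is a normal
# Run entry; cmd.exe is the stock AlternateShell).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"VisualStyle"="C:\\WINDOWS\\system32\\desktop.sysm"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\WINDOWS\\system32\\commandprompt.sysm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm]
@="system mechanic"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.sysm\shell\open\command]
@="%1"
"""

SAMPLE_FILES = [  # constructed listing of %System% and the profile folder
    r"C:\WINDOWS\system32\maxtrox.txt",
    r"C:\WINDOWS\system32\Windows 3d.scr",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Documents and Settings\alice\Application Data\Microsoft\qzxw.exe",
    r"C:\Documents and Settings\alice\Application Data\Microsoft\4821",
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_REG_EXPORT, SAMPLE_FILES).items():
        for hit in hits:
            print(kind, *hit, sep=" | ")
```

Run it as a script, or import triage() and feed it a real export and a directory listing. The SafeBoot AlternateShell entries deserve attention during clean-up: that value is the shell that Safe Mode with Command Prompt starts in place of Explorer, so a .sysm file there, combined with the .sysm association whose open command is simply "%1", means the virus is started even from that boot option, which is why the removal steps below use Safe Mode with Networking and an updated scanner rather than the command-prompt variant.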

How to Remove W32.Azero.A

1. Temporarily disable System Restore (Windows Me/XP).

2. To be able to identify even the most recent variant of W32.Azero.A, open your antivirus application and update its virus definition file.

3. Start Windows in Safe Mode with Networking.
- From a powered-off state, turn on the computer and press F8 on your keyboard repeatedly.
- The computer will display the Windows Advanced Boot Options menu. Select Safe Mode with Networking.
- Windows will now boot, loading only the necessary drivers and files.

4. Open your antivirus program and run a full system scan. After the scan, delete all infected items; if an item cannot be deleted, place it in quarantine instead. Once the scan is complete, restart the computer.
