W32.Queneethan

W32.Queneethan is a computer worm that automatically creates a malicious desktop shortcut link. It spreads over unsecured network shares and creates its own registry entries to run itself when Windows is started.

Technical Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Manual Removal of W32.Queneethan:

1. Temporarily disable System Restore (Windows Me/XP/Vista/7).
2. Update the virus definitions.
3. Restart Windows in Safe Mode.
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/modify any values added to the registry.
6. Exit the registry editor and restart Windows.

Online Virus Scanner:
It is best to run a separate scan using a free online virus scanner. It can be used without installing an additional antivirus application.

Technical Details and Additional Information:

Other functionality of this worm:
- Overwrites legitimate executable files.
- Alters Internet Explorer settings.
- Creates a copy of itself on drives found from A: to Z:

Malicious Files Added by W32.Queneethan:
%CommonProgramFiles%\Microsoft Shared\explorer.exe
%SystemDrive%\MFILES\winlogon.exe
%CommonProgramFiles%\uiui8.dll
%SystemDrive%\Documents and Settings\All Users\Desktop\Intennet Exploner.lnk
%DriveLetter%\Tencent\QQ\Bin\TaskTray.dll
%DriveLetter%\Thunder Network\Thunder\Program\mp.dll
%DriveLetter%\Shareds.dll
%DriveLetter%\autorun.inf

Associated Windows Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu\"{871C5380-42A0-1069-A2EA-08002B30309D}" = "1"
HKEY_CLASSES_ROOT\exefile\"NeverShowExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"ModRiskFileTypes" = ".exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\"WriteProtect" = "0"
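
A read-only check for the files and registry values listed above, as an added example that is not part of the original page. It assumes PowerShell is available and is run as the affected user (two of the values live under HKEY_CURRENT_USER); the variable names are this example's own.

```powershell
# Read-only check: reports which indicators from this page are present.
# It deletes and changes nothing; treat each hit as a lead for the full scan.

$fixed = @(
    "${env:CommonProgramFiles}\Microsoft Shared\explorer.exe",
    "${env:SystemDrive}\MFILES\winlogon.exe",
    "${env:CommonProgramFiles}\uiui8.dll",
    "${env:SystemDrive}\Documents and Settings\All Users\Desktop\Intennet Exploner.lnk"
)

# Entries the page lists under %DriveLetter%, checked on every mounted drive.
# autorun.inf also exists on legitimate install media, so inspect before acting.
$perDrive = @(
    'Tencent\QQ\Bin\TaskTray.dll',
    'Thunder Network\Thunder\Program\mp.dll',
    'Shareds.dll',
    'autorun.inf'
)
$roots = Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }
$paths = $fixed + @(foreach ($r in $roots) { foreach ($f in $perDrive) { Join-Path $r $f } })

foreach ($p in $paths) {
    # Test-Path also sees hidden and system files.
    if (Test-Path -LiteralPath $p -ErrorAction SilentlyContinue) { "FILE  $p" }
}

# Registry values and the data the page associates with the worm.
# The first key is spelled as Windows names it (HideDesktopIcons).
$reg = @(
    @{ Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu'
       Name = '{871C5380-42A0-1069-A2EA-08002B30309D}'; Data = '1' },
    @{ Key  = 'Registry::HKEY_CLASSES_ROOT\exefile'
       Name = 'NeverShowExt'; Data = '1' },
    @{ Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
       Name = 'ModRiskFileTypes'; Data = '.exe' },
    @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
       Name = 'WriteProtect'; Data = '0' }
)
foreach ($c in $reg) {
    $item = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }           # key or value not present
    $data = [string]$item.($c.Name)             # DWORD and string data compared as text
    if ($data -eq $c.Data) { "REG   $($c.Key)\$($c.Name) = $data" }
}
```

No output means none of the listed indicators were found for the current user and mounted drives.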
