W32.Wergimog

This article describes W32.Wergimog and provides a removal guide. Be aware that this worm infects USB drives in order to spread to other computers. It may also endanger network-shared drives.

W32.Wergimog is a computer worm with backdoor functionality. It allows a remote attacker to access the infected system. This worm usually spreads by dropping a copy of itself onto removable USB drives. W32.Wergimog uses the Windows autorun function to execute itself when the compromised drive is accessed.

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista, Windows 7

Characteristics
When executed, W32.Wergimog creates a copy of itself in the Windows and System folders under a random file name. It creates a start-up entry by modifying the Windows registry.
If the worm successfully adds the necessary registry entries, it will run every time Windows starts.

Next, the worm injects malicious code into Explorer.exe as an additional way to load itself and perform other malicious tasks.

W32.Wergimog tries to open a backdoor by connecting to a specified location over TCP port 2040 or 80. Once connected, it can carry out the following actions:

  • Download and run a malicious file
  • Flood network traffic with UDP and SYN attacks
  • Monitor and list directories on the infected computer
  • Collect the user name on the PC and send it to the remote attacker
  • Open the Internet browser to an unknown web site address

The worm also harvests sensitive information, including host names, user names, passwords and port numbers, that is stored in the following files:
%ProgramFiles%\FileZilla\sitemanager.xml
%ProgramFiles%\FileZilla\recentservers.xml

It may not directly attack Mozilla Firefox users, but part of its goal is to steal information related to this browser, including the following:

  • Current version of Firefox
  • Home page settings
  • Directory where Firefox is installed
  • Any information it can find in the Firefox SQLite databases

Distribution
W32.Wergimog typically spreads via spam email messages. It may also be dropped by other malware. Once on the computer, it attempts to spread by copying itself to removable media drives. It also places an autorun.inf file on the drive that takes advantage of the Windows autorun function to launch the worm when the infected drive is accessed.
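The following triage script is an added example written for this article, not code from the original page or from any antivirus vendor. It checks a Windows machine for the three traces described above: an autorun.inf on removable drives, Run-key start-up entries pointing into the Windows folder, and established connections on the ports the backdoor uses (2040 and 80; port 80 is only flagged when the owning process is explorer.exe, since the worm injects into Explorer). It assumes an elevated PowerShell session on Windows 8 or later (Get-NetTCPConnection and Get-CimInstance are not available on the older systems the article lists).

```powershell
# Added defender-side triage for the W32.Wergimog behaviours described in the article.
# Assumes an elevated PowerShell session on Windows 8+; nothing here modifies the system.

# 1. Removable drives (DriveType 2): report autorun.inf and the directives that launch a file.
Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 2" | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Write-Warning "autorun.inf present on removable drive $($_.DeviceID)"
        # -Force also reads the file when the worm marks it hidden/system
        Get-Content -LiteralPath $inf -Force |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
            ForEach-Object { "    $_" }
    }
}

# 2. Start-up entries: list Run-key values; flag any that launch a file from %WINDIR%
#    (the worm drops a randomly named copy in the Windows and System folders).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata properties
        $target  = [string]$p.Value
        $suspect = $target -match [regex]::Escape($env:WINDIR)
        '{0,-6} {1,-24} {2}' -f ($(if ($suspect) { 'CHECK' } else { 'ok' }), $p.Name, $target)
    }
}

# 3. Backdoor channel: established TCP connections to port 2040, or to port 80 from explorer.exe.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process = $proc.ProcessName
            PID     = $_.OwningProcess
            Port    = $_.RemotePort
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } |
    Where-Object { $_.Port -eq 2040 -or ($_.Port -eq 80 -and $_.Process -eq 'explorer') } |
    Format-Table Process, PID, Remote -AutoSize
```

On Windows 7 and earlier, replace the Get-CimInstance call with Get-WmiObject and the connection check with `netstat -ano`, matching the PID column against Task Manager. A hit in any of the three checks is a lead for the manual removal steps below, not proof of infection on its own; confirm with an up-to-date antivirus scan.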


How to Remove W32.Wergimog

1. Temporarily disable System Restore (Windows Me/XP). [how to]
2. Open your antivirus application and update the virus definitions. This ensures that your antivirus program can detect even the newest variants of W32.Wergimog.

3. Start Windows in Safe Mode with Networking.
- From a powered-off state, turn on the computer and press F8 repeatedly.
- Your computer will display the Windows Advanced Boot Options menu. Select Safe Mode with Networking.
- The system will boot Windows loading only the necessary drivers and system files.

4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If they cannot be deleted, place them in quarantine instead. Once the scan is complete, proceed with the next step.

Online Virus Scanner:

Another way to remove W32.Wergimog without installing an additional antivirus application is to perform a thorough scan with a free online virus scanner, which can be found here or on the websites of legitimate anti-virus and security providers.

5. Go to the Online Virus Scanner list and run a virus scan. This may require plug-ins, add-ons or an ActiveX object; install them if you want to proceed with the scan.
6. After completing the necessary downloads, your system is ready for online virus scanning.
7. Select the option that scans the computer thoroughly, so that it finds and removes all infections not detected by the previous scan.
8. Remove or delete all detected items.
9. When scanning is finished, restart the computer in normal mode.

Alternative Removal Method for W32.Wergimog

Option 1 : Use Windows System Restore to return Windows to previous state

If W32.Wergimog enters the computer, there is a high chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date; it also replaces compromised files with clean versions. If you have a restore point saved from before W32.Wergimog infiltrated the PC, we highly encourage you to use this procedure if none of the above works. To proceed with Windows System Restore, click here to see the full procedure.

Option 2 : W32.Wergimog manual uninstall guide

IMPORTANT! Manual removal of W32.Wergimog requires technical skills. Deleting system files or registry entries by mistake may leave Windows completely unusable. We advise you to back up the registry before proceeding with this guide.

1. Kill any running process that belongs to W32.Wergimog.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for W32.Wergimog processes (refer to the Technical Reference) and click End Process.

End Task

2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This opens the registry editor.
- Find and delete the registry entries listed in the Technical Reference section below.
- Close the registry editor. Changes are saved automatically.

Run Regedit

3. Scan the computer with an antivirus program.
- Connect to the Internet and open your antivirus software. Update it to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before the Windows logo begins to load, press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.

4. Delete all files dropped by W32.Wergimog.
- While still in Safe Mode, search for and delete the malicious files listed in the 'Technical Reference'. Make sure you have ended the process ('End Task') before deleting its file; otherwise, the system will not let you perform this action.

Technical Reference

Associated Files and Folders:

Added Registry Entries: