W32.Gudek
W32.Gudek is a worm that propagates by sending emails containing malicious attachments. The worm may spread locally by injecting itself to various files including .DOC, .XLS, .PPT, .JPG, .MP3, .MPG and so on.
Alias: W32/Tiotua-P, Trojan.Win32.Autoit.aq
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
W32.Gudek will infect selected files on removable media drives. Then it will inject a code “Locked by Mr. Guddu”.
The worm also displays fake alert on system tray of Windows containing the following messages:
Warning!
You are infected by Unknown Virus! Contact with Mr. Guddu! Mail at mr.guddu.bd@gmail.com
Some other things that W32.Gudek can do to an infected computer are disabling security and system tools application, preferably to prevent users from removing the worm manually or automatically. Some of the items it can render useless are the following:
- Registry Editor
- Security Options
- Group Policy
- DOS Command
- Task Manager
- Folder Options
- Schedule
Distribution
W32.Gudek attempts to propagate via network shared drives and peer-to-peer file-sharing applications
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System Init" = "%System%\Sÿstem.exe" HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBootAlternate\"AlternateShell" = "%System%\Sÿstem.exe" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBootAlternate\"AlternateShell" = "%System%\Sÿstem.exe" HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe Sÿstem.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\explore\command\"@" = "Sÿstem.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\Explorer\command\"" = "Sÿstem.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shell\Open With\command\"" = "Sÿstem.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"1" = "Wincmd.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"2" = "zlclient.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"3" = "nvprotect.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"4" = "Regworkshop.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"5" = "Mcshield.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"6" = "avp.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"7" = "ccprovsp.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"8" = "Attrib.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"DisallowRun" = "1" HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\"shared" = "\Documents.exe" HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"DisallowRun" = "1" HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"1" = "Wincmd.exe" HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"2" = "zlclient.exe" HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"3" = "nvprotect.exe" HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"4" = "Regworkshop.exe" HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"5" = "Mcshield.exe" HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"6" = "avp.exe" HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"7" = "ccprovsp.exe" HKEY_CURRENT_USER\S-1-5-21-1343024091-1336601894-839522115-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"8" = "Attrib.exe"Associated Files and Folders:
C:\Documents and Settings\All Users\My Documents\Sÿstem.exe %ProgramFiles%\Sÿstem.exe %System%\Sÿstem.exe %System%\Winnt.sys %SystemDrive%:\Autoexec.bat %SystemDrive%:\New Folder.exe %SystemDrive%:\WinSys.sys %SystemDrive%:\bootsect.exe %DriveLetter%\Sÿstem.exe %DriveLetter%\autorun.inf [Network Drive]:\Documents.exe %Windir%\Sÿstem.exe %Windir%\Winnt.sys %Windir%\Tasks\At1.job %Windir%\Tasks\At2.job %Windir%\Tasks\At3.job %Windir%\Tasks\At4.job %Windir%\Tasks\At5.job %Windir%\Tasks\At6.job %Windir%\Tasks\At7.job %Windir%\Tasks\At8.job %Windir%\Tasks\At9.job %Windir%\Tasks\At10.job
How to Remove W32.Gudek
1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. To be able to identify even the most recent variant of W32.Gudek, open your antivirus application and update the virus definition file.
3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display Windows Advanced Boot Options menu. Please select Safe Mode with Networking.
- The system will now boot Windows and loads only necessary drivers and files.
4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If unable to delete, better place them in quarantine. Once the scan is complete, please proceed with the next step.
Scan with Norton Power Eraser:
Additional virus removal tool like Norton Power Eraser provides deep scanning technology to eliminate other threats not detected by a normal virus scan. Use this tool with extra caution.
5. Go to Norton Power Eraser web page and download the tool.
6. Once the download completes, double click on the file NPE.exe to run the program.
7. It will prompt for End User License Agreement, click on Accept to continue.
8. On NPE main window, click on Scan. Then select Exclude Rootkit Scan. Click on Continue to proceed.
9. Virus scanning may take some time. After running the scan, NPE will display the scan result.
Important! If there are any detected threats under Suspicious, remove the check mark. Only threats in Detected category are necessary to remove at this point. Make sure that you mark the Create System Restore Point before proceeding with the fix.
10. Now click on Fix to start removing the threats including W32.Gudek remnants if there are any.
11. When done, Norton Power Eraser will restart the computer. Then after a reboot, it will initialize and display the eliminated threats.
12. You may now close Norton Power Eraser.
Mahmud Jami
May 10, 2008 @ 03:36:43
Hi,
This virus “W32.Gudek” deleted my all ms-office files, and other important files. How I can recover my files?
Jami