W32.Iretsim

W32.Iretsim propagates by copying itself to removable media devices and can stop security-related processes on the infected computer. On each drive it locates, the worm drops an autorun.inf file so that its copy is launched as soon as the drive is accessed.

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Technical Details and Additional Information:

What can W32.Iretsim do to an infected system?
- The worm disables Windows functions such as System Restore and the Explorer Folder Options dialog.
- It modifies the registry so that it runs during Windows start-up.
- It hides certain files it has dropped, such as wupdmgr.exe, msvbvm60.dll and msgsvc.exe.

Malicious Files Added by W32.Iretsim
%DriveLetter%\Ketemu_Pocong_Di_Rumah_Sakit.scr
%DriveLetter%\Ketemu_Pocong_Di_Rumah_Sakit.pdf
%DriveLetter%\Kumpulan_Cerita_S-x_Education.scr
%DriveLetter%\Kumpulan_Cerita_S-x_Education.pdf
%DriveLetter%\Kumpulan_Kisah_Kisah_Misteri.scr
%DriveLetter%\Kumpulan_Kisah_Kisah_Misteri.pdf
%DriveLetter%\Misteri_Hilangnya_Pesawat_Adam_Air.scr
%DriveLetter%\Misteri_Hilangnya_Pesawat_Adam_Air.pdf
%DriveLetter%\Games Windows\Ramal Jodoh.pif
%DriveLetter%\Games Windows\Game Kartu.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Update.lnk
%ProgramFiles%\WindowsUpdate\wupdmgr.exe
%ProgramFiles%\msvbvm60.dll
%Windir%\system32\msgsvc.exe
%Windir%\J_06_JA.pdf
%Windir%\msvbvm60.dll
%Windir%\system32\sol.exe

Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\"UncheckedValue" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\"UncheckedValue" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"RegisteredOrganization" = "G04T-70674K412T4"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"RegisteredOwner" = "Kota Gudeg"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
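The registry values and dropped files listed above can be checked on a suspected host with a report-only audit script. The script below is an added example, not tooling from this write-up or its vendor; it assumes an elevated PowerShell session, covers only the executable file names from the drive-root list, and deliberately skips sol.exe for the reason given in its comment.

```powershell
# Report-only audit for the W32.Iretsim indicators listed in the write-up (added example).
# Run from an elevated PowerShell prompt; it changes nothing, it only reports what it finds.
$registryIndicators = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride'; Bad = '1' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride'; Bad = '1' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt'; Name = 'UncheckedValue'; Bad = '1' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'; Name = 'UncheckedValue'; Bad = '0' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'; Name = 'RegisteredOwner'; Bad = 'Kota Gudeg' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt'; Bad = '1' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Bad = '0' }
)
# Dropped files at fixed locations. sol.exe is omitted on purpose: Windows XP ships its legitimate
# Solitaire as %Windir%\system32\sol.exe, so presence alone proves nothing; leave that one to the AV scan.
$droppedFiles = @(
    (Join-Path $env:ProgramFiles 'WindowsUpdate\wupdmgr.exe')
    (Join-Path $env:ProgramFiles 'msvbvm60.dll')
    (Join-Path $env:windir 'system32\msgsvc.exe')
    (Join-Path $env:windir 'J_06_JA.pdf')
    (Join-Path $env:windir 'msvbvm60.dll')
    (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'Windows Update.lnk')
)
# Names the worm drops in the root of every drive it reaches, plus the autorun.inf that launches them.
$driveRootNames = @('autorun.inf', 'Ketemu_Pocong_Di_Rumah_Sakit.scr', 'Kumpulan_Cerita_S-x_Education.scr',
    'Kumpulan_Kisah_Kisah_Misteri.scr', 'Misteri_Hilangnya_Pesawat_Adam_Air.scr',
    'Games Windows\Ramal Jodoh.pif', 'Games Windows\Game Kartu.exe')

function Find-IretsimIndicators {
    foreach ($r in $registryIndicators) {
        # A missing key or value simply means "not present", so errors are suppressed.
        $item = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and "$($item.$($r.Name))" -eq $r.Bad) {
            [pscustomobject]@{ Kind = 'Registry'; Location = "$($r.Path)\$($r.Name)"; Observed = $r.Bad }
        }
    }
    # Test-Path sees hidden files, so the worm's hidden-attribute trick does not evade this check.
    foreach ($f in $droppedFiles) {
        if (Test-Path -LiteralPath $f) {
            [pscustomobject]@{ Kind = 'File'; Location = $f; Observed = 'present' }
        }
    }
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($n in $driveRootNames) {
            $p = Join-Path $drive.Root $n
            if (Test-Path -LiteralPath $p) {
                [pscustomobject]@{ Kind = 'File'; Location = $p; Observed = 'present' }
            }
        }
    }
}

$hits = @(Find-IretsimIndicators)
if ($hits.Count -eq 0) { 'No W32.Iretsim indicators found.' } else { $hits | Format-Table -AutoSize }
```

A hit on the Explorer or Security Center values alone is not conclusive, since users and other software also change them; treat those as corroborating evidence beside the file and RegisteredOwner hits.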

W32.Iretsim – Removal

Removing W32.Iretsim Manually:
1. If using Windows ME or XP, disable System Restore first so that the threat cannot be restored from a restore point.
2. Update the virus definitions.
3. Reboot Windows in Safe Mode.
4. Run a full system scan and clean or delete all infected files.
5. Delete or modify the registry values the worm added (listed above).
6. Exit the registry editor and restart Windows.

Anti-virus Tools

Online Virus Scanner:
An online virus scanner provides scan and clean functions much like installed anti-virus software, without the need to install an additional AV product. Perform a thorough scan with a free online virus scanner from the website of a legitimate security software provider.

Scan with Norton Power Eraser:
Norton Power Eraser is a virus removal tool created by Norton Antivirus to remove unfamiliar threats without relying on traditional AV signatures. Download the tool from the vendor's site and scan the computer for viruses.
