W32.Niuniu

W32.Niuniu can propagate via unsecured network shares and removable media storage devices by means of infected .html files. It copies itself to available removable media devices and also drops an autorun.inf file that points to a hidden .exe file.

Technical Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Manual Removal of W32.Niuniu:

1. Temporarily disable System Restore (Windows Me/XP/Vista/7).
2. Update the virus definitions.
3. Restart Windows in Safe Mode.
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/modify any values added to the registry.
6. Exit registry editor and restart Windows.

Online Virus Scanner:
Another way to remove a virus without installing an additional anti-virus application is to perform a thorough scan with a free online virus scanner, which can be found on the websites of legitimate anti-virus and security providers.

Technical Details and Additional Information:

Other functionalities of this Trojan:
- Infects files named *.HTM, CONN.ASP, DEFAULT.ASP, DEFAULT.PHP, INDEX.ASP and INDEX.PHP.
- Deletes all .GHO files found on the infected computer.
- Opens Internet Explorer and redirects it to an unsolicited location.

Malicious Files Added by W32.Niuniu:
%System%\crsss.exe
%DriveLetter%:\niu.exe
%DriveLetter%:\autorun.inf

Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"(Default)" = "C:\WINDOWS\system32\crsss.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\"DisableWindowsUpdateAccess" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
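
The file and registry entries listed above can be checked in one pass before step 5 of the manual removal. The following read-only PowerShell script is an added example, not part of the original write-up or any vendor tool. It assumes the standard "CurrentVersion" key spelling, matches the Run value on the file name crsss.exe rather than the full C:\WINDOWS path, and uses variable names chosen here for illustration.

```powershell
# Read-only check for the W32.Niuniu indicators listed on this page. It changes nothing.
# Added example: variable names and the wildcard match on crsss.exe are assumptions.
$cv = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$regChecks = @(
    @{ Path = "HKLM:\$cv\Run"; Name = ''; Bad = '*\crsss.exe' },   # '' = (Default) value
    @{ Path = "HKLM:\$cv\Explorer\Advanced\Folder\Hidden\SHOWALL"; Name = 'CheckedValue'; Bad = '0' },
    @{ Path = "HKCU:\$cv\Policies\WindowsUpdate"; Name = 'DisableWindowsUpdateAccess'; Bad = '1' },
    @{ Path = "HKCU:\$cv\Policies\System"; Name = 'DisableTaskMgr'; Bad = '1' }
)
$findings = @()
foreach ($c in $regChecks) {
    $key = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
    if (-not $key) { continue }                      # key absent: nothing to report
    $value = $key.GetValue($c.Name)                  # works for strings and DWORDs
    $label = if ($c.Name) { $c.Name } else { '(Default)' }
    if ($null -ne $value -and "$value" -like $c.Bad) {
        $findings += "REGISTRY  $($c.Path)\$label = $value"
    }
}

# %System%\crsss.exe
$sys = Join-Path ([Environment]::SystemDirectory) 'crsss.exe'
if (Test-Path -LiteralPath $sys) { $findings += "FILE      $sys" }

# %DriveLetter%:\niu.exe and %DriveLetter%:\autorun.inf on every mounted drive root
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'niu.exe', 'autorun.inf') {
        # -Force is required because the dropped files may carry the Hidden attribute
        $item = Get-Item -LiteralPath (Join-Path $drive.Root $name) -Force -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        $note = ''
        if ($name -eq 'autorun.inf') {
            # autorun.inf also has legitimate uses, so list its launch lines for review
            $note = (Select-String -LiteralPath $item.FullName -Pattern '^\s*(open|shellexecute|shell\\.+\\command)\s*=' |
                     ForEach-Object { $_.Line.Trim() }) -join '; '
        }
        $findings += "FILE      $($item.FullName) [$($item.Attributes)] $note"
    }
}

if ($findings) { $findings } else { 'No W32.Niuniu indicators from this page were found.' }
```

An autorun.inf hit on its own is not proof of infection; review the launch lines it prints and check whether they reference niu.exe.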