W32.Racita.A
W32.Racita.A is a worm that propagates by copying itself to mapped network drives. Affected drives receive a background image assigned by the worm. W32.Racita.A also lowers the security posture of the compromised system by terminating security-related processes.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Technical Details and Additional Information:
What can W32.Racita.A do to an infected system?
- Disables System Restore by deleting the file %System%\rstrui.exe.
- Creates an autorun.inf file so that the worm runs when the drive is accessed.
- Sets a background .JPG image on the affected drive.
Malicious Files Added by W32.Racita.A
%Temp%\[RANDOM FILE NAME].bat
%Windir%\system32\readme.exe
C:\Documents and Settings\All Users\Application Data\foto.jpg
%DriveLetter%\foto.jpg
%DriveLetter%\desktop.ini
%DriveLetter%\Love_Girl.doc.exe
%DriveLetter%\Dark_Song.doc.exe
%DriveLetter%\Poopie.doc.exe
%DriveLetter%\Practica-1.doc.exe
Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"eomsistem" = "%Windir%\system32\readme.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"disabletaskmgr" = "1"
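The indicators above can be checked on a suspect host before manual removal. The following PowerShell script is an added example, not part of this advisory or of any vendor tool; it only reports what it finds and assumes the value name "eomsistem" and the file names exactly as listed above. Run it from an elevated PowerShell session.

```powershell
# Added example: report W32.Racita.A indicators on this host (detection only).
$findings = @()

# Persistence: Run value "eomsistem" pointing at %Windir%\system32\readme.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'eomsistem' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value eomsistem = $($run.eomsistem)" }

# Task Manager disabled through the per-user policy key
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableTaskMgr -eq 1) { $findings += 'DisableTaskMgr = 1' }

# Dropped binary present, System Restore UI deleted
$readme = Join-Path $env:WINDIR 'system32\readme.exe'
if (Test-Path -LiteralPath $readme) { $findings += "Dropped file present: $readme" }
$rstrui = Join-Path $env:WINDIR 'system32\rstrui.exe'
if (-not (Test-Path -LiteralPath $rstrui)) { $findings += "rstrui.exe missing: $rstrui" }

# Background image dropped in the All Users profile (path as listed above)
$foto = 'C:\Documents and Settings\All Users\Application Data\foto.jpg'
if (Test-Path -LiteralPath $foto) { $findings += "Dropped image: $foto" }

# Per-drive artefacts on the root of every file-system drive, mapped drives included.
# autorun.inf and desktop.ini can also be legitimate, so their contents are shown for review.
$driveFiles = 'autorun.inf', 'foto.jpg', 'desktop.ini',
              'Love_Girl.doc.exe', 'Dark_Song.doc.exe', 'Poopie.doc.exe', 'Practica-1.doc.exe'
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in $driveFiles) {
        $path = Join-Path $drive.Root $name
        if (Test-Path -LiteralPath $path) {
            $findings += "Drive artefact: $path"
            if ($name -in 'autorun.inf', 'desktop.ini') {
                Get-Content -LiteralPath $path -ErrorAction SilentlyContinue |
                    ForEach-Object { $findings += "    $name> $_" }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Racita.A indicators found.'
} else {
    Write-Output 'Possible W32.Racita.A indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A clean report does not prove the host is uninfected (file names can vary between samples); treat any hit as a reason to follow the removal steps below.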
W32.Racita.A – Removal
Removing W32.Racita.A Manually:
1. If using Windows ME or XP, System Restore must be disabled to prevent the threat from restoring itself. [Windows XP System Restore]
2. Update the virus definitions.
3. Reboot Windows in SafeMode [how to]
4. Run a full system scan and clean or delete all infected files.
5. Delete/Modify any values added to the registry. [how to edit registry]
6. Exit registry editor and restart Windows.
Anti-virus Tools
Scan with Norton Power Eraser:
Norton Power Eraser is a virus removal tool created by Norton Antivirus to remove unfamiliar threats without using the traditional AV signatures. Download the tool and start scanning with Norton Power Eraser.
Scan with Portable Antivirus:
Most of the time, a Trojan associated with a rogue program will disable Windows functionality and prevent the compromised computer from executing any application, including a locally installed antivirus program. If this happens, you can try using McAfee's portable antivirus tool, Stinger. It can be downloaded for free.