W32.Sillyban.A
W32.Sillyban.A propagates by copying itself to unsecured mapped network drives. It may display warning messages if the infected computer visits Orkut or YouTube pages. W32.Sillyban.A creates numerous malicious files and modifies the Windows registry so that it runs when Windows starts. It also monitors the browser window title to check whether it belongs to Mozilla Firefox. The message it displays contains this text:
“USE INTERNET EXPLORER YOU DOPE, I DONT HATE MOZILLA BUT USE IE OR ELSE…”
If Orkut or YouTube pages were visited, the worm will display the following messages accordingly:
“Orkut is BANNED you fool, The administrators didn’t write this program guess who did?”
“YouTube is BANNED you fool, The administrators didn’t write this program guess who did?”
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
How to Remove W32.Sillyban.A:
FIRST AID TO STOP W32.Sillyban.A:
If this virus has infected the system, the registry and legitimate Windows files are also compromised. System Restore can reinstate clean system files by restoring the configuration to an earlier date. If a restore point was created before the infection with W32.Sillyban.A, restore Windows to that previous configuration.
MANUAL REMOVAL OF W32.Sillyban.A:
1. Update installed anti-virus application to have the latest definition file.
2. Reboot Windows in Safe Mode
- After turning on the power, press F8 on the keyboard.
- Select Safe Mode from the menu.
3. Thoroughly scan the system and clean/delete all infected file(s).
4. Delete/Modify any values added to the registry if present.
- Click on Start. Search for or run regedit.exe to open Registry Editor.
Note: You may refer to links on sidebar for a complete tutorial on Safe Mode and Registry Editor.
5. Exit registry editor and restart Windows.
ADDITIONAL TOOLS AND PROGRAMS:
Scan with Norton Power Eraser:
Norton Power Eraser is a free removal tool from Norton Antivirus, developed to remove viruses and unfamiliar threats without relying on traditional AV signatures. Download the tool from this location and start scanning the computer for viruses.
Technical Details and Additional Information:
Other functionalities of this Trojan:
- This worm can close any active window and play an .MP3 audio file.
- It places an autorun.inf file on each drive so that it executes when the drive is accessed.
- W32.Sillyban.A also duplicates itself on any drive as a text file named reproduce.txt.
Malicious Files Added by W32.Sillyban.A:
C:\heap41\2.mp3
C:\heap41\autorun.inf
C:\heap41\drivelist.txt
C:\heap41\reproduce.txt
C:\heap41\script1.txt
C:\heap41\std.txt
C:\heap41\svchost.exe
C:\heap41\offspring\autorun.inf
%Temp%\MicrosoftPowerPoint\2.mp3
%Temp%\MicrosoftPowerPoint\drivelist.txt
%Temp%\MicrosoftPowerPoint\Icon.ico
%Temp%\MicrosoftPowerPoint\Install.txt
%Temp%\MicrosoftPowerPoint\pathlist.txt
%Temp%\MicrosoftPowerPoint\svchost.exe
%UserProfile%\Start Menu\Programs\Startup\.lnk
File Location for Windows Versions:
- %Temp% for all versions of Windows can be found on C:\Windows\Temp
Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"status" = "present"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"winlogon" = "C:\heap41a\svchost.exe C:\heap41a\std.txt"
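A read-only way to check a machine for the files and registry values listed above, written as an added PowerShell example that is not part of the original write-up or any vendor tool. It assumes the Run key is spelled CurrentVersion and, as a further assumption, also looks in the per-user TEMP folder; it reports hits and changes nothing.

```powershell
# Read-only check for the W32.Sillyban.A indicators listed above (added example).
# Nothing is deleted or changed; every hit is reported for manual review.
$heapFiles = '2.mp3','autorun.inf','drivelist.txt','reproduce.txt','script1.txt',
             'std.txt','svchost.exe','offspring\autorun.inf'
$tempFiles = '2.mp3','drivelist.txt','Icon.ico','Install.txt','pathlist.txt','svchost.exe'

# The page gives %Temp% as C:\Windows\Temp; checking the per-user TEMP too is an assumption.
$tempRoots = @($env:TEMP, 'C:\Windows\Temp') | Where-Object { $_ } | Select-Object -Unique

$paths  = @($heapFiles | ForEach-Object { "C:\heap41\$_" })
$paths += @(foreach ($root in $tempRoots) {
    $tempFiles | ForEach-Object { "$root\MicrosoftPowerPoint\$_" }
})
# Drive roots: autorun.inf also exists on legitimate media, so these hits need review.
$paths += @(foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    'autorun.inf','reproduce.txt' | ForEach-Object { Join-Path $drive.Root $_ }
})

# Registry path as on the page, with the key spelled CurrentVersion.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$run    = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue

$findings = @(
    foreach ($path in $paths) {
        # -Force so hidden or system attributes cannot hide a file from the check
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{ Type = 'File'; Location = $item.FullName
                               Detail = "$($item.Length) bytes, modified $($item.LastWriteTime)" }
        }
    }
    foreach ($name in 'status','winlogon') {
        # Report the value data as found; the page lists C:\heap41a\ for "winlogon"
        $value = if ($run) { $run.PSObject.Properties[$name] }
        if ($value) {
            [pscustomobject]@{ Type = 'Registry'; Location = "$runKey\$name"; Detail = $value.Value }
        }
    }
)

if ($findings.Count) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'None of the listed W32.Sillyban.A indicators were found.'
}
```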
Squad
Oct 23, 2007 @ 07:16:32
Just wanted to say thanks for your help, because you gave a big help solving this problem, and what is more important is
IT just takes a minute to do.
THANK YOU
Manmath Kirsan
Nov 10, 2007 @ 13:57:32
Hi, thanks for the information and the procedures given. It helped to solve my problem. Great job.
Thanks
Yuvraj
Nov 28, 2007 @ 10:32:44
Hey… Thanks!!!
Was a bit apprehensive about trying this because I know squat about messing with the registry and stuff, but it worked just fine!
Cheers!
Attu
Dec 02, 2007 @ 11:01:02
Man… thanks a lot for this help, but I don’t know how to restore the registry entry. The one with original value zero
precisesecurity
Dec 04, 2007 @ 00:43:46
Attu, if you cannot see that entry then I guess there’s no need to execute the modification.
Trupti
Dec 18, 2007 @ 17:30:20
Thanks a lot for the detailed procedure. It helped solve the problem. Well, it definitely took a while for me as my USB keyboard does not work at boot time to press F8, so I used the msconfig option to boot in safe mode, and my mouse did not work in safe mode so it was a bit difficult operating with keyboard only. But all done, and problem solved. Thanks a lot again!
Adrian Blake
Jun 20, 2008 @ 09:29:51
Thanks a lot. I was apprehensive about going into “Safe Mode”; however, it worked and I much appreciate your help. I only need to find out now how I got it. Can’t see a reason here yet. I’ll investigate.
RocknPop
From UK…in KSA.
Amrish Patel
Jul 23, 2008 @ 11:28:39
I want to say thanks for your help. Because you gave a big help solving this problem and what is more important is IT people just take a minute to do.
anandhi
Sep 23, 2008 @ 11:38:14
Thanks this helped to remove the worm from my system.
But I am still not able to connect to my printer and shared networks.
I have mapped some remote drives also – that also gives me an error
“The network Path not found”
Please help me recover from this.
rjroopam
Nov 01, 2008 @ 17:47:47
Yes, this really helped. I was a bit apprehensive before but it went smoothly.
Thank you very much.
God bless
katarina
Jan 06, 2009 @ 12:27:50
Thank you so much, you’re a life saver!