W32.Usbwatch

W32.Usbwatch is a worm that propagates by copying itself to removable USB devices and unsecured network drives. W32.Usbwatch steals the user name and password from the compromised system and gathers network configuration and information. An autorun.inf file is created to run the worm each time the drive is accessed.

Alias: W32/AutoRun-NV

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Technical Details and Additional Information:

What can W32.Usbwatch do to an infected system?
- Copies itself to all removable drives found on the infected system.
- Gathers information such as account name, running programs and hardware information.
- Monitors drives C through H.

Malicious Files Added by W32.Usbwatch
%UserProfile%\Local Settings\Temp\devwinmgmt.msc
%UserProfile%\Temp\getself.bat
%CurrentFolder%\explore.exe
%CurrentFolder%\wauclt.exe
%CurrentFolder%\svchost.exe
%CurrentFolder%\svchost2.exe
%DriveLetter%\vmc[THREE RANDOM LETTERS].exe
%DriveLetter%\Autorun.inf

Associated Windows Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "0"
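
The file and registry indicators listed above can be turned into a small offline triage check over a collected file listing and registry export. This is an added example, not code from the original page; the function name triage, the verdict labels, the HKCU abbreviation and the sample input are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators copied from the file and registry lists on this page.
# "THREE RANDOM LETTERS" is assumed to mean ASCII letters, any case.
WORM_EXE = re.compile(r"^vmc[a-z]{3}\.exe$", re.IGNORECASE)
TEMP_SUFFIXES = (r"\local settings\temp\devwinmgmt.msc", r"\temp\getself.bat")
# HKCU is used here as shorthand for HKEY_CURRENT_USER.
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
REG_VALUES = {(ADVANCED, "ShowSuperHidden"), (ADVANCED, "Hidden"),
              (POLICIES, "NoDriveTypeAutoRun")}


def triage(paths, registry):
    """paths: iterable of Windows path strings; registry: {(key, name): data}."""
    drives = {}      # drive letter -> matching file names found in its root
    temp_hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if raw.lower().endswith(TEMP_SUFFIXES):
            temp_hits.append(raw)
        # Only files sitting directly in a drive root count as drive indicators.
        if len(p.parts) == 2 and p.drive:
            if WORM_EXE.match(p.name) or p.name.lower() == "autorun.inf":
                drives.setdefault(p.drive.upper(), []).append(p.name)
    # A root holding both a vmc???.exe copy and Autorun.inf matches the listing
    # above; Autorun.inf on its own is common on clean media.
    infected = sorted(d for d, names in drives.items()
                      if any(WORM_EXE.match(n) for n in names)
                      and any(n.lower() == "autorun.inf" for n in names))
    # Registry values are supporting evidence only: they can be 0 on a clean host.
    reg_hits = sorted(name for (key, name), data in registry.items()
                      if (key, name) in REG_VALUES and str(data).strip() == "0")
    if infected:
        verdict = "likely"
    elif temp_hits or len(reg_hits) == len(REG_VALUES):
        verdict = "review"
    else:
        verdict = "clean"
    return {"drives": infected, "temp": temp_hits,
            "registry": reg_hits, "verdict": verdict}


# Constructed sample input (not taken from a real host).
SAMPLE_PATHS = [
    r"E:\Autorun.inf", r"E:\vmcqzt.exe", r"F:\autorun.inf",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\devwinmgmt.msc",
]
SAMPLE_REGISTRY = {(ADVANCED, "Hidden"): 0, (ADVANCED, "ShowSuperHidden"): 0,
                   (POLICIES, "NoDriveTypeAutoRun"): "0"}

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_REGISTRY))
```

The generic dropped names (explore.exe, wauclt.exe, svchost.exe, svchost2.exe) are left out of the match on purpose, because the page gives no fixed folder for them and svchost.exe also exists as a legitimate Windows file.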

W32.Usbwatch – Removal

Removing W32.Usbwatch Manually:
1. If using Windows ME or XP, System Restore must be disabled to prevent the threat from restoring itself.
2. Update the virus definitions.
3. Reboot Windows in Safe Mode.
4. Run a full system scan and clean/delete all infected files.
5. Delete/modify any values added to the registry.
6. Exit the registry editor and restart Windows.

Anti-virus Tools

Online Virus Scanner:
An online virus scanner can provide scan and clean functions just like any anti-virus software, without the need to install an additional AV product. Perform a thorough scan with a free online virus scanner, which can be found on the websites of legitimate security software providers.

Scan with Norton Power Eraser:
Norton Power Eraser is a virus removal tool created by Norton Antivirus to remove unfamiliar threats without using the traditional AV signatures. Download the tool and start scanning with Norton Power Eraser.