WORM_OTORUN.PSQ

October 08, 2012

Analysis by: jasperm

PLATFORM:

Windows 2000, XP, Server 2003

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

Threat Type: Worm
Destructiveness: No
Encrypted: Yes
In the wild: Yes

OVERVIEW

This worm may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It may create registry entries under a certain registry key.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

TECHNICAL DETAILS

File Size:

287,566 bytes

Memory Resident:

Yes

Initial Samples Received Date:

10 Nov 2010

Payload:

Modifies system registry, Hides files and processes

Arrival Details

This worm may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system:

%Application Data%\Java\?shimgvw?.exe
%Application Data%\Java\?Jview?.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{User name}? = %Application Data%\Java\?shimgvw?.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
jre? = %Application Data%\Java\?Jview?.exe

Other System Modifications

This worm modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control
WaitToKillServiceTimeout = 2000

(Note: The default value data of the said registry entry is 20000.)

HKEY_CLASSES_ROOT\jpegfile\DefaultIcon
@ = %pplication Data%Java\?shimgvw?.exe,0

(Note: The default value data of the said registry entry is shimgvw.dll,3.)

HKEY_CURRENT_USER\Control Panel\Desktop
AutoEndTasks = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Control Panel\Desktop
HungAppTimeout = 400

(Note: The default value data of the said registry entry is 5000.)

HKEY_CURRENT_USER\Control Panel\Desktop
WaitToKillAppTimeout = 400

(Note: The default value data of the said registry entry is 20000.)

It also creates the following registry entry(ies) as part of its installation routine:

HKEY_CLASSES_ROOT\exefile
NeverShowExt =

HKEY_CLASSES_ROOT\jpegfile
NeverShowExt =

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = 0

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = 1

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
SuperHidden = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0

(Note: The default value data of the said registry entry is 1.)

It may create registry entries under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirstRunDisabled = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ansavgd
Debugger = "cmd.exe /c del /f /q "

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
attrib.exe
Debugger = "rundll32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
autorunme.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
blastclnn.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
blastclnnn.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
cscript.exe
Debugger = "rundll32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
egui.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
EHttpSrv.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ekrn.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
ise32.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
MSASCui.exe
Debugger = "rundll32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Nbrowser.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
New Folder.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Njeeves.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
nod32.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
nod32krn.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
nod32kui.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
npcsvc32.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
npc_login.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
npc_tray.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
npflgutl.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
npfports.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
npfrules.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
npfsvc32.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
npfuser.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
npfwiz.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
nprosec.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
nuaa.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
Nvcoa.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
nvcsched.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
nvoy.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
reg32.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
rtpsvc.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
scsaver.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SSCVIHOST.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
wscript.exe
Debugger = "rundll32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
npflgutl.exe
Debugger = "cmd.exe /c del /f /q"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirstRunDisabled = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UpdatesDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UacDisableNotify = 1

Propagation

This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

;{garbage}
[Autorun]
;{garbage}
UseAutoPlay=1
;{garbage}
Action=Open folder to view files
;{garbage}
Open=RECYCLER\thumbs.db
;{garbage}
Shell\Open\Default=1
;{garbage}
Shell\Explore\Command=RECYCLER\thumbs.db
;{garbage}

Other Details

Based on analysis of the codes, it has the following capabilities:

It creates registry entries to disable Security Center functions.
It creates registry entries to prevent execution of certain files types.

It does the following:

It creates a folder named RECYLER in the following folder which is the Microsoft CD Burning folder:
- %Temp%\Application Data\Microsoft\CD Burning
It then drops a copy of itself in the said folder as &"thumbs.db&". It also drops an AUTORUN.INF file in the above mentioned folder.
If a user uses the Microsoft CD burning feature to burn files to a CD, the added files, including a copy of itself are also burned to the CD.
It creates the following registry to disable Security Center functions:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusOverride = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallOverride = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UacDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirstRunDisabled = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
AntiVirusOverride = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
AntiVirusDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
FirewallDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
FirewallOverride = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
UpdatesDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
UacDisableNotify = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
FirstRunDisabled = 1
It creates the following registry entries to prevent execution of certain files types:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansavgd
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe
Debugger = "rundll32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunme.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blastclnn.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blastclnnn.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe
Debugger = "rundll32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHttpSrv.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ise32.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
Debugger =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nbrowser.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\New Folder.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npcsvc32.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npc_login.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npc_tray.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npflgutl.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfports.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfrules.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfsvc32.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfuser.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfwiz.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprosec.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoa.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvcsched.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvoy.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg32.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtpsvc.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scsaver.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SSCVIHOST.exe
Debugger = "cmd.exe /c del /f /q"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
Debugger = "rundll32.exe"

(Note: %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp or C:\WINNT\Temp.)

SOLUTION

Minimum Scan Engine:

8.900

FIRST VSAPI PATTERN FILE:

7.610.01

FIRST VSAPI PATTERN DATE:

10 Nov 2010

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Identify and terminate files detected as WORM_OTORUN.PSQ

[ Learn More ]

If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 3

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_CLASSES_ROOT\exefile
- NeverShowExt =
In HKEY_CLASSES_ROOT\jpegfile
- NeverShowExt =
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- EnableLUA = 0
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- {user name}? = %Application Data%\Java\?shimgvw?.exe
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- jre? = %Application Data%\Java\?Jview?.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- EnableLUA = 0
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- AntiVirusOverride = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- AntiVirusDisableNotify = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- FirewallDisableNotify = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- FirewallOverride = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- UpdatesDisableNotify = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- UacDisableNotify = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- FirstRunDisabled = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- AntiVirusOverride = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- AntiVirusDisableNotify = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- FirewallDisableNotify = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- FirewallOverride = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- UpdatesDisableNotify = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- UacDisableNotify = 1
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
- FirstRunDisabled = 1

To delete the registry value this malware created:

Open Registry Editor. To do this, click Start>Run, type regedit in the text box provided, then press Enter.
In the left panel of the Registry Editor window, double-click the following:
HKEY_CLASSES_ROOT>exefile
In the right panel, locate and delete the entry:
NeverShowExt =
In the left panel of the Registry Editor window, double-click the following:
HKEY_CLASSES_ROOT>jpegfile
In the right panel, locate and delete the entry:
NeverShowExt =
In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Policies>System
In the right panel, locate and delete the entry:
EnableLUA = 0
In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
{user name}? = %Application Data%\Java>?shimgvw?.exe
Again In the right panel, locate and delete the entry:
jre? = %Application Data%\Java>?Jview?.exe
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>policies>system
In the right panel, locate and delete the entry:
EnableLUA = 0
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Security Center
In the right panel, locate and delete the entry:
AntiVirusOverride = 1
Again In the right panel, locate and delete the entry:
AntiVirusDisableNotify = 1
Again In the right panel, locate and delete the entry:
FirewallDisableNotify = 1
Again In the right panel, locate and delete the entry:
FirewallOverride = 1
Again In the right panel, locate and delete the entry:
UpdatesDisableNotify = 1
Again In the right panel, locate and delete the entry:
UacDisableNotify = 1
Again In the right panel, locate and delete the entry:
FirstRunDisabled = 1
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Security Center>Svc
In the right panel, locate and delete the entry:
AntiVirusOverride = 1
Again In the right panel, locate and delete the entry:
AntiVirusDisableNotify = 1
Again In the right panel, locate and delete the entry:
FirewallDisableNotify = 1
Again In the right panel, locate and delete the entry:
FirewallOverride = 1
Again In the right panel, locate and delete the entry:
UpdatesDisableNotify = 1
Again In the right panel, locate and delete the entry:
UacDisableNotify = 1
Again In the right panel, locate and delete the entry:
FirstRunDisabled = 1
Close Registry Editor.

Step 4

Delete this registry key

[ Learn More ]

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- ansavgd
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- attrib.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- autorunme.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- blastclnn.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- blastclnnn.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- cscript.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- egui.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- EHttpSrv.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- ekrn.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- ise32.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- MSASCui.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- Nbrowser.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- New Folder.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- Njeeves.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- nod32.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- nod32krn.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- nod32kui.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- npcsvc32.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- npc_login.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- npc_tray.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- npflgutl.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- npfports.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- npfrules.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- npfsvc32.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- npfuser.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- npfwiz.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- nprosec.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- nuaa.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- Nvcoa.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- nvcsched.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- nvoy.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- reg32.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- rtpsvc.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- scsaver.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- SSCVIHOST.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- wscript.exe

To delete the registry key this malware/grayware created:

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Image File Execution Options
Still in the left panel, locate and delete the key:
ansavgd
Again Still in the left panel, locate and delete the key:
attrib.exe
Again Still in the left panel, locate and delete the key:
autorunme.exe
Again Still in the left panel, locate and delete the key:
blastclnn.exe
Again Still in the left panel, locate and delete the key:
blastclnnn.exe
Again Still in the left panel, locate and delete the key:
cscript.exe
Again Still in the left panel, locate and delete the key:
egui.exe
Again Still in the left panel, locate and delete the key:
EHttpSrv.exe
Again Still in the left panel, locate and delete the key:
ekrn.exe
Again Still in the left panel, locate and delete the key:
ise32.exe
Again Still in the left panel, locate and delete the key:
MSASCui.exe
Again Still in the left panel, locate and delete the key:
Nbrowser.exe
Again Still in the left panel, locate and delete the key:
New Folder.exe
Again Still in the left panel, locate and delete the key:
Njeeves.exe
Again Still in the left panel, locate and delete the key:
nod32.exe
Again Still in the left panel, locate and delete the key:
nod32krn.exe
Again Still in the left panel, locate and delete the key:
nod32kui.exe
Again Still in the left panel, locate and delete the key:
npcsvc32.exe
Again Still in the left panel, locate and delete the key:
npc_login.exe
Again Still in the left panel, locate and delete the key:
npc_tray.exe
Again Still in the left panel, locate and delete the key:
npflgutl.exe
Again Still in the left panel, locate and delete the key:
npfports.exe
Again Still in the left panel, locate and delete the key:
npfrules.exe
Again Still in the left panel, locate and delete the key:
npfsvc32.exe
Again Still in the left panel, locate and delete the key:
npfuser.exe
Again Still in the left panel, locate and delete the key:
npfwiz.exe
Again Still in the left panel, locate and delete the key:
nprosec.exe
Again Still in the left panel, locate and delete the key:
nuaa.exe
Again Still in the left panel, locate and delete the key:
Nvcoa.exe
Again Still in the left panel, locate and delete the key:
nvcsched.exe
Again Still in the left panel, locate and delete the key:
nvoy.exe
Again Still in the left panel, locate and delete the key:
reg32.exe
Again Still in the left panel, locate and delete the key:
rtpsvc.exe
Again Still in the left panel, locate and delete the key:
scsaver.exe
Again Still in the left panel, locate and delete the key:
SSCVIHOST.exe
Again Still in the left panel, locate and delete the key:
wscript.exe
Close Registry Editor.

Step 5

Restore this modified registry value

[ Learn More ]

In HKEY_CLASSES_ROOT\jpegfile\DefaultIcon
- From: @ = %Application Data%\Java\?shimgvw?.exe,0
  To: @ = shimgvw.dll,3
In HKEY_CURRENT_USER\Control Panel\Desktop\
- From: AutoEndTasks = 1
  To: AutoEndTasks = 0
In HKEY_CURRENT_USER\Control Panel\Desktop
- From: HungAppTimeout = 400
  To: HungAppTimeout = 5000
In HKEY_CURRENT_USER\Control Panel\Desktop
- From: WaitToKillAppTimeout = 400
  To: WaitToKillAppTimeout = 20000
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- From: HideFileExt = 1
  To: HideFileExt = 0
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- From: SuperHidden = 0
  To: SuperHidden = 1
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- From: ShowSuperHidden = 0
  To: ShowSuperHidden = 1
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
- From: WaitToKillServiceTimeout = 2000
  To: WaitToKillServiceTimeout = 20000

To restore the registry value this malware/grayware modified:

Open Registry Editor. Click Start>Run, type REGEDIT in the text box provided, and then press Enter.
In the left panel, double-click the following:
HKEY_CLASSES_ROOT>jpegfile>DefaultIcon
In the right panel, locate the registry value:
@ = %Application Data%\Java>?shimgvw?.exe,0
Right-click on the value name and choose Modify. Change the value data of this entry to:
@ = shimgvw.dll,3
In the left panel, double-click the following:
HKEY_CURRENT_USER>Control Panel>Desktop>
In the right panel, locate the registry value:
AutoEndTasks = 1
Right-click on the value name and choose Modify. Change the value data of this entry to:
AutoEndTasks = 0
In the left panel, double-click the following:
HKEY_CURRENT_USER>Control Panel>Desktop
In the right panel, locate the registry value:
HungAppTimeout = 400
Right-click on the value name and choose Modify. Change the value data of this entry to:
HungAppTimeout = 5000
Again In the right panel, locate the registry value:
WaitToKillAppTimeout = 400
Right-click on the value name and choose Modify. Change the value data of this entry to:
WaitToKillAppTimeout = 20000
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Explorer>Advanced
In the right panel, locate the registry value:
HideFileExt = 1
Right-click on the value name and choose Modify. Change the value data of this entry to:
HideFileExt = 0
Again In the right panel, locate the registry value:
SuperHidden = 0
Right-click on the value name and choose Modify. Change the value data of this entry to:
SuperHidden = 1
Again In the right panel, locate the registry value:
ShowSuperHidden = 0
Right-click on the value name and choose Modify. Change the value data of this entry to:
ShowSuperHidden = 1
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control
In the right panel, locate the registry value:
WaitToKillServiceTimeout = 2000
Right-click on the value name and choose Modify. Change the value data of this entry to:
WaitToKillServiceTimeout = 20000
Close Registry Editor.

Step 6

Search and delete this folder

[ Learn More ]

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result. RECYCLER

Step 7

Search and delete AUTORUN.INF files created by WORM_OTORUN.PSQ that contain these strings

[ Learn More ]

Step 8

Scan your computer with your Trend Micro product to delete files detected as WORM_OTORUN.PSQ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Did this description help? Tell us how we did.

WORM_OTORUN.PSQ

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

WORM_OTORUN.PSQ

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific