WORM_AUTORUN.BKR

Publish Date: 26 de listopada de 2013

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

OVER ALL RISK RATING:

DAMAGE POTENTIAL::

DISTRIBUTION POTENTIAL::

REPORTED INFECTION:

Low

Medium

High

Critical

Threat Type:
Worm
Destructiveness:
No
Encrypted:
In the wild::
Yes

OVERVIEW

Elimina archivos para impedir la ejecución correcta de programas y aplicaciones.

TECHNICAL DETAILS

File size: 41,656 bytes

File type: EXE

Memory resident: Yes

INITIAL SAMPLES RECEIVED DATE: 26 de listopada de 2013

Técnica de inicio automático

Se registra como un servicio del sistema para garantizar su ejecución automática cada vez que se inicia el sistema mediante la introducción de las siguientes claves de registro:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\vds2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\VMAuthd Service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\VMnet DHCP

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\VMwareNATService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\vmount3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Installer information

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\lanmanworkstation2

Otras modificaciones del sistema

Elimina los archivos siguientes:

%System%\drivers\HookHelp.sys
%System%\drivers\HookSys.sys
%System%\drivers\RsNTGdi.sys
%System%\drivers\HookCont.sys
%System%\drivers\safeboxkrnl.sys
%System%\drivers\360AntiARP.sys
%System%\drivers\ProtoDrv.sys
%System%\drivers\easdrv.sys
%System%\drivers\eamon.sys
%System%\drivers\epfwtdir.sys
%User Profile%\Cookies\wilbert@atdmt[2].txt
%User Profile%\Cookies\wilbert@bing[2].txt
%User Profile%\Cookies\wilbert@c.atdmt[2].txt
%User Profile%\Cookies\wilbert@c.msn[2].txt
%User Profile%\Cookies\wilbert@doubleclick[1].txt
%User Profile%\Cookies\wilbert@microsoft[1].txt
%User Profile%\Cookies\wilbert@msnportal.112.2o7[1].txt
%User Profile%\Cookies\wilbert@msn[2].txt
%User Profile%\Cookies\wilbert@scorecardresearch[2].txt
%User Profile%\Cookies\wilbert@www.bing[2].txt
%User Profile%\Cookies\wilbert@www.msn[1].txt

Elimina las carpetas siguientes:

%System Root%\AUTOEXEC.EXE
%System Root%\AutoRun.inf

(Nota: %System Root% es la carpeta raíz, normalmente C:\. También es la ubicación del sistema operativo).

)

Agrega las siguientes entradas de registro como parte de la rutina de instalación:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe

Agrega las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
DependOnService = "Virtual Disk Service"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
Description = "Provides software volume and hardware volume management service."

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
DisplayName = "vds2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
ImagePath = "%Windows%\ctfmon.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vds2
Type = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
DependOnService = "VMware Authorization Service"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
Description = "{random characters}"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
DisplayName = "VMAuthd Service"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
ImagePath = "%Windows%\inetinfo.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMAuthd Service
Type = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
DependOnService = "VMware DHCP Service"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
Description = "DHCP service for virtual networks"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
DisplayName = "VMnet DHCP"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
ImagePath = "%Windows%\winlogon.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMnet DHCP
Type = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
DependOnService = "VMware NAT Service"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
Description = "Network address translation for virtual networks"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
DisplayName = "VMwareNATService"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
ImagePath = "%System%\TIMPlatform.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\VMwareNATService
Type = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vmount3
DependOnService = "VMware Virtual Mount Manager Extended"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vmount3
DisplayName = "vmount3"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vmount3
ImagePath = "%Windows%\inf\realplayer.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vmount3
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vmount3
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vmount3
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\vmount3
Type = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
DependOnService = "VMware Virtual Mount Manager Extended"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
Description = "{random characters}"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
DisplayName = "Installer information"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
ImagePath = "%Program Files%\INTERN~1\iedws.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Installer information
Type = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
DependOnService = "Workstation"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
Description = "Creates and maintains client network connections to remote servers. "

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
DisplayName = "lanmanworkstation2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
ImagePath = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\lanmanworkstation2
Type = "2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
DEBUGGER = "%Windows%\inf\realplayer.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
DEBUGGER = "%Windows%\ctfmon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
DEBUGGER = "%System%\TIMPlatform.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
DEBUGGER = "%Windows%\inetinfo.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
DEBUGGER = "%System%\TIMPlatform.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
DEBUGGER = "%Windows%\winlogon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
DEBUGGER = "%Windows%\winlogon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
DEBUGGER = "%Windows%\ctfmon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
DEBUGGER = "%System%\TIMPlatform.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
DEBUGGER = "%Windows%\ctfmon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
DEBUGGER = "%Windows%\inetinfo.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
DEBUGGER = "%Windows%\inetinfo.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
DEBUGGER = "%Windows%\inf\realplayer.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
DEBUGGER = "%System%\TIMPlatform.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
DEBUGGER = "%Windows%\winlogon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
DEBUGGER = "%Windows%\inf\realplayer.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
DEBUGGER = "%Windows%\ctfmon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
RavMonD.exe
DEBUGGER = "%Windows%\inetinfo.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360Safe.exe
DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360tray.exe
DEBUGGER = "%Windows%\winlogon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
360rpt.exe
DEBUGGER = "%Windows%\inf\realplayer.exe"

Modifica las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = "3"

(Note: The default value data of the said registry entry is 1.)

Elimina las siguientes claves de registro:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Minimal\
{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot\Network\
{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
{4D36E967-E325-11CE-BFC1-08002BE10318}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network\
{4D36E967-E325-11CE-BFC1-08002BE10318}

Rutina de infiltración

Infiltra los archivos siguientes:

%Windows%\ctfmon.exe
%Windows%\inetinfo.exe
%Windows%\winlogon.exe
%System%\TIMPlatform.exe
%Windows%\inf\realplayer.exe
%Program Files%\INTERN~1\iedws.exe
%Program Files%\INTERN~1\SIGNUP\iedws.exe
A:\AUTOEXEC.EXE
A:\AutoRun.inf
%System Root%\AUTOEXEC.EXE
%System Root%\AutoRun.inf

(Nota: %Windows% es la carpeta de Windows, que suele estar en C:\Windows o C:\WINNT).

. %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows XP y Server 2003 en C:\Windows\System32).

. %Program Files% es la carpeta Archivos de programa predeterminada, que suele estar en C:\Archivos de programa).

. %System Root% es la carpeta raíz, normalmente C:\. También es la ubicación del sistema operativo).

)

SOLUTION

Minimum scan engine: 9.300

Step 1

Los usuarios de Windows ME y XP, antes de llevar a cabo cualquier exploración, deben comprobar que tienen desactivada la opción Restaurar sistema para permitir la exploración completa del equipo.

Step 2

Reiniciar en modo seguro

[ learnMore ]

Step 3

Eliminar esta clave del Registro

[ learnMore ]

Importante: si modifica el Registro de Windows incorrectamente, podría hacer que el sistema funcione mal de manera irreversible. Lleve a cabo este paso solo si sabe cómo hacerlo o si puede contar con ayuda de su administrador del sistema. De lo contrario, lea este artículo de Microsoft antes de modificar el Registro del equipo.

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- vds2

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- VMAuthd Service

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- VMnet DHCP

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- VMwareNATService

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- vmount3

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- Installer information

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- lanmanworkstation2

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- RavMonD.exe

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- 360rpt.exe

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- 360Safe.exe

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- 360tray.exe

Step 4

Eliminar este valor del Registro

[ learnMore ]

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
- DependOnService = "Virtual Disk Service"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
- Description = "Provides software volume and hardware volume management service."

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
- DisplayName = "vds2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
- ImagePath = "%Windows%\ctfmon.exe"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
- ObjectName = "LocalSystem"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
- ErrorControl = "1"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
- Start = "2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vds2
- Type = "2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
- DependOnService = "VMware Authorization Service"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
- Description = "{random characters}"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
- DisplayName = "VMAuthd Service"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
- ImagePath = "%Windows%\inetinfo.exe"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
- ObjectName = "LocalSystem"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
- ErrorControl = "1"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
- Start = "2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMAuthd Service
- Type = "2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
- DependOnService = "VMware DHCP Service"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
- Description = "DHCP service for virtual networks"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
- DisplayName = "VMnet DHCP"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
- ImagePath = "%Windows%\winlogon.exe"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
- ObjectName = "LocalSystem"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
- ErrorControl = "1"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
- Start = "2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMnet DHCP
- Type = "2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
- DependOnService = "VMware NAT Service"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
- Description = "Network address translation for virtual networks"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
- DisplayName = "VMwareNATService"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
- ImagePath = "%System%\TIMPlatform.exe"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
- ObjectName = "LocalSystem"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
- ErrorControl = "1"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
- Start = "2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareNATService
- Type = "2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmount3
- DependOnService = "VMware Virtual Mount Manager Extended"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmount3
- DisplayName = "vmount3"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmount3
- ImagePath = "%Windows%\inf\realplayer.exe"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmount3
- ObjectName = "LocalSystem"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmount3
- ErrorControl = "1"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmount3
- Start = "2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmount3
- Type = "2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
- DependOnService = "VMware Virtual Mount Manager Extended"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
- Description = "{random characters}"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
- DisplayName = "Installer information"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
- ImagePath = "%Program Files%\INTERN~1\iedws.exe"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
- ObjectName = "LocalSystem"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
- ErrorControl = "1"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
- Start = "2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Installer information
- Type = "2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
- DependOnService = "Workstation"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
- Description = "Creates and maintains client network connections to remote servers. "

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
- DisplayName = "lanmanworkstation2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
- ImagePath = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
- ObjectName = "LocalSystem"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
- ErrorControl = "1"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
- Start = "2"

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation2
- Type = "2"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
- DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
- DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
- DEBUGGER = "%Windows%\inf\realplayer.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
- DEBUGGER = "%Windows%\ctfmon.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
- DEBUGGER = "%System%\TIMPlatform.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
- DEBUGGER = "%Windows%\inetinfo.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
- DEBUGGER = "%System%\TIMPlatform.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
- DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
- DEBUGGER = "%Windows%\winlogon.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
- DEBUGGER = "%Windows%\winlogon.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
- DEBUGGER = "%Windows%\ctfmon.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
- DEBUGGER = "%System%\TIMPlatform.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
- DEBUGGER = "%Windows%\ctfmon.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
- DEBUGGER = "%Windows%\inetinfo.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
- DEBUGGER = "%Windows%\inetinfo.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
- DEBUGGER = "%Windows%\inf\realplayer.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
- DEBUGGER = "%System%\TIMPlatform.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
- DEBUGGER = "%Windows%\winlogon.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
- DEBUGGER = "%Windows%\inf\realplayer.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
- DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
- DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
- DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
- DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
- DEBUGGER = "%Windows%\ctfmon.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
- DEBUGGER = "%Windows%\inetinfo.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
- DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
- DEBUGGER = "%Windows%\winlogon.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
- DEBUGGER = "%Windows%\inf\realplayer.exe"

Para eliminar el valor del Registro que este malware/grayware/spyware ha creado:

Abra el Editor del Registro. Haga clic en Inicio>Ejecutar, escriba REGEDIT y, a continuación, pulse Intro.
En el panel izquierdo, haga doble clic en el siguiente elemento:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet001>Services>vds2
En el panel derecho, busque y elimine la entrada:
DependOnService = "Virtual Disk Service"
En el panel derecho, busque y elimine la entrada:
Description = "Provides software volume and hardware volume management service."
En el panel derecho, busque y elimine la entrada:
DisplayName = "vds2"
En el panel derecho, busque y elimine la entrada:
ImagePath = "%Windows%\ctfmon.exe"
En el panel derecho, busque y elimine la entrada:
ObjectName = "LocalSystem"
En el panel derecho, busque y elimine la entrada:
ErrorControl = "1"
En el panel derecho, busque y elimine la entrada:
Start = "2"
En el panel derecho, busque y elimine la entrada:
Type = "2"
En el panel izquierdo, haga doble clic en el siguiente elemento:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet001>Services>VMAuthd Service
En el panel derecho, busque y elimine la entrada:
DependOnService = "VMware Authorization Service"
En el panel derecho, busque y elimine la entrada:
Description = "{random characters}"
En el panel derecho, busque y elimine la entrada:
DisplayName = "VMAuthd Service"
En el panel derecho, busque y elimine la entrada:
ImagePath = "%Windows%\inetinfo.exe"
En el panel derecho, busque y elimine la entrada:
ObjectName = "LocalSystem"
En el panel derecho, busque y elimine la entrada:
ErrorControl = "1"
En el panel derecho, busque y elimine la entrada:
Start = "2"
En el panel derecho, busque y elimine la entrada:
Type = "2"
En el panel izquierdo, haga doble clic en el siguiente elemento:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet001>Services>VMnet DHCP
En el panel derecho, busque y elimine la entrada:
DependOnService = "VMware DHCP Service"
En el panel derecho, busque y elimine la entrada:
Description = "DHCP service for virtual networks"
En el panel derecho, busque y elimine la entrada:
DisplayName = "VMnet DHCP"
En el panel derecho, busque y elimine la entrada:
ImagePath = "%Windows%\winlogon.exe"
En el panel derecho, busque y elimine la entrada:
ObjectName = "LocalSystem"
En el panel derecho, busque y elimine la entrada:
ErrorControl = "1"
En el panel derecho, busque y elimine la entrada:
Start = "2"
En el panel derecho, busque y elimine la entrada:
Type = "2"
En el panel izquierdo, haga doble clic en el siguiente elemento:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet001>Services>VMwareNATService
En el panel derecho, busque y elimine la entrada:
DependOnService = "VMware NAT Service"
En el panel derecho, busque y elimine la entrada:
Description = "Network address translation for virtual networks"
En el panel derecho, busque y elimine la entrada:
DisplayName = "VMwareNATService"
En el panel derecho, busque y elimine la entrada:
ImagePath = "%System%\TIMPlatform.exe"
En el panel derecho, busque y elimine la entrada:
ObjectName = "LocalSystem"
En el panel derecho, busque y elimine la entrada:
ErrorControl = "1"
En el panel derecho, busque y elimine la entrada:
Start = "2"
En el panel derecho, busque y elimine la entrada:
Type = "2"
En el panel izquierdo, haga doble clic en el siguiente elemento:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet001>Services>vmount3
En el panel derecho, busque y elimine la entrada:
DependOnService = "VMware Virtual Mount Manager Extended"
En el panel derecho, busque y elimine la entrada:
DisplayName = "vmount3"
En el panel derecho, busque y elimine la entrada:
ImagePath = "%Windows%\inf\realplayer.exe"
En el panel derecho, busque y elimine la entrada:
ObjectName = "LocalSystem"
En el panel derecho, busque y elimine la entrada:
ErrorControl = "1"
En el panel derecho, busque y elimine la entrada:
Start = "2"
En el panel derecho, busque y elimine la entrada:
Type = "2"
En el panel izquierdo, haga doble clic en el siguiente elemento:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet001>Services>Installer information
En el panel derecho, busque y elimine la entrada:
DependOnService = "VMware Virtual Mount Manager Extended"
En el panel derecho, busque y elimine la entrada:
Description = "{random characters}"
En el panel derecho, busque y elimine la entrada:
DisplayName = "Installer information"
En el panel derecho, busque y elimine la entrada:
ImagePath = "%Program Files%\INTERN~1\iedws.exe"
En el panel derecho, busque y elimine la entrada:
ObjectName = "LocalSystem"
En el panel derecho, busque y elimine la entrada:
ErrorControl = "1"
En el panel derecho, busque y elimine la entrada:
Start = "2"
En el panel derecho, busque y elimine la entrada:
Type = "2"
En el panel izquierdo, haga doble clic en el siguiente elemento:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet001>Services>lanmanworkstation2
En el panel derecho, busque y elimine la entrada:
DependOnService = "Workstation"
En el panel derecho, busque y elimine la entrada:
Description = "Creates and maintains client network connections to remote servers. "
En el panel derecho, busque y elimine la entrada:
DisplayName = "lanmanworkstation2"
En el panel derecho, busque y elimine la entrada:
ImagePath = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"
En el panel derecho, busque y elimine la entrada:
ObjectName = "LocalSystem"
En el panel derecho, busque y elimine la entrada:
ErrorControl = "1"
En el panel derecho, busque y elimine la entrada:
Start = "2"
En el panel derecho, busque y elimine la entrada:
Type = "2"
En el panel izquierdo, haga doble clic en el siguiente elemento:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Image File Execution Options>RavMonD.exe
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"
En el panel izquierdo, haga doble clic en el siguiente elemento:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Image File Execution Options>360rpt.exe
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"
En el panel izquierdo, haga doble clic en el siguiente elemento:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Image File Execution Options>360Safe.exe
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\inf\realplayer.exe"
En el panel izquierdo, haga doble clic en el siguiente elemento:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Image File Execution Options>360tray.exe
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\ctfmon.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%System%\TIMPlatform.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\inetinfo.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%System%\TIMPlatform.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\winlogon.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\winlogon.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\ctfmon.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%System%\TIMPlatform.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\ctfmon.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\inetinfo.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\inetinfo.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\inf\realplayer.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%System%\TIMPlatform.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\winlogon.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\inf\realplayer.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Program Files%\INTERN~1\iedws.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\ctfmon.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\inetinfo.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Program Files%\INTERN~1\SIGNUP\iedws.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\winlogon.exe"
En el panel derecho, busque y elimine la entrada:
DEBUGGER = "%Windows%\inf\realplayer.exe"
Cierre el Editor del Registro.

Step 5

Restaurar este valor del Registro modificado

[ learnMore ]

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- From: CheckedValue = "3"
  To: CheckedValue = ""1""

Step 6

Buscar y eliminar estos archivos

[ learnMore ]

Puede que algunos de los archivos del componente estén ocultos. Asegúrese de que tiene activada la casilla Buscar archivos y carpetas ocultos en la opción "Más opciones avanzadas" para que el resultado de la búsqueda incluya todos los archivos y carpetas ocultos.

%Windows%\ctfmon.exe
%Windows%\inetinfo.exe
%Windows%\winlogon.exe
%System%\TIMPlatform.exe
%Windows%\inf\realplayer.exe
%Program Files%\INTERN~1\iedws.exe
%Program Files%\INTERN~1\SIGNUP\iedws.exe
A:\AUTOEXEC.EXE
A:\AutoRun.inf
%System Root%\AUTOEXEC.EXE
%System Root%\AutoRun.inf

Step 7

Reinicie en modo normal y explore el equipo con su producto de Trend Micro para buscar los archivos identificados como WORM_AUTORUN.BKR En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.

Did this description help? Tell us how we did.

WORM_AUTORUN.BKR

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Zasoby

Wsparcie

O firmie Trend

WORM_AUTORUN.BKR

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Zasoby

Wsparcie

O firmie Trend

Obie Ameryki

Bliski Wschód i Afryka

Europa

Azja i Pacyfik