PE_PIKORAV.SM-O
Windows 98, ME, NT, 2000, XP, Server 2003
Threat Type: File infector
Destructiveness: Yes
Encrypted: Yes
In the wild: Yes
OVERVIEW
This File infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It infects by appending its code to target host files.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It deletes itself after execution.
TECHNICAL DETAILS
Arrival Details
This File infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This File infector drops the following files:
- %System Root%\Documents and Settings\Infotmp.txt
(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)
It injects itself into the following processes as part of its memory residency routine:
- svchost.exe
Other System Modifications
This File infector adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{Service name}\
000
Service = "{Service name}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{Application name}
Debugger = "ntsd -d"
The second entry is an Image File Execution Options (IFEO) hijack: when a Debugger value exists under an application's IFEO key, Windows starts that debugger instead of the application and passes the application as its argument. With ntsd -d (the NT symbolic debugger handing control to a kernel debugger that is not attached) the listed security products never get to run, which is how the malware keeps antivirus processes from starting without touching their files.
It adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_{Service name}
It deletes the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\AppMgmt
Where {Application name} may be any of the following:
- 360SoftMgrSvc.exe
- 360hotfix.exe
- 360rp.exe
- 360rpt.exe
- 360safe.exe
- 360safebox.exe
- 360sd.exe
- 360se.exe
- 360speedld.exe
- 360tray.exe
- CCenter.exe
- KVMonXP.kxp
- KVSrvXP.exe
- MPMon.exe
- MPSVC.exe
- MPSVC1.exe
- MPSVC2.exe
- McNASvc.exe
- McProxy.exe
- McSACore.exe
- Mcagent.exe
- Mcods.exe
- Mcshield.exe
- MpfSrv.exe
- RavMonD.exe
- RavTask.exe
- RsAgent.exe
- RsTray.exe
- ScanFrm.exe
- SfCtlCom.exe
- TMBMSRV.exe
- TmProxy.exe
- UfSeAgnt.exe
- ast.exe
- avcenter.e
- avgnt.exe
- avguard.exe
- avmailc.exe
- avp.exe
- avwebgrd.exe
- bdagent.exe
- ccSvcHst.exe
- egui.exe
- ekrn.exe
- kavstart.exe
- kissvc.exe
- kmailmon.exe
- kpfw32.exe
- kpfwsvc.exe
- krnl360svc.exe
- kswebshield.exe
- kwatch.exe
- livesrv.exe
- mcmscsvc.exe
- mcsysmon.exe
- mcvsshld.exe
- msksrver.exe
- qutmserv.exe
- rsnetsvr.exe
- safeboxTray.exe
- sched.exe
- seccenter.exe
- vsserv.exe
- zhudongfangyu.exe
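The following PowerShell is an added example, not code from the Trend Micro description. It enumerates every IFEO subkey that carries a Debugger value, flags the "ntsd -d" pattern listed above, and reports whether the Services\AppMgmt key is missing. It assumes it runs with administrative rights on the affected machine; the removal line is left in -WhatIf mode so the list can be reviewed first.

```powershell
# Added example: audit Image File Execution Options for Debugger hijacks.
# Not part of the original Trend Micro description; assumes an elevated PowerShell session.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerHijack {
    param([string]$Path = $ifeo)
    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            New-Object PSObject -Property @{
                Application = $_.PSChildName
                Debugger    = $props.Debugger
                # "ntsd -d" under a security product's image name means the product is
                # being prevented from starting; any Debugger you did not set yourself
                # deserves a look, but this is the pattern the page documents.
                Suspicious  = [bool]($props.Debugger -match '^\s*ntsd(\.exe)?\s+-d')
            }
        }
    }
}

$hits = @(Get-IfeoDebuggerHijack | Where-Object { $_.Suspicious })
$hits | Format-Table Application, Debugger -AutoSize

# Step 4 of the solution deletes the Debugger value, not the whole IFEO key.
# Remove -WhatIf once the report above has been checked.
foreach ($h in $hits) {
    Remove-ItemProperty -Path (Join-Path $ifeo $h.Application) -Name Debugger -WhatIf
}

# The deleted AppMgmt service key cannot be rebuilt from this page; confirm it is gone
# so it can be restored from a registry or System State backup (step 6 of the solution).
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\AppMgmt')) {
    Write-Warning 'Services\AppMgmt is missing: restore it from backup.'
}
```

Only the Debugger value is removed because legitimate IFEO entries (for example GlobalFlag settings left by debugging tools) can share the same key; deleting the key wholesale is what the page's step 4 deliberately does not ask for.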
File Infection
This File infector infects the following file types:
- .EXE
- .EXE files inside a .RAR
It infects the following file types on network shares to ensure its propagation:
- .EXE
- .EXE files inside .RAR
It infects by appending its code to target host files.
It avoids infecting folders containing the following strings:
- ComPlus Applications
- Common Files
- Documents and Settings
- InstallShield Installation Information
- Internet Explorer
- MSN Gaming Zone
- Messenger
- Microsoft frontpage
- Movie Maker
- NetMeeting
- Outlook Express
- RECYCLER
- System Volume Information
- Thunder
- Thunder Network
- WINDOWS
- WinNT
- WinRAR
- Windows Media Player
- Windows NT
- WindowsUpdate
Propagation
This File infector creates the following folders in all removable drives:
- recycle.{645FF040-5081-101B-9F08-00AA002F954E}
It drops the following copy(ies) of itself in all removable drives:
- recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[autorun]
OPEN=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe
shell\open=打开(&O)
shell\open\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe Show
shell\open\Default=1//
shell\explore=资源管理器(&X)
shell\explore\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe Show
(The two shell labels are GBK-encoded Chinese: 打开(&O) is "Open(&O)" and 资源管理器(&X) is "Explorer(&X)", so the drive's normal Open and Explore context-menu actions are replaced by the dropped copy. {645FF040-5081-101B-9F08-00AA002F954E} is the Recycle Bin CLSID, which makes Explorer display the recycle.{CLSID} folder as a Recycle Bin rather than as an ordinary folder holding Setup.exe.)
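The following PowerShell is an added example, not code from the Trend Micro description. It checks every removable drive for the AUTORUN.INF entries and the recycle.{CLSID}\Setup.exe pair listed above, using only the indicator strings given on this page. Test-PikoravAutorun works on any array of lines, so it can also be run against an autorun.inf copied off a drive for offline triage.

```powershell
# Added example: find the AUTORUN.INF / hidden-folder pair described above on removable drives.
# Not part of the original Trend Micro description; indicator strings are taken from the page.

$RecycleClsid = '{645FF040-5081-101B-9F08-00AA002F954E}'
$DropFolder   = "recycle.$RecycleClsid"

function Test-PikoravAutorun {
    # Returns the lines of an autorun.inf that launch the dropped Setup.exe via
    # OPEN=, shell\open\Command= or shell\explore\Command= (case-insensitive).
    param([string[]]$Lines)
    $Lines | Where-Object {
        $_ -match '^\s*(open|shell\\(open|explore)\\command)\s*=' -and
        $_ -match [regex]::Escape("$DropFolder\Setup.exe")
    }
}

# DriveType 2 = removable disk (USB sticks, card readers).
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $inf  = Join-Path $root 'autorun.inf'
    $dir  = Join-Path $root $DropFolder
    $bad  = @()
    if (Test-Path -LiteralPath $inf) {
        $bad = @(Test-PikoravAutorun (Get-Content -LiteralPath $inf))
    }
    # Cleanup for steps 7 and 9 of the solution; drop -WhatIf after reviewing the report.
    if ($bad.Count -gt 0) { Remove-Item -LiteralPath $inf -Force -WhatIf }
    if (Test-Path -LiteralPath $dir) { Remove-Item -LiteralPath $dir -Recurse -Force -WhatIf }
    New-Object PSObject -Property @{
        Drive       = $_.DeviceID
        AutorunHits = $bad.Count
        DropFolder  = Test-Path -LiteralPath $dir
        SetupExe    = Test-Path -LiteralPath (Join-Path $dir 'Setup.exe')
    }
} | Format-Table Drive, AutorunHits, DropFolder, SetupExe -AutoSize
```

-LiteralPath is used throughout so that nothing in the folder name is interpreted as a wildcard, and the drive is inspected without opening it in Explorer, which would be exactly the action the INF file hooks.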
Dropping Routine
This File infector drops the following files:
- %System%\drivers\{random}.sys - detected as RTKT_AGENT.SMB (a kernel-mode rootkit driver)
HOSTS File Modification
This File infector overwrites the HOSTS file in the following locations:
- %System%\drivers\etc\host (On Windows 2000, XP, and Server 2003)
Other Details
This File infector deletes itself after execution.
NOTES:
This file infector disables Windows System File Checker (SFC), so the replaced system DLLs listed below are not restored automatically.
It attempts to stop the following services and replace their service DLLs with a copy of itself. The file name of the copy is based on the file name of the DLL being replaced (shown in parentheses). All of these services are hosted in svchost.exe, which is how the malware's code comes to run inside svchost.exe as noted under Installation:
- 6to4 (6to4.dll)
- AppMgmt (appmgmts.dll)
- BITS (qmgr.dll)
- Browser (browser.dll)
- CryptSvc (cryptsvc.dll)
- EventSystem (es.dll)
- FastUserSwitchingCompatibility (shsvcs.dll)
- helpsvc (pchsvc.dll)
- Ias (ias.dll)
- Iprip (iprip.dll)
- Irmon (irmon.dll)
- Netman (netman.dll)
- Nla (mswsock.dll)
- Ntmssvc (ntmssvc.dll)
- NWCWorkstation (NWCWorkstation.dll)
- Nwsapagent (Nwsapagent.dll)
- RemoteRegistry (regsvc.dll)
- Schedule (schedsvc.dll)
- SSDPSRV (ssdpsrv.dll)
- Tapisrv (tapisrv.dll)
- upnphost (upnphost.dll)
- WmdmPmSN (mspmsnsv.dll)
- WmdmPmSp (WmdmPmSp.dll)
- xmlprov (xmlprov.dll)
The service names mentioned above are used in the creation of the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{Service name}
Windows itself creates LEGACY_{Service name} entries when a non-Plug-and-Play service or driver is started, so their presence alone does not prove infection; they are listed because the removal steps below delete them together with the replaced services.
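The following PowerShell is an added example, not code from the Trend Micro description. For every service named above it reads the ServiceDll value, checks that it still points at the expected DLL under system32, and compares the DLL's SHA-256 with the Windows File Protection copy in %SystemRoot%\system32\dllcache. The dllcache location is the XP / Server 2003 layout and is an assumption for other versions; because the malware disables SFC, a matching hash is weak evidence of a clean file, while a mismatch or a redirected ServiceDll is strong evidence of replacement.

```powershell
# Added example: verify the service DLLs this infector replaces.
# Not part of the original Trend Micro description; service-to-DLL pairs are from the page,
# the dllcache comparison path is an assumption (valid on XP and Server 2003).

$services = @{
  '6to4'='6to4.dll'; 'AppMgmt'='appmgmts.dll'; 'BITS'='qmgr.dll'; 'Browser'='browser.dll';
  'CryptSvc'='cryptsvc.dll'; 'EventSystem'='es.dll'; 'FastUserSwitchingCompatibility'='shsvcs.dll';
  'helpsvc'='pchsvc.dll'; 'Ias'='ias.dll'; 'Iprip'='iprip.dll'; 'Irmon'='irmon.dll';
  'Netman'='netman.dll'; 'Nla'='mswsock.dll'; 'Ntmssvc'='ntmssvc.dll';
  'NWCWorkstation'='NWCWorkstation.dll'; 'Nwsapagent'='Nwsapagent.dll';
  'RemoteRegistry'='regsvc.dll'; 'Schedule'='schedsvc.dll'; 'SSDPSRV'='ssdpsrv.dll';
  'Tapisrv'='tapisrv.dll'; 'upnphost'='upnphost.dll'; 'WmdmPmSN'='mspmsnsv.dll';
  'WmdmPmSp'='WmdmPmSp.dll'; 'xmlprov'='xmlprov.dll'
}

$sys32    = Join-Path $env:SystemRoot 'system32'
$dllcache = Join-Path $sys32 'dllcache'
$sha256   = [System.Security.Cryptography.SHA256]::Create()

function Get-FileSha256([string]$Path) {
    $fs = [System.IO.File]::OpenRead($Path)
    try   { [BitConverter]::ToString($sha256.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close() }
}

foreach ($svc in ($services.Keys | Sort-Object)) {
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $dll    = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }     # service not installed, or not hosted through ServiceDll
    $dll      = [Environment]::ExpandEnvironmentVariables($dll)   # in case %SystemRoot% survived
    $expected = Join-Path $sys32    $services[$svc]
    $cached   = Join-Path $dllcache $services[$svc]

    $status = 'unknown (no dllcache copy to compare)'
    if ((Test-Path -LiteralPath $dll) -and (Test-Path -LiteralPath $cached)) {
        $status = if ((Get-FileSha256 $dll) -eq (Get-FileSha256 $cached)) { 'matches dllcache' }
                  else { 'MODIFIED (differs from dllcache copy)' }
    }
    # A ServiceDll pointing anywhere but the expected system32 file is a replacement
    # regardless of what the hash comparison says.
    if ($dll -ne $expected) { $status = "REDIRECTED to $dll" }
    '{0,-32} {1}' -f $svc, $status
}
```

Run it from Safe Mode after step 3 of the solution; a DLL reported as MODIFIED or REDIRECTED is the copy the infector installed and must be replaced from installation media or a known-good backup, not merely deleted, or the hosting service will fail to start.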
SOLUTION
Step 1
Before doing any scans, disable System Restore to allow full scanning of the computer; otherwise infected files preserved in restore points will be missed.
Step 2
Remove the malware/grayware file dropped/downloaded by PE_PIKORAV.SM-O. (Note: Please skip this step if the threat(s) listed below have already been removed.)
- RTKT_AGENT.SMB
Step 3
Restart in Safe Mode
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Application name}
- Debugger = "ntsd -d"
Step 5
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. This step must be done in Safe Mode (see Step 3). LEGACY_ keys under Enum\Root carry restrictive permissions; if deletion is refused, take ownership of the key and grant yourself Full Control before deleting it.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
- LEGACY_{Service name}
Step 6
Restore this deleted registry key/value from backup
*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt
Step 7
Search and delete these folders
- recycle.{645FF040-5081-101B-9F08-00AA002F954E} (on all removable drives)
Step 8
Search and delete this file
- %System Root%\Documents and Settings\Infotmp.txt
Step 9
Search and delete AUTORUN.INF files created by PE_PIKORAV.SM-O that contain these strings
[autorun]
OPEN=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe
shell\open\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe Show
shell\explore\Command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe Show
Step 10
Restart in normal mode and scan your computer with your Trend Micro product for files detected as PE_PIKORAV.SM-O. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 11
Restore these deleted files from backup
- %System%\drivers\etc\host (the HOSTS file overwritten by this malware)
*Note: Only Microsoft-related files will be restored. If this malware/grayware also overwrote or deleted files belonging to programs that are not from Microsoft, please reinstall those programs on your computer.
Step 12
Scan your computer with your Trend Micro product to delete files detected as PE_PIKORAV.SM-O. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the Trend Micro Support pages for more information.