Ashwin's World
MicrosoftPowerPoint.exe / Winlogons / MsUpdate / H / AutoIt Virus (ver 1.0.46.17)

VIRUS FILES

File Name: MicrosoftPowerPoint.exe
Icon: Folder with a small "My Computer" icon inside it
Type: Application
Description: MicrosoftPowerPoint
Size: 261 KB (268,082 bytes)
Size on disk: 272 KB (278,528 bytes)
Modified: Tuesday, June 26, 2007, 1:06:24 PM
Attributes: Read-only, Hidden+System, Archive

File Name: Winlogons.exe
Icon: Folder
Type: Winlogons
Description: MicrosoftPowerPoint
Size: 261 KB (268,082 bytes)
Size on disk: 272 KB (278,528 bytes)
Modified: Wednesday, October 31, 2007, 10:20:00 PM
Attributes: Read-only, Hidden+System, Archive

File Name: MsUpdate.exe
Icon: Green 'H'
Type: Application
Description: AutoHotKey
Size: 230 KB (235,520 bytes)
Modified: Wednesday, June 20, 2007, 10:38:52 PM
Attributes: Archive
File version: 1.0.46.17
Internal Name: AutoHotKey

SYMPTOMS

These two hidden system files are automatically copied to your removable drives:
MicrosoftPowerPoint.exe
autorun.inf

Double-clicking a removable drive no longer opens it
Tools > Folder Options is disabled
Hidden files can no longer be shown

BEHIND THE SCREEN

DeleteDir C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\MsUpdate~1
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\MsUpdate.exe
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\monitor
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Runs the file:
C:\Documents and Settings\Piyush Chandra\Local Settings\Temp\IXP000.TMP\MsUpdate.exe

CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run\Explorer

Creates a value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run
Value: Explorer
New data (Unicode null-terminated string): Winlogons

Deletes the value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value: wextract_cleanup0
Data (Unicode null-terminated string):
rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP"

THE VIRUS PROGRAM

(The script is detected as Trojan-Downloader.Win32.AutoIt.t.)

The virus has been written in AutoHotKey 1.0.46.17

xxxxxx Deleted by PiyushLabs for security reasons xxxxxx

SOLUTION

End Task
Open Run and paste the following commands one by one.
TASKKILL /f /t /fi "IMAGENAME eq svchost.exe" /fi "USERNAME ne NT AUTHORITY*"
TASKKILL /f /t /fi "IMAGENAME eq MsUpdate.exe"
TASKKILL /f /t /fi "IMAGENAME eq Winlogons.exe"

Enable CMD
Open Run and paste the following commands one by one.
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCmd /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCmd /t REG_DWORD /d 0 /f

Delete the files
Open Run > CMD and paste the following commands one by one.

del "%userprofile%\LOCAL SETTINGS\TEMP\MSDATA" /f /a
del "%userprofile%\Local Settings\Temp\IXP000.TMP" /f /a
del "%temp%\~DF450D.tmp.exe" /f /a
del "%windir%\system32\Winlogons.exe" /f /a

Delete the virus from your pen drives, if you use any. (Replace K with the letter of your drive.)

del K:\autorun.inf /a /f
del K:\MicrosoftPowerPoint.exe /a /f

Registry
Open Run > CMD and paste the following commands one by one.

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /va

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe
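As an added check written for this page (not part of the original write-up), the PowerShell function below looks for the leftovers described above: the Explorer policy Run value, the Winlogon Shell value, DisableCmd at the two locations used in the Enable CMD step, Winlogons.exe in system32, the MsUpdate and Winlogons processes, and autorun.inf plus the hidden+system MicrosoftPowerPoint.exe on removable drives. It assumes PowerShell 3.0 or later and an elevated prompt so the HKLM keys are readable; it only reports and changes nothing.

```powershell
# Added example: read-only check for the indicators described on this page.
# Assumes PowerShell 3.0+ and an elevated prompt; registry paths and file names are taken from the write-up.
function Test-WinlogonsIndicators {
    $findings = @()

    # 1. Persistence: policies\explorer\Run value "Explorer" pointing at Winlogons
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run'
    $run = Get-ItemProperty -Path $runKey -Name Explorer -ErrorAction SilentlyContinue
    if ($run -and $run.Explorer -match 'Winlogons') {
        $findings += "Policy Run value 'Explorer' = '$($run.Explorer)'"
    }

    # 2. Winlogon Shell should read Explorer.exe (the Registry step resets it)
    $shellKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $shellKey -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'Explorer.exe') {
        $findings += "Winlogon Shell is '$shell' instead of Explorer.exe"
    }

    # 3. Command prompt disabled at the locations the Enable CMD step writes to
    foreach ($hive in 'HKLM', 'HKCU') {
        $polKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $pol = Get-ItemProperty -Path $polKey -Name DisableCmd -ErrorAction SilentlyContinue
        if ($pol -and $pol.DisableCmd -ne 0) { $findings += "$hive DisableCmd = $($pol.DisableCmd)" }
    }

    # 4. Dropped copy in system32 and the two malware processes
    if (Test-Path "$env:windir\system32\Winlogons.exe") { $findings += 'system32\Winlogons.exe present' }
    foreach ($p in Get-Process -Name MsUpdate, Winlogons -ErrorAction SilentlyContinue) {
        $findings += "Process running: $($p.Name) (PID $($p.Id))"
    }

    # 5. Removable drives (DriveType 2): autorun.inf and the hidden+system MicrosoftPowerPoint.exe
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $removable) {
        foreach ($name in 'autorun.inf', 'MicrosoftPowerPoint.exe') {
            $f = Get-Item -LiteralPath (Join-Path $d.DeviceID $name) -Force -ErrorAction SilentlyContinue
            if ($f) {
                $hs = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
                $flag = if (($f.Attributes -band $hs) -eq $hs) { ' (hidden+system)' } else { '' }
                $findings += "$($f.FullName) present$flag"
            }
        }
    }
    return $findings
}

Test-WinlogonsIndicators
```

An empty result after running the cleanup steps means none of the indicators from this page remain; any line printed names the item that still needs attention.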

PRECAUTIONS

Never double-click your pen drives; the virus spreads through removable drives. Always navigate with the folder view instead, enable the option to show system and hidden files, and delete the virus files from the pen drives.