Worm.Win32.AutoRun.aks
From Total Malware Info
Worm.Win32.AutoRun.aks is a worm that creates copies of itself on local drives and on writable network shares. It is a Windows application (PE EXE file), 39636 bytes in size. It is packed with Upack; the unpacked size is 208 KB.
Installation
Copies its executable file as:
%Program Files%\Common Files\Microsoft Shared\<rnd>.exe
%Program Files%\Common Files\System\<rnd>.exe
%Program Files%\meex.exe
where <rnd> is a sequence of 7 uppercase Latin letters. To start automatically at the next system boot, the virus adds references to its executable file to the autorun keys of the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<rnd>=%Program Files%\Common Files\System\<rnd>.exe
<rnd>=%Program Files%\Common Files\Microsoft Shared\<rnd>.exe
where <rnd> is a sequence of 7 uppercase Latin letters. It also creates the files:
%Program Files%\Common Files\Microsoft Shared\<rnd>.inf
%Program Files%\Common Files\System\<rnd>.inf
%Program Files%\<rnd>.inf
This file is 169 bytes in size and is not detected by Kaspersky Anti-Virus as a malicious object.
Propagation
Copies its executable file to the root of the following partitions:
d:\ e:\ f:\ g:\ h:\ i:\ j:\ k:\ l:\ m:\ n:\ o:\ p:\ q:\ r:\ s:\ t:\ u:\ v:\ w:\ x:\ y:\ z:\
under a name of the following form:
<rnd>.exe
where <rnd> is a sequence of 7 uppercase Latin letters. Along with its executable file, the worm also places an accompanying file in the root of the partition:
<X>:\autorun.inf, where X is the letter of the removable partition.
This file launches the worm's executable every time the user opens the infected partition in Windows Explorer.
Destructive activity
Terminates processes with the following names:
Ras.exe avp.com avp.exe runiep.exe PFW.exe FYFireWall.exe rfwmain.exe rfwsrv.exe KAVPF.exe KPFW32.exe nod32kui.exe nod32.exe Navapsvc.exe Navapw32.exe avconsol.exe webscanx.exe NPFMntor.exe vsstat.exe KPfwSvc.exe RavTask.exe Rav.exe RavMon.exe mmsk.exe WoptiClean.exe QQKav.exe QQDoctor.exe EGHOST.exe 360Safe.exe iparmo.exe adam.exe IceSword.exe 360rpt.exe 360tray.exe AgentSvr.exe AppSvc32.exe autoruns.exe avgrssvc.exe AvMonitor.exe CCenter.exe ccSvcHst.exe FileDsty.exe FTCleanerShell.exe HijackThis.exe Iparmor.exe isPwdSvc.exe kabaload.exe KaScrScn.SCR KASMain.exe KASTask.exe KAV32.exe KAVDX.exe KAVPFW.exe KAVSetup.exe KAVStart.exe KISLnchr.exe KMailMon.exe KMFilter.exe KPFW32X.exe KPFWSvc.exe KRegEx.exe KRepair.com KsLoader.exe KVCenter.kxp KvDetect.exe KvfwMcl.exe KVMonXP.kxp KVMonXP_1.kxp kvol.exe kvolself.exe KvReport.kxp KVScan.kxp KVSrvXP.exe KVStub.kxp kvupload.exe kvwsc.exe KvXP.kxp KvXP_1.kxp KWatch.exe KWatch9x.exe KWatchX.exe loaddll.exe MagicSet.exe mcconsol.exe mmqczj.exe nod32krn.exe PFWLiveUpdate.exe QHSET.exe RavMonD.exe RavStub.exe RegClean.exe rfwcfg.exe RfwMain.exe RsAgent.exe Rsaupd.exe safelive.exe scan32.exe shcfg32.exe SmartUp.exe SREng.EXE symlcsvc.exe SysSafe.exe TrojanDetector.exe Trojanwall.exe TrojDie.kxp UIHost.exe UmxAgent.exe UmxAttachment.exe UmxCfg.exe UmxFwHlp.exe UmxPol.exe UpLive.exe upiea.exe AST.exe ArSwp.exe USBCleaner.exe rstrui.exe
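Changes registry values so that the "Debugger" parameter under the Image File Execution Options key of each targeted program points to its own copy, C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe.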
Downloads files from the following URLs:
http://www.******.com/TDown1.exe
http://www.******.com/ReadDown.txt
(at the time this description was written, none of the links worked) and saves them to the folder:
%WinDir%\Program Files
after which it runs them.
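A triage sketch for the registry changes described above (the autorun entries and the Image File Execution Options "Debugger" values), added here as an example and not part of the original description. It goes slightly beyond the page by reporting every IFEO "Debugger" value and marking those that match the page's path pattern; the sample export, the names `triage` and `parse_reg`, and the 7-letter file names are constructed, and only string (REG_SZ) values in already-decoded .reg text are handled.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind target path matches_page_pattern")

# Drop locations from the page: Common Files\System or Common Files\Microsoft Shared,
# file name <rnd>.exe where <rnd> is exactly 7 uppercase Latin letters.
DROP_RE = re.compile(
    r"(?i:\\Common Files\\(?:System|Microsoft Shared))\\[A-Z]{7}\.(?i:exe)$"
)
RUN = r"\microsoft\windows\currentversion\run"
IFEO = r"\microsoft\windows nt\currentversion\image file execution options" + "\\"
# "name"="data" lines of a .reg export; backslashes and quotes are backslash-escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Yield (key, value_name, data) for string values in decoded .reg text.

    Assumption: the caller has already decoded the export (reg.exe writes UTF-16).
    dword:/hex: values are skipped because they cannot hold the paths of interest here.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            yield key, name, data


def triage(text):
    """Return findings for Run entries and IFEO Debugger values."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        exe = data.strip().strip('"')
        hit = bool(DROP_RE.search(exe))
        if k.endswith(RUN):
            # Only Run entries that point at the page's drop pattern are reported.
            if hit:
                findings.append(Finding("run", name, exe, True))
        elif IFEO in k and name.lower() == "debugger":
            # Any Debugger value redirects launches of that image, so report all
            # of them and let the flag separate the page's pattern from the rest.
            image = key[k.find(IFEO) + len(IFEO):]
            findings.append(Finding("ifeo_debugger", image, exe, hit))
    return findings


# Constructed sample export; the random-looking names are invented for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"QWKZPLM"="C:\\Program Files\\Common Files\\System\\QWKZPLM.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\HTRBNXA.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Tools\\procexp64.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f)
```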
Removal recommendations
If your computer was not protected by an antivirus and has been infected by this malicious program, perform the following steps to remove it:
- Use Task Manager to terminate the malicious process.
- Delete the original worm file (its location on the infected computer depends on how the program got onto the computer).
- Delete the following values from the system registry keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<rnd>=%Program Files%\Common Files\System\<rnd>.exe
<rnd>=%Program Files%\Common Files\Microsoft Shared\<rnd>.exe
together with the "Debugger" values set to C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe under [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options].
- Delete the files:
Options\PFWLiveUpdate.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\irsetup.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe] "Debugger" = 
C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe] "Debugger" = C:\Program Files\Common 
Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upiea.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBCleaner.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQSC.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ghost.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastU3.exe] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com] "Debugger" = C:\Program Files\Common Files\Microsoft Shared\<rnd>.exe
%Program Files%\Common Files\Microsoft Shared\<rnd>.exe
%Program Files%\Common Files\System\<rnd>.exe
%Program Files%\meex.exe
<X>:\<rnd>.exe
E:\autorun.inf
%Program Files%\Common Files\Microsoft Shared\<rnd>.inf
%Program Files%\Common Files\System\<rnd>.inf
%Program Files%\<rnd>.inf
where X is the letter of the removable drive.
- Delete the folder and all of its contents:
%WinDir%\Program Files
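An added example (not part of the original page): a cleanup check that parses the text of a `reg export` dump and flags Image File Execution Options `Debugger` values pointing at the `<rnd>.exe` drop paths this page describes. The sample export, the `<rnd>` names in it and the function names are constructed for illustration, and `<rnd>` is matched as 7 Latin letters regardless of case.

```python
import re

IFEO = r"\microsoft\windows nt\currentversion\image file execution options" + "\\"
# Drop folders named on the page; <rnd> is 7 Latin letters (case ignored here).
DROP_RE = re.compile(
    r"\\common files\\(?:microsoft shared|system)\\[a-z]{7}\.exe\b", re.IGNORECASE)

def ifeo_debuggers(reg_text):
    """Yield (image, debugger) for each IFEO subkey carrying a string Debugger value."""
    image = None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            pos = key.lower().find(IFEO)
            rest = key[pos + len(IFEO):] if pos != -1 else ""
            # Only a direct child of the IFEO key names an image file.
            image = rest if rest and "\\" not in rest else None
            continue
        m = re.match(r'"debugger"\s*=\s*"(.*)"$', line, re.IGNORECASE)
        if image and m:
            # In .reg text a backslash escapes the next character.
            yield image, re.sub(r"\\(.)", r"\1", m.group(1))

def audit(reg_text):
    """Separate Debugger values matching the worm's drop pattern from the rest."""
    report = {"hijacked": [], "review": []}
    for image, dbg in ifeo_debuggers(reg_text):
        bucket = "hijacked" if DROP_RE.search(dbg) else "review"
        report[bucket].append((image, dbg))
    return report

# Constructed sample, shaped like `reg export` output decoded to text
# (real exports are UTF-16LE); the <rnd> names are invented placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\QWERTYU.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\zxcvbnm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

if __name__ == "__main__":
    for bucket, rows in audit(SAMPLE).items():
        for image, dbg in rows:
            print(f"{bucket:9} {image:14} -> {dbg}")
```

Entries in the `review` bucket are `Debugger` values that do not match the worm's paths; they may be legitimate debugger registrations and need a manual look rather than automatic deletion.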






