How to Prevent and Remove the Worm.Win32.AutoRun.brzk


1. What is the Worm.Win32.AutoRun.brzk

Worm.Win32.AutoRun.brzk is a network-aware worm that attempts to replicate across the existing network(s). Worm.Win32.AutoRun.brzk can keylog all user keystrokes (including confidential details such as username, password, credit card number, etc.). Worm.Win32.AutoRun.brzk can set a drive to autoplay by creating an autorun.inf file in its root directory. If the drive is shared across the network, other remote computers can be infected any time they access that share. Remove Worm.Win32.AutoRun.brzk before it spreads to other computers on the same network.

a. The following files were created in the system:

#  Filename(s)                                        File Size
1  c:\autorun.inf                                     59 bytes
2  c:\i6sy11.exe [file and pathname of the sample #1]
   %System%\twking.exe                                167,424 bytes
3  %System%\twking0.dll                               105,984 bytes
4  %System%\zaking.exe                                173,056 bytes
5  %System%\zaking0.dll
   %System%\zaking1.dll                               110,592 bytes
  • Note:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

b. Memory Modifications


  • The following module was loaded into the address space of another process:
    • Module name: twking0.dll
    • Module filename: %System%\twking0.dll
    • Address space details:
      • Process name: explorer.exe
      • Process filename: %Windir%\explorer.exe
      • Address space: 0x2300000 - 0x2399000
  • Notes:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

c. Registry Modifications

  • The following Registry Key was created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN]
      • urlinfo = "cnjqf.a"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • king_tw = "%System%\twking.exe" (so that twking.exe runs every time Windows starts)
      • king_za = "%System%\zaking.exe" (so that zaking.exe runs every time Windows starts)

  • The following Registry Value was modified:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
      • CheckedValue =

d. Other details

  • An attempt to establish a connection with a remote host was recorded. The connection details are:

    Remote Host       Port Number
    222.187.112.87    80
    222.187.112.88
  • The data identified by the following URLs was then requested from the remote web server:

    • http://www.baidulo0.com/1tw/at.rar
    • http://www.baiduw2e.com/1tw/at1.rar

 

2. How-to's

a. Please keep the Sax2 policy knowledge base up to date. Once Sax2 detects the communication of these trojans, it will break the connections and help ensure your network and business security.

b. How to Remove Worm.Win32.AutoRun.brzk Manually?

Step 1: Remove the registry entries hidden by Worm.Win32.AutoRun.brzk. Once you find that some programs on your PC run abnormally, immediately check the following entries in the Registry and delete the spyware-related registry entries.

  • The following Registry Key was created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\MADOWN]
      • urlinfo = "cnjqf.a"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • king_tw = "%System%\twking.exe"
      • king_za = "%System%\zaking.exe"

Step 2: Clean up the IE Temporary file folder, where the original carrier of PC threats is possibly stored. Meanwhile, the malicious files generated by Worm.Win32.AutoRun.brzk are possibly located at the following locations:

  • c:\autorun.inf
  • c:\i6sy11.exe [file and pathname of the sample #1]
  • %System%\twking.exe
  • %System%\twking0.dll
  • %System%\zaking.exe
  • %System%\zaking0.dll
  • %System%\zaking1.dll
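As an added check for the indicators in Steps 1 and 2 (an example script written for this page, not code from the original page or from Sax2), the following PowerShell reports which of the listed files and registry entries exist on the host. It only reports and deletes nothing; the SHOWALL value is printed rather than compared because the page does not state the value the worm writes.

```powershell
# Added example: report the Worm.Win32.AutoRun.brzk indicators listed on this page.
# Read-only: nothing is deleted. Review the output before removing anything.
# %System% is resolved from the running OS; file and value names come from the page.

$system = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32

# File indicators (the sample's own filename/path is not given on the page)
$files = @(
    'C:\autorun.inf',
    'C:\i6sy11.exe',
    (Join-Path $system 'twking.exe'),
    (Join-Path $system 'twking0.dll'),
    (Join-Path $system 'zaking.exe'),
    (Join-Path $system 'zaking0.dll'),
    (Join-Path $system 'zaking1.dll')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $size = (Get-Item -LiteralPath $f -Force).Length
        Write-Output "FILE PRESENT: $f ($size bytes)"
    }
}

# Registry indicators: the created CLSID key and the two HKCU Run values
$madown = 'HKLM:\SOFTWARE\Classes\CLSID\MADOWN'
if (Test-Path $madown) {
    $u = (Get-ItemProperty -Path $madown -ErrorAction SilentlyContinue).urlinfo
    Write-Output "REG KEY PRESENT: $madown (urlinfo = '$u')"
}
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'king_tw', 'king_za') {
    $v = (Get-ItemProperty -Path $run -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $v) { Write-Output "RUN VALUE PRESENT: $name = $v" }
}

# The worm modifies Explorer's 'show hidden files' setting; the page does not give
# the written value, so print the current one for the operator to compare.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
Write-Output "SHOWALL CheckedValue is currently: $cv"

# autorun.inf in a drive root is the spreading mechanism; list every drive that has one
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $ar = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $ar) { Write-Output "AUTORUN.INF on drive $($_.Name): $ar" }
}
```

Run it from an elevated PowerShell so the HKLM keys and %System% files are readable; an empty report means none of the page's indicators were found, not that the host is clean.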
 

c. How to Remove these trojans Instantly?

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

 

3. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm