How to Prevent and Remove the Worm.Win32.AutoRun.xxn


 

1. What is the Worm.Win32.AutoRun.xxn

Worm.Win32.AutoRun.xxn is a malicious network-aware worm that attempts to replicate across the existing network. Worm.Win32.AutoRun.xxn is also an adware program designed to deliver various advertisements to the users' systems. Worm.Win32.AutoRun.xxn creates a startup item in the registry, so when your computer starts, Worm.Win32.AutoRun.xxn starts automatically. After the AutoRun worm has sneaked inside the system it activates corrupt exe/dll files and downloads further viruses.


Alias: Downloader.Generic [PCTools], Downloader [Symantec], W32/Autorun.worm.t [McAfee], Mal/SillyFDC-A [Sophos], Worm:Win32/Autorun.QF [Microsoft], Worm.Win32.AutoRun [Ikarus], Win-Trojan/Downloader.10240.LD [AhnLab]

 

2. Technical Details:

 

a. The following files were created in the system:

#   Filename(s)                             File Size
1   %Temp%\personalizationink.exe           24,576 bytes
2   %System%\icondrv.exe                    10,240 bytes
    [file and pathname of the sample #1]
  • Notes:
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  • The following directory was created:
    • %Temp%\-= The Porn Collection =-

b. Memory Modifications

  • There was a new process created in the system:

Process Name Process Filename Main Module Size
icondrv.exe %System%\icondrv.exe 24,576 bytes

c. Registry Modifications

  • The following Registry Value was modified:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
      • Userinit =

d. Other details

  • The following ports were open in the system:

Port Protocol Process
1055 TCP icondrv.exe (%System%\icondrv.exe)
  • There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host Port Number
82.98.86.164 80
  • The data identified by the following URLs was then requested from the remote web server:

    • http://brbg.ru/test/1.php
    • http://brbg.ru/test/arhc.exe

 

3. How-to's

a. How to prevent the Worm.Win32.AutoRun.xxn?

Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connection and ensure your network and business security.

b. How to Remove the Worm.Win32.AutoRun.xxn Manually?

Step 1 : Use Windows Task Manager to Remove Worm.Win32.AutoRun.xxn Processes

icondrv.exe

Step 2 : Use Registry Editor to Remove Worm.Win32.AutoRun.xxn Registry Values

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit =
 

Step 3: Detect and Delete Other Worm.Win32.AutoRun.xxn Files

%Temp%\personalizationink.exe
%System%\icondrv.exe
[file and pathname of the sample #1]
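The indicators in section 2 and the three manual removal steps above can be turned into a repeatable host and network check. The following Python script is an added example written for this page; it is not code from ids-sax2.com or Ax3soft. It takes the file names, the Winlogon Userinit value, the remote host and the URLs exactly as listed above. Everything else is an assumption: the stock Userinit value is the Windows XP default (the write-up does not record what the worm wrote into that value, so the modified sample value is constructed), the proxy log format and log lines are constructed, and the file listing is constructed.

```python
"""Indicator checks for the Worm.Win32.AutoRun.xxn write-up (added example).

The file names, registry value, remote host and URLs are the ones listed in
the write-up.  Everything else is constructed for this example: the sample
Userinit values (the write-up does not record what the worm wrote there),
the sample proxy log lines and their format, and the sample file listing.
"""
import re
from urllib.parse import urlsplit

# Indicators from the write-up, keeping the placeholders the write-up uses.
FILE_INDICATORS = (
    r"%Temp%\personalizationink.exe",
    r"%System%\icondrv.exe",
)
NETWORK_HOSTS = {"82.98.86.164", "brbg.ru"}
NETWORK_URLS = {
    "http://brbg.ru/test/1.php",
    "http://brbg.ru/test/arhc.exe",
}

# Stock Userinit entry on an English Windows XP install (assumption: adjust
# to the real system directory of the host being checked).
STOCK_USERINIT = r"C:\Windows\System32\userinit.exe"


def userinit_check(value, expected=STOCK_USERINIT):
    """Inspect a Winlogon Userinit value.

    Userinit is a comma-separated list of programs Winlogon runs at every
    interactive logon.  Return (ok, extra): ok is True only when the stock
    userinit.exe is present and nothing else is; extra lists any other
    entries so an analyst can see what was added.
    """
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    stock_present = any(e.lower() == expected.lower() for e in entries)
    extra = [e for e in entries if e.lower() != expected.lower()]
    return stock_present and not extra, extra


def expand_indicator(path, temp_dir, system_dir):
    """Replace the write-up's %Temp% / %System% placeholders with the
    concrete directories of the host being checked."""
    return path.replace("%Temp%", temp_dir).replace("%System%", system_dir)


def matching_files(present_paths, temp_dir, system_dir):
    """Return the indicator paths found in present_paths (a file listing
    collected from the host), compared case-insensitively."""
    present = {p.lower() for p in present_paths}
    return [
        expand_indicator(p, temp_dir, system_dir)
        for p in FILE_INDICATORS
        if expand_indicator(p, temp_dir, system_dir).lower() in present
    ]


# Constructed log format (assumption): "<timestamp> <client> <status> <method> <url>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\S+) (?P<method>[A-Z]+) (?P<url>\S+)"
)


def scan_proxy_log(lines):
    """Return (client, url) pairs for every request whose URL or host matches
    the network indicators, so the infected client can be identified."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = (urlsplit(url).hostname or "").lower()
        if url in NETWORK_URLS or host in NETWORK_HOSTS:
            hits.append((m.group("client"), url))
    return hits


# Constructed sample data for a run of the checks.
SAMPLE_USERINIT = r"C:\Windows\System32\userinit.exe,C:\Windows\System32\icondrv.exe,"
SAMPLE_FILES = [
    r"C:\Windows\System32\icondrv.exe",
    r"C:\Windows\System32\userinit.exe",
    r"C:\Documents and Settings\User\Local Settings\Temp\personalizationink.exe",
]
SAMPLE_LOG = [
    "1260000000.101 10.0.0.15 TCP_MISS/200 GET http://brbg.ru/test/1.php",
    "1260000000.233 10.0.0.15 TCP_MISS/200 GET http://brbg.ru/test/arhc.exe",
    "1260000000.412 10.0.0.22 TCP_MISS/200 GET http://example.com/index.html",
    "1260000000.640 10.0.0.31 TCP_MISS/200 GET http://82.98.86.164/test/1.php",
]

if __name__ == "__main__":
    ok, extra = userinit_check(SAMPLE_USERINIT)
    print("Userinit ok:", ok, "extra entries:", extra)
    print("Indicator files present:", matching_files(
        SAMPLE_FILES,
        temp_dir=r"C:\Documents and Settings\User\Local Settings\Temp",
        system_dir=r"C:\Windows\System32"))
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} requested {url}")
```

The Userinit check deliberately flags an empty value as well as an extended one: removing the stock entry breaks interactive logon, so a Userinit value that is not exactly the stock userinit.exe is worth a look either way. The proxy-log scan matches on the host as well as the full URL, so a request to the IP address from section 2d is caught even when the path differs from the two listed URLs.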
 

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and it is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan for spyware on your machine. In order to detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

 

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm