Worm.Win32.Agent.i

Tag: Internet Worms

Payload

The worm searches for files with the following extensions:

.rar
.pdf
.rtf
.mdb
.txt
.xls
.ppt
.doc

on all hard disk partitions. When the worm finds files with the extensions listed above, it copies them to %System%\ace\temp. It then extracts an archiving utility from its body:

%System%\NtApi.exe

It uses the utility to archive the contents of the following folder:

%System%\ace\temp

The archives are saved to the following folder:

%System%\ace\udis

Each archive has a .uda extension and is named after the folder in which the collected files were originally located.

Propagation

The worm copies its executable file as "Netsvcs.exe" to the root directories of all logical disks and sets the "Hidden" and "System" attributes on this file. It also creates a file called "autorun.inf" in the root directory of all hard disk partitions so that, when the partition is opened in Windows Explorer, the worm's executable is launched. This only works where Windows still honours autorun.inf for the drive; Windows 7 and later, and earlier versions with Microsoft's 2011 AutoRun update, ignore it on anything but optical media, but the dropped files remain a reliable indicator of infection. The worm also creates a file called "thumbs.db" in the same folder as "autorun.inf" and writes its configuration to this file; the name mimics Explorer's thumbnail cache.

On removable disks the worm creates the following folder:

System Volume Information

and copies the contents of the following folder to it:

%System%\ace\udis

i.e. the archives of documents collected from the victim machine. The folder name is the one Windows itself uses for restore-point and indexing data on fixed volumes, so the staged archives are easy to overlook.
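The following PowerShell script is an added example, not part of the original description, that checks a live host for the indicators listed in the Payload and Propagation sections above (drive-root copies, autorun.inf and thumbs.db, staged .uda archives on removable disks, the dropped tools, and the Winlogon Shell persistence). It assumes PowerShell 3.0 or later run from an elevated prompt, and it assumes the worm's working directory is %System%\ace, which the removal instructions delete but the description never names explicitly.

```powershell
# Added example (not from the original write-up): hunt for the file-system and
# registry indicators of Worm.Win32.Agent.i on a suspect host. Assumes PowerShell
# 3.0+ running as Administrator; the worm's working directory is assumed to be
# %System%\ace, as the removal instructions imply.

$system   = [Environment]::GetFolderPath('System')   # expands %System%
$findings = New-Object System.Collections.Generic.List[string]

# 1. Copies in drive roots, on fixed (DriveType 3) and removable (2) disks.
#    -Force is required: without it Get-Item and Get-ChildItem silently skip
#    files carrying the Hidden and System attributes.
$disks = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 }
foreach ($drive in $disks) {
    $root = $drive.DeviceID + '\'
    foreach ($name in 'Netsvcs.exe', 'autorun.inf', 'thumbs.db') {
        $path = Join-Path $root $name
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        $findings.Add(('{0}  attrs={1}  size={2}' -f $item.FullName, $item.Attributes, $item.Length))
        if ($name -eq 'autorun.inf') {
            # Show what the [autorun] section would launch on open / double-click.
            Get-Content -LiteralPath $path -Force |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
                ForEach-Object { $findings.Add("    $path : $_") }
        }
    }
    # 2. Staged document archives on removable disks.
    if ($drive.DriveType -eq 2) {
        $svi = Join-Path $root 'System Volume Information'
        Get-ChildItem -LiteralPath $svi -Filter *.uda -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("staged archive on removable disk: $($_.FullName)") }
    }
}

# 3. Working directory, dropped archiver and dropped Trojan.
foreach ($path in "$system\ace", "$system\NtApi.exe", "$system\ace\WinTask.exe") {
    if (Test-Path -LiteralPath $path) { $findings.Add("present: $path") }
}
$udis = Get-ChildItem -LiteralPath "$system\ace\udis" -Filter *.uda -Force -ErrorAction SilentlyContinue
if ($udis) { $findings.Add(('{0} .uda archive(s) of collected documents in {1}\ace\udis' -f @($udis).Count, $system)) }

# 4. Persistence: Winlogon Shell should be exactly Explorer.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'Explorer.exe') { $findings.Add("Winlogon Shell hijacked: '$shell'") }

# ShowSuperHidden = 0 is also the Windows default, so on its own it proves
# nothing; it is only worth reporting next to the hits above.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ssh = (Get-ItemProperty -Path $advanced -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
if ($ssh -eq 0 -and $findings.Count -gt 0) { $findings.Add('ShowSuperHidden = 0 (protected OS files hidden in Explorer)') }

# 5. Running copies. Neither Netsvcs nor WinTask is a process a clean Windows
#    install runs; confirm via the path before acting on the name alone.
foreach ($name in 'Netsvcs', 'WinTask') {
    Get-Process -Name $name -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("running: $name PID $($_.Id) $($_.Path)") }
}

if ($findings.Count -eq 0) { 'No Worm.Win32.Agent.i indicators found.' } else { $findings }
```

Treat any .uda files found on removable media as evidence that documents have already left the host: the archive names tell you which folders were collected, so they are worth preserving before clean-up.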

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the worm process (it may be called "Netsvcs.exe") and the WinTask.exe process it launched.
  2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following parameters from the system registry (see What is a system registry and how do I use it for details on how to edit the registry).
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    ShowSuperHidden = 0

    Revert the system registry key value to:

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    Shell = Explorer.exe

    Delete the following file from the worm's working directory:

    WinTask.exe

    Delete the following folder:

    %System%\ace
  4. Update your antivirus databases and perform a full scan of the computer.
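The same procedure as a PowerShell session, added here as an example rather than taken from the original instructions. It assumes an elevated PowerShell 3.0 or later prompt and that the worm's working directory is %System%\ace; the process names and file paths are the ones given in this entry. Hash or copy the dropped files before deleting them if you intend to analyse or submit the samples.

```powershell
# Added example, not part of the original instructions: the removal steps above
# as a PowerShell session. Run from an elevated prompt; assumes the worm's
# working directory is %System%\ace.

$system   = [Environment]::GetFolderPath('System')
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Steps 1 and 2: stop the worm and the Trojan it launched, recording where each
# ran from so the original file (location not known in advance) can be deleted.
$dropped = @()
foreach ($name in 'Netsvcs', 'WinTask') {
    foreach ($proc in Get-Process -Name $name -ErrorAction SilentlyContinue) {
        if ($proc.Path) { $dropped += $proc.Path }
        Stop-Process -Id $proc.Id -Force
        Wait-Process -Id $proc.Id -Timeout 10 -ErrorAction SilentlyContinue
    }
}
foreach ($path in $dropped) { Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }

# Step 3: restore the shell first. With the worm gone and Shell still pointing
# at it, the next logon would give an empty desktop.
Set-ItemProperty -Path $winlogon -Name Shell -Value 'Explorer.exe'

# The instructions say to delete ShowSuperHidden. Setting it to 1 instead makes
# the Hidden+System copies visible in Explorer while you check the drive roots.
Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1 -Type DWord

# Dropped archiver and the working directory (WinTask.exe is inside it).
foreach ($path in "$system\NtApi.exe", "$system\ace") {
    if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path -Recurse -Force }
}

# Propagation clean-up on fixed (3) and removable (2) disks; -Force is needed for
# the Hidden+System files. A thumbs.db in a drive root is the worm's config, not
# Explorer's thumbnail cache, and that cache is safe to delete in any case.
$disks = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 }
foreach ($drive in $disks) {
    $root = $drive.DeviceID + '\'
    foreach ($name in 'Netsvcs.exe', 'autorun.inf', 'thumbs.db') {
        $path = Join-Path $root $name
        if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path -Force }
    }
    if ($drive.DriveType -eq 2) {
        Get-ChildItem -LiteralPath (Join-Path $root 'System Volume Information') -Filter *.uda -Force -ErrorAction SilentlyContinue |
            Remove-Item -Force
    }
}
```

Reboot afterwards and confirm that Explorer starts normally before running the full scan of step 4. Any removable media that was plugged in while the machine was infected carries the same root files and staged archives, so clean each of those disks from a known-good host rather than reconnecting them to the victim.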

This malicious program is a worm. It is a Windows PE EXE file, 71,168 bytes in size, packed using UPX; the unpacked file is approximately 240 KB in size.

Installation

When launched, the worm creates the following folder:

%System%\ace

It then extracts the following file from its body into its working directory:

WinTask.exe

This file is 65,586 bytes in size and is detected by Kaspersky Anti-Virus as Trojan.Win32.Enfal.d.

The worm then launches this file.

To ensure it is launched automatically when the system is restarted, the worm registers its executable as the user shell in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = "<path and name of the worm executable>"

This value normally holds "Explorer.exe", so Winlogon now starts the worm instead of Explorer at every logon. If the worm file is deleted without restoring the value, the user logs on to an empty desktop, which is why the removal instructions revert it.

The worm also sets the following registry value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
ShowSuperHidden = 0

This is the Explorer setting "Hide protected operating system files". With it set to 0, files carrying both the Hidden and System attributes, such as the worm's copies in the drive roots, are not shown in Explorer.

©Virus-Encyclopedia.com All Rights Reserved.