Discovered: February 22, 2001
Updated: February 13, 2007 11:35:23 AM
Also Known As: Trojan.Win32.VirtualAve
Type: Trojan Horse
To remove this Trojan, copy Regedit.exe as Regedit.com, use the copy to edit the registry and remove the string that the Trojan added, restart the computer, and then delete the Trojan's files.
To copy Regedit.exe to Regedit.com:
Because the Trojan modified the registry so that .exe files no longer run, you must first make a copy of the Registry Editor with a .com extension, and then run that copy instead.
- Do one of the following, depending on which operating system you are running:
  - Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt.
  - Windows Me users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
  - Windows NT/2000/XP users:
    - Click Start, and click Run.
    - Type the following and then press Enter:
      command
      A DOS window opens.
    - Type the following and then press Enter:
      cd \winnt
      (If Windows is installed in a different folder, such as C:\Windows on Windows XP, change to that folder instead.)
    - Go on to the next step.
- Type the following and then press Enter:
  copy regedit.exe regedit.com
- Type the following and then press Enter:
  start regedit.com
Proceed to the section "To edit the registry" only after you have completed the previous steps.
NOTE: This opens the Registry Editor in front of the DOS window. After you finish editing the registry and have closed the Registry Editor, close the DOS window.
To edit the registry:
- Use the Registry Editor window that regedit.com opened in the previous section. Do not try to start regedit from the Run dialog box: regedit.exe will not run until the .exe registry change has been repaired.
- Navigate to and open the following key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
CAUTION: The HKEY_CLASSES_ROOT key contains many subkeys that refer to file extensions, including .exe. Changing the wrong entry can prevent any file ending in .exe from running. Make sure you browse all the way along this path until you reach the \command subkey.
Do not modify the HKEY_CLASSES_ROOT\.exe key.
Do modify the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey; this is the only key that you need to change.
- Double-click the (Default) value in the right pane. The Edit String dialog box appears.
- In the Value data box, remove the string that the Trojan added (the reference to shell32) so that only "%1" %* remains, and then click OK.
- Close the Registry Editor, and restart the computer.
To delete the Trojan files:
- Start Windows Explorer.
- Browse to the Windows System folder. By default, this is C:\Windows\System on Windows 95/98/Me; on Windows NT/2000/XP, the folder is named System32 under the Windows folder (for example, C:\Winnt\System32).
- Delete the following files:
CAUTION: Make sure that you delete only the files specified. There are legitimate Windows files in this location with similar names such as Shell32.dll.
- Shell32.exe
- Systray32s.exe
- Close Windows Explorer.
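The following Python script is an added example, not part of the original writeup, that performs the checks behind the procedure above on a machine you can run Python on: it classifies the (Default) value of HKEY_CLASSES_ROOT\exefile\shell\open\command as clean, hijacked (references shell32) or otherwise modified, reports only the two Trojan files from a folder listing without ever matching the legitimate Shell32.dll, and prints the text of a .reg file that puts the stock value back (an alternative to typing the value into the Edit String dialog, once regedit.com is available). It assumes that "%1" %* is the stock Windows value for that key, which it is; the sample handler values and directory listing in the script are constructed for offline use, not captured from an infected host. On Windows it also reads the live registry value through winreg; elsewhere that step is skipped.

```python
r"""Added example (not part of the original writeup): check a host for the
registry change and files described in this writeup.

Assumptions: the clean handler value "%1" %* is the stock Windows default for
HKEY_CLASSES_ROOT\exefile\shell\open\command; the sample values in main() are
constructed, not captured from an infected machine.
"""
import os
import sys

EXEFILE_COMMAND_SUBKEY = r"exefile\shell\open\command"
CLEAN_EXEFILE_COMMAND = '"%1" %*'                  # stock Windows value
TROJAN_FILES = ("Shell32.exe", "Systray32s.exe")    # files named in this writeup


def exefile_command_status(value):
    """Classify the (Default) value of HKCR\\exefile\\shell\\open\\command.

    'clean'    : exactly the stock value, nothing to do.
    'hijacked' : references shell32, the pattern this writeup describes.
    'modified' : some other non-stock value; inspect it before changing it.
    """
    text = value.strip()
    if text == CLEAN_EXEFILE_COMMAND:
        return "clean"
    if "shell32" in text.lower():
        return "hijacked"
    return "modified"


def trojan_files_present(listing):
    """Return the Trojan file names found in a directory listing.

    The match is case-insensitive but exact, so the legitimate Shell32.dll
    (which lives in the same folder) is never reported.
    """
    wanted = {name.lower() for name in TROJAN_FILES}
    return sorted((n for n in listing if n.lower() in wanted), key=str.lower)


def scan_system_folder(path):
    """Apply trojan_files_present() to a real folder (e.g. C:\\Windows\\System)."""
    return trojan_files_present(os.listdir(path))


def restore_reg_text():
    """Text of a .reg file that puts the stock value back.

    Import it with File > Import in the Registry Editor started from regedit.com.
    Quotes inside a .reg string value are escaped with a backslash.
    """
    escaped = CLEAN_EXEFILE_COMMAND.replace('"', '\\"')
    return (
        "REGEDIT4\r\n\r\n"
        "[HKEY_CLASSES_ROOT\\%s]\r\n" % EXEFILE_COMMAND_SUBKEY
        + '@="%s"\r\n' % escaped
    )


def read_live_exefile_command():
    """Read the real value on a Windows host; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, EXEFILE_COMMAND_SUBKEY)


if __name__ == "__main__":
    live = read_live_exefile_command()
    if live is not None:
        print("live exefile handler:", live, "->", exefile_command_status(live))
    # Constructed samples for offline use (not captured from an infected host).
    for sample in ('"%1" %*', r'C:\WINDOWS\SYSTEM\Shell32.exe "%1" %*'):
        print(repr(sample), "->", exefile_command_status(sample))
    sample_listing = ["Shell32.dll", "shell32.exe", "Systray32s.exe", "systray.exe"]
    print("trojan files in constructed listing:", trojan_files_present(sample_listing))
    print(restore_reg_text())
```

The file check deliberately matches whole names rather than the substring "shell32", for the same reason the CAUTION above gives: Shell32.dll is a legitimate Windows file in the same folder and must not be deleted.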
Writeup By: Cary Ng