W32.Netsky.AN@mm

Discovered: September 26, 2005
Updated: February 13, 2007 12:44:45 PM
Also Known As: WORM_NETSKY.AL [Trend]
Type: Worm
Systems Affected: Windows


W32.Netsky.AN@mm is a mass-mailing worm which also spreads through shared network folders.

Antivirus Protection Dates

  • Initial Rapid Release version September 26, 2005
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version September 26, 2005
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date September 28, 2005

Writeup By: Masaki Suenaga


When W32.Netsky.AN@mm is executed, it performs the following actions:

  1. Copies itself as the following file:

    %Windir%\McAffeAv.exe

    Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Creates the following mutex so that only one instance of the worm runs on the compromised computer:

    -=VXBRASIL=-SAMPA-2005!

  3. Adds the value:

    "McAfee" = "%Windir%\McAffeAv.exe -AntViru"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

  4. Deletes the following registry values to prevent other risks or threats from running on the compromised computer:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Taskmon"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Taskmon"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Explorer"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Explorer"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"KasperskyAv"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"KasperskyAv"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"system."
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"system."
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"msgsvr32"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"DELETE ME"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"d3dupdate.exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"au.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Service"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"OLE"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Sentry"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Services Host"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Services Host"

  5. Deletes the following registry subkeys to prevent other risks or threats from running on the compromised computer:

    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch

  6. Searches drives from C to Y and copies itself as the following file names to folders on these drives containing the string "shar" in the folder name:

    • 1000 Sex and more.rtf.exe
    • 3D Studio Max 3dsmax.exe
    • ACDSee 9.exe
    • Adobe Photoshop 9 full.exe
    • Adobe Premiere 9.exe
    • Ahead Nero 7.exe
    • Best Matrix Screensaver.scr
    • Clone DVD 5.exe
    • Cracks & Warez Archive.exe
    • Dark Angels.pif
    • Dictionary English - France.doc.exe
    • DivX 7.0 final.exe
    • Doom 3 Beta.exe
    • E-Book Archive.rtf.exe
    • Full album.mp3.pif
    • Gimp 1.5 Full with Key.exe
    • How to hack.doc.exe
    • IE58.1 full setup.exe
    • Keygen 4 all appz.exe
    • Learn Programming.doc.exe
    • Lightwave SE Update.exe
    • Magix Video Deluxe 4.exe
    • Microsoft Office 2003 Crack.exe
    • Microsoft WinXP Crack.exe
    • MS Service Pack 5.exe
    • Norton Antivirus 2004.exe
    • Opera.exe
    • Partitionsmagic 9.0.exe
    • Porno Screensaver.scr
    • RFC Basics Full Edition.doc.exe
    • Screensaver.scr
    • Serials.txt.exe
    • Smashing the stack.rtf.exe
    • Star Office 8.exe
    • Teen Porn 16.jpg.pif
    • The Sims 3 crack.exe
    • Ulead Keygen.exe
    • Virii Sourcecode.scr
    • Visual Studio Net Crack.exe
    • Win Longhorn Beta.exe
    • WinAmp 12 full.exe
    • Windows Sourcecode.doc.exe
    • WinXP eBook.doc.exe
    • XXX hardcore pic.jpg.exe

  7. Gathers email addresses from files with the following extensions, found on drives from C through Y, excluding CD-ROM drives:

    • .adb
    • .asp
    • .cgi
    • .dbx
    • .dhtm
    • .doc
    • .eml
    • .htm
    • .html
    • .msg
    • .oft
    • .php
    • .pl
    • .rtf
    • .sht
    • .shtm
    • .tbb
    • .txt
    • .uin
    • .vbs
    • .wab

  8. Queries the local DNS server, or one of the DNS servers hard-coded in the worm, for yahoo.com. When a query returns a match for yahoo.com, the worm uses that domain as its SMTP server.


  9. Sends a copy of itself as an email attachment to the email addresses gathered. The email has the following characteristics:

    From: Spoofed

    Title:
    One of the following:

    • [Deliver Error]
    • [Message Error]
    • [Server Error]
    • what means that?
    • help attached
    • [...]
    • ok...
    • [Attachment from Poland]
    • that is interesting...
    • i wait for your comment about it.
    • such as yours?
    • read the details.
    • gonna?
    • here is the document.
    • *lol*
    • read it immediately!
    • i found that about you!
    • your hero in the picture?
    • yours?
    • here is it.
    • illegal st. of you?
    • is that true?
    • account?
    • is that your name?
    • picture?
    • message?
    • is that your account?
    • pwd?
    • I wait for an answer!
    • abuse?
    • is that yours?
    • you are a bad writer
    • I don't know your document!
    • [Mail failed]
    • I have your password!
    • you won the rk!
    • something about you!
    • classroom test of you?
    • kill the writer of this document!
    • old photos about you?
    • i hope thats not true!
    • your name is wrong!
    • does it match?
    • i found this document about you.
    • time to fear?
    • really?
    • do you know this????
    • i know your document!
    • did you sent it to me?
    • this file is bad!
    • why should I?
    • pages?
    • her.
    • another pic, have fun! ... :->
    • test it
    • child porn?
    • greetings
    • xxx ?
    • stuff about you?
    • your document is not good
    • something is going wrong!
    • your photo is poor
    • information about you?
    • the information is wrong!
    • doc about me?
    • kill him on the picture!
    • from the chatter (my photo!)
    • from your lover ;-)
    • love letter?
    • here, the serials
    • are you a teacherin the picture?
    • here, the introduction
    • is that criminal?
    • here, the cheats
    • i like your doc!
    • what do you think about it?
    • that's a funny text.
    • that's not the truth?
    • do you have?
    • instruct me about this!
    • i lost that
    • i am speachless about your document!
    • is that the reality?
    • reply
    • msg
    • your design is not good!
    • important?
    • your TAN number?
    • take it easy!
    • why?
    • you are naked in this document!
    • thats wrong!
    • your icq number?
    • i am desperate
    • modifications?
    • your personal record?
    • yes.
    • misc. and so on. see you!
    • your attachment? verify it.
    • you earn money, see the attachment!
    • is that your attachment?
    • is that your website?
    • you feel the same.
    • meaning of that?
    • possible?
    • you have tried to steal!
    • did you ask me for that?
    • you are bad
    • your job? (I found that!)
    • is that possible?
    • something is going ...
    • something is not ok
    • did you know from this document?
    • wrong calculation! (see the attachment!"..
    • never!
    • poor quality!
    • good work!
    • excellent!
    • great!
    • i don't think so.
    • pretty pic about you?
    • pics?
    • schoolfriend?
    • [Warning from the Government]
    • [09580985869gj]
    • [?]
    • i want more...
    • here is the next one!
    • attachi#
    • did you see her already?
    • is that your wife?
    • is that your creditcard?
    • is that your photo?
    • do you think so?
    • do you have the bug also?
    • already?
    • forgotten?
    • drugs? ...
    • does it matter?
    • i have received this.
    • best?
    • the truth?
    • your body?
    • your eyes?
    • your face?
    • File is self-decryting.
    • File is damaged.
    • File is bad.
    • i saw you last week!
    • xxx service
    • your account is expired!
    • you cannot hide yourself! (see photo)
    • copyright?
    • what still?
    • who?
    • how?
    • [bad gateway]
    • only encrypted!
    • personal message!
    • my advice....
    • i've found it about you
    • [Failure]
    • <Attached Msg>
    • <scanned by norton antivirus>
    • great xxx!
    • man or women?
    • child or adult?
    • here is yours!
    • a crazy doc about you
    • xxx about you?
    • i don't want your xxx pics!
    • <Failed message available>
    • <Automailer>
    • doc?
    • trial?
    • what?
    • ;-)
    • i need you!
    • correct it!
    • see this!
    • it's a secret!
    • this is nothing for kids!
    • it's so similar as yours!
    • do not give up!
    • great job!
    • here is the $%%454$
    • you are sexy in this doc!
    • incest?
    • let it!
    • you look like an ape!
    • you look like an rat?
    • be mad?
    • are you cranky?
    • bob the builder
    • did you know that?
    • money?
    • is that your car?
    • is this information about you?
    • is that your privacy?
    • is that your TAN?
    • is that your message?
    • is that your cd?
    • is that your finger?
    • your are naked?
    • is that your porn pic?
    • is that your work?
    • is that your family?
    • is that your beast?
    • is that your account?
    • is that your slip?
    • is that your domain?
    • are you the naked one?
    • are you the naked person!
    • are you the one?
    • does it belong to you?
    • do you have sex in the picture?
    • you have a sexy body in the pic!
    • your lie is going around the world!
    • <Transfer complete>
    • <Antispam complete>
    • lets talk about it!
    • do you know the thief?
    • are you a photographer?
    • you have done a mistake in the document"..
    • its private from me
    • do not show this anyone!
    • new patch is available!
    • this is an attachment message!
    • in your mind?
    • Microsoft
    • fast food...
    • Your bill.
    • try this patch!
    • do you have an orgasm in the picture?
    • <Click the attachment to decrypt>
    • <Attachment Signature 34933920>
    • Transaction failed. Show the doc!
    • I 've found your bill!
    • see your name!
    • You are infected. Read the details!
    • here is my advice.
    • here is my photo!
    • here is the <censored>
    • feel free to use it.
    • does it belong to you?
    • Login required! Read the attachment!
    • your document is silly!
    • is the pic a fake?
    • Antispam is turned off. See file!
    • Authentification required. Read the att"..
    • solve the problem!
    • <null>
    • do not use my document!
    • do not use this creditcard!
    • presente de nata abra agora
    • nao saia de casa sem guarda chuva! Te a"..
    • explique
    • Diga sobre o que voce que isso!!!
    • Virus CIH1003 encontrado !!!!!!
    • Varroa Pugao!!!.
    • BancoItauConta!
    • Planos
    • Virus!
    • email786
    • cadeados
    • gay
    • BancoDoBrasil
    • Rescisao Contratual!
    • 23
    • Me Conhece??
    • Sim
    • Mercados!
    • Vigia
    • cris
    • Vidas -=-=-
    • fazno
    • Cuidado
    • Moto
    • Que pega??
    • calo
    • Re: Santander!!
    • Humm olha!
    • Fax!!!
    • Retorno!
    • boa vida ta!
    • traficante
    • error
    • take it
    • re:
    • Re: Re: Re: Re:
    • you?
    • something for you
    • exception
    • Re: hey
    • excuse me
    • Re: hi
    • Me Conhece??
    • Re: important
    • Re: hello
    • believe me
    • Question
    • denied!
    • notification
    • Re: <5664ddff?$??o2>
    • lol
    • last chance!
    • I'm back!
    • its me
    • notice!

      Message Body: 
      One of the following:

    • <Deliver Error>
    • <Message Error>
    • <Server Error>
    • what means that?
    • help attached
    • <...>
    • ok...
    • <Attachment from Poland>
    • that is interesting...
    • i wait for your comment about it.
    • such as yours?
    • read the details.
    • gonna?
    • here is the document.
    • *lol*
    • read it immediately!
    • i found that about you!
    • your hero in the picture?
    • yours?
    • here is it.
    • illegal st. of you?
    • is that true?
    • account?
    • is that your name?
    • picture?
    • message?
    • is that your account?
    • pwd?
    • I wait for an answer!
    • abuse?
    • is that yours?
    • you are a bad writer
    • I don't know your document!
    • <Mail failed>
    • I have your password!
    • you won the rk!
    • something about you!
    • classroom test of you?
    • kill the writer of this document!
    • old photos about you?
    • i hope thats not true!
    • your name is wrong!
    • does it match?
    • i found this document about you.
    • time to fear?
    • really?
    • do you know this????
    • i know your document!
    • did you sent it to me?
    • this file is bad!
    • why should I?
    • pages?
    • her.
    • another pic, have fun! ... :->
    • test it
    • child porn?
    • greetings
    • xxx ?
    • stuff about you?
    • your document is not good
    • something is going wrong!
    • your photo is poor
    • information about you?
    • the information is wrong!
    • doc about me?
    • kill him on the picture!
    • from the chatter (my photo!)
    • from your lover ;-)
    • love letter?
    • here, the serials
    • are you a teacherin the picture?
    • here, the introduction
    • is that criminal?
    • here, the cheats
    • i like your doc!
    • what do you think about it?
    • that's a funny text.
    • that's not the truth?
    • do you have?
    • instruct me about this!
    • i lost that
    • i am speachless about your document!
    • is that the reality?
    • reply
    • msg
    • your design is not good!
    • important?
    • your TAN number?
    • take it easy!
    • why?
    • you are naked in this document!
    • thats wrong!
    • your icq number?
    • i am desperate
    • modifications?
    • your personal record?
    • yes.
    • misc. and so on. see you!
    • your attachment? verify it.
    • you earn money, see the attachment!
    • is that your attachment?
    • is that your website?
    • you feel the same.
    • meaning of that?
    • possible?
    • you have tried to steal!
    • did you ask me for that?
    • you are bad
    • your job? (I found that!)
    • is that possible?
    • something is going ...
    • something is not ok
    • did you know from this document?
    • wrong calculation! (see the attachment!"..
    • never!
    • poor quality!
    • good work!
    • excellent!
    • great!
    • i don't think so.
    • pretty pic about you?
    • docs?
    • schoolfriend?
    • <Warning from the Government>
    • <09580985869gj>
    • <?}
    • i want more...
    • here is the next one!
    • attachi#
    • did you see her already?
    • is that your wife?
    • is that your creditcard?
    • is that your photo?
    • do you think so?
    • do you have the bug also?
    • already?
    • forgotten?
    • drugs? ...
    • does it matter?
    • i have received this.
    • best?
    • the truth?
    • your body?
    • your eyes?
    • your face?
    • File is self-decryting.
    • File is damaged.
    • File is bad.
    • i saw you last week!
    • xxx service
    • your account is expired!
    • you cannot hide yourself! (see photo)
    • copyright?
    • what still?
    • who?
    • how?
    • <bad gateway>
    • only encrypted!
    • personal message!
    • my advice....
    • i've found it about you
    • <<<Failure>>>
    • <Attached Msg>
    • <scanned by norton antivirus>
    • great xxx!
    • man or women?
    • child or adult?
    • here is yours!
    • a crazy doc about you
    • xxx about you?
    • i don't want your xxx pics!
    • <Failed message available>
    • <Automailer>
    • doc?
    • trial?
    • what?
    • ;-)
    • i need you!
    • correct it!
    • see this!
    • it's a secret!
    • this is nothing for kids!
    • it's so similar as yours!
    • is that your car?
    • do not give up!
    • great job!
    • here is the $%%454$
    • you are sexy in this doc!
    • incest?
    • let it!
    • you look like an ape!
    • you look like an rat?
    • be mad?
    • are you cranky?
    • bob the builder
    • did you know that?
    • money?
    • is that your car?
    • is this information about you?
    • is that your privacy?
    • is that your TAN?
    • is that your message?
    • is that your cd?
    • is that your finger?
    • your are naked?
    • is that your porn pic?
    • is that your work?
    • is that your family?
    • is that your beast?
    • is that your slip?
    • is that your domain?
    • are you the naked one?
    • are you the naked person!
    • are you the one?
    • does it belong to you?
    • do you have sex in the picture?
    • you have a sexy body in the pic!
    • your lie is going around the world!
    • <Transfer complete>
    • <Antispam complete>
    • lets talk about it!
    • do you know the thief?
    • are you a photographer?
    • you have done a mistake in the document"..
    • its private from me
    • do not show this anyone!
    • new patch is available!
    • this is an attachment message!
    • in your mind?
    • Microsoft
    • fast food...
    • Your bill.
    • try this patch!
    • do you have an orgasm in the picture?
    • <Click the attachment to decrypt>
    • <Attachment Signature 34933920>
    • Transaction failed. Show the doc!
    • I 've found your bill!
    • see your name!
    • You are infected. Read the details!
    • here is my advice.
    • here is my photo!
    • here is the <censored>
    • feel free to use it.
    • does it belong to you?
    • Login required! Read the attachment!
    • your document is silly!
    • is the pic a fake?
    • Antispam is turned off. See file!
    • Authentification required. Read the att"..
    • solve the problem!
    • <null>
    • do not use my document!
    • do not use this creditcard!
    • presente de nata abra agora
    • nao saia de casa sem guarda chuva! Te a"..
    • explique
    • Diga sobre o que voce que isso!!!
    • Virus CIH1003 encontrado !!!!!!
    • Varroa Pugao!!!

      Attachment:
      One of the following:

      [FILE NAME 1].[EXTENSION 2]
      [FILE NAME 1].[EXTENSION 1].[EXTENSION 2]
      [FILE NAME 1]_[FILE NAME 2].[EXTENSION 1]
      [FILE NAME 1]_[FILE NAME 2].[EXTENSION 2]

      where EXTENSION 1 is one of the following:

    • txt
    • rtf
    • doc
    • htm

      and EXTENSION 2 is one of the following:

    • exe
    • scr
    • com
    • pif

      FILE NAME 1 and FILE NAME 2 are selected from the following list:

    • Padaria!
    • variados
    • msg
    • vagas
    • AIV
    • ruim
    • fale
    • final
    • acredite
    • creditcard
    • configurado
    • loto100
    • detalhes
    • vai
    • 23
    • 98721
    • oras
    • -==-
    • negras
    • posicao
    • gratifico
    • formulas
    • Greenpeac
    • SuaNota
    • sexy
    • Premiado_32
    • 603s
    • 4096
    • ImortalRiot!
    • agua
    • Delta!
    • JerusalemBug
    • LeandroKelly
    • aura
    • Alevirus__
    • ping-pong
    • =)
    • Mercados!
    • avatar
    • stoned
    • CIH 1003
    • vagas
    • Denzuke
    • Brain
    • care.
    • simpl
    • flora
    • trampo
    • doces
    • cartas
    • amor
    • grana..
    • barcos.
    • trems
    • fogos.
    • meufone
    • piada
    • videogz
    • Coisas_zip
    • lazanha.
    • Eletrons.
    • confs
    • sulemi
    • radiose
    • zueira
    • numero
    • "Empregos olhar
    • notas.
    • galaxia
    • gritos
    • credito
    • mailB
    • planos.
    • PTB_A
    • eml1
    • disco
    • pacote
    • ovos
    • aviso
    • meteoro.
    • curr
    • gerado.
    • galeria.
    • acionar
    • vasos
    • boletos...
    • extravio
    • forma.
    • ManuaisTecni
    • planilha.
    • sadios
    • frutas
    • vivo
    • dolar
    • ficais
    • =$
    • devedor
    • planilha
    • notas
    • contas

      The attachment can also be a zip file, in which case the last file extension will be ".zip".

  10. May cause the compromised computer to beep randomly, if the system time is from 06:00 to 08:00 on February 26, 2004.


Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; removing them leaves threats fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
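The attachment-name grammar in step 9 above is specific enough to turn into a gateway rule that catches this worm's mail ahead of the general .exe/.scr/.pif block recommended above. The script below is an added example, not code from the Symantec writeup; the extension lists come from the writeup, while $Names is a short constructed subset of the writeup's FILE NAME list and the $samples are constructed attachment names.

```powershell
# Added example (not from the Symantec writeup). Flags attachment names built the way
# W32.Netsky.AN@mm builds them, so a mail gateway can quarantine them.
#
# Name grammar from the writeup, each optionally followed by ".zip":
#   NAME1.EXT2   NAME1.EXT1.EXT2   NAME1_NAME2.EXT1   NAME1_NAME2.EXT2
# EXT1 = txt|rtf|doc|htm   EXT2 = exe|scr|com|pif

$Ext1  = @('txt', 'rtf', 'doc', 'htm')
$Ext2  = @('exe', 'scr', 'com', 'pif')
# Constructed subset of the writeup's FILE NAME list; load the full list from a file in production.
$Names = @('msg', 'vagas', 'creditcard', 'detalhes', 'notas.', 'contas', 'planilha', 'sexy', '23', '98721')

# Build anchored regexes from the lists. Names are regex-escaped because several
# entries in the writeup contain '.', '=' or '!'.  PowerShell -match is case-insensitive.
$n  = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
$e1 = $Ext1 -join '|'
$e2 = $Ext2 -join '|'

$Rules = [ordered]@{
    'NAME1.EXT2'       = "^(?:$n)\.(?:$e2)(?:\.zip)?$"
    'NAME1.EXT1.EXT2'  = "^(?:$n)\.(?:$e1)\.(?:$e2)(?:\.zip)?$"
    'NAME1_NAME2.EXT'  = "^(?:$n)_(?:$n)\.(?:$e1|$e2)(?:\.zip)?$"
    # Broader rule modelled on the share-drop names in step 6 (Serials.txt.exe,
    # Teen Porn 16.jpg.pif): a document/media extension followed by an executable one.
    'DOUBLE-EXTENSION' = "^.+\.(?:$e1|html|jpg|mp3)\.(?:$e2)(?:\.zip)?$"
}

function Test-NetskyAttachmentName {
    param([Parameter(Mandatory)][string]$FileName)
    $name = $FileName.Trim()
    foreach ($rule in $Rules.Keys) {
        if ($name -match $Rules[$rule]) {
            return [pscustomobject]@{
                FileName   = $FileName
                Suspicious = $true
                Rule       = $rule
                Zipped     = ($name -match '\.zip$')
            }
        }
    }
    [pscustomobject]@{ FileName = $FileName; Suspicious = $false; Rule = $null; Zipped = $false }
}

# Constructed sample attachment names of the kind a gateway would see.
# Expected: the first five are flagged (the last of them via DOUBLE-EXTENSION and
# 'notas..exe' via the dotted list entry 'notas.'); 'report.doc' and 'planilha.xlsx' are not.
$samples = @('vagas.exe', 'detalhes.doc.scr', 'msg_contas.rtf', 'creditcard_23.pif.zip',
             'Serials.txt.exe', 'notas..exe', 'report.doc', 'planilha.xlsx')
$samples | ForEach-Object { Test-NetskyAttachmentName $_ } | Format-Table -AutoSize
```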


The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan and delete all the files detected.
  4. Delete any values added to the registry.
For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
Note:
When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to Virus Definitions (Intelligent Updater).

    The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.


3. To scan for and delete the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected, click Delete.

Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.


4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.
  1. Click Start > Run.
  2. Type regedit
  3. Click OK.

    Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

  4. Navigate to the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  5. In the right pane, delete the value:

    "McAfee" = "%Windir%\McAffeAv.exe -AntViru"

  6. Exit the Registry Editor.
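For administrators who would rather script the check than walk through regedit on each machine, the function below is an added example, not part of the Symantec writeup. It looks for the host indicators from steps 1 to 3 of the behaviour list (the dropped file, the "McAfee" Run value and the mutex) and, with -Remove, performs the registry and file clean-up from this removal section. It assumes an elevated PowerShell session; the function name Get-NetskyANIndicators is the example's own.

```powershell
# Added example (not from the Symantec writeup). Reports the W32.Netsky.AN@mm host
# indicators and, with -Remove, carries out the writeup's removal steps. Run elevated.
function Get-NetskyANIndicators {
    [CmdletBinding()]
    param([switch]$Remove)

    # All indicator values below are taken from the writeup.
    $runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'McAfee'
    $dropPath  = Join-Path $env:windir 'McAffeAv.exe'
    $mutexName = '-=VXBRASIL=-SAMPA-2005!'
    $findings  = @()

    # 1. Persistence value. Match on the value data, not only its name: a genuine
    #    McAfee product could legitimately own a Run value called "McAfee".
    $data = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($data -and $data -like '*McAffeAv.exe*') {
        $findings += "Run value '$valueName' = '$data'"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $valueName }
    }

    # 2. Dropped copy in the Windows folder. Stop any process running from it before deleting.
    if (Test-Path -LiteralPath $dropPath) {
        $findings += "File present: $dropPath"
        if ($Remove) {
            Get-Process -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -eq $dropPath } |
                Stop-Process -Force
            Remove-Item -LiteralPath $dropPath -Force
        }
    }

    # 3. Mutex held by a running instance. OpenExisting throws when no such mutex exists;
    #    an access-denied error still means the mutex (and so the worm process) is present.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($mutexName)
        $m.Dispose()
        $findings += "Mutex '$mutexName' exists (worm process is running)"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present
    } catch [System.UnauthorizedAccessException] {
        $findings += "Mutex '$mutexName' exists (access denied to open it)"
    }

    [pscustomobject]@{
        Infected = ($findings.Count -gt 0)
        Findings = $findings
        Removed  = [bool]$Remove
    }
}

Get-NetskyANIndicators            # report only
# Get-NetskyANIndicators -Remove  # clean up, then rerun the full antivirus scan as above
```

A reported mutex after -Remove means the process was not stopped; reboot into Safe mode and repeat, as the scan instructions above describe.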
