
[Figure: file icons of MicrosoftPowerPoint.exe, the green “H” icon logo, and taskbar / monitor / ~DF450D.tmp.exe]
The latest Kaspersky update does not detect this virus yet as of 8 Nov, 2007. And I did it before,
as I promised . . .

This is the new version of the old “orkut virus”, if you remember … Mu hu ha ha ha ….. but
it doesn’t do anything like that now… : )

And I have got the website of the programmer who developed this virus… It’s
http://sapn4.tripod.com/

But PLEASE, I request, do not go to that site, or else your computer will be seriously affected.
The virus automatically starts downloading.

There’s nothing on the site but a few google ads.

It’s quite an old virus now. But still Kaspersky doesn’t detect it. Probably no one reported it..
he he

VIRUS FILES

File Name: MicrosoftPowerPoint.exe
Icon: Folder with a small “my comp” icon within it
Type: Application
Description: MicrosoftPowerPoint
Size: 261 KB (268,082 bytes)
Size on disk: 272 KB (278,528 bytes)
Modified: Tuesday, June 26, 2007, 1:06:24 PM
Attributes: Read-only, Hidden+System, Archive

File Name: Winlogons.exe
Icon: Folder
Type: Winlogons
Description: MicrosoftPowerPoint
Size: 261 KB (268,082 bytes)
Size on disk: 272 KB (278,528 bytes)
Modified: Wednesday, October 31, 2007, 10:20:00 PM
Attributes: Read-only, Hidden+System, Archive

File Name: MsUpdate.exe
Icon: ‘H’ in green color
Type: Application
Description: AutoHotKey
Size: 230 KB (235,520 bytes)
Modified: Wednesday, June 20, 2007, 10:38:52 PM
Attributes: Archive
File version: 1.0.46.17
Internal Name: AutoHotKey

PARTIALLY DETECTED BY KASPERSKY

Trojan-Downloader.Win32.AutoIt.t -> monitor 2.6 KB

SYMPTOMS

These two hidden system files are automatically copied to your removable drives:

MicrosoftPowerPoint.exe
autorun.inf

Double clicking the removable drives doesn’t work
Tools > Folder Options is disabled
You are unable to see your hidden files
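The removable-drive side of the infection can be spotted without opening the drive: a root directory that carries an autorun.inf whose open=, shellexecute= or shell\<verb>\command= directive points at a hidden+system executable sitting next to it. The script below is an added example for this post, not the author's code. It builds a constructed copy of the pen-drive layout in a temporary directory (the post does not show the real autorun.inf, so its directives are assumed) and takes the attribute lookup as a callable, because the Hidden/System bits cannot be set portably; the attribute table mirrors the "Hidden+System" attributes listed under VIRUS FILES.

```python
"""Check a removable-drive root for the autorun.inf + hidden executable pattern.
Added example for this post (not the author's code); the pen-drive layout and
the attribute table below are constructed, the post does not show autorun.inf."""
from __future__ import annotations
import os
import tempfile
from dataclasses import dataclass

# FILE_ATTRIBUTE_HIDDEN / FILE_ATTRIBUTE_SYSTEM bits, as returned by
# os.stat(path).st_file_attributes on Windows
HIDDEN, SYSTEM = 0x2, 0x4


@dataclass
class Finding:
    path: str
    reason: str


def parse_autorun(text: str) -> dict[str, str]:
    """Return the [autorun] directives that can launch code, keyed by the
    lower-cased directive name: open, shellexecute, shell\\<verb>\\command."""
    launch: dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            launch[key] = value.strip()
    return launch


def target_file(command: str) -> str:
    """First token of a command line, unquoted, without a leading .\\ or /."""
    cmd = command.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split()[0] if cmd.split() else ""
    return exe.lstrip(".\\/")


def scan_drive(root: str, attrs_of) -> list[Finding]:
    """attrs_of(path) -> attribute bits; on Windows pass
    lambda p: os.stat(p).st_file_attributes."""
    findings: list[Finding] = []
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return findings
    with open(inf, "r", errors="replace") as fh:
        launch = parse_autorun(fh.read())
    for directive, command in launch.items():
        exe = target_file(command)
        exe_path = os.path.join(root, exe)
        if not os.path.isfile(exe_path):
            findings.append(Finding(inf, f"{directive} points at missing file {exe}"))
            continue
        bits = attrs_of(exe_path)
        hidden_sys = bool(bits & HIDDEN) and bool(bits & SYSTEM)
        findings.append(Finding(
            exe_path,
            f"{directive} launches {exe}" + (" (hidden+system executable)" if hidden_sys else ""),
        ))
    bits = attrs_of(inf)
    if bits & HIDDEN and bits & SYSTEM:
        findings.append(Finding(inf, "autorun.inf itself is hidden+system"))
    return findings


# --- constructed demo drive -------------------------------------------------
DEMO_ATTRS = {  # constructed: mirrors the Hidden+System attributes listed in the post
    "autorun.inf": HIDDEN | SYSTEM,
    "microsoftpowerpoint.exe": HIDDEN | SYSTEM,
}


def demo_attrs_of(path: str) -> int:
    return DEMO_ATTRS.get(os.path.basename(path).lower(), 0)


def build_demo_drive() -> str:
    """Write a constructed copy of the infected pen-drive root to a temp dir."""
    root = tempfile.mkdtemp(prefix="pendrive_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        # assumed directives; the post does not show the real autorun.inf
        fh.write("[autorun]\r\nopen=MicrosoftPowerPoint.exe\r\n"
                 "shell\\open\\command=MicrosoftPowerPoint.exe\r\n"
                 "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n")
    with open(os.path.join(root, "MicrosoftPowerPoint.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 62)  # placeholder bytes, not the real sample
    return root


def run_demo() -> list[Finding]:
    return scan_drive(build_demo_drive(), demo_attrs_of)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path}: {f.reason}")
```

On a real Windows host call scan_drive with the drive root (for example K:\) and attrs_of set to lambda p: os.stat(p).st_file_attributes; the parser is deliberately hand-written because autorun.inf files often carry CRLF line endings and mixed-case section names that stricter INI parsers reject.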

BEHIND THE SCREEN

DeleteDir C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\MsUpdate~1
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\MsUpdate.exe
CreateFile C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\monitor
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Runs the file C:\Documents and Settings\Piyush Chandra\Local Settings\Temp\IXP000.TMP\MsUpdate.exe

CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run\Explorer

Creates a value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run
Value: Explorer
New data (Unicode null-terminated string): Winlogons

Deletes the value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value: wextract_cleanup0
Data (Unicode null-terminated string): rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\"

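The trace above reduces to a few registry facts a responder can check on any machine: an autostart planted under policies\explorer\Run (processed at logon like the ordinary Run key, but in a place few people look), a RunOnce wextract_cleanup0 value that gives away the self-extractor's IXP000.TMP drop directory, and the policy values the SOLUTION section later resets (DisableCmd, Winlogon Shell). The script below is an added example, not the author's or Kaspersky's code. It audits a registry snapshot given as (key, value name, data) triples so it runs offline; the snapshot is constructed from the two values in the trace, plus an assumed DisableCmd=1 and a clean Winlogon Shell value for contrast (the post only shows those being reset in the cleanup). On Windows such a snapshot can be collected with winreg or parsed from reg export output.

```python
"""Audit registry autostart and policy values for the persistence seen in the
trace. Added example for this post, not the author's code. Works on a snapshot
of (key, value name, data) triples so it runs offline."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegValue:
    key: str   # full key path with hive prefix, e.g. HKLM\SOFTWARE\...
    name: str  # value name
    data: str  # REG_SZ text, or a REG_DWORD rendered as "0x1"


@dataclass
class Alert:
    severity: str  # "high" | "medium" | "info"
    value: RegValue
    reason: str


# key paths below the hive, lower-case, as they appear in the trace and cleanup
POLICY_RUN = r"software\microsoft\windows\currentversion\policies\explorer\run"
RUN = r"software\microsoft\windows\currentversion\run"
RUNONCE = r"software\microsoft\windows\currentversion\runonce"
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
POLICY_SYS = r"software\microsoft\windows\currentversion\policies\system"

# image names of the files the post lists as dropped (no extension, lower-case)
KNOWN_BAD = {"winlogons", "msupdate", "microsoftpowerpoint"}


def subkey(key: str) -> str:
    """Strip the hive prefix and normalise case and separators."""
    k = key.strip().replace("/", "\\").lower()
    for hive in ("hkey_local_machine\\", "hklm\\", "hkey_current_user\\", "hkcu\\"):
        if k.startswith(hive):
            return k[len(hive):]
    return k


def image_name(data: str) -> str:
    """Executable name referenced by command-line data: unquote, drop the
    directory, the arguments and the extension, lower-case. '' if none."""
    d = data.strip()
    if d.startswith('"'):
        d = d[1:].split('"', 1)[0]
    else:
        d = d.split()[0] if d.split() else ""
    base = d.replace("/", "\\").rsplit("\\", 1)[-1]
    return re.sub(r"\.(exe|com|bat|cmd|scr)$", "", base, flags=re.I).lower()


def audit(snapshot: list[RegValue]) -> list[Alert]:
    alerts: list[Alert] = []
    for v in snapshot:
        sub = subkey(v.key)
        img = image_name(v.data)
        name = v.name.lower()
        reasons: list[tuple[str, str]] = []
        if sub == POLICY_RUN:
            reasons.append(("high", "autostart planted under the Explorer policy Run key"))
        elif sub in (RUN, RUNONCE):
            reasons.append(("info", f"autostart value '{v.name}' launches '{img}'"))
        if sub == WINLOGON and name == "shell" and v.data.strip().lower() != "explorer.exe":
            reasons.append(("high", "Winlogon Shell is not explorer.exe"))
        if sub == POLICY_SYS and name == "disablecmd" and v.data.strip().lower() not in ("0", "0x0"):
            reasons.append(("medium", "command prompt disabled by policy"))
        if img in KNOWN_BAD:
            reasons.append(("high", f"data references dropped file '{img}'"))
        alerts.extend(Alert(sev, v, why) for sev, why in reasons)
    return alerts


def count_by_severity(alerts: list[Alert]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


# Constructed snapshot: the first two values are taken from the trace above; the
# Shell, DisableCmd and ctfmon values are assumed (the post only shows the
# first two of those being reset in the cleanup section).
DEMO_SNAPSHOT = [
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run",
             "Explorer", "Winlogons"),
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "wextract_cleanup0",
             r'rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 '
             r'"C:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\IXP000.TMP\"'),
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "Explorer.exe"),
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCmd", "0x1"),
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
             r"C:\WINDOWS\system32\ctfmon.exe"),  # benign entry for contrast
]


def run_demo() -> list[Alert]:
    return audit(DEMO_SNAPSHOT)


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a.severity:6}] {a.value.key}\\{a.value.name} = {a.value.data!r}: {a.reason}")
```

The RunOnce entry is only reported at "info" level because wextract_cleanup0 is the normal IExpress self-extractor cleanup value; its worth here is the IXP000.TMP path it carries, which points straight at the drop directory the cleanup section deletes.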
THE VIRUS PROGRAM

<the script is of type Trojan-Downloader.Win32.AutoIt.t>

The virus has been written in AutoHotKey 1.0.46.17

xxxxxx Deleted by PiyushLabs for security reasons xxxxxx

SOLUTION

End Task: Open Run and paste the following commands one by one.

TASKKILL /f /t /fi "IMAGENAME eq svchost.exe" /fi "USERNAME ne NT AUTHORITY\*"
TASKKILL /f /t /fi "IMAGENAME eq MsUpdate.exe"
TASKKILL /f /t /fi "IMAGENAME eq Winlogons.exe"

Enable CMD: Open Run and paste the following commands.

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCmd /t REG_DWORD /d 0 /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCmd /t REG_DWORD /d 0 /f

Delete: Open Run > CMD and paste the following commands one by one.

del "%userprofile%\LOCAL SETTINGS\TEMP\MSDATA\" /f /a
del "%userprofile%\Local Settings\Temp\IXP000.TMP\" /f /a
del "%temp%\~DF450D.tmp.exe" /f /a
del "%windir%\system32\Winlogons.exe" /f /a

Delete the virus from the pen drives if you use any. (Replace K with your drive letter.)

del K:\autorun.inf /a /f
del K:\MicrosoftPowerPoint.exe /a /f

Registry: Open Run > CMD and paste the following commands one by one. (reg delete asks for confirmation; answer Y.)

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /va
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe

PRECAUTIONS

Never double click your pen-drives: the virus spreads through removable drives. Always use the
folder view for navigation, and enable the view of system files and hidden files. And
delete the virus files from the pen-drives.
