Worm Win32 Pifio.a
1. Summary:
Pifio.a is a 19 kB worm. It spreads via removable media.
It may download other, possibly harmful, applications from the Internet, and it terminates running security-related processes such as firewalls and antivirus products.
Aliases:
Symantec: W32.Pifio
2. Detailed description:
On its first execution, Pifio.a creates two files in the system directories:
%COMMONPROGRAMFILES%\Services\svchost.exe
%SYSTEM%\DirectX9.dll
%COMMONPROGRAMFILES% stands for the 'Common Files' directory under Program Files. Its location can vary, but it is usually C:\Program Files\Common Files
Worm Pifio.a creates entries in the 'run' keys so that it is executed at every system boot:
[HKLM\Software\Microsoft\Active Setup\Installed Components\{2bf41073-b2b1-21c1-b5c1-0701f4155588}]
"StubPath" = "C:\Program Files\Common Files\Services\svchost.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Default" = "C:\Program Files\Common Files\Services\svchost.exe"
Worm Pifio.a terminates the following security-related services:
Norton Antivirus Auto Protect Service
mcshield
System Restore Service
Windows Firewall/Internet Connection Sharing (ICS)
It also checks the owners of running processes and terminates any process whose owning application is one of the following:
360safe.exe
360tray.exe
eghost.exe
iparmor.exe
kavpfw.exe
mailmon.exe
msconfig.exe
regedit.exe
RogueCleaner.exe
taskgmr.exe
TForm1
Windows Security Center
WoptiClean.exe
Worm Pifio.a is capable of downloading further code from the Internet, which also allows it to update itself. It tries to connect to the following domain name:
591down.com
3. Infection by removable media:
Worm Pifio.a copies itself into the root directory of every attached removable medium under the name:
IO.pif
It also creates an autorun.inf file so that IO.pif is run the next time the medium is attached.
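As an added example (not part of the original description), a defensive check for the removable-media artefacts described above: a Python scanner that flags a drive root carrying io.pif together with an autorun.inf that launches it. The autorun.inf contents used in the constructed sample are an assumption, since the original does not quote them.

```python
import configparser
import tempfile
from pathlib import Path

# Indicators from the description above: IO.pif plus an autorun.inf that launches it.
DROPPED_NAME = "io.pif"
AUTORUN_NAME = "autorun.inf"
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the launch targets named by an autorun.inf ([autorun] open=, shellexecute=, shell\\X\\command=)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return []  # malformed file: nothing to trust here, the caller still sees the file exists
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            k = key.lower()  # configparser already lower-cases option names
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
                targets.append(value.strip())
    return targets


def scan_removable_root(root):
    """Look for the two Pifio.a artefacts on a drive root; names are matched case-insensitively."""
    root = Path(root)
    by_name = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
    result = {"io_pif": DROPPED_NAME in by_name, "autorun": AUTORUN_NAME in by_name,
              "targets": [], "launches_io_pif": False}
    if result["autorun"]:
        text = by_name[AUTORUN_NAME].read_text(encoding="utf-8", errors="replace")
        result["targets"] = parse_autorun(text)
        # the target may be written as IO.pif, .\IO.pif or with a drive letter; compare the basename
        result["launches_io_pif"] = any(t.replace("/", "\\").split("\\")[-1].lower() == DROPPED_NAME
                                        for t in result["targets"])
    return result


def demo(infected=True):
    """Build a constructed drive root in a temp dir (placeholder bytes, not a real sample) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        if infected:
            (Path(d) / "IO.pif").write_bytes(b"PLACEHOLDER-NOT-MALWARE")
            (Path(d) / "autorun.inf").write_text("[AutoRun]\nopen=IO.pif\nshell\\open\\command=IO.pif\n")
        else:
            (Path(d) / "readme.txt").write_text("clean drive\n")
        return scan_removable_root(d)
```

Point scan_removable_root at a mounted drive root to check real media; demo() only exercises the logic on a constructed directory.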
5. Cleaning:
- Reboot the PC into Safe Mode.
- Delete the following files from the local drives:
%COMMONPROGRAMFILES%\Services\svchost.exe
%SYSTEM%\DirectX9.dll
- Delete the following files from the root of every attached removable medium:
autorun.inf
io.pif
- Delete the 'StubPath' value from the registry key:
[HKLM\Software\Microsoft\Active Setup\Installed Components\{2bf41073-b2b1-21c1-b5c1-0701f4155588}]
"StubPath" = "C:\Program Files\Common Files\Services\svchost.exe"
- Delete the 'Default' value from the key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Default" = "C:\Program Files\Common Files\Services\svchost.exe"
- Reboot the PC back into normal mode.
[10/17/2007 00:42]