Heads UP *** WORM_AINJO.E *******

**NullDevice** · July 25th, 2003, 09:18 AM

Trend Micro's Details here...
http://www.trendmicro.com/vinfo/viru...e=WORM_AINJO.E

Details

Virus type: Worm

Destructive: No

Aliases: W32.HLLW.Indor.E@mm, W32/Pkasa, Win32/Indowing.A, I-Worm.Ainjo.e, Win32.HLLM.Generic.132

Overall risk rating: Low
Reported infections: Low
Damage Potential: High
Distribution Potential: High

Description

This worm propagates via Internet Relay Chat (IRC), peer-to-peer file-sharing networks such as Kazaa, and through email using Microsoft Outlook.

The attachment is a compressed ZIP file containing a single copy of this worm.

Subject and Message Body

Subject: (Any of the following)

• Re: Web Site Report
• Thank You!
• Free MP3, OGG/VORBIS Hit Songs !!
• Download DVD Movie Now !! Its Free..!
• You are Losing Income

Message Body: (Any of the following)

• The Mastercard Stored Value Card is good anywhere in the world that Mastercard is accepted! APPLY NOW AND GET $20 FREE!! Download it Now And Get free Bonus!

• Have I peaked your curiosity?
This is something that I think that anyone who is serious about marketing and being on the internet should check out. Save it Now !

• ATTENTION: THIS PROGRAM IS EXPLODING WORLDWIDE. THOUSANDS OF PEOPLE ARE SIGNING UP EVERY DAY CREATING ONE OF THE LARGEST MEMBERSHIP BASES IN THE WORLD!

• Hello!

Need a quick $100 today?
Need a quick $500 this week?
Need to QUICKLY build a $5,000 monthly income?
Download the attachment now !

Attachment: (any of the following)
SaveNow.zip
Report.zip
FFA.zip
FreeJoin.zip

Solutions

Solution:

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_AINJO.E. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry:
Kernelw="%Windows%\Kernelw32.exe"
Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WinNT.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Removing Autostart Entries from System Files

A malware modifies system files so that it automatically executes at every Windows startup. These startup entries must be removed before the system can be restarted safely.

Open the SYSTEM.INI file. To do this, click Start>Run, type SYSTEM.INI, then press Enter. This should open the file in your default text editor (usually Notepad).
Under the [boot] section, locate the line that begins with:
Shell=Explorer.exe
From the same line, delete the malware path and file name:
SCRNSAVE.EXE=%Windows%\Blank.scr
Locate and delete the following lines:
[WORM]
Name=I-WORM>PERKASA
Author=Iwing/Indovirus
Close the SYSTEM.INI file and click Yes when prompted to save.
Open the WIN.INI file using your default text editor. Click Start>Run, type WIN.INI, then press Enter.
Under the [windows] section, locate the line(s) that begin with:
load =

From the same line(s), delete the malware path and filename:
%Windows%\Kernelw32.exe
Close the WIN.INI file and click Yes when prompted to save.

Thread: Heads UP * WORM_AINJO.E *****

Thread Tools

Display

Threaded View