Yesterday I got a new type of “Stupid Worm” hidding in background as xmss.exe. It copied itself on Local disk and Windows Directory (%Windir%). Terminated “Windows Task Manager”, Windows Command Prompt (DOS-Prompt) & crashed System Internal Process Explorer (procxp.exe).

Its not a funny video

According to McAfee, this worm is known as W32/Autorun.worm.g.

It can propagate itself over removable media and network drives and cause execution of malicious code via an autorun.inf file.

XMSS.exe Win32 AutoRun Files

• x:autorun.inf
• x:xmss.exe
• x:Funny UST Scandal.avi.exe
• %Windir%\autorun.inf
• %Windir%\xmss.exe
• %Windir%\Funny UST Scandal.avi.exe

Fixes Win32 AutoRun.* Worm

Here’s a few step to prevent Win32 AutoRun Worm.

1. Disabled System Restore for Temporary - KB 264887
2. Boot Windows in Safe Mode - KB 315222

3. In Windows Safe Mode, Open Windows Registry Editor

   Windows Start > Run > Regedit

4. Browse to the following registry settings ↓

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

5. Replace
   explorer.exe, xmss.exe with exporer.exe
   
6. Delete all the following files
   • C\autorun.inf
   • C\xmss.exe
   • C\Funny UST Scandal.avi.exe
   • X:\autorun.inf
   • X:\xmss.exe
   • X:\Funny UST Scandal.avi.exe
   • %Windir%\autorun.inf
   • %Windir%\xmss.exe
   • %Windir%\Funny UST Scandal.avi.exe

   %Windir% refers to the Windows folder (e.g. C:\Windows, C:\WindowsNT) and X: is drive letters used by a removable or network drive

7. Clean All Windows Temporary Files
8. Restart Windows

XMSS.exe Win32 Autorun Variants

VirusTotal.com - Dec 2007 Results.

External Links

• How to Enable and Disable System Restore
• Safe Mode Boot options in Windows

SinFP by Patrice AUffretGomor, is a full operating system TCP/IP stack fingerprinting. Features both Active (brute) and Passive Methods and support for IPV4 & IPV6. SinFP only send maximum of 3 standards packet to any open TCP port to get the results. It’s damn fast and transparent (send valid SYN & options).

SinFP Online demo is available at gomor.org sinfp demo. You can grab SinFP OS Stack Fingerprinting package at CPAN or Gomor.org (External Links ↓ ).

SinFP package is available for Mac (PPC), Linux (included in BackTrack Linux distro) and Windows Binaries (ActivePerl).

External Links

• Net-SinFP-2.06
• SinFP Fingerprinting Overview at gomor.org
• All package by Gomor at CPAN
• SinFP at SourceForge

I just download google pack with norton and the first scan hook my fav svn tortoise with w32.virut.w .

Excerpt from Symantec

W32.Virut.A is a virus that infects executable files and opens a back door on TCP port 65520 by connecting to a predefined IRC server.

Netstats

netstat -aob > netstat.log

 TCP USER:1028 78.109.19.140.in.hosting.ua:65520 ESTABLISHED 936
 [winlogon.exe]

The free version of Norton Internet Scan Failed to fixed the virus. :(

Norton Logs

Process:
 c:\windows\system32\ctfmon.exe
 c:\program files\tortoisesvn\bin\tsvncache.exe
Infection:
 c:\windows\system32\ctfmon.exe
 c:\program files\tortoisesvn\bin\tsvncache.exe
 c:\windows\system32\spoolsv.exe
 c:\windows\system32\locator.exe
 c:\windows\system32\alg.exe
 c:\windows\system32\sessmgr.exe
 c:\windows\system32\dllhost.exe
 c:\windows\system32\rsvp.exe
 c:\windows\system32\dmadmin.exe
 c:\windows\system32\msdtc.exe
 c:\windows\system32\cisvc.exe
 c:\windows\system32\wbem\wmiapsrv.exe
 c:\windows\system32\ups.exe
 c:\windows\system32\msiexec.exe
 c:\windows\system32\netdde.exe
 c:\windows\system32\vssvc.exe
 c:\windows\system32\mnmsrvc.exe
 c:\windows\system32\mshta.exe
 c:\windows\system32\userinit.exe
 c:\windows\system32\ieudinit.exe
 c:\windows\inf\unregmp2.exe
 c:\windows\system32\ie4uinit.exe
 c:\windows\system32\rundll32.exe
 c:\windows\system32\regsvr32.exe
 c:\windows\system32\ntsd.exe
 c:\program files\wakoopa\wakoopa.exe
 c:\program files\7-zip\7zfm.exe
 c:\program files\acd systems\acdsee\6.0\acdsee6.exe
 c:\program files\adobe\adobe help center\ahc.exe
 c:\program files\netmeeting\conf.exe
 c:\program files\common files\acd systems\en\devdetect.exe
 c:\program files\windows nt\dialer.exe
 c:\program files\acd systems\fotocanvas\3.0\fotocanvas3.exe
 c:\program files\acd systems\fotoslate\3.0\fotoslate3.exe
 c:\windows\pchealth\helpctr\binaries\helpctr.exe
 c:\program files\hp\digital imaging\unload\hpqapkil.exe
 c:\program files\hp\digital imaging\unload\hpqdia.exe
 c:\program files\hp\digital imaging\unload\hpqdias.exe
 c:\program files\hp\digital imaging\unload\hpqphunl.exe
 c:\program files\hp\digital imaging\unload\hpqpsmon.exe
 c:\program files\hp\digital imaging\unload\hpqunset.exe
 c:\program files\hp\digital imaging\bin\hpqvpswp.exe
 c:\program files\windows nt\hypertrm.exe
 c:\program files\internet explorer\connection wizard\icwconn1.exe
 c:\program files\internet explorer\connection wizard\icwconn2.exe
 c:\program files\internet explorer\iexplore.exe
 c:\program files\adobe\adobe photoshop cs2\imageready.exe
 c:\program files\internet explorer\connection wizard\inetwiz.exe
 c:\program files\internet explorer\connection wizard\isignup.exe
 c:\program files\java\jre1.6.0_02\bin\javaws.exe
 c:\windows\system32\usmt\migwiz.exe
 c:\program files\movie maker\moviemk.exe
 c:\program files\windows media player\mplayer2.exe
 c:\program files\combined community codec pack\mpc\mplayerc.exe
 c:\windows\pchealth\helpctr\binaries\msconfig.exe
 c:\program files\outlook express\msimn.exe
 c:\program files\common files\microsoft shared\msinfo\msinfo32.exe
 c:\program files\messenger\msmsgs.exe
 c:\program files\notepad++\notepad++.exe
 c:\windows\system32\mspaint.exe
 c:\program files\adobe\adobe photoshop cs2\photoshop.exe
 c:\program files\quicktime\pictureviewer.exe
 c:\python25\python.exe
 c:\program files\real\realplayer\realplay.exe
 c:\program files\common files\real\update_ob\rnxproc.exe
 c:\windows\soundman.exe
 c:\program files\tortoisesvn\bin\subwcrev.exe
 c:\program files\outlook express\wab.exe
 c:\program files\outlook express\wabmig.exe
 c:\program files\winrar\winrar.exe
 c:\program files\windows media player\wmplayer.exe
 c:\program files\windows nt\accessories\wordpad.exe
 c:\program files\combined community codec pack\zoom player\zplayer.exe
 c:\windows\system32\logon.scr
Service:
 RpcLocator
 ALG
 RDSessMgr
 COMSysApp
 RSVP
 dmadmin
 MSDTC
 CiSvc
 WmiApSrv
 UPS
 SwPrv
 MSIServer
 NetDDE
 VSS
 mnmsrvc
Browser Cache
Registry:
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon->Userinit

had to reinstall my windows XP because there is so many hook. I had send a support email to hosting.ua but still got no replied from theme. need to reboot now.

Nov 17 07 , Update

I got reply back from hosting.ua support. below is part of the email

from	abuse@hosting.ua
to	nospam@gmail.com,
date	Nov 13, 2007 5:00 PM
subject	Reply: trojan 78.109.19.140.in.hosting.ua #48879

hide details Nov 13 (3 days ago)	

Reply

======== CUT HERE =========
Your support request was answered:

Created: 11.11.2007 1:28:38
Last Mod: 12.11.2007 1:41:30

Assigned To:
admin(Hosting.UA)

[11.11.2007 1:28:38]
Q: hi,
This is for your attention. I got a trojan in pc it routed back to one of
your hosting at *78.109.19.140.in.hosting.ua *

I hope you can do something about it.

Thank you
-------------------------------------------------------

[13.11.2007 11:00:08]
A: Fixed!

thx
www.Hosting.UA

-------------------------------------------------------
Hosting.UA Administration

Well there is no explaination about the issue from the support staff.  hope this site will be closed down for good. Google already blocked and place a warning when you search for the infected URI.

The safest way to clean any kind of windows virus is to work in different environment others than its originating operating system. Try virtual Ubuntu (Debian Linux) with Wubi Installer.
Here’s what wubi-installer.org has to says

Wubi is an unofficial Ubuntu installer for Windows users that will bring you into the Linux world with a single click. Wubi allows you to install and uninstall Ubuntu as any other application. If you heard about Linux and Ubuntu, if you wanted to try them but you were afraid, this is for you.

• Wubi is safe - It does not require you to modify the partitions of your PC, or to use a different bootloader.
• Wubi is Simple - Just run the installer, no need to burn a CD.
• Wubi is Discrete - Wubi keeps most of the files in one folder, and If you do not like, you can simply uninstall it.
• Wubi is Free - Wubi (like Ubuntu) is free as in beer and as in freedom. You will get this part later on, the important thing now is that it cost absolutely nothing, it is our gift to you…

Wubi installer.

Wubi wont break your system partition or replaced you windows. You can also installed wubi in any drive and its come with clean Windows uninstaller. You can dowload Wubi at wubi-installer.org or Sourceforge. ~ suggested by ChaosKaizer

A remote code execution vulnerability exists in Cryptographic API Component Object Model (CAPICOM) that allows an attacker who successfully exploits this vulnerability to take complete control of an affected system. CAPICOM can be used as a component of a 3rd party webpage, script or application.

More information for this update can be found at KB 931906