How to remove XMSS.exe Win32 AutoRun worm

Nick B — Sat, 16 Feb 2008 11:58:21 +0000

Yesterday I got a new type of “Stupid Worm” hidding in background as xmss.exe. It copied itself on Local disk and Windows Directory (%Windir%). Terminated “Windows Task Manager”, Windows Command Prompt (DOS-Prompt) & crashed System Internal Process Explorer (procxp.exe).

Its not a funny video

According to McAfee, this worm is known as W32/Autorun.worm.g.

It can propagate itself over removable media and network drives and cause execution of malicious code via an autorun.inf file.

XMSS.exe Win32 AutoRun Files

x:autorun.inf
x:xmss.exe
x:Funny UST Scandal.avi.exe
%Windir%\autorun.inf
%Windir%\xmss.exe
%Windir%\Funny UST Scandal.avi.exe

Fixes Win32 AutoRun.* Worm

Here’s a few step to prevent Win32 AutoRun Worm.

Disabled System Restore for Temporary - KB 264887
Boot Windows in Safe Mode - KB 315222
In Windows Safe Mode, Open Windows Registry Editor

Windows Start > Run > Regedit
Browse to the following registry settings ↓

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Replace
explorer.exe, xmss.exe with exporer.exe
Delete all the following files
- C\autorun.inf
- C\xmss.exe
- C\Funny UST Scandal.avi.exe
- X:\autorun.inf
- X:\xmss.exe
- X:\Funny UST Scandal.avi.exe
- %Windir%\autorun.inf
- %Windir%\xmss.exe
- %Windir%\Funny UST Scandal.avi.exe
%Windir% refers to the Windows folder (e.g. C:\Windows, C:\WindowsNT) and X: is drive letters used by a removable or network drive
Clean All Windows Temporary Files
Restart Windows

XMSS.exe Win32 Autorun Variants

VirusTotal.com - Dec 2007 Results.

Antivirus	Version	Last Update	Result
AhnLab-V3	-	-	-
AntiVir	-	-	-
Authentium	-	-	-
Avast	-	-	-
AVG	-	-	-
BitDefender	-	-	-
CAT-QuickHeal	-	-	Worm.AutoRun.abt
ClamAV	-	-	Trojan.Autoit-6
DrWeb	-	-	-
eSafe	-	-	suspicious Trojan/Worm
eTrust-Vet	-	-	-
Ewido	-	-	-
FileAdvisor	-	-	-
Fortinet	-	-	W32/Autoit.BG!tr
F-Prot	-	-	W32/Trojan!c4a4
F-Secure	-	-	Trojan.Win32.Autoit.bg
Ikarus	-	-	Virus.Win32.AutoRun.pc
Kaspersky	-	-	Trojan.Win32.Autoit.bg
McAfee	-	-	-
Microsoft	-	-	-
NOD32v2	-	-	Win32/HackAV.P
Norman	-	-	-
Panda	-	-	Suspicious file
Prevx1	-	-	Trojan.DoS.Win32.Opdos
Rising	-	-	Worm.Win32.Autorun.jax
Sophos	-	-	-
Sunbelt	-	-	-
Symantec	-	-	-
TheHacker	-	-	Trojan/Autoit.bg
VBA32	-	-	Virus.Win32.AutoRun.pc
VirusBuster	-	-	Trojan.AutoIt.BB
Webwasher-Gateway	-	-	Riskware.HackAV

External Links

win32.virut Bad day for web developer

Nick B — Sun, 11 Nov 2007 23:20:31 +0000

Just after my previous cleanup, now i got much worse virus on my PC its called Worm.Win32.Mefir [a-z] by both Norton Antivirus (Symantec) & Avast (Alwil Software) NOD32 identified it as Win32/Virut.NAT

At the time being It infected *.html & *.php files and probably all text/html types. There is no cure yet. I hated this worms I’d lost few project because of this. Try archive (LZMA) all your web projects before hand. Its spreading like wild fire.

I havent try cleaning the infected files with Trend HouseCall Online Scans. Just hope there is cure for this worm. damn damn