W32/BootMerlin

Type: Virus
SubType: Win32
Discovery Date: 02/19/2007
Length: Varies
Minimum DAT: 4966 (02/19/2007)
Updated DAT: 4966 (02/19/2007)
Minimum Engine: 5.1.00
Description Added: 02/20/2007
Description Modified: 02/22/2007 6:06 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This detection covers a worm written in MS VisualBasic that modifies the C:\Boot.ini file to display a Spanish message at boot time.

Upon execution, it may also display a Wizard animation that "speaks" in Spanish.

W32/BootMerlin can make copies of itself bearing the MS Word icon, in the following location(s):

  • %Windir%\System\csrss.exe
  • %Windir%\System32\dllcache\G-Vulcan-III.exe
  • X:\Recuerda que te quiero.exe
  • X:\LINEAS TELEFONICAS SIJIN VIEJA.exe
  • X:\PODER SALDARRIAGA1.exe
  • X:\SOLICITUD A MI GENERAL.exe
  • X:\SEGURO BTA EQUIPOS.exe
  • X:\CURSO CONSTITUCIONAL.copia.exe

(Where X: is any drive letter in use on the infected machine and %Windir% is the Windows folder, e.g. C:\Windows. A legitimate copy of csrss.exe, which is part of the Windows operating system, may reside in %Windir%\System32; the worm's copy is dropped in %Windir%\System.)

It installs the following registry key(s) to start at Windows boot up:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ "WinSound" = "%Windir%\System\csrss.exe"

The C:\Boot.ini file should be restored manually to its original settings (see the Removal section).

Symptoms

  • Wizard animation advocating anti-Microsoft messages in Spanish
  • C:\Boot.ini modified
  • Anti-Windows or Anti-Microsoft messages displayed by Windows Boot Manager at boot up time.
  • Presence of the file(s) mentioned.
  • Presence of the registry key(s) mentioned.

Method of Infection

W32/BootMerlin is a worm that can copy itself to mounted network drives. It may infect other systems that share those network drives.


Removal

This virus can modify C:\boot.ini to display anti-MS Windows messages in Spanish. These messages can be removed using a text editor. For example, a modified entry such as:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="AUN Usas Windows..?"/fastdetect

should be edited to become:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="{your original operating system name}" /fastdetect {your original boot up options where applicable}

Do not modify any other part of the C:\boot.ini file. Also check, under My Computer->Properties->Advanced->Startup and Recovery Settings, that the default operating system is still the one originally configured.
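The following Python script is an added example and is not McAfee's code or part of this description. It turns the indicators listed under Characteristics (dropped file names, the "WinSound" Run value) into host checks, parses a boot.ini, flags an [operating systems] entry that carries the worm's boot message, and rewrites only that entry while leaving every other line untouched, as the Removal section instructs. The sample boot.ini content and the original OS name "Microsoft Windows XP Professional" are constructed placeholders; the registry lookup uses the standard winreg module and simply returns None when not run on Windows.

```python
import os
import re
from typing import List, Optional, Tuple

# Indicators as listed in the description above (file names, Run value, boot message).
DROPPED_FILES_UNDER_WINDIR = [r"System\csrss.exe", r"System32\dllcache\G-Vulcan-III.exe"]
DROPPED_FILES_AT_DRIVE_ROOT = [
    "Recuerda que te quiero.exe", "LINEAS TELEFONICAS SIJIN VIEJA.exe",
    "PODER SALDARRIAGA1.exe", "SOLICITUD A MI GENERAL.exe",
    "SEGURO BTA EQUIPOS.exe", "CURSO CONSTITUCIONAL.copia.exe",
]
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WinSound"
KNOWN_BOOT_MESSAGES = ["AUN Usas Windows..?"]

# One [operating systems] line: ARC path, ="description", optional switches.
_ENTRY_RE = re.compile(
    r'^(?P<arc>multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\[^=\s]+)'
    r'="(?P<desc>[^"]*)"\s*(?P<opts>.*?)\s*$'
)


def artifact_paths(drives: List[str], windir: str) -> List[str]:
    """Full paths where the worm drops copies, for the given drive letters and Windows folder."""
    paths = [windir.rstrip("\\") + "\\" + rel for rel in DROPPED_FILES_UNDER_WINDIR]
    for drive in drives:
        root = drive.rstrip(":\\") + ":\\"
        paths += [root + name for name in DROPPED_FILES_AT_DRIVE_ROOT]
    return paths  # check with os.path.exists() on the suspect host


def run_value_data() -> Optional[str]:
    """Data of the HKLM Run value 'WinSound'; None if absent or when not on Windows."""
    try:
        import winreg  # Windows-only standard module
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
            return str(winreg.QueryValueEx(key, RUN_VALUE_NAME)[0])
    except (ImportError, OSError):
        return None


def parse_boot_ini(text: str) -> Tuple[Optional[str], List[Tuple[str, str, str]]]:
    """Return (default ARC path, [(ARC path, description, switches), ...]) from boot.ini text."""
    default, entries, section = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader" and line.lower().startswith("default="):
            default = line.split("=", 1)[1].strip()
        elif section == "operating systems":
            m = _ENTRY_RE.match(line)
            if m:
                entries.append((m.group("arc"), m.group("desc"), m.group("opts")))
    return default, entries


def find_tampered_entries(entries: List[Tuple[str, str, str]]) -> List[str]:
    """ARC paths whose description is one of the worm's known boot messages."""
    wanted = {msg.casefold() for msg in KNOWN_BOOT_MESSAGES}
    return [arc for arc, desc, _ in entries if desc.strip().casefold() in wanted]


def restore_boot_entry(text: str, arc_path: str, original_desc: str, original_opts: str) -> str:
    """Rewrite only the entry for arc_path; every other line of boot.ini is kept verbatim."""
    out = []
    for raw in text.splitlines(keepends=True):
        m = _ENTRY_RE.match(raw.strip())
        if m and m.group("arc") == arc_path:
            eol = "\r\n" if raw.endswith("\r\n") else ("\n" if raw.endswith("\n") else "")
            switches = (" " + original_opts) if original_opts else ""
            out.append(f'{arc_path}="{original_desc}"{switches}{eol}')
        else:
            out.append(raw)
    return "".join(out)


# Constructed boot.ini that mirrors the modified line quoted in the Removal section.
SAMPLE_BOOT_INI = (
    "[boot loader]\r\ntimeout=30\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\r\n"
    "[operating systems]\r\n"
    "multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS=\"AUN Usas Windows..?\"/fastdetect\r\n"
)
ORIGINAL_OS_NAME = "Microsoft Windows XP Professional"  # placeholder for the pre-infection name


def repair_sample() -> str:
    """Restore every tampered entry in the sample, keeping its existing switches."""
    _, entries = parse_boot_ini(SAMPLE_BOOT_INI)
    fixed = SAMPLE_BOOT_INI
    for arc in find_tampered_entries(entries):
        opts = next(o for a, _, o in entries if a == arc)
        fixed = restore_boot_entry(fixed, arc, ORIGINAL_OS_NAME, opts)
    return fixed


if __name__ == "__main__":
    print("Tampered entries:", find_tampered_entries(parse_boot_ini(SAMPLE_BOOT_INI)[1]))
    print(repair_sample(), end="")
```

On a real host, replace SAMPLE_BOOT_INI with the contents of C:\boot.ini, supply the OS name that was configured before infection, and check the returned artifact paths with os.path.exists(); the rewrite function deliberately touches nothing but the matched entry line, so the [boot loader] section and any other entries survive byte for byte.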

Variants

N/A

All Information

Overview

This detection covers a virus written in MS VisualBasic that modifies the C:\Boot.ini file to display a message at boot time.