W32/Deletemp3.worm

Type
Virus
SubType
Worm
Discovery Date
08/01/2007
Length
380,416 bytes
Minimum DAT
5088 (08/01/2007)
Updated DAT
5088 (08/01/2007)
Minimum Engine
5.1.00
Description Added
08/01/2007
Description Modified
08/01/2007 6:01 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

 -- Update August 1, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2007/07/31/delete_music_worm/

--

W32/Deletemp3.worm is written using Borland Delphi and its payload is to delete any mp3 files found on the infected computer.

Upon execution it creates copies of itself in the following folders:

C:\WINDOWS\system32\config\csrss.exe
C:\WINDOWS\media\arena.exe

Creates the following files as part of its installation routine:

C:\WINDOWS\system32\logon.bat
C:\WINDOWS\system32\config\àutorun.inf

These files are used to auto start the worm on bootup.

Note: The directory names are hard coded in the body of the worm. Because it does not query the environment for the actual location of the Windows directory, it fails to execute properly on Windows 2000 machines, where the system directory is not C:\WINDOWS.

It also modifies the registry so that it executes whenever Windows starts.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
"Worms" = "C:\WINDOWS\system32\logon.bat"

Symptoms

Disables launching of Task Manager and viewing of Folder Options in Explorer by setting the following registry policy values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoFolderOptions" = "1"

W32/Deletemp3.worm attempts to delete all .mp3 files on the infected computer.

Method of Infection

W32/Deletemp3.worm copies the following files to the root of every drive lettered E: through O: on the infected machine.

\csrss.exe
\autorun.inf

The autorun.inf is a configuration file that the worm drops onto removable devices such as USB thumb drives alongside its copy. Infection of the next machine occurs when the drive is accessed and autorun.inf is processed automatically by AutoRun.
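The following PowerShell triage script is an added example, not part of the AVERT description: it checks a host for the file, registry and drive-root indicators listed under Characteristics, Symptoms and Method of Infection and reports what it finds without changing anything. It assumes the hard-coded C:\WINDOWS paths from the description (the worm does not honour %SystemRoot%) and a plain autorun.inf name at each drive root.

```powershell
# Added example: read-only indicator check for W32/Deletemp3.worm.
# Paths and values below are taken from the description; nothing is deleted or modified.

$droppedFiles = @(
    'C:\WINDOWS\system32\config\csrss.exe',
    'C:\WINDOWS\media\arena.exe',
    'C:\WINDOWS\system32\logon.bat',
    'C:\WINDOWS\system32\config\autorun.inf'   # assumed plain-ASCII name
)

# Registry values the worm sets: its RunOnce autostart and the two Explorer policies.
$registryIndicators = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce';          Name = 'Worms';           Bad = 'C:\WINDOWS\system32\logon.bat' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';  Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions'; Bad = 1 }
)

$findings = @()

foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

foreach ($r in $registryIndicators) {
    $item = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
    # Compare as strings so REG_DWORD 1 and the documented "1" match the same way.
    if ($item -and ("$($item.$($r.Name))" -eq "$($r.Bad)")) {
        $findings += "Registry indicator: $($r.Path)\$($r.Name) = $($r.Bad)"
    }
}

# The worm writes csrss.exe and autorun.inf to the root of drives E: through O:.
foreach ($code in [int][char]'E'..[int][char]'O') {
    $root = "$([char]$code):\"
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $exe = Join-Path $root 'csrss.exe'
    $inf = Join-Path $root 'autorun.inf'
    if ((Test-Path -LiteralPath $exe) -and (Test-Path -LiteralPath $inf)) {
        $findings += "Drive-root indicators: $exe and $inf"
    }
}

if ($findings.Count -eq 0) { 'No W32/Deletemp3.worm indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated PowerShell prompt so the HKLM RunOnce key and the system32 paths are readable; once the worm has been removed, deleting the two policy values restores Task Manager and Folder Options.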

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

N/A

Aliases

  • Trj/Autorun.J (Panda)
  • Virus.Win32.AutoRun.ah (Kaspersky)
  • W32.Deletemusic (Symantec)
  • Win32/AutoRun.AH (ESET)
  • WORM_DELF.HXZ (Trend Micro)
