January 18, 2011

Removal of WORM_SOHAND.MY

As this worm auto-executes and arrives by several different means, be cautious before clicking any link on the internet or in instant messaging.


Removal Steps:
  • Disable System Restore.
  • Use Process Explorer to find the files loaded by WORM_SOHAND.MY that are running as processes, and kill those processes.
  • Re-enable Registry Editor, Task Manager, and Folder Options.
  • Delete the following registry values:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
          Yahoo Messengger = "C:\windows\gphone.exe" (or a path under "Users\Desktop" on Vista)
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
          shared = "\New Folder.exe"
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
          AtTaskMaxHours = "0"
  • Restore the Winlogon shell value:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
          From: Shell = "Explorer.exe gphone.exe"
          To:   Shell = "Explorer.exe"
  • Locate the file AutoRun.INF on all the drives, open it with Notepad, and if it contains the lines
      [AutoRun]
      Open=gphone.exe
      Shellexecute=gphone.exe
      Shell\Open\command=gphone.exe
      Shell=Open
    delete the file from all the folders.
  • Also delete the files:
      %User Temp%\log_{time stamp}.txt
      {install path}\setting.ini
      {install path}\setting.ini.old
    Select My Computer from the drop-down list and Shift+Delete them to remove them permanently.
  • Delete the scheduled task that runs:
      %System%\{malware file name}.exe
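The checks above are manual; the PowerShell script below is an added example, not part of the original post, that audits the same indicators on the local machine and reports what it finds, with an optional -Remediate switch that performs the corresponding clean-up. It assumes Windows PowerShell 3.0 or later run from an elevated prompt; the file names gphone.exe and "New Folder.exe", the registry locations and the autorun.inf contents come from the post, while the pattern log_*.txt for the %User Temp% log file and the Get-ScheduledTask check (Windows 8 / Server 2012 or later) are assumptions.

```powershell
<#
Added example, not from the original post: audit the WORM_SOHAND.MY
indicators listed in the removal steps and optionally remove them.
Assumptions: Windows PowerShell 3.0+, elevated prompt; file names,
registry values and autorun.inf lines are those given in the post;
the log file pattern log_*.txt is constructed for this example.
#>
[CmdletBinding()]
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Running processes: the post says to kill these before touching the registry.
foreach ($name in 'gphone', 'New Folder') {
    foreach ($p in Get-Process -Name $name -ErrorAction SilentlyContinue) {
        $findings.Add("Process $($p.ProcessName) (PID $($p.Id)) from $($p.Path)")
        if ($Remediate) { Stop-Process -Id $p.Id -Force }
    }
}

# 2. Registry values the post lists as created by the worm.
$regValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Yahoo Messengger' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'; Name = 'shared' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'; Name = 'AtTaskMaxHours' }
)
foreach ($v in $regValues) {
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings.Add("Registry $($v.Path)\$($v.Name) = '$($item.($v.Name))'")
        if ($Remediate) { Remove-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue }
    }
}

# 3. Winlogon Shell: anything other than explorer.exe is suspect; restore the default.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings.Add("Winlogon Shell = '$shell' (expected 'explorer.exe')")
    if ($Remediate) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'explorer.exe' }
}

# 4. autorun.inf in the root of every file-system drive that launches gphone.exe.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path -Path $drive.Root -ChildPath 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue)) { continue }
    $lines = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue
    if ($lines -match 'gphone\.exe') {
        $findings.Add("autorun.inf on $($drive.Root) launches gphone.exe")
        if ($Remediate) { Remove-Item -LiteralPath $inf -Force }
    }
}

# 5. Scheduled tasks whose action runs the malware file (cmdlet exists on Windows 8 / Server 2012+).
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($task in Get-ScheduledTask) {
        $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ' '
        if ($exe -match 'gphone\.exe') {
            $findings.Add("Scheduled task '$($task.TaskName)' runs $exe")
            if ($Remediate) { Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false }
        }
    }
}

# 6. Log files the worm writes in the user's temp folder (pattern assumed from the post's log_{time stamp}.txt).
foreach ($log in Get-ChildItem -Path $env:TEMP -Filter 'log_*.txt' -File -ErrorAction SilentlyContinue) {
    $findings.Add("Temp log file $($log.FullName)")
    if ($Remediate) { Remove-Item -LiteralPath $log.FullName -Force }
}

if ($findings.Count -eq 0) {
    Write-Output 'No WORM_SOHAND.MY indicators from the post were found.'
} else {
    $suffix = if ($Remediate) { ' and remediated' } else { '' }
    Write-Output ("{0} indicator(s) found{1}:" -f $findings.Count, $suffix)
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it once without -Remediate and review the report before running it again with the switch; the {install path}\setting.ini files are not covered because the post does not give that path, so remove those by hand once you have located the install directory.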
