Because this worm auto-executes and arrives through several channels, be cautious when clicking any link on the internet or in instant messaging.
Removal Steps:
- Disable System Restore
- Use Process Explorer to find the files loaded by WORM_SOHAND.MY that are running as processes, and kill those processes.
- Enable Registry Editor, Task Manager, and Folder Options.
- Delete the registry values:
  - HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
  - HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Explorer>WorkgroupCrawler>Shares, value shared = "\New Folder.exe"
  - HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Schedule, value AtTaskMaxHours = "0"
- Restore the Shell registry value:
  - From: Shell = "Explorer.exe gphone.exe"
  - To: Shell = "Explorer.exe"
Locate the file AutoRun.INF on every drive, open it with Notepad, and look for the following lines:
- [AutoRun]
- Open=gphone.exe
- Shellexecute=gphone.exe
- Shell\Open\command=gphone.exe
- Shell=Open
Also delete the files:
- %User Temp%\log_{time stamp}.txt
- {install path}\setting.ini
- {install path}\setting.ini.old
Select My Computer from the drop-down list and Shift+Delete the files to remove them permanently.
Delete the scheduled task that runs:
- %System%\{malware file name}.exe
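The steps above are manual and easy to get wrong on a machine with several drives. As an added example (not part of the original removal guide), the following PowerShell audit script checks a host for the indicators the guide lists and only reports them, so an administrator can confirm the infection before deleting anything. It assumes the Shell value lives under the standard Winlogon key (the guide does not name the key), and it treats gphone.exe and "New Folder.exe" as the worm's file names purely because the guide mentions them; the scheduled task is left to manual review because its file name is a placeholder in the guide.

```powershell
# Audit-only check for WORM_SOHAND.MY indicators described in the removal steps.
# Added example; nothing here deletes or modifies anything on the host.
$findings = @()

# 1. Winlogon Shell value: clean value is "Explorer.exe"; the infected one appends gphone.exe.
#    Assumption: Shell is read from the standard HKLM Winlogon key.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'Explorer.exe') {
    $findings += "Winlogon Shell is '$shell' (expected 'Explorer.exe')"
}

# 2. Registry values the guide says to delete; their mere presence is reported.
$valueChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'; Name = 'shared' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule';                                  Name = 'AtTaskMaxHours' }
)
foreach ($c in $valueChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += "$($c.Path)\$($c.Name) = '$($item.$($c.Name))'"
    }
}

# 3. HKCU Run key: flag any autostart entry that points at the worm's file names.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$malware = 'gphone\.exe|New Folder\.exe'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $malware } |
        ForEach-Object { $findings += "Run entry '$($_.Name)' = $($_.Value)" }
}

# 4. autorun.inf in the root of every drive: look for the gphone.exe launch lines.
$infPattern = '^\s*(Open|Shellexecute|Shell\\Open\\command)\s*=\s*gphone\.exe'
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $hits = @(Select-String -LiteralPath $inf -Pattern $infPattern)
        if ($hits.Count -gt 0) {
            $findings += "$inf launches gphone.exe ($($hits.Count) matching line(s))"
        }
    }
}

# 5. Running processes with the worm's file names (to be killed in Process Explorer).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(gphone|New Folder)$' } |
    ForEach-Object { $findings += "process $($_.Name) (PID $($_.Id)) path '$($_.Path)'" }

# 6. Report. Scheduled tasks are listed for manual review since the guide only
#    gives a placeholder file name for the task's executable.
if ($findings.Count -eq 0) {
    'No WORM_SOHAND.MY indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
    'Review scheduled tasks manually: schtasks /query /fo LIST /v'
}
```

Run it from an elevated PowerShell prompt so the HKLM values and all drive roots are readable; a clean host prints a single "No ... indicators found" line, and each "[!]" line maps directly to one of the removal steps above.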