Friday, March 13, 2009

Adware Spywad

(aka Adware/Spywad, Adware.Spywad, SpySheriff, Trojan.Renos, W32/Renos)


[Description]

When it is run, it will copy itself into the C:\Windows directory under the name xpupdate.exe.
It will add an entry at
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows update loader so it can run at startup.

It will check whether the MalwareAlarm file exists in the C:\Program Files\MalwareAlarm directory.
It will create a thread that searches for dialog windows so it can answer Windows Firewall queries
automatically in order to get access to the internet.
It will download the MalwareAlarm program.
It will create the MalwareAlarm.lic file.
It will change the desktop background and remove icons, shortcuts and other items from the desktop.
It will disable the options to modify the wallpaper, so the user interface will look like the one in Windows NT 4.0.
It will show messages saying that the system is infected with spyware/adware.
It will create/modify the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows update loader
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoAddingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoEditingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoDeletingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperStyle
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\TileWallpaper
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperFileTime
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperLocalFileTime
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ComponentsPositioned


[Clean]

Open Task Manager and end the xpupdate.exe process.
Delete the C:\Windows\xpupdate.exe file.
Delete the registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows update loader
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
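The cleanup steps above as a PowerShell script, added here as an example and not part of the original post. It assumes the entry under Run and the four entries under Policies\Explorer are registry values rather than subkeys (which is how Windows stores them), that the dropped file sits in %SystemRoot%, and it only reports when run with -Check.

```powershell
# Added example: detect and remove the Spywad/Renos indicators listed above.
# Run with -Check to report only; without it the script also cleans up.
param([switch]$Check)

$exe          = Join-Path $env:SystemRoot 'xpupdate.exe'   # assumed drop location
$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal       = 'Windows update loader'                     # value name under Run
$polBase      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$explorerVals = 'NoActiveDesktop', 'NoDesktop', 'ClassicShell', 'ForceActiveDesktopOn'

$found = @()

# 1. Running process
$proc = Get-Process -Name 'xpupdate' -ErrorAction SilentlyContinue
if ($proc) { $found += "process xpupdate.exe (PID $($proc.Id -join ','))" }

# 2. Dropped file
if (Test-Path $exe) { $found += "file $exe" }

# 3. Autorun value
$run = Get-ItemProperty -Path $runKey -Name $runVal -ErrorAction SilentlyContinue
if ($run) { $found += "Run value '$runVal' = $($run.$runVal)" }

# 4. Desktop lockdown policies (ActiveDesktop is removed as a whole key, as the post says)
if (Test-Path "$polBase\ActiveDesktop") { $found += "key $polBase\ActiveDesktop" }
foreach ($v in $explorerVals) {
    $p = Get-ItemProperty -Path "$polBase\Explorer" -Name $v -ErrorAction SilentlyContinue
    if ($p) { $found += "Explorer policy value $v = $($p.$v)" }
}

if (-not $found) { Write-Host 'No Spywad indicators found.'; return }
$found | ForEach-Object { Write-Host "FOUND: $_" }
if ($Check) { return }

# Cleanup in the order the post gives: process, file, then registry.
if ($proc) { $proc | Stop-Process -Force }
if (Test-Path $exe) { Remove-Item -Path $exe -Force }
if ($run) { Remove-ItemProperty -Path $runKey -Name $runVal }
if (Test-Path "$polBase\ActiveDesktop") {
    Remove-Item -Path "$polBase\ActiveDesktop" -Recurse -Force
}
foreach ($v in $explorerVals) {
    Remove-ItemProperty -Path "$polBase\Explorer" -Name $v -ErrorAction SilentlyContinue
}
Write-Host 'Cleanup done; log off and on again (or restart explorer.exe) to refresh the desktop.'
```

The wallpaper-related values under Policies\System and Internet Explorer\Desktop\General that the description lists are not touched by the post's cleanup steps, so the wallpaper may still need to be reset by hand afterwards.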
