Arrival Details
This file infector may be dropped by other malware.
It may be unknowingly downloaded by a user while visiting malicious websites.
Other System Modifications
This file infector adds the following lines to the SYSTEM.INI file:
- [MCIDRV_VER]
- DEVICEMB={random numbers}
It adds the following registry keys:
HKEY_CURRENT_USER\Software\{user name}914
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"
It modifies the following registry entries to suppress Security Center warnings about antivirus, firewall, automatic update and User Account Control status, so the user is not alerted when protection is turned off:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusOverride = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallOverride = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UacDisableNotify = "1"
(Note: The default value data of each of these entries is 0.)
It creates the following registry entries to disable Registry Tools (Registry Editor) and Task Manager:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableRegistryTools = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableTaskMgr = "1"
It modifies the following registry entry so that Windows Explorer no longer shows files and folders with the Hidden attribute, which keeps its own dropped files out of sight (this value backs the Folder Options setting "Show hidden files and folders"):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = "2"
(Note: A value data of 1 makes Explorer show hidden files and folders; 2 hides them.)
It adds itself to the Windows Firewall exception list so that its own network traffic is allowed through:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
{malware path and file name}.exe = "{malware path and file name}.exe:*:Enabled:ipsec"
(Note: The last field of the value data is the display name, so the entry appears on the Windows Firewall Exceptions tab under the innocuous name "ipsec".)
File Infection
This file infector infects the following file types:
It infects by appending its code to target host files.
It avoids infecting folders containing the following strings:
Propagation
This file infector drops copies of itself in all removable drives.
It drops an AUTORUN.INF file so that the dropped copy runs automatically when the drive is opened on a system that still honours AUTORUN.INF for removable drives.
The said .INF file contains the following strings:
[AutoRun]
;{random characters}
;{random characters}
sheLl\opeN\cOmmand ={malware file name}.exe
;{random characters}
ShelL\ExploRe\ComManD ={malware file name}.exe
sheLl\oPEn\DefauLt=1
;{random characters}
oPEN = {malware file name}.exe
;{random characters}
sheLl\AUtoplAy\ComMaND ={malware file name}.exe
;{random characters}
HOSTS File Modification
This file infector modifies the affected system's HOSTS file so that the following hosts, most of them antivirus vendors' update and download servers, can no longer be reached by name:
- 82.165.237.14
- 82.165.250.33
- avp.com
- ca.com
- casablanca.cz
- customer.symantec.com
- d-eu-1f.kaspersky-labs.com
- d-eu-1h.kaspersky-labs.com
- d-eu-2f.kaspersky-labs.com
- d-eu-2h.kaspersky-labs.com
- d-ru-1f.kaspersky-labs.com
- d-ru-1h.kaspersky-labs.com
- d-ru-2f.kaspersky-labs.com
- d-ru-2h.kaspersky-labs.com
- d-us-1f.kaspersky-labs.com
- d-us-1h.kaspersky-labs.com
- d66.myleftnut.info
- dispatch.mcafee.com
- download.mcafee.com
- downloads-us1.kaspersky.com
- downloads1.kaspersky.com
- downloads1.kaspersky.ru
- downloads2.kaspersky.ru
- downloads3.kaspersky.ru
- downloads4.kaspersky.ru
- downloads5.kaspersky.ru
- eset.casablanca.cz
- eset.com
- f-secure.com
- kaspersky-labs.com
- kaspersky.com
- liveupdate.symantec.com
- liveupdate.symantecliveupdate.com
- mast.mcafee.com
- mcafee.com
- metalhead2005.info
- my-etrust.com
- nai.com
- networkassociates.com
- nod32.com
- norton.com
- rads.mcafee.com
- secure.nai.com
- securityresponse.symantec.com
- sophos.com
- symantec.com
- trendmicro.com
- u2.eset.com
- u3.eset.com
- u4.eset.com
- u7.eset.com
- update.symantec.com
- updates-us1.kaspersky.com
- updates.symantec.com
- updates1.kaspersky.com
- updates2.kaspersky.com
- updates3.kaspersky.com
- us.mcafee.com
- viruslist.com
- www.avp.com
- www.ca.com
- www.eset.com
- www.f-secure.com
- www.kaspersky.com
- www.mcafee.com
- www.microsoft.com
- www.my-etrust.com
- www.nai.com
- www.networkassociates.com
- www.nod32.com
- www.norton.com
- www.sophos.com
- www.symantec.com
- www.trendmicro.com
- www.viruslist.com
NOTES:
It creates the following registry entries to disable the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
DoNotAllowExceptions = "0"
It infects executable files listed in the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It drops a copy of itself in the shared folders found on the affected system. It also drops an autorun.inf file on the said folders to enable its automatic execution.
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Restart in Safe Mode
To restart in Safe Mode:
• For Windows 2000 users
- Restart your computer.
- Press F8 when you see the Starting Windows bar at the bottom of the screen.
- Choose the Safe Mode option from the Windows Advanced Options menu then press Enter.
• For Windows XP users
- Restart your computer.
- Press F8 after the Power-On Self Test (POST) routine is done. If the Windows Advanced Options menu does not appear, try restarting then pressing F8 several times when the POST screen appears.
- Choose the Safe Mode option from the Windows Advanced Options menu then press Enter.
• For Windows Server 2003 users
- Restart your computer.
- Press F8 after Windows starts up. If the Windows Advanced Options menu does not appear, try restarting again and pressing F8 several times afterward.
- On the Windows Advanced Option menu, use the arrow keys to select Safe Mode then press Enter.
• For Windows Vista and Windows 7 users
- Restart your computer.
- Press F8 after the Power-On Self Test (POST) routine is done. If the Advanced Boot Options menu does not appear, try restarting and then pressing F8 several times after the POST screen is displayed.
- On the Advanced Boot Options menu, use the arrow keys to select the Safe Mode option, and then press Enter.
Step 3
Restore modified and/or deleted registry value/s using this VBScript
To restore the modified and/or deleted registry value/s:
- Open Notepad.
» For Windows 2000, Windows XP, and Windows Server 2003 users, click Start>Run. In the Open input box, type notepad then press Enter.
» For Windows Vista and Windows 7 users, click Start, type notepad in the Search input field then press Enter.
- Copy and paste the following script:
- Save this file as C:\RESTORE.VBS.
- Run C:\RESTORE.VBS.
» For Windows 2000, XP, and Server 2003 users, click Start>Run. In the Open input box, type C:\RESTORE.VBS then press Enter.
» For Windows Vista and Windows 7 users, click Start, type C:\RESTORE.VBS in the Search input field then press Enter.
Step 4
Delete these registry values
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- GlobalUserOffline = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- EnableFirewall = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- DoNotAllowExceptions = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- {malware path and file name}.exe = "{malware path and file name}.exe:*:Enabled:ipsec"
To delete the registry values this malware/grayware created:
- Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings
- In the right panel, locate and delete the entry:
GlobalUserOffline = "0"
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>SharedAccess>Parameters>FirewallPolicy>StandardProfile
- In the right panel, locate and delete the entry:
EnableFirewall = "0"
- Again in the right panel, locate and delete the entry:
DoNotAllowExceptions = "0"
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>SharedAccess>Parameters>FirewallPolicy>StandardProfile>AuthorizedApplications>List
- In the right panel, locate and delete the entry:
{malware path and file name}.exe = "{malware path and file name}.exe:*:Enabled:ipsec"
- Close Registry Editor.
Step 5
Delete these registry keys
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
To delete the registry keys this malware/grayware created:
- Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
HKEY_CURRENT_USER>Software
- Still in the left panel, locate and delete the key:
{user name}914
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Security Center
- Still in the left panel, locate and delete the key:
Svc
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Tracing
- Still in the left panel, locate and delete the key:
FWCFG
- Close Registry Editor.
Step 6
Restore these modified registry values
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: AntiVirusDisableNotify = "1"
To: AntiVirusDisableNotify = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: AntiVirusOverride = "1"
To: AntiVirusOverride = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: FirewallDisableNotify = "1"
To: FirewallDisableNotify = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: FirewallOverride = "1"
To: FirewallOverride = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: UacDisableNotify = "1"
To: UacDisableNotify = ""
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- From: UpdatesDisableNotify = "1"
To: UpdatesDisableNotify = ""
To restore registry values this malware/grayware modified:
- Open Registry Editor. To do this:
- On Windows 2000, XP, and Server 2003:
Click Start>Run, type REGEDIT in the text box provided, and then press Enter.
- On Windows Vista and 7:
Click the Start button, type REGEDIT in the Search input field then press Enter.
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Security Center
- In the right panel, locate the registry value:
AntiVirusDisableNotify = "1"
- Right-click on the value name and choose Modify. Change the value data of this entry to:
AntiVirusDisableNotify = ""
- Again in the right panel, locate the registry value:
AntiVirusOverride = "1"
- Right-click on the value name and choose Modify. Change the value data of this entry to:
AntiVirusOverride = "0"
- Again in the right panel, locate the registry value:
FirewallDisableNotify = "1"
- Right-click on the value name and choose Modify. Change the value data of this entry to:
FirewallDisableNotify = ""
- Again in the right panel, locate the registry value:
FirewallOverride = "1"
- Right-click on the value name and choose Modify. Change the value data of this entry to:
FirewallOverride = ""
- Again in the right panel, locate the registry value:
UacDisableNotify = "1"
- Right-click on the value name and choose Modify. Change the value data of this entry to:
UacDisableNotify = ""
- Again in the right panel, locate the registry value:
UpdatesDisableNotify = "1"
- Right-click on the value name and choose Modify. Change the value data of this entry to:
UpdatesDisableNotify = ""
- Close Registry Editor.
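The registry changes listed under Other System Modifications and in the notes, and the manual Steps 4 to 6 above, can be checked and undone from an exported hive rather than by clicking through Registry Editor on each machine. The Python script below is an added example; it is not a Trend Micro tool and not the VBScript Step 3 refers to. It parses the text that `reg export` writes (the file is UTF-16, so open it with encoding="utf-16"), reports the keys and values matching this description, and emits a .reg file that applies the page's remediation. The sample dump, the user name "alice" and the path C:\sample\infector.exe are constructed placeholders for {user name} and {malware path and file name}. Two caveats: several of these values (EnableFirewall = 0, GlobalUserOffline = 0) are also legitimate administrator settings, so a hit is an indicator to weigh with the HOSTS, AUTORUN.INF and SYSTEM.INI artifacts rather than proof on its own; and the Security Center entries are REG_DWORDs, so the script resets them to 0, their default, rather than to the empty string shown in Step 6.

```python
r"""Triage a 'reg export' dump for the registry changes described above.
Added example, not Trend Micro's tool or the VBScript of Step 3: it reads
the exported .reg text (open it with encoding="utf-16"), never the live
registry, so it runs on any OS. SAMPLE_EXPORT is constructed; 'alice' and
C:\sample\infector.exe stand in for {user name} and {malware path and file name}."""
import re

SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system"
EXPLORER_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
STD_PROFILE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile")
AUTH_APPS = STD_PROFILE + r"\AuthorizedApplications\List"
INET_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# (key, value name) -> the data this infector writes, per the description above
BAD_VALUES = {(SECURITY_CENTER.lower(), n.lower()): 1 for n in (
    "AntiVirusDisableNotify", "AntiVirusOverride", "FirewallDisableNotify",
    "FirewallOverride", "UacDisableNotify", "UpdatesDisableNotify")}
BAD_VALUES.update({
    (POLICIES.lower(), "disableregistrytools"): 1, (POLICIES.lower(), "disabletaskmgr"): 1,
    (EXPLORER_ADV.lower(), "hidden"): 2, (INET_SETTINGS.lower(), "globaluseroffline"): 0,
    (STD_PROFILE.lower(), "enablefirewall"): 0, (STD_PROFILE.lower(), "donotallowexceptions"): 0})
BAD_KEYS = {(SECURITY_CENTER + r"\Svc").lower(),
            r"hkey_local_machine\software\microsoft\tracing\fwcfg"}

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg files write \ as \\ and " as \"

def parse_reg_export(text):
    """Return {key: {value_name: data}}; dword: data becomes an int, quoted
    REG_SZ data is unescaped, any other type is left as its raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            data = m.group(2)
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][_unescape(m.group(1))] = data
    return keys

def find_indicators(keys):
    """Return [(key, value_name, data)] matching this description; a hit on a
    key alone carries None for the name and data."""
    hits = []
    for key, values in keys.items():
        lk = key.lower()
        if lk in BAD_KEYS:
            hits.append((key, None, None))
        # {user name}914: a key directly under HKCU\Software whose name ends in 914
        if (lk.startswith("hkey_current_user\\software\\") and lk.count("\\") == 2
                and lk.endswith("914")):
            hits.append((key, None, None))
        for name, data in values.items():
            if BAD_VALUES.get((lk, name.lower())) == data:
                hits.append((key, name, data))
            # the firewall exception it adds for itself: "<path>:*:Enabled:ipsec"
            elif (lk == AUTH_APPS.lower() and isinstance(data, str)
                    and data.lower().endswith(":*:enabled:ipsec")):
                hits.append((key, name, data))
    return hits

def cleanup_reg(hits):
    """Build .reg text that undoes the hits as Steps 4 to 6 direct: added keys
    and values are deleted, Security Center DWORDs go back to 0 (their default)
    and Explorer's Hidden back to 1. Apply it with: reg import cleanup.reg"""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _ in hits:
        if name is None:
            out += ["[-%s]" % key, ""]           # leading '-' deletes the key
            continue
        quoted = '"%s"' % name.replace("\\", "\\\\").replace('"', '\\"')
        lk = key.lower()
        if lk == SECURITY_CENTER.lower():
            data = "dword:00000000"
        elif lk == EXPLORER_ADV.lower():
            data = "dword:00000001"
        else:
            data = "-"                           # "name"=- deletes the value
        out += ["[%s]" % key, "%s=%s" % (quoted, data), ""]
    return "\n".join(out)

SAMPLE_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\sample\\infector.exe"="C:\\sample\\infector.exe:*:Enabled:ipsec"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_CURRENT_USER\Software\alice914]
"""

if __name__ == "__main__":
    found = find_indicators(parse_reg_export(SAMPLE_EXPORT))
    print("\n".join("indicator: %r" % (h,) for h in found)), print(cleanup_reg(found))
```

The sample keeps the Remote Assistance exception (sessmgr.exe) that Windows XP SP2 creates by default to show that the check keys on the ":*:Enabled:ipsec" suffix rather than flagging every firewall exception. On a machine where the infector has run, review the generated .reg before importing it, because the Step 4 entries it deletes (EnableFirewall, DoNotAllowExceptions) may have been set deliberately by an administrator.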
Step 7
Remove these strings added by the malware/grayware/spyware in the HOSTS file
82.165.237.14
82.165.250.33
avp.com
ca.com
casablanca.cz
customer.symantec.com
d-eu-1f.kaspersky-labs.com
d-eu-1h.kaspersky-labs.com
d-eu-2f.kaspersky-labs.com
d-eu-2h.kaspersky-labs.com
d-ru-1f.kaspersky-labs.com
d-ru-1h.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
d-ru-2h.kaspersky-labs.com
d-us-1f.kaspersky-labs.com
d-us-1h.kaspersky-labs.com
d66.myleftnut.info
dispatch.mcafee.com
download.mcafee.com
downloads-us1.kaspersky.com
downloads1.kaspersky.com
downloads1.kaspersky.ru
downloads2.kaspersky.ru
downloads3.kaspersky.ru
downloads4.kaspersky.ru
downloads5.kaspersky.ru
eset.casablanca.cz
eset.com
f-secure.com
kaspersky-labs.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
metalhead2005.info
my-etrust.com
nai.com
networkassociates.com
nod32.com
norton.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
u2.eset.com
u3.eset.com
u4.eset.com
u7.eset.com
update.symantec.com
updates-us1.kaspersky.com
updates.symantec.com
updates1.kaspersky.com
updates2.kaspersky.com
updates3.kaspersky.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.eset.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.nod32.com
www.norton.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
To edit the HOSTS file:
- Open the following file using a text editor such as Notepad:
%System%\drivers\etc\HOSTS
(Note: %System% is the Windows system folder, which is usually C:\WINNT\System32 on Windows 2000, and C:\Windows\System32 on Windows XP, Windows Server 2003, Windows Vista, and Windows 7.)
- Delete the following entries:
82.165.237.14
82.165.250.33
avp.com
ca.com
casablanca.cz
customer.symantec.com
d-eu-1f.kaspersky-labs.com
d-eu-1h.kaspersky-labs.com
d-eu-2f.kaspersky-labs.com
d-eu-2h.kaspersky-labs.com
d-ru-1f.kaspersky-labs.com
d-ru-1h.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
d-ru-2h.kaspersky-labs.com
d-us-1f.kaspersky-labs.com
d-us-1h.kaspersky-labs.com
d66.myleftnut.info
dispatch.mcafee.com
download.mcafee.com
downloads-us1.kaspersky.com
downloads1.kaspersky.com
downloads1.kaspersky.ru
downloads2.kaspersky.ru
downloads3.kaspersky.ru
downloads4.kaspersky.ru
downloads5.kaspersky.ru
eset.casablanca.cz
eset.com
f-secure.com
kaspersky-labs.com
kaspersky.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
metalhead2005.info
my-etrust.com
nai.com
networkassociates.com
nod32.com
norton.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
u2.eset.com
u3.eset.com
u4.eset.com
u7.eset.com
update.symantec.com
updates-us1.kaspersky.com
updates.symantec.com
updates1.kaspersky.com
updates2.kaspersky.com
updates3.kaspersky.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.eset.com
www.f-secure.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.nod32.com
www.norton.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
- Save the file and close the text editor.
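A hand edit of the HOSTS file is error-prone with seventy-odd entries, and the same list is needed to confirm the infection in the first place. The script below is an added example, not a Trend Micro tool, written against the list given under HOSTS File Modification and repeated in Step 7; the sample file content is constructed. It flags any line that maps one of the listed names to any address, because the hijack works whichever address the malware chooses, and it returns a cleaned copy with every other line (localhost, comments, the administrator's own entries) untouched. The two raw IP addresses in the list are inert as HOSTS entries, since Windows does not consult HOSTS when connecting to a literal address, but they remain a useful fingerprint of this infector.

```python
r"""Find and remove the HOSTS entries this infector adds. Added example, not
Trend Micro's tool; it works on the file's text, so it runs offline on a
mounted image as well as on the live %SystemRoot%\System32\drivers\etc\hosts.
BLOCKED_NAMES is the list from the description; SAMPLE_HOSTS is constructed."""

BLOCKED_NAMES = set("""
82.165.237.14 82.165.250.33 avp.com ca.com casablanca.cz customer.symantec.com
d-eu-1f.kaspersky-labs.com d-eu-1h.kaspersky-labs.com d-eu-2f.kaspersky-labs.com
d-eu-2h.kaspersky-labs.com d-ru-1f.kaspersky-labs.com d-ru-1h.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com d-ru-2h.kaspersky-labs.com d-us-1f.kaspersky-labs.com
d-us-1h.kaspersky-labs.com d66.myleftnut.info dispatch.mcafee.com download.mcafee.com
downloads-us1.kaspersky.com downloads1.kaspersky.com downloads1.kaspersky.ru
downloads2.kaspersky.ru downloads3.kaspersky.ru downloads4.kaspersky.ru
downloads5.kaspersky.ru eset.casablanca.cz eset.com f-secure.com kaspersky-labs.com
kaspersky.com liveupdate.symantec.com liveupdate.symantecliveupdate.com mast.mcafee.com
mcafee.com metalhead2005.info my-etrust.com nai.com networkassociates.com nod32.com
norton.com rads.mcafee.com secure.nai.com securityresponse.symantec.com sophos.com
symantec.com trendmicro.com u2.eset.com u3.eset.com u4.eset.com u7.eset.com
update.symantec.com updates-us1.kaspersky.com updates.symantec.com
updates1.kaspersky.com updates2.kaspersky.com updates3.kaspersky.com us.mcafee.com
viruslist.com www.avp.com www.ca.com www.eset.com www.f-secure.com www.kaspersky.com
www.mcafee.com www.microsoft.com www.my-etrust.com www.nai.com www.networkassociates.com
www.nod32.com www.norton.com www.sophos.com www.symantec.com www.trendmicro.com
www.viruslist.com
""".split())

def parse_hosts(text):
    """Yield (lineno, address, [names]) for each entry line; '#' comment lines
    and blank lines are skipped and a trailing comment on an entry is dropped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            yield lineno, parts[0], parts[1:]

def find_hijacked(text):
    """Return [(lineno, address, name)] for every listed name that is mapped to
    anything at all: whatever address the infector chose, the update server is
    unreachable by that name. Matching is case-insensitive, as DNS is."""
    return [(lineno, addr, name.lower())
            for lineno, addr, names in parse_hosts(text)
            for name in names if name.lower() in BLOCKED_NAMES]

def clean_hosts(text):
    """Return (cleaned_text, removed_lines). A line is removed when it maps any
    listed name; every other line, comments included, is kept byte for byte."""
    kept, removed = [], []
    for raw in text.splitlines(keepends=True):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and any(p.lower() in BLOCKED_NAMES for p in parts[1:]):
            removed.append(raw)
        else:
            kept.append(raw)
    return "".join(kept), removed

SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example   # admin's own entry, must survive
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com  update.symantec.com
127.0.0.1 82.165.237.14
127.0.0.1 KASPERSKY.COM
"""

if __name__ == "__main__":
    for lineno, addr, name in find_hijacked(SAMPLE_HOSTS):
        print("line %d: %s -> %s" % (lineno, name, addr))
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print("removed %d line(s); cleaned file:\n%s" % (len(removed), cleaned))
```

On a live system read the file from %SystemRoot%\System32\drivers\etc\hosts, write the cleaned text back with administrative rights, and keep the removed lines with the incident record; if the file is read-only or hidden, which this infector's Explorer change would conceal, clear the attributes first.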
Step 8
Search and delete AUTORUN.INF files created by PE_SALITY.JER that contain these strings
[AutoRun]
;{random characters}
;{random characters}
sheLl\opeN\cOmmand ={malware file name}.exe
;{random characters}
ShelL\ExploRe\ComManD ={malware file name}.exe
sheLl\oPEn\DefauLt=1
;{random characters}
oPEN = {malware file name}.exe
;{random characters}
sheLl\AUtoplAy\ComMaND ={malware file name}.exe
;{random characters}
To identify and delete AUTORUN.INF files created:
- Right-click the Start button then choose Search... or Find..., depending on the version of Windows you are running.
- In the Named input box, type:
AUTORUN.INF
- In the Look in: drop-down list, select a drive, then press Enter.
- Select the file, then open using Notepad.
- Check if the following lines are present in the file:
[AutoRun]
;{random characters}
;{random characters}
sheLl\opeN\cOmmand ={malware file name}.exe
;{random characters}
ShelL\ExploRe\ComManD ={malware file name}.exe
sheLl\oPEn\DefauLt=1
;{random characters}
oPEN = {malware file name}.exe
;{random characters}
sheLl\AUtoplAy\ComMaND ={malware file name}.exe
;{random characters}
- If the lines are present, delete the file.
- Repeat steps 3 to 6 for the AUTORUN.INF files on the other removable drives.
- Close Search Results.
Step 9
Scan your computer with your Trend Micro product to clean files detected as PE_SALITY.JER. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
NOTES:
Remove the following strings that this malware added to SYSTEM.INI:
[MCIDRV_VER]
DEVICEMB={random numbers}
To edit SYSTEM.INI:
- Open SYSTEM.INI.
» For Windows 2000, Windows XP, and Windows Server 2003 users, click Start>Run. In the Open input box, type SYSTEM.INI then press Enter.
» For Windows Vista and Windows 7 users, click Start, type SYSTEM.INI in the Search input field then press Enter.
This opens the file in your default text editor (usually Notepad).
- Locate and delete the following lines:
[MCIDRV_VER]
DEVICEMB={random numbers}
- Close SYSTEM.INI. Click Yes when prompted to save.
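The AUTORUN.INF described under Propagation and in Step 8 uses mixed-case key names and junk comment lines. Windows parses INI section and key names case-insensitively, so the file works exactly as a normally cased one would, while a case-sensitive string search for shell\open\command misses it; the random comment lines also defeat a whole-file hash. The same parser reads the [MCIDRV_VER] section this infector writes to SYSTEM.INI, so one script covers both artifacts. The Python below is an added example and not part of this description; the two sample files are constructed, and the file name dropped.exe and the number 482917 are placeholders for {malware file name}.exe and {random numbers}.

```python
r"""Parse the AUTORUN.INF and SYSTEM.INI artifacts described above. Added
example, not Trend Micro's tool. Windows reads INI section and key names
case-insensitively, so 'sheLl\opeN\cOmmand' works exactly like
'shell\open\command' while a case-sensitive search misses it; the parser
normalises case and ignores the ';' junk-comment lines. Both samples are
constructed; dropped.exe and 482917 are placeholders."""

def parse_ini(text):
    """Return {section: {key: value}} with section and key names lower-cased;
    ';' comments, blank lines and whitespace around '=' are ignored, and keys
    that appear before any section header go under ''."""
    data, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            data.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            data[section][key.strip().lower()] = value.strip()
    return data

# every verb the dropped file points at itself, per the description above
LAUNCH_KEYS = ("open", r"shell\open\command", r"shell\explore\command",
               r"shell\autoplay\command")

def autorun_targets(text):
    """Return (set of programs the file would launch, whether 'open' is made
    the default verb via shell\open\default=1, which runs it on a double-click)."""
    ar = parse_ini(text).get("autorun", {})
    targets = {ar[k] for k in LAUNCH_KEYS if k in ar}
    return targets, ar.get(r"shell\open\default") == "1"

def looks_like_this_infector(text):
    """True when open, explore and autoplay all run the same .exe and 'open' is
    the default verb, the pattern in the description. The random comment lines
    play no part in the decision, so varying them cannot evade the check."""
    ar = parse_ini(text).get("autorun", {})
    if ar.get(r"shell\open\default") != "1" or not all(k in ar for k in LAUNCH_KEYS):
        return False
    targets = {ar[k].lower() for k in LAUNCH_KEYS}
    return len(targets) == 1 and targets.pop().endswith(".exe")

def system_ini_marker(text):
    """Return the DEVICEMB value of a [MCIDRV_VER] section, or None if absent."""
    return parse_ini(text).get("mcidrv_ver", {}).get("devicemb")

SAMPLE_AUTORUN = r"""[AutoRun]
;xkq3mzpw
;0v9qlw
sheLl\opeN\cOmmand =dropped.exe
;ab77d
ShelL\ExploRe\ComManD =dropped.exe
sheLl\oPEn\DefauLt=1
;zzq1
oPEN = dropped.exe
;r4
sheLl\AUtoplAy\ComMaND =dropped.exe
;qp
"""

SAMPLE_SYSTEM_INI = """; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[MCIDRV_VER]
DEVICEMB=482917
"""

if __name__ == "__main__":
    print("autorun launches:", autorun_targets(SAMPLE_AUTORUN))
    print("matches this infector:", looks_like_this_infector(SAMPLE_AUTORUN))
    print("SYSTEM.INI DEVICEMB:", system_ini_marker(SAMPLE_SYSTEM_INI))
```

A benign installer's AUTORUN.INF (an open= line plus an icon= line) yields one launch target but no default verb, so looks_like_this_infector returns False for it; when walking removable drives, treat any autorun_targets result as worth a look and the full pattern as a strong match.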