WORM_SILLYFDC.CJ

Malware type: Worm

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Low

Distribution potential:

Medium

Infection Channel 1: Propagates via removable drives

Infection Channel 2: Copies itself to all available physical drives


Description: 

A worm is malware designed to propagate and spread across networks. Worms are known to propagate using one or more transmission vectors such as email, IRC, network shares, instant messengers (IM), and peer-to-peer (P2P) networks.

Worms do not infect files, but may carry one or more payloads, such as computer security compromise and information theft.

Worms typically modify system settings to automatically start. Users may need to terminate worms before they can be deleted. Also, restoring affected systems may require procedures other than scanning with an antivirus program.

For additional information about this threat, see:

Description created: May. 14, 2008 6:20:32 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 69,632 Bytes

Initial samples received on: Nov 13, 2007

Details:

Arrival, Installation, and Autostart Technique

This worm may be installed manually by a user. It may be downloaded unknowingly by a user when visiting malicious Web site(s).

This worm drops the following copies of itself:

  • %System%\msarti.com
  • %Windows%\kernel32.ini
  • %Windows%\smss.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

For Windows XP, it also drops the following files:

  • %Application Data%\Microsoft\CD Burning\autorun.inf
  • %Application Data%\Microsoft\CD Burning\auto.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

It creates the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\policies\Explorer\Run
(Default) = "%System%\msarti.com"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
system = "%Windows%\kernel32.ini"

It modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon
Shell = "explorer.exe %Windows%\smss.exe"

(Note: The default value data for the said registry entry is explorer.exe.)

Other System Modifications

This worm creates the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\policies\Explorer
NoFolderOptions = "00000001"
Run = "00000001"
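The four persistence indicators listed above (a Run value and a policies\Explorer\Run default value pointing at a dropped copy, a Winlogon Shell value with something appended to explorer.exe, and the two policy values) can be checked mechanically. The following is an added example, not Trend Micro's code and not the worm's; it audits a registry "snapshot" and maps each finding to the delete-or-restore step the advisory prescribes. The snapshot format, a dict of key path to {value name: data} with a key's (Default) value stored under the empty name "", is an assumption made here so the check runs offline; the optional snapshot_from_winreg helper fills the same dict from the live registry on a Windows host.

```python
"""Audit Windows autostart registry entries for the indicators listed in this advisory."""
# Added example, not Trend Micro's or the worm's code. Snapshot format (assumption):
# {key_path: {value_name: data}}, with the key's (Default) value under the name "".
import sys

HKLM = "HKEY_LOCAL_MACHINE"
RUN_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer"
POLICY_RUN_KEY = POLICY_KEY + r"\Run"
WINLOGON_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# File names the advisory lists as dropped copies of the worm.
DROPPED_NAMES = ("msarti.com", "kernel32.ini", "smss.exe")


def _basename(path):
    """Last path component, unquoted and lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def _nonzero(value):
    """True for a REG_DWORD 1 or the string form "00000001" shown in the advisory."""
    try:
        return int(value) != 0
    except (TypeError, ValueError):
        return False


def audit_autostart(snapshot):
    """Return a list of (key_path, value_name, reason) findings."""
    findings = []
    # 1. Run and policies\Explorer\Run: a value whose target is one of the dropped copies.
    for key in (RUN_KEY, POLICY_RUN_KEY):
        for name, data in snapshot.get(key, {}).items():
            if isinstance(data, str) and _basename(data) in DROPPED_NAMES:
                findings.append((key, name, "autostart target is dropped file " + _basename(data)))
    # 2. Winlogon\Shell: the default is exactly "explorer.exe"; the worm appends its copy,
    #    so every extra token is reported.
    shell = snapshot.get(WINLOGON_KEY, {}).get("Shell")
    if isinstance(shell, str):
        extra = [t for t in shell.split() if t.lower() != "explorer.exe"]
        if extra:
            findings.append((WINLOGON_KEY, "Shell", "extra shell entries: " + " ".join(extra)))
    # 3. policies\Explorer: NoFolderOptions hides the Folder Options dialog (hidden files
    #    stay hidden); Run=1 makes Explorer honour the policy Run key checked above.
    policies = snapshot.get(POLICY_KEY, {})
    for name in ("NoFolderOptions", "Run"):
        if _nonzero(policies.get(name)):
            findings.append((POLICY_KEY, name, "policy value set to %s" % policies[name]))
    return findings


def remediation(findings):
    """Map each finding to the manual step the advisory prescribes: delete or restore."""
    steps = []
    for key, name, _ in findings:
        if key == WINLOGON_KEY and name == "Shell":
            steps.append('set %s\\Shell back to "explorer.exe"' % key)
        else:
            steps.append("delete value %r under %s" % (name, key))
    return steps


def snapshot_from_winreg():
    """Fill the snapshot from the live registry; returns {} when not running on Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    snapshot = {}
    for key_path in (RUN_KEY, POLICY_KEY, POLICY_RUN_KEY, WINLOGON_KEY):
        subkey = key_path.split("\\", 1)[1]
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as handle:
                values, index = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:
                        break
                    values[name] = data
                    index += 1
        except OSError:
            continue
        snapshot[key_path] = values
    return snapshot


# Constructed snapshot reproducing the advisory's entries, plus one benign Run value.
INFECTED_SNAPSHOT = {
    RUN_KEY: {"system": r"%Windows%\kernel32.ini", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    POLICY_RUN_KEY: {"": r"%System%\msarti.com"},
    POLICY_KEY: {"NoFolderOptions": "00000001", "Run": "00000001"},
    WINLOGON_KEY: {"Shell": r"explorer.exe %Windows%\smss.exe"},
}
# Constructed clean snapshot of the same keys.
CLEAN_SNAPSHOT = {
    RUN_KEY: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    WINLOGON_KEY: {"Shell": "explorer.exe"},
}

if __name__ == "__main__":
    live = snapshot_from_winreg() or INFECTED_SNAPSHOT
    for finding, step in zip(audit_autostart(live), remediation(audit_autostart(live))):
        print(finding, "->", step)
```

Matching on the dropped file names keeps the check specific to this advisory; the Winlogon Shell test is the more general one, since any token after explorer.exe is a persistence mechanism regardless of the file name used.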

Propagation via Physical/Removable/Floppy Drives

This worm drops copies of itself in all physical and removable drives. It also drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

The said .INF file contains the following strings:

[AutoRun]
open=auto.exe
shell\explore=Explore
shell\explore\Command=auto.exe
shell\open=Open
shell\open\Command=auto.exe
shell\open\Default=1

Analysis By: Pauline Manalo

Revision History:

First pattern file version: 5.984.09
First pattern file release date: Apr 25, 2009

SOLUTION


Minimum scan engine version needed: 8.300

Pattern file needed: 6.163.00

Pattern release date: Jun 2, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Files

  1. Scan your computer with your Trend Micro antivirus product.
  2. Note the path and file name of all files detected as WORM_SILLYFDC.CJ.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online threat scanner.

Deleting Malware Files using Windows Startup Disk
On Windows 98 and ME systems

This procedure allows the computer to restart by using the Windows Startup Disk.

  1. Click Start>Settings>Control Panel.
  2. In the Control Panel, double-click Add/Remove Programs. Click on the Startup Disk tab.
  3. Insert a working floppy disk and the Windows installation CD, and then click the Create Disk button to create the Startup Disk. Note that this deletes the contents of the floppy disk.
  4. Restart the system with the Startup Disk.
  5. In the command prompt, locate the folder where the malware files are detected.
  6. In the folder, type the following and press Enter:
    del {Malware file name}
  7. Restart the system.

Deleting Malware Files using Recovery Console
On Windows NT, 2000, XP, and Server 2003 systems

This procedure allows the computer to restart by using the Windows installation CD.

  1. Insert your Windows installation CD in your CD-ROM drive.
  2. Press the restart button of your computer.
  3. When prompted, press any key to boot from the CD.
  4. When prompted on the Main Menu, type r to enter the recovery console.
    (Note: On Windows 2000, after pressing r, type c to choose the Recovery Console in the repair options screen.)
  5. When prompted, type your administrator password to log on.
  6. Once logged in, type the drive that contains Windows in the command prompt that appears, then press Enter.
  7. Type the drive that contains Windows, then press Enter.
  8. Type the following, then press Enter:
    del {Malware path and file name}
  9. Repeat the above procedure for all files detected earlier.
  10. Type exit to restart the system.

Removing Autostart Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    system = "%Windows%\kernel32.ini"
    (Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>policies>Explorer>Run
  5. In the right panel, locate and delete the entry:
    (Default) = "%System%\msarti.com"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Restoring Modified Entry from the Registry

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows NT>CurrentVersion>Winlogon
  2. In the right panel, locate the entry:
    Shell = "explorer.exe %Windows%\smss.exe"
  3. Right-click on the value name and choose Modify. Change the value data of this entry to:
    explorer.exe

Removing Other Entries from the Registry

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>policies>Explorer
  2. In the right panel, locate and delete the following entries:
    • NoFolderOptions = "00000001"
    • Run = "00000001"
  3. Close Registry Editor.

Deleting Malware-created AUTORUN.INF Files

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    AUTORUN.INF
  3. In the Look In drop-down list, select a drive, then press Enter.
  4. Select the file, then open using Notepad.
  5. Check if the following lines are present in the file:
    [AutoRun]
    open=auto.exe
    shell\explore=Explore
    shell\explore\Command=auto.exe
    shell\open=Open
    shell\open\Command=auto.exe
    shell\open\Default=1
  6. If the lines are present, delete the file.
  7. Repeat steps 3 to 6 for AUTORUN.INF files in the remaining removable drives.
  8. Close Search Results.
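The propagation section and the AUTORUN.INF cleanup steps above both turn on the same seven lines. The following added example, which is not Trend Micro's code, parses an AUTORUN.INF file, lists every program it would launch, and reports whether the file matches the worm's pattern regardless of letter case or spacing. As a heuristic constructed here it also flags any file that overrides a shell\<verb>\Command entry, because that override is what makes "Open" and "Explore" on the drive run the dropped auto.exe instead of opening the folder. scan_drive_root additionally reports whether each referenced program is present at the drive root; the sample AUTORUN.INF contents are constructed.

```python
"""Check AUTORUN.INF files for the launch pattern described in this advisory."""
# Added example, not Trend Micro's code. The parser and the "suspicious" heuristic
# (any shell\<verb>\command override) are constructed here.
import os

# Key/value pairs from the advisory; names and values are compared case-insensitively.
WORM_PATTERN = {
    "open": "auto.exe",
    "shell\\explore": "explore",
    "shell\\explore\\command": "auto.exe",
    "shell\\open": "open",
    "shell\\open\\command": "auto.exe",
    "shell\\open\\default": "1",
}


def parse_autorun(text):
    """Minimal INI parser: {section: {key: value}}, names lower-cased, comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Programs the [AutoRun] section would run: open=, shellexecute=, shell\\<verb>\\command=."""
    auto = parse_autorun(text).get("autorun", {})
    return {k: v for k, v in auto.items()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))}


def matches_worm_pattern(text):
    """True when every line the advisory lists is present (case-insensitive)."""
    auto = parse_autorun(text).get("autorun", {})
    return all(auto.get(k, "").lower() == v for k, v in WORM_PATTERN.items())


def assess_autorun(text):
    """Return (verdict, targets); verdict is 'worm_pattern', 'suspicious' or 'benign'."""
    targets = launch_targets(text)
    if matches_worm_pattern(text):
        return "worm_pattern", targets
    # Heuristic (constructed here): overriding the Open/Explore verbs redirects a user's
    # normal double-click or context-menu action on the drive to the named program.
    if any(k.startswith("shell\\") for k in targets):
        return "suspicious", targets
    return "benign", targets


def scan_drive_root(root):
    """Assess <root>\\autorun.inf and report whether each launch target exists beside it."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", errors="replace") as fh:
        verdict, targets = assess_autorun(fh.read())
    present = {k: os.path.isfile(os.path.join(root, v.strip('"'))) for k, v in targets.items()}
    return {"path": path, "verdict": verdict, "targets": targets, "present": present}


# Constructed samples: the worm's file as listed in the advisory, and a typical vendor CD autorun.
WORM_AUTORUN = """[AutoRun]
open=auto.exe
shell\\explore=Explore
shell\\explore\\Command=auto.exe
shell\\open=Open
shell\\open\\Command=auto.exe
shell\\open\\Default=1
"""
VENDOR_AUTORUN = """[autorun]
open=setup\\setup.exe
icon=setup\\setup.ico
label=Product CD
"""

if __name__ == "__main__":
    for sample in (WORM_AUTORUN, VENDOR_AUTORUN):
        print(assess_autorun(sample))
```

To apply the check to a mounted drive, call scan_drive_root with the drive root (for example "E:\\"); a result whose verdict is "worm_pattern" and whose "present" map shows auto.exe beside the INF corresponds to the file the manual steps above tell you to delete.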

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

Restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as WORM_SILLYFDC.CJ. To do this, Trend Micro customers must download the latest virus pattern file and scan their computers. Other Internet users can use HouseCall, the Trend Micro online threat scanner.



