WORM_RIXOBOT.A

Malware type: Worm

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Infection Channel 1: Propagates via instant messaging applications

Infection Channel 2: Propagates via removable drives

Description: 

This worm may be downloaded from remote sites by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites. It arrives via removable drives.

It drops copies of itself. It sets the attributes of its dropped files. It injects code into certain process(es).

It creates registry entries to enable its automatic execution at every system startup.

It disables Automatic Windows Update. As a result, once updates are released, affected users are unable to get Windows updates automatically. It disables Security Center functions. It creates registry key(s)/entry(ies) as part of its installation routine. It adds key(s) as part of its installation routine. It deletes registry key(s).

It sends messages to target recipients using certain instant messaging applications.

It creates folder(s) in all removable drives. It drops a copy(ies) of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

It connects to IRC servers. It joins IRC channels. It executes commands from a remote malicious user, effectively compromising the affected system.

It terminates certain services if found on the system. It terminates certain processes, if found running in memory. It closes application windows that contain certain strings.

It modifies the system's HOSTS files to prevent users from accessing certain Web sites.

It downloads an updated copy of itself from certain Web sites.

It creates mutex(es) to ensure that only one instance of itself is running in memory. It terminates antivirus-related processes.


Description created: Jul. 27, 2010 6:38:02 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 162,311 Bytes

Initial samples received on: Jul 21, 2010

Payload 1: Disables services

Payload 2: Modifies HOSTS file

Payload 3: Compromises system security

Details:

Arrival Details

This worm may be downloaded from remote site(s) by other malware.

It may be downloaded unknowingly by a user when visiting malicious Web site(s).

It arrives via removable drives.

Installation

This worm drops the following copy(ies) of itself:

  • %System%\MsCjClient.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. )

It sets the attributes of its dropped file(s) to the following:

  • Hidden
  • Read-Only
  • System

It injects code into the following process(es):

  • Explorer.exe

Autostart Techniques

This worm creates the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
conime.exe
Debugger = "MsCjClient.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
conime.exe = "conime.exe"

Other System Modifications

This worm modifies the following registry entry(ies) to disable Automatic Windows Update:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = "4"

(Note: The default value data for the said registry entry is 2.)

It modifies the following registry entry(ies) to disable Security Center functions:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

(Note: The default value data for the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"

(Note: The default value data for the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

(Note: The default value data for the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"

(Note: The default value data for the said registry entry is 0.)

It creates the following registry entry to automatically exclude itself from DEP (data execution prevention):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
{malware path and filename} = "DisableNXShowUI"

It creates the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

It creates the following registry entry to disable Microsoft Windows Malicious Software Removal Tool:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\MRT
DontReportInfectionInformation = "1"

It creates the following registry entries to include itself in the trusted applications list of Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
{malware path and filename} = "{malware path and filename}:*:Enabled:LAN Router"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and filename} = "{malware path and filename}:*:Enabled:LAN Router"

It creates the following registry entries to disable System Restore:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SystemRestore
DisableSR = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore
DisableConfig = "1"

It adds the following key(s) as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
conime.exe

It deletes the following registry key(s) to disable Safe Booting:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network

Propagation via Instant Messaging (IM) Applications

This worm sends messages to target recipients using the following instant messaging application(s):

  • Skype
  • Yahoo! Messenger

Propagation via Physical/Removable/Floppy Drives

This worm creates the following folder(s) in all removable drives:

  • ~temp

It drops the following copy(ies) of itself in all removable drives:

  • ~temp\63643.exe

It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

The said .INF file contains the following strings:

[Autorun]
open=~temp\63643.exe
icon=%windir%\system32\SHELL32.dll,8
action=Open folder to view files using Windows Explorer
shell\open=Open
shell\open\command=~temp\63643.exe
shell\open\default=1
shell\explore=Explore
shell\explore\command=~temp\63643.exe
shell\search=Search...
shell\search\command=~temp\63643.exe
useautoplay=1
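
The AUTORUN.INF above is what makes every way of opening the drive run the dropped copy: open=, shell\open\command=, shell\explore\command= and shell\search\command= all point at ~temp\63643.exe. The following PowerShell is an added example, not code from the page or from Trend Micro: it parses an AUTORUN.INF into the commands it would launch, runs that over the strings listed above (embedded as constructed input), and then checks any attached removable drive the same way. The drive scan assumes the removable drives are those Win32_LogicalDisk reports with DriveType 2.

```powershell
# Added example (not from the page): list what an AUTORUN.INF would execute.
function Get-AutorunTargets {
    param([string]$InfText)
    $section = ''
    foreach ($rawLine in $InfText -split "`r?`n") {
        $line = $rawLine.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }                     # only [Autorun] matters
        $key, $value = $line -split '=', 2
        if ($null -eq $value) { continue }
        $key = $key.Trim().ToLower()
        # open=, shellexecute= and shell\<verb>\command= launch a program;
        # icon=, action=, label= and the shell\<verb>= display strings do not.
        if ($key -eq 'open' -or $key -eq 'shellexecute' -or $key -match '^shell\\[^\\]+\\command$') {
            [pscustomobject]@{ Entry = $key; Command = $value.Trim() }
        }
    }
}

# Constructed sample: the AUTORUN.INF strings the page lists for this worm.
$sample = @'
[Autorun]
open=~temp\63643.exe
icon=%windir%\system32\SHELL32.dll,8
action=Open folder to view files using Windows Explorer
shell\open=Open
shell\open\command=~temp\63643.exe
shell\open\default=1
shell\explore=Explore
shell\explore\command=~temp\63643.exe
shell\search=Search...
shell\search\command=~temp\63643.exe
useautoplay=1
'@

# Every launching entry in the sample resolves to the same dropped copy.
Get-AutorunTargets $sample | Format-Table -AutoSize

# Check attached removable drives (DriveType 2) the same way. -Force on Get-Item is
# needed because the worm marks its files Hidden and System.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID
    $inf = Join-Path $root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }
    Write-Warning "$root carries an autorun.inf"
    Get-AutorunTargets (Get-Content -LiteralPath $inf -Raw) | ForEach-Object {
        $target = Get-Item -LiteralPath (Join-Path $root $_.Command) -Force -ErrorAction SilentlyContinue
        $attrs = if ($target) { $target.Attributes } else { 'missing' }
        Write-Warning ("  {0} -> {1} [{2}]" -f $_.Entry, $_.Command, $attrs)
    }
}
```

Run on the sample, the parser reports four launching entries (open, shell\open\command, shell\explore\command, shell\search\command), all naming ~temp\63643.exe; on a real drive the attribute column shows whether the target carries the Hidden and System attributes the page describes, which is what keeps it out of sight in Explorer.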

Backdoor Capabilities

This worm connects to any of the following IRC server(s):

  • ns58.{BLOCKED}port4you.net

It joins any of the following IRC channel(s):

  • ##net
  • #te3pe3

It executes the following command(s) from a remote malicious user:

  • Connect to other IRC servers
  • Download and execute files
  • Remove itself
  • Start/Stop spreading in Instant Messaging Applications

Process Termination

This worm terminates the following service(s), if found on the system:

  • acssrv
  • AntiVirService
  • avast! Antivirus
  • avg8wd
  • avg9wd
  • cmdAgent
  • CSIScanner
  • ekrn
  • K7RTscan
  • K7TSMngr
  • KPF4
  • McShield
  • MsMpSvc
  • NOD32krn
  • OutpostFirewall
  • PASRV
  • SAVAdminService
  • SAVService
  • SbPF.Launcher
  • SmcService
  • Sophos AutoUpdate Service
  • Sophos Client Firewall
  • Sophos Client Firewall Manager
  • SPF4
  • TmPfw
  • vsmon
  • VSSERV

It terminates the following process(es), if found running in memory:

  • 123.COM
  • 123.EXE
  • A2HIJACKFREESETUP.EXE
  • APM.EXE
  • APORTS.EXE
  • APT.EXE
  • ASVIEWER.EXE
  • ATF-CLEANER.EXE
  • AUTORUNS.EXE
  • AVENGER.EXE
  • AVG_AVWT_STB_EN_9_40_FREE.EXE
  • AVGARKT.EXE
  • AVINSTALL.EXE
  • AVIRA_ANTIVIR_PERSONAL_EN.EXE
  • AVZ.EXE
  • BC5CA6A.EXE
  • BITDEFENDER_ANTIVIRUS.EXE
  • BOOTSAFE.EXE
  • BUSCAREG.EXE
  • CATCHME.EXE
  • CF9409.EXE
  • COMBO-FIX.EXE
  • COMBOFIX.BAT
  • COMBOFIX.COM
  • COMBOFIX.EXE
  • COMBOFIX.SCR
  • COMPAQ_PROPIETARIO.EXE
  • CPF.EXE
  • CPORTS.EXE
  • CPROCESS.EXE
  • CUREIT.EXE
  • DARKSPY105.EXE
  • DELAYDELFILE.EXE
  • DLLCOMPARE.EXE
  • DLLHOSTS.EXE
  • DRWEB-600-WIN-PRO-X86.EXE
  • DUBATOOL_AV_KILLER.EXE
  • EAV_NT32_ENU.MSI
  • EAV_NT64_ENU.MSI
  • ELISTA.EXE
  • ESCW_90_SA_SFX.EXE
  • EULALYZERSETUP.EXE
  • FILEALYZ.EXE
  • FILEFIND.EXE
  • FIXBAGLE.EXE
  • FIXPATH.EXE
  • FOLDERCURE.EXE
  • FPORT.EXE
  • FSB.EXE
  • FSBL.EXE
  • GMER.EXE
  • GUARD.EXE
  • GUARDXKICKOFF.EXE
  • GUARDXSERVICE.EXE
  • HACKMON.EXE
  • HELIOS.EXE
  • HIJACK-THIS.EXE
  • HIJACKTHIS.EXE
  • HIJACKTHIS_SFX.EXE
  • HIJACKTHIS_V2.EXE
  • HJ.EXE
  • HJTINSTALL.EXE
  • HJTSETUP.EXE
  • HOOKANLZ.EXE
  • HOSTSFILEREADER.EXE
  • ICESWORD.EXE
  • IEFIX.EXE
  • INSTALLWATCHPRO25.EXE
  • ISSDM_EN_32.EXE
  • JAJA.EXE
  • K7TS_SETUP.EXE
  • KAKASETUPV6.EXE
  • KILLAUTOPLUS.EXE
  • KILLBOX.EXE
  • LISTO.EXE
  • LORDPE.EXE
  • MBAM-SETUP.EXE
  • MBAM.EXE
  • MBR.EXE
  • MRT.EXE
  • MRTSTUB.EXE
  • MSASCUI.EXE
  • MSMPENG.EXE
  • MSNCLEANER.EXE
  • MSNFIX.EXE
  • MYPHOTOKILLER.EXE
  • NAV-TW-30-17-1-0-19TBEN.EXE
  • NETALYZ.EXE
  • NETSTAT.EXE
  • NS360S300EN
  • NTVDM.EXE
  • OBJMONSETUP.EXE
  • OLLYDBG.EXE
  • OTL.EXE
  • OTM.EXE
  • OTMOVEIT.EXE
  • MBAM-SETUP.EXE
  • P08PROMO.EXE
  • PAVARK.EXE
  • PENCLEAN.EXE
  • PG2.EXE
  • PGSETUP.EXE
  • PORTDETECTIVE.EXE
  • PORTMONITOR.EXE
  • PREVX.EXE
  • PREVXCSIFREE.EXE
  • PROCDUMP.EXE
  • PROCESSMONITOR.EXE
  • PROCEXP.EXE
  • PROCMON.EXE
  • PROJECTWHOISINSTALLER.EXE
  • PSKILL.EXE
  • RAVP.EXE
  • REANIMATOR.EXE
  • REG.EXE
  • REGALYZ.EXE
  • REGCOOL.EXE
  • REGEDIT.COM
  • REGEDIT.SCR
  • REGISTRAR_LITE.EXE
  • REGMON.EXE
  • REGSCANNER.EXE
  • REGSHOT.EXE
  • REGUNLOCKER.EXE
  • REGUNLOCKER.EXE
  • TSNTEVAL.EXE
  • XP_TASKMGRENAB.EXE
  • REGX2.EXE
  • RKD.EXE
  • ROOTALYZER.EXE
  • ROOTKIT_DETECTIVE.EXE
  • ROOTKITBUSTER.EXE
  • ROOTKITNO.EXE
  • ROOTKITREVEALER.EXE
  • ROOTREPEAL.EXE
  • SAFEBOOTKEYREPAIR.EXE
  • OTMOVEIT3.EXE
  • HOSTSXPERT.EXE
  • DAFT.EXE
  • SDFIX.EXE
  • SECCENTER.EXE
  • SEEM.EXE
  • SETUP_AV_FREE.EXE
  • SPF.EXE
  • SPYBOTSD.EXE
  • SPYBOTSD160.EXE
  • SRENGLDR.EXE
  • SRENGPS.EXE
  • SRESTORE.EXE
  • STARTDRECK.EXE
  • SUPERANTISPYWARE.EXE
  • SUPERKILLER.EXE
  • SYSANALYZER_SETUP.EXE
  • TASKKILL.EXE
  • TASKLIST.EXE
  • TASKMAN.EXE
  • TASKMON.EXE
  • TCPVIEW.EXE
  • TEATIMER.EXE
  • TrendMicro_TISPro_16.1_1063_x32.EXE
  • UNHACKME.EXE
  • UNIEXTRACT.EXE
  • UNLOCKER.EXE
  • UNLOCKER1.8.7.EXE
  • UNLOCKERASSISTANT.EXE
  • USBGUARD.EXE
  • VBA32-PERSONAL-LATEST-ENGLISH.EXE
  • VIPRE.EXE
  • VIRUS.EXE
  • VIRUSUTILITIES.EXE
  • WINDOWS-KB890930-V2.2.EXE
  • WINDOWSDEFENDER.MSI
  • WIRESHARK.EXE
  • WITSETUP.EXE
  • ZLCLIENT.EXE

It closes application windows that contain the following string(s):

  • avast!Free Antivirus
  • avast!Free Antivirus Setup
  • AVG 9.0 build 730 (1/7/2010)
  • AVG Anti-Virus
  • AVG Download Manager
  • Avira AntiVir Personal - Free Antivirus
  • AVP.AlertDialog
  • AVP.ScanProgressWindow
  • AVZ Antiviral Toolkit
  • BitDefender Antivirus 2010 Setup
  • BitDefender Antivirus Scanner
  • BitDefender Security Center
  • BitDefender Setup
  • Computer Scan - ESET NOD32 Antivirus
  • Custom Scan
  • ESET NOD32 Antivirus
  • ESET NOD32 Antivirus Setup
  • Full System Scan
  • HijackThis
  • Kaspersky Anti-Virus 2010
  • Kaspersky Anti-Virus 2010 Setup
  • Luke Filewalker
  • MalwareBtyes AntiMalware
  • Malwarebytes' AntiMalware
  • Microsoft Security Essentials
  • Norton 360
  • Norton Antivirus
  • Norton Antivirus 2010
  • Norton QuickScan
  • Prevx
  • PrevxWindowClass
  • Regshot 1.8.2
  • SAVScanDlgs
  • Scan
  • Sophos Endpoint Security and Control
  • Sophos Endpoint Security and Control installation wizard
  • Sophos Endpoint Security and Control standalone installer
  • Sophos.SAV.ScanDlg
  • Symantec Endpoint Protection
  • TCPViewClass
  • The Avenger
  • The Avenger,(c) by Swandog46
  • The Wireshark Network Analyzer
  • ThunderRT6Main
  • TWizardForm
  • Updater
  • Windows Defender

Modification

This worm modifies the system's HOSTS files to prevent users from accessing the following Web site(s):

  • 13iii.com
  • acs.pandasoftware.com
  • ad-aware-se.uptodown.com
  • ad.harrenmedianetwork.com
  • ad13.geekstogo.com
  • aknow.prevx.com
  • alerta-antivirus.inteco.es
  • alerta-antivirus.red.es
  • alfrasha.maktoob.com
  • andymanchesta.com
  • anggiawan.web.id
  • angui123.cn
  • answers.yahoo.com
  • anti-virus-software-review.toptenreviews.com
  • antitrick.com
  • antonbi.web.id
  • ar.answers.yahoo.com
  • ariefew.com
  • artsoftdesign.com
  • atazita.blogspot.com
  • avast-home.uptodown.com
  • avg.vo.llnwd.net
  • ba-k.com
  • baike.360.cn
  • baike.360.com
  • banes-pages.blogspot.com
  • bb1.th3kings.net
  • bbs.360safe.cn
  • bbs.360safe.com
  • bbs.cfan.com.cn
  • bbs.duba.net
  • bbs.ikaka.com
  • bbs.kafan.cn
  • bbs.kafan.com
  • bbs.kaspersky.com.cn
  • bbs.kpfans.com
  • bbs.s-sos.net
  • bbs.taisha.org
  • bbs.winzheng.com
  • beniono.wordpress.com
  • beta.eset.com
  • bisnismudahsaja.blogspot.com
  • blog.hispasec.com
  • blog.rnsafe.com
  • blog.threatfire.com
  • blogs.icerocket.com
  • blokvesti.net
  • board.protecus.de
  • board.softpedia.com
  • boardreader.com
  • bokwer.com
  • bub.th3kings.net
  • ca.answers.yahoo.com
  • cairopt.net
  • cert.inteco.es
  • changelog.fr
  • cit.kookmin.ac.kr
  • club.myce.com
  • cmmings.cn
  • codehard.wordpress.com
  • cofradia.org
  • community.mcafee.com
  • community.norton.com
  • community.thaiware.com
  • comprolive.com
  • comprolive.vox.com
  • computadoras.migold.com
  • comunidad.wilkinsonpc.com.co
  • customer.symantec.com
  • danielorza.net
  • darkzone.in.th
  • debates.motos.net
  • deckard.geekstogo.com
  • destavision-forum.com
  • devbuilds.kaspersky-labs.com
  • devirusare.com
  • diamondcs.com.au
  • discussions.virtualdr.com
  • dl.360safe.com
  • dl2.agnitum.com
  • dlpe.antivir.com
  • dnl-eu8.kaspersky-labs.com
  • down.360safe.cn
  • down.360safe.com
  • down.www.kingsoft.com
  • download.bleepingcomputer.com
  • download.eset.com
  • download.f-secure.com
  • download.mcafee.com
  • download.microsoft.com
  • download.nai.com
  • download.sysinternals.com
  • download.zonealarm.com
  • downloads.andymanchesta.com
  • downloads.malwarebytes.org
  • downloads.novirusthanks.org
  • downloads.sophos.com
  • dr-web-cureit.softonic.com
  • egavisa.blogspot.com
  • es.answers.yahoo.com
  • es.kioskea.net
  • es.mcafee.com
  • es.trendmicro-europe.com
  • es.wasalive.com
  • esetnod32antivirus.blogspot.com
  • espanol.answers.yahoo.com
  • espanol.dir.groups.yahoo.com
  • espanol.groups.yahoo.com
  • fgp.e2doo.com
  • fgsite.com
  • file.ikaka.cn
  • file.ikaka.com
  • files.filefont.com
  • fineartschance.com
  • fixmyim.com
  • foro.el-hacker.com
  • foro.elhacker.net
  • foro.ethek.com
  • foro.infiernohacker.com
  • foro.msgpluslive.es
  • foro.noticias3d.com
  • foro.portalhacker.net
  • foros.3dgames.com.ar
  • foros.abcdatos.com
  • foros.mcanime.net
  • foros.softonic.com
  • foros.toxico-pc.com
  • foros.zonavirus.com
  • forospyware.com
  • forum.aiutamici.com
  • forum.antivir-pe.de
  • forum.antivirus365.net
  • forum.avast.com
  • forum.avira.com
  • forum.avira.de
  • forum.bullguard.com
  • forum.burek.com
  • forum.chip.de
  • forum.clubedohardware.com.br
  • forum.dobreprogramy.pl
  • forum.drweb.com
  • forum.gsmhosting.com
  • forum.hardware.fr
  • forum.hijackthis.de
  • forum.hocit.com
  • forum.kaspersky.com
  • forum.kasperskyclub.com
  • forum.lowyat.net
  • forum.lrytas.lt
  • forum.malekal.com
  • forum.p30world.com
  • forum.piriform.com
  • forum.programosy.pl
  • forum.romeonet.ro
  • forum.securitycadets.com
  • forum.skype.com
  • forum.smadav.net
  • forum.softpedia.com
  • forum.swzone.it
  • forum.sysinternals.com
  • forum.telecharger.01net.com
  • forum.torrents.ro
  • forum.tweaks.com
  • forum.zazana.com
  • forum.zebulon.fr
  • forums.afterdawn.com
  • forums.avg.com
  • forums.cnet.com
  • forums.comodo.com
  • forums.devshed.com
  • forums.eternion-wow.com
  • forums.maddoktor2.com
  • forums.malwarebytes.org
  • forums.overclockzone.com
  • forums.techguy.org
  • forums.whatthetech.com
  • forums.zonealarm.com
  • free.antivirus.com
  • free.avg.com
  • front.prevx.com
  • ftp.drweb.com
  • ftp.f-secure.com
  • ftp.pcpitstop.com
  • ftp01net.telechargement.fr
  • golpe.dyndns.org
  • gotoknow.org
  • greatis.com
  • gulaley.blogspot.com
  • guru.avg.com
  • guru0.grisoft.cz
  • guru1.grisoft.cz
  • guru2.grisoft.cz
  • guru3.grisoft.cz
  • guru4.grisoft.cz
  • guru5.grisoft.cz
  • hana-ahmad.blogspot.com
  • harrenmedianetwork.com
  • heavenward.ru
  • hi.baidu.com
  • hijackthis.download3000.com
  • hjt-data.trend-braintree.com
  • hjt.networktechs.com
  • housecall.trendmicro.com
  • housecall65.trendmicro.com
  • images.malwareremoval.com
  • in.answers.yahoo.com
  • info.prevx.com
  • inspiresoft.blogspot.com
  • irc.ekizmedia.com
  • irc.evoporn.com
  • irc.snahosting.net
  • it.answers.yahoo.com
  • justfane.blogspot.com
  • k2r.th3kings.net
  • kaba.360.cn
  • kaba.360.com
  • kaspersky.com
  • kb.eset.com
  • kr.ahnlab.com
  • ladooscuro.es
  • lexikon.ikarus.at
  • linhadefensiva.uol.com.br
  • liveupdate.symantec.com
  • liveupdate.symantecliveupdate.com
  • lurker.clamav.net
  • mailcenter.rising.com
  • mailcenter.rising.com.cn
  • majorgeeks.com
  • malekal.com
  • malwarebytes-anti-malware.softonic.com
  • malwarebytes.org
  • mast.mcafee.com
  • melcy.wordpress.com
  • mks.com.pl
  • modelayu.com
  • msncleaner.softonic.com
  • msnfix.changelog.fr
  • msntubers.freehostia.com
  • mustlovewine.com
  • mvps.org
  • mx.answers.yahoo.com
  • myantispyware.com
  • new.taringa.net
  • news.support.veritas.com
  • nitroamd.spaces.live.com
  • nod32-antivirus.en.softonic.co
  • ntfaq.co.kr
  • oldtimer.geekstogo.com
  • onecare.live.com
  • oolbar.cyberdefender.com
  • ot-indo.blogspot.com
  • p3dev.taringa.net
  • pastebin.com
  • pcvids.wordpress.com
  • pogonyuto.forospanish.com
  • poolcoversite.com
  • positiveroot.wordpress.com
  • psychoski.blogspot.com
  • quickscan.bitdefender.com
  • rareartonline.com
  • regfixerror.pctools.revenuewire.net
  • research.pandasecurity.com
  • research.sunbelt-software.com
  • rootrepeal.googlepages.com
  • rootrepeal.psikotick.com
  • sabithpocker.blogspot.com
  • safecomputing.umn.edu
  • samroeng.hi5.com
  • sapcupgrades.com
  • scanner.virus.org
  • search.mcafee.com
  • secubox.aldria.com
  • secunia.com
  • secure.sophos.com
  • security.symantec.com
  • securityresponse.symantec.com
  • securitywonks.net
  • service1.symantec.com
  • sf.tapuz.co.il
  • share.skype.com
  • shield.prevx.com
  • shitit.net
  • shop.symantecstore.com
  • shv4.ath.cx
  • simplyrudz.blogspot.com
  • sip4.voipkosovasite.com
  • sis-admin.blogspot.com
  • smadaver.com
  • sniff.runescapetube.com
  • social.answers.microsoft.com
  • social.microsoft.com
  • software-files.download.com
  • softwaresecuritysolutions.com
  • solit.us
  • somostuyyounnuevodiaoficial.obolog.com
  • sophos.com
  • sopiansantosa.blogspot.com
  • sosvirus.changelog.fr
  • spywarefiles.prevx.com
  • spywarehammer.com
  • static.commentcamarche.net
  • stdio-labs.blogspot.com
  • store.norton.com
  • story.dnsentrymx.com
  • subs.geekstogo.com
  • support.emsisoft.com
  • support.f-secure.com
  • support.kaspersky.com
  • swandog46.geekstogo.com
  • tech.pantip.com
  • thaicert.nectec.or.th
  • thailand.itmylike.com
  • thedudesemo.blogspot.com
  • thejokerx.blogspot.com
  • topsy.com
  • trbotnet.sytes.net
  • trialware.norton.com
  • uk.answers.yahoo.com
  • universomanualidades.foroactivo.com
  • update.360safe.cn
  • update.360safe.com
  • update.symantec.com
  • updatem.360safe.cn
  • updatem.360safe.com
  • upload.changelog.fr
  • us.mcafee.com
  • us3.download.comodo.com
  • us4.download.comodo.com
  • usa.kaspersky.com
  • v.dreamwiz.com
  • vaksin.com
  • vil.nai.com
  • vil.nail.com
  • virscan.org
  • virusinfo.info
  • virusinfo.prevx.com
  • wakoopa.com
  • wap.elakiri.com
  • wasteland-bg.com
  • wenwen.soso.com
  • whois.domaintools.com
  • www.2-spyware.com
  • www.247fixes.com
  • www.360.cn
  • www.360.com
  • www.360safe.cn
  • www.360safe.com
  • www.365groups.com
  • www.4-gsmteam.com
  • www.51nb.com
  • www.abgenis.net
  • www.alabamawomen.org
  • www.analysis.seclab.tuwien.ac.at
  • www.antirootkit.com
  • www.antivir.es
  • www.antivirus.about.com
  • www.antivirus.comodo.com
  • www.arenajunkies.com
  • www.arswp.com
  • www.askmehelpdesk.com
  • www.auditmypc.com
  • www.avast.com
  • www.avg-antivirus.net
  • www.avira.com
  • www.avp.com
  • www.avpclub.ddns.info
  • www.avsoft.ru
  • www.babooforum.com.br
  • www.bakunos.com
  • www.betterantivirus.com
  • www.bitdefender.com
  • www.bitdefender.es
  • www.bleedingthreats.net
  • www.bleepingcomputer.com
  • www.blindedbytech.com
  • www.blogschapines.com
  • www.bloodzone.net
  • www.box.net
  • www.ca.com
  • www.carigold.com
  • www.castlecops.com
  • www.castlecrops.com
  • www.cddchiangmai.net
  • www.cfan.com.cn
  • www.changedetection.com
  • www.chkrootkit.org
  • www.cisrt.org
  • www.clamav.net
  • www.clamwin.com
  • www.clubic.com
  • www.codelain.com
  • www.com-th.net
  • www.commentcamarche.net
  • www.computerforum.com
  • www.computerhilfen.de
  • www.computing.net
  • www.configurarequipos.com
  • www.corozilla.net
  • www.cwsandbox.org
  • www.cyberdefender.com
  • www.cybertechhelp.com
  • www.daboweb.com
  • www.daniweb.com
  • www.darkclockers.com
  • www.dazhizhu.cn
  • www.decido.de
  • www.devirusare.com
  • www.dicasweb.com.br
  • www.dl4all.com
  • www.dougknox.com
  • www.downtr.net
  • www.drweb.com.es
  • www.duba.net
  • www.eeload.com
  • www.el-hacker.com
  • www.elakiri.com
  • www.elektroda.pl
  • www.elguruinformatico.com
  • www.elhacker.org
  • www.elitepvpers.de
  • www.eliters.com
  • www.emsisoft.com
  • www.emsisoft.de
  • www.eradicatespyware.net
  • www.eset-la.com
  • www.eset.com
  • www.eset.eu
  • www.eudict.com
  • www.ewido.net
  • www.experts-exchange.com
  • www.f-prot.com
  • www.f-secure.com
  • www.faravirusi.com
  • www.feedage.com
  • www.file.net
  • www.fileresearchcenter.com
  • www.final4ever.com
  • www.firewallguide.com
  • www.fixya.com
  • www.forofantasiasmiguel.com
  • www.forospanish.com
  • www.forospyware.com
  • www.forospyware.es
  • www.fortiguardcenter.com
  • www.fortinet.com
  • www.forum.kaspersky.com
  • www.forums.majorgeeks.com
  • www.free-av.com
  • www.free.avg.com
  • www.free.grisoft.com
  • www.freedrweb.com
  • www.freefixer.com
  • www.freespywareremoval.info
  • www.freshwap.net
  • www.ftw.ro
  • www.funkytoad.com
  • www.futurenow.bitdefender.com
  • www.gamexeon.com
  • www.geekpolice.net
  • www.geekstogo.com
  • www.gmer.net
  • www.greatis.com
  • www.grisoft.com
  • www.groupwhere.org
  • www.gsmph.com
  • www.gsmph.net
  • www.guiadohardware.net
  • www.gyakorikerdesek.hu
  • www.hijackthis.de
  • www.hotshare.net
  • www.housecall.trendmicro.com
  • www.huaifai.go.th
  • www.hvaonline.net
  • www.identi.es
  • www.ikaka.cn
  • www.ikaka.com
  • www.ikarus.net
  • www.incodesolutions.com
  • www.indowebster.web.id
  • www.infos-du-net.com
  • www.infosecpodcast.com
  • www.infospyware.com
  • www.ipaddresser.com
  • www.ixtorrent.com
  • www.jackbloodforum.com
  • www.javacoolsoftware.com
  • www.javacoolsoftware.net
  • www.jbtalks.cc
  • www.jiwang.org
  • www.judj.com
  • www.jvme.com
  • www.k7computing.com
  • www.kaldata.com
  • www.kaskus.us
  • www.kaspersky-labs.com
  • www.kaspersky.com
  • www.kaspersky.es
  • www.killtrojan.net
  • www.kosandpol.elakiri.com
  • www.krupunmai.com
  • www.kztechs.com
  • www.laneros.com
  • www.latest-virus.com
  • www.lavasoft.com
  • www.leforo.com
  • www.linhadefensiva.org
  • www.linkmania.ro
  • www.looktr.com
  • www.malekal.com
  • www.malwarebytes.org
  • www.malwarecrypt.com
  • www.malwareremoval.com
  • www.manuelruvalcaba.com
  • www.mcafee.com
  • www.mcanime.net
  • www.Merijn.org
  • www.messengeradictos.com
  • www.misec.net
  • www.mostz.com
  • www.mozilla-hispano.org
  • www.msnvirusremoval.com
  • www.mvps.org
  • www.mxttchina.com
  • www.mycity.rs
  • www.mypcsafe.com
  • www.nabble.com
  • www.net-security.org
  • www.networkworld.com
  • www.nhatnghe.com
  • www.norman.com
  • www.offensivecomputing.net
  • www.onlinescan.avast.com
  • www.oprekpc.com
  • www.ozzu.com
  • www.pandasecurity.com
  • www.pantip.com
  • www.pc1news.com
  • www.pcentraide.com
  • www.pcguide.com
  • www.pchell.com
  • www.pchelpforum.com
  • www.pcsupportadvisor.com
  • www.pctools.com
  • www.pcwelt.de
  • www.pcworld.com
  • www.personal.psu.edu
  • www.personalfirewall.comodo.com
  • www.pinoyden.com
  • www.pinoyhackers.com
  • www.pinoytambaygroup.com
  • www.precisesecurity.com
  • www.prevx.com
  • www.protecus.de
  • www.psicofxp.com
  • www.quickheal.co.in
  • www.raymond.cc
  • www.regrun.com
  • www.resplendence.com
  • www.rising.com
  • www.rising.com.cn
  • www.rolandovera.com
  • www.rootkit.com
  • www.rootkit.nl
  • www.rss-verzeichnis.de
  • www.runscanner.net
  • www.safer-networking.org
  • www.sandboxie.com
  • www.securitynewsportal.com
  • www.securitystronghold.com
  • www.securitywonks.net
  • www.sergiwa.com
  • www.shitit.net
  • www.siteadvisor.com
  • www.smokey-services.eu
  • www.soccersuck.com
  • www.softonic.com
  • www.sophos.com
  • www.spamhaus.org
  • www.spyany.com
  • www.spybot.info
  • www.spybotupdates.com
  • www.spychecker.com
  • www.spywarecease.com
  • www.spywaredb.com
  • www.spywaredemon.com
  • www.spywarefri.dk
  • www.spywareinfo.com
  • www.spywareremovalblog.com
  • www.spywareterminator.com
  • www.sunbeltsecurity.com
  • www.sunbeltsoftware.com
  • www.superadblocker.com
  • www.superantispyware.com
  • www.superdicas.com.br
  • www.superuser.co.kr
  • www.symantec.com
  • www.sysinternals.com
  • www.sz-pet.com
  • www.tallemu.com
  • www.tanya-it.com
  • www.taringa.net
  • www.techimo.com
  • www.techspot.com
  • www.techsupportforum.com
  • www.tecno-soft.com
  • www.thaicert.org
  • www.thailandsusu.com
  • www.thaivisa.com
  • www.thecomputerpitstop.com
  • www.thehelper.net
  • www.thetechguide.com
  • www.thinkpad.cn
  • www.threatexpert.com
  • www.tongjimba.com
  • www.tpu.ro
  • www.trendmicro.com
  • www.trendsecure.com
  • www.trojaner-board.de
  • www.trucoswindows.es
  • www.trucoswindows.net
  • www.tweaksforgeeks.com
  • www.ulop.net
  • www.unhackme.com
  • www.usbcleaner.cn
  • www.utilidades-utiles.com
  • www.velocidadmaxima.com
  • www.vietcaravan.us
  • www.viprasys.org
  • www.virscan.org
  • www.virus-com.com
  • www.viruschief.com
  • www.virusdoctor.jp
  • www.viruslist.com
  • www.virusspy.com
  • www.virustotal.com
  • www.vivalared.com
  • www.vsantivirus.com
  • www.vupen.com
  • www.webimmune.net
  • www.webphand.com
  • www.webroot.com
  • www.whatthetech.com
  • www.wikio.es
  • www.wilderssecurity.com
  • www.winbots.es
  • www.windowexe.com
  • www.worton.com
  • www.xmarks.com
  • www.yoreparo.com
  • www.ziggamza.net
  • www.zonavirus.com
  • www.zone-it.com
  • www.zonealarm.com
  • www.zyzoom.org
  • www2.gmer.net
  • www3.malekal.com
  • wwww.experts-exchange.com
  • wwww.mcafee.com
  • x.360safe.com
  • yourartmuseum.com
  • z-oleg.com
  • zastita.com
  • zenovy.com
  • zhidao.baidu.com
  • zhidao.ikaka.com
  • zone.arminboutique.com
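
The list above is how the worm cuts the victim off from vendor update servers, online scanners and help forums. The following PowerShell is an added example, not code from the page or from Trend Micro: it lists every HOSTS mapping that is not one of the stock loopback names, and provides the removal that Step 5 of the Solution section describes, backed by a copy of the file. The sample lines are constructed (the page does not say which address the worm maps the names to; 127.0.0.1 is assumed here), and the live-file path is the standard %SystemRoot%\System32\drivers\etc\hosts.

```powershell
# Added example (not from the page): audit and clean HOSTS-file redirections.
function Get-HostsEntries {
    param([string[]]$Lines)
    # Names a stock Windows HOSTS file maps; any other mapping was added by something.
    $stock = @('localhost', 'localhost.localdomain', 'broadcasthost', 'ip6-localhost', 'ip6-loopback')
    foreach ($raw in $Lines) {
        $text = ($raw -split '#', 2)[0].Trim()          # strip comments
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }           # malformed line, nothing mapped
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($stock -notcontains $name.ToLower()) {
                [pscustomobject]@{ Address = $fields[0]; Name = $name; Line = $raw }
            }
        }
    }
}

function Remove-HostsEntries {
    param([string]$Path, [string[]]$Names)
    $Names = $Names | ForEach-Object { $_.ToLower() }
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep a copy before editing
    $kept = Get-Content -LiteralPath $Path | Where-Object {
        $line = $_
        # Drop the line if any name on it is in the removal list; keep everything else verbatim.
        $hit = Get-HostsEntries -Lines @($line) | Where-Object { $Names -contains $_.Name.ToLower() }
        -not $hit
    }
    Set-Content -LiteralPath $Path -Value $kept -Encoding ASCII
}

# Constructed sample: a stock XP-style HOSTS file plus three of the names the page lists.
# The page does not say which address the worm uses; 127.0.0.1 is assumed here.
$sample = @(
    '# Copyright (c) 1993-1999 Microsoft Corp.',
    '127.0.0.1       localhost',
    '127.0.0.1 www.malwarebytes.org',
    '127.0.0.1 download.microsoft.com housecall.trendmicro.com',
    '::1 localhost'
)
Get-HostsEntries -Lines $sample | Format-Table -AutoSize

# Against the live file (elevated prompt); extend -Names with the full list above.
# $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Remove-HostsEntries -Path $hosts -Names @('www.malwarebytes.org', 'download.microsoft.com', 'housecall.trendmicro.com')
```

On the sample, the audit reports www.malwarebytes.org, download.microsoft.com and housecall.trendmicro.com and nothing else, because both localhost lines are stock. The removal keeps the original file as hosts.bak and drops only lines that carry a listed name, so an administrator's own entries survive; a line mapping a listed name together with a legitimate one is dropped whole, which is the safer failure for an infected machine.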

Download Routine

This worm downloads an updated copy of itself from the following Web site(s):

  • http://{BLOCKED}3xme1fucan.com/net/debug2.zip
  • http://{BLOCKED}.s3xme1fucan.com/net/debug2.zip

Other Details

This worm creates the following mutex(es) to ensure that only one instance of itself is running in memory:

  • muipcdraotse
  • V8x

It connects to the following URL(s) to send and receive commands from a remote malicious user:

  • http://{BLOCKED}.{BLOCKED}.74.40/net/debug2.txt

It modifies the following registry entry(ies) to hide files with Hidden attributes:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\SuperHidden
CheckedValue = "1"

(Note: The default value data for the said registry entry is 0.)

It terminates antivirus-related processes.

Affected Platforms

This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.


Analysis By: Karl Dominguez

Revision History:

First pattern file version: 7.736.04
First pattern file release date: Dec 29, 2010

SOLUTION


Minimum scan engine version needed: 8.900

Pattern file needed: 7.769.00

Pattern release date: Jan 14, 2011


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Step 1: Identify and delete files detected as WORM_RIXOBOT.A using Recovery Console

Step 2: Delete these registry values

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows NT\CurrentVersion\AppCompatFlags\
    Layers
    • {malware path and filename} = "DisableNXShowUI"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows NT\CurrentVersion\Image File Execution Options\
    conime.exe
    • Debugger = "MsCjClient.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows NT\CurrentVersion\SystemRestore
    • DisableSR = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows\CurrentVersion\Explorer\
    Advanced
    • Hidden = "2"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows\CurrentVersion\Run
    • conime.exe = "conime.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
    Microsoft\MRT
    • DontReportInfectionInformation = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
    Microsoft\Windows NT\SystemRestore
    • DisableConfig = "1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Services\SharedAccess\Parameters\
    FirewallPolicy\DomainProfile\AuthorizedApplications\
    List
    • {malware path and filename} = "{malware path and filename}:*:Enabled:LAN Router"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Services\SharedAccess\Parameters\
    FirewallPolicy\StandardProfile\AuthorizedApplications\
    List
    • {malware path and filename} = "{malware path and filename}:*:Enabled:LAN Router"

Step 3: Delete this registry key

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows NT\CurrentVersion\Image File Execution Options
    • conime.exe

Step 4: Restore this modified registry value

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows\CurrentVersion\Explorer\
    Advanced\Folder\SuperHidden
    • From: CheckedValue = "1"
      To: CheckedValue = "0"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Services\wscsvc
    • From: Start = "4"
      To: Start = "2"

 Step 5: Remove these strings added by the malware/grayware/spyware in the HOSTS file

  • 13iii.com
  • acs.pandasoftware.com
  • ad-aware-se.uptodown.com
  • ad.harrenmedianetwork.com
  • ad13.geekstogo.com
  • aknow.prevx.com
  • alerta-antivirus.inteco.es
  • alerta-antivirus.red.es
  • alfrasha.maktoob.com
  • andymanchesta.com
  • anggiawan.web.id
  • angui123.cn
  • answers.yahoo.com
  • anti-virus-software-review.toptenreviews.com
  • antitrick.com
  • antonbi.web.id
  • ar.answers.yahoo.com
  • ariefew.com
  • artsoftdesign.com
  • atazita.blogspot.com
  • avast-home.uptodown.com
  • avg.vo.llnwd.net
  • ba-k.com
  • baike.360.cn
  • baike.360.com
  • banes-pages.blogspot.com
  • bb1.th3kings.net
  • bbs.360safe.cn
  • bbs.360safe.com
  • bbs.cfan.com.cn
  • bbs.duba.net
  • bbs.ikaka.com
  • bbs.kafan.cn
  • bbs.kafan.com
  • bbs.kaspersky.com.cn
  • bbs.kpfans.com
  • bbs.s-sos.net
  • bbs.taisha.org
  • bbs.winzheng.com
  • beniono.wordpress.com
  • beta.eset.com
  • bisnismudahsaja.blogspot.com
  • blog.hispasec.com
  • blog.rnsafe.com
  • blog.threatfire.com
  • blogs.icerocket.com
  • blokvesti.net
  • board.protecus.de
  • board.softpedia.com
  • boardreader.com
  • bokwer.com
  • bub.th3kings.net
  • ca.answers.yahoo.com
  • cairopt.net
  • cert.inteco.es
  • changelog.fr
  • cit.kookmin.ac.kr
  • club.myce.com
  • cmmings.cn
  • codehard.wordpress.com
  • cofradia.org
  • community.mcafee.com
  • community.norton.com
  • community.thaiware.com
  • comprolive.com
  • comprolive.vox.com
  • computadoras.migold.com
  • comunidad.wilkinsonpc.com.co
  • customer.symantec.com
  • danielorza.net
  • darkzone.in.th
  • debates.motos.net
  • deckard.geekstogo.com
  • destavision-forum.com
  • devbuilds.kaspersky-labs.com
  • devirusare.com
  • diamondcs.com.au
  • discussions.virtualdr.com
  • dl.360safe.com
  • dl2.agnitum.com
  • dlpe.antivir.com
  • dnl-eu8.kaspersky-labs.com
  • down.360safe.cn
  • down.360safe.com
  • down.www.kingsoft.com
  • download.bleepingcomputer.com
  • download.eset.com
  • download.f-secure.com
  • download.mcafee.com
  • download.microsoft.com
  • download.nai.com
  • download.sysinternals.com
  • download.zonealarm.com
  • downloads.andymanchesta.com
  • downloads.malwarebytes.org
  • downloads.novirusthanks.org
  • downloads.sophos.com
  • dr-web-cureit.softonic.com
  • egavisa.blogspot.com
  • es.answers.yahoo.com
  • es.kioskea.net
  • es.mcafee.com
  • es.trendmicro-europe.com
  • es.wasalive.com
  • esetnod32antivirus.blogspot.com
  • espanol.answers.yahoo.com
  • espanol.dir.groups.yahoo.com
  • espanol.groups.yahoo.com
  • fgp.e2doo.com
  • fgsite.com
  • file.ikaka.cn
  • file.ikaka.com
  • files.filefont.com
  • fineartschance.com
  • fixmyim.com
  • foro.el-hacker.com
  • foro.elhacker.net
  • foro.ethek.com
  • foro.infiernohacker.com
  • foro.msgpluslive.es
  • foro.noticias3d.com
  • foro.portalhacker.net
  • foros.3dgames.com.ar
  • foros.abcdatos.com
  • foros.mcanime.net
  • foros.softonic.com
  • foros.toxico-pc.com
  • foros.zonavirus.com
  • forospyware.com
  • forum.aiutamici.com
  • forum.antivir-pe.de
  • forum.antivirus365.net
  • forum.avast.com
  • forum.avira.com
  • forum.avira.de
  • forum.bullguard.com
  • forum.burek.com
  • forum.chip.de
  • forum.clubedohardware.com.br
  • forum.dobreprogramy.pl
  • forum.drweb.com
  • forum.gsmhosting.com
  • forum.hardware.fr
  • forum.hijackthis.de
  • forum.hocit.com
  • forum.kaspersky.com
  • forum.kasperskyclub.com
  • forum.lowyat.net
  • forum.lrytas.lt
  • forum.malekal.com
  • forum.p30world.com
  • forum.piriform.com
  • forum.programosy.pl
  • forum.romeonet.ro
  • forum.securitycadets.com
  • forum.skype.com
  • forum.smadav.net
  • forum.softpedia.com
  • forum.swzone.it
  • forum.sysinternals.com
  • forum.telecharger.01net.com
  • forum.torrents.ro
  • forum.tweaks.com
  • forum.zazana.com
  • forum.zebulon.fr
  • forums.afterdawn.com
  • forums.avg.com
  • forums.cnet.com
  • forums.comodo.com
  • forums.devshed.com
  • forums.eternion-wow.com
  • forums.maddoktor2.com
  • forums.malwarebytes.org
  • forums.overclockzone.com
  • forums.techguy.org
  • forums.whatthetech.com
  • forums.zonealarm.com
  • free.antivirus.com
  • free.avg.com
  • front.prevx.com
  • ftp.drweb.com
  • ftp.f-secure.com
  • ftp.pcpitstop.com
  • ftp01net.telechargement.fr
  • golpe.dyndns.org
  • gotoknow.org
  • greatis.com
  • gulaley.blogspot.com
  • guru.avg.com
  • guru0.grisoft.cz
  • guru1.grisoft.cz
  • guru2.grisoft.cz
  • guru3.grisoft.cz
  • guru4.grisoft.cz
  • guru5.grisoft.cz
  • hana-ahmad.blogspot.com
  • harrenmedianetwork.com
  • heavenward.ru
  • hi.baidu.com
  • hijackthis.download3000.com
  • hjt-data.trend-braintree.com
  • hjt.networktechs.com
  • housecall.trendmicro.com
  • housecall65.trendmicro.com
  • images.malwareremoval.com
  • in.answers.yahoo.com
  • info.prevx.com
  • inspiresoft.blogspot.com
  • irc.ekizmedia.com
  • irc.evoporn.com
  • irc.snahosting.net
  • it.answers.yahoo.com
  • justfane.blogspot.com
  • k2r.th3kings.net
  • kaba.360.cn
  • kaba.360.com
  • kaspersky.com
  • kb.eset.com
  • kr.ahnlab.com
  • ladooscuro.es
  • lexikon.ikarus.at
  • linhadefensiva.uol.com.br
  • liveupdate.symantec.com
  • liveupdate.symantecliveupdate.com
  • lurker.clamav.net
  • mailcenter.rising.com
  • mailcenter.rising.com.cn
  • majorgeeks.com
  • malekal.com
  • malwarebytes-anti-malware.softonic.com
  • malwarebytes.org
  • mast.mcafee.com
  • melcy.wordpress.com
  • mks.com.pl
  • modelayu.com
  • msncleaner.softonic.com
  • msnfix.changelog.fr
  • msntubers.freehostia.com
  • mustlovewine.com
  • mvps.org
  • mx.answers.yahoo.com
  • myantispyware.com
  • new.taringa.net
  • news.support.veritas.com
  • nitroamd.spaces.live.com
  • nod32-antivirus.en.softonic.co
  • ntfaq.co.kr
  • oldtimer.geekstogo.com
  • onecare.live.com
  • oolbar.cyberdefender.com
  • ot-indo.blogspot.com
  • p3dev.taringa.net
  • pastebin.com
  • pcvids.wordpress.com
  • pogonyuto.forospanish.com
  • poolcoversite.com
  • positiveroot.wordpress.com
  • psychoski.blogspot.com
  • quickscan.bitdefender.com
  • rareartonline.com
  • regfixerror.pctools.revenuewire.net
  • research.pandasecurity.com
  • research.sunbelt-software.com
  • rootrepeal.googlepages.com
  • rootrepeal.psikotick.com
  • sabithpocker.blogspot.com
  • safecomputing.umn.edu
  • samroeng.hi5.com
  • sapcupgrades.com
  • scanner.virus.org
  • search.mcafee.com
  • secubox.aldria.com
  • secunia.com
  • secure.sophos.com
  • security.symantec.com
  • securityresponse.symantec.com
  • securitywonks.net
  • service1.symantec.com
  • sf.tapuz.co.il
  • share.skype.com
  • shield.prevx.com
  • shitit.net
  • shop.symantecstore.com
  • shv4.ath.cx
  • simplyrudz.blogspot.com
  • sip4.voipkosovasite.com
  • sis-admin.blogspot.com
  • smadaver.com
  • sniff.runescapetube.com
  • social.answers.microsoft.com
  • social.microsoft.com
  • software-files.download.com
  • softwaresecuritysolutions.com
  • solit.us
  • somostuyyounnuevodiaoficial.obolog.com
  • sophos.com
  • sopiansantosa.blogspot.com
  • sosvirus.changelog.fr
  • spywarefiles.prevx.com
  • spywarehammer.com
  • static.commentcamarche.net
  • stdio-labs.blogspot.com
  • store.norton.com
  • story.dnsentrymx.com
  • subs.geekstogo.com
  • support.emsisoft.com
  • support.f-secure.com
  • support.kaspersky.com
  • swandog46.geekstogo.com
  • tech.pantip.com
  • thaicert.nectec.or.th
  • thailand.itmylike.com
  • thedudesemo.blogspot.com
  • thejokerx.blogspot.com
  • topsy.com
  • trbotnet.sytes.net
  • trialware.norton.com
  • uk.answers.yahoo.com
  • universomanualidades.foroactivo.com
  • update.360safe.cn
  • update.360safe.com
  • update.symantec.com
  • updatem.360safe.cn
  • updatem.360safe.com
  • upload.changelog.fr
  • us.mcafee.com
  • us3.download.comodo.com
  • us4.download.comodo.com
  • usa.kaspersky.com
  • v.dreamwiz.com
  • vaksin.com
  • vil.nai.com
  • vil.nail.com
  • virscan.org
  • virusinfo.info
  • virusinfo.prevx.com
  • wakoopa.com
  • wap.elakiri.com
  • wasteland-bg.com
  • wenwen.soso.com
  • whois.domaintools.com
  • www.2-spyware.com
  • www.247fixes.com
  • www.360.cn
  • www.360.com
  • www.360safe.cn
  • www.360safe.com
  • www.365groups.com
  • www.4-gsmteam.com
  • www.51nb.com
  • www.abgenis.net
  • www.alabamawomen.org
  • www.analysis.seclab.tuwien.ac.at
  • www.antirootkit.com
  • www.antivir.es
  • www.antivirus.about.com
  • www.antivirus.comodo.com
  • www.arenajunkies.com
  • www.arswp.com
  • www.askmehelpdesk.com
  • www.auditmypc.com
  • www.avast.com
  • www.avg-antivirus.net
  • www.avira.com
  • www.avp.com
  • www.avpclub.ddns.info
  • www.avsoft.ru
  • www.babooforum.com.br
  • www.bakunos.com
  • www.betterantivirus.com
  • www.bitdefender.com
  • www.bitdefender.es
  • www.bleedingthreats.net
  • www.bleepingcomputer.com
  • www.blindedbytech.com
  • www.blogschapines.com
  • www.bloodzone.net
  • www.box.net
  • www.ca.com
  • www.carigold.com
  • www.castlecops.com
  • www.castlecrops.com
  • www.cddchiangmai.net
  • www.cfan.com.cn
  • www.changedetection.com
  • www.chkrootkit.org
  • www.cisrt.org
  • www.clamav.net
  • www.clamwin.com
  • www.clubic.com
  • www.codelain.com
  • www.com-th.net
  • www.commentcamarche.net
  • www.computerforum.com
  • www.computerhilfen.de
  • www.computing.net
  • www.configurarequipos.com
  • www.corozilla.net
  • www.cwsandbox.org
  • www.cyberdefender.com
  • www.cybertechhelp.com
  • www.daboweb.com
  • www.daniweb.com
  • www.darkclockers.com
  • www.dazhizhu.cn
  • www.decido.de
  • www.devirusare.com
  • www.dicasweb.com.br
  • www.dl4all.com
  • www.dougknox.com
  • www.downtr.net
  • www.drweb.com.es
  • www.duba.net
  • www.eeload.com
  • www.el-hacker.com
  • www.elakiri.com
  • www.elektroda.pl
  • www.elguruinformatico.com
  • www.elhacker.org
  • www.elitepvpers.de
  • www.eliters.com
  • www.emsisoft.com
  • www.emsisoft.de
  • www.eradicatespyware.net
  • www.eset-la.com
  • www.eset.com
  • www.eset.eu
  • www.eudict.com
  • www.ewido.net
  • www.experts-exchange.com
  • www.f-prot.com
  • www.f-secure.com
  • www.faravirusi.com
  • www.feedage.com
  • www.file.net
  • www.fileresearchcenter.com
  • www.final4ever.com
  • www.firewallguide.com
  • www.fixya.com
  • www.forofantasiasmiguel.com
  • www.forospanish.com
  • www.forospyware.com
  • www.forospyware.es
  • www.fortiguardcenter.com
  • www.fortinet.com
  • www.forum.kaspersky.com
  • www.forums.majorgeeks.com
  • www.free-av.com
  • www.free.avg.com
  • www.free.grisoft.com
  • www.freedrweb.com
  • www.freefixer.com
  • www.freespywareremoval.info
  • www.freshwap.net
  • www.ftw.ro
  • www.funkytoad.com
  • www.futurenow.bitdefender.com
  • www.gamexeon.com
  • www.geekpolice.net
  • www.geekstogo.com
  • www.gmer.net
  • www.greatis.com
  • www.grisoft.com
  • www.groupwhere.org
  • www.gsmph.com
  • www.gsmph.net
  • www.guiadohardware.net
  • www.gyakorikerdesek.hu
  • www.hijackthis.de
  • www.hotshare.net
  • www.housecall.trendmicro.com
  • www.huaifai.go.th
  • www.hvaonline.net
  • www.identi.es
  • www.ikaka.cn
  • www.ikaka.com
  • www.ikarus.net
  • www.incodesolutions.com
  • www.indowebster.web.id
  • www.infos-du-net.com
  • www.infosecpodcast.com
  • www.infospyware.com
  • www.ipaddresser.com
  • www.ixtorrent.com
  • www.jackbloodforum.com
  • www.javacoolsoftware.com
  • www.javacoolsoftware.net
  • www.jbtalks.cc
  • www.jiwang.org
  • www.judj.com
  • www.jvme.com
  • www.k7computing.com
  • www.kaldata.com
  • www.kaskus.us
  • www.kaspersky-labs.com
  • www.kaspersky.com
  • www.kaspersky.es
  • www.killtrojan.net
  • www.kosandpol.elakiri.com
  • www.krupunmai.com
  • www.kztechs.com
  • www.laneros.com
  • www.latest-virus.com
  • www.lavasoft.com
  • www.leforo.com
  • www.linhadefensiva.org
  • www.linkmania.ro
  • www.looktr.com
  • www.malekal.com
  • www.malwarebytes.org
  • www.malwarecrypt.com
  • www.malwareremoval.com
  • www.manuelruvalcaba.com
  • www.mcafee.com
  • www.mcanime.net
  • www.Merijn.org
  • www.messengeradictos.com
  • www.misec.net
  • www.mostz.com
  • www.mozilla-hispano.org
  • www.msnvirusremoval.com
  • www.mvps.org
  • www.mxttchina.com
  • www.mycity.rs
  • www.mypcsafe.com
  • www.nabble.com
  • www.net-security.org
  • www.networkworld.com
  • www.nhatnghe.com
  • www.norman.com
  • www.offensivecomputing.net
  • www.onlinescan.avast.com
  • www.oprekpc.com
  • www.ozzu.com
  • www.pandasecurity.com
  • www.pantip.com
  • www.pc1news.com
  • www.pcentraide.com
  • www.pcguide.com
  • www.pchell.com
  • www.pchelpforum.com
  • www.pcsupportadvisor.com
  • www.pctools.com
  • www.pcwelt.de
  • www.pcworld.com
  • www.personal.psu.edu
  • www.personalfirewall.comodo.com
  • www.pinoyden.com
  • www.pinoyhackers.com
  • www.pinoytambaygroup.com
  • www.precisesecurity.com
  • www.prevx.com
  • www.protecus.de
  • www.psicofxp.com
  • www.quickheal.co.in
  • www.raymond.cc
  • www.regrun.com
  • www.resplendence.com
  • www.rising.com
  • www.rising.com.cn
  • www.rolandovera.com
  • www.rootkit.com
  • www.rootkit.nl
  • www.rss-verzeichnis.de
  • www.runscanner.net
  • www.safer-networking.org
  • www.sandboxie.com
  • www.securitynewsportal.com
  • www.securitystronghold.com
  • www.securitywonks.net
  • www.sergiwa.com
  • www.shitit.net
  • www.siteadvisor.com
  • www.smokey-services.eu
  • www.soccersuck.com
  • www.softonic.com
  • www.sophos.com
  • www.spamhaus.org
  • www.spyany.com
  • www.spybot.info
  • www.spybotupdates.com
  • www.spychecker.com
  • www.spywarecease.com
  • www.spywaredb.com
  • www.spywaredemon.com
  • www.spywarefri.dk
  • www.spywareinfo.com
  • www.spywareremovalblog.com
  • www.spywareterminator.com
  • www.sunbeltsecurity.com
  • www.sunbeltsoftware.com
  • www.superadblocker.com
  • www.superantispyware.com
  • www.superdicas.com.br
  • www.superuser.co.kr
  • www.symantec.com
  • www.sysinternals.com
  • www.sz-pet.com
  • www.tallemu.com
  • www.tanya-it.com
  • www.taringa.net
  • www.techimo.com
  • www.techspot.com
  • www.techsupportforum.com
  • www.tecno-soft.com
  • www.thaicert.org
  • www.thailandsusu.com
  • www.thaivisa.com
  • www.thecomputerpitstop.com
  • www.thehelper.net
  • www.thetechguide.com
  • www.thinkpad.cn
  • www.threatexpert.com
  • www.tongjimba.com
  • www.tpu.ro
  • www.trendmicro.com
  • www.trendsecure.com
  • www.trojaner-board.de
  • www.trucoswindows.es
  • www.trucoswindows.net
  • www.tweaksforgeeks.com
  • www.ulop.net
  • www.unhackme.com
  • www.usbcleaner.cn
  • www.utilidades-utiles.com
  • www.velocidadmaxima.com
  • www.vietcaravan.us
  • www.viprasys.org
  • www.virscan.org
  • www.virus-com.com
  • www.viruschief.com
  • www.virusdoctor.jp
  • www.viruslist.com
  • www.virusspy.com
  • www.virustotal.com
  • www.vivalared.com
  • www.vsantivirus.com
  • www.vupen.com
  • www.webimmune.net
  • www.webphand.com
  • www.webroot.com
  • www.whatthetech.com
  • www.wikio.es
  • www.wilderssecurity.com
  • www.winbots.es
  • www.windowexe.com
  • www.worton.com
  • www.xmarks.com
  • www.yoreparo.com
  • www.ziggamza.net
  • www.zonavirus.com
  • www.zone-it.com
  • www.zonealarm.com
  • www.zyzoom.org
  • www2.gmer.net
  • www3.malekal.com
  • wwww.experts-exchange.com
  • wwww.mcafee.com
  • x.360safe.com
  • yourartmuseum.com
  • z-oleg.com
  • zastita.com
  • zenovy.com
  • zhidao.baidu.com
  • zhidao.ikaka.com
  • zone.arminboutique.com

 Step 6: Search and delete AUTORUN.INF files created by WORM_RIXOBOT.A that contain these strings

    [Autorun]
    open=~temp\63643.exe
    icon=%windir%\system32\SHELL32.dll,8
    action=Open folder to view files using Windows Explorer
    shell\open=Open
    shell\open\command=~temp\63643.exe
    shell\open\default=1
    shell\explore=Explore
    shell\explore\command=~temp\63643.exe
    shell\search=Search...
    shell\search\command=~temp\63643.exe
    useautoplay=1

 Step 7: Scan your computer with your Trend Micro product to delete files detected as WORM_RIXOBOT.A  

*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

 Step 8: Restore this registry value from backup  

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Control\SafeBoot\Minimal

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
    Control\SafeBoot\Network
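The removal steps above name the registry values, HOSTS entries and AUTORUN.INF strings this worm leaves behind. Before editing anything by hand, it helps to know which of those indicators are actually present on the machine. The script below is an added example, not a Trend Micro tool or part of this advisory: it is a read-only audit that checks each indicator from Steps 2 to 6 and reports what it finds, without changing the registry, the HOSTS file or any drive. It assumes an elevated PowerShell 2.0 or later session, and the HOSTS check uses a small subset of the Step 5 domains chosen for this example (any other active HOSTS entry is listed for manual comparison against the full Step 5 list).

```powershell
# Added example (not Trend Micro's own tool): read-only audit of the
# WORM_RIXOBOT.A indicators listed in the removal steps. Changes nothing.
# Assumes an elevated PowerShell 2.0+ session on the affected machine.

$findings = New-Object System.Collections.Generic.List[string]

# Report when a registry value holds exactly the value the worm writes.
function Test-MalwareRegValue {
    param([string]$Path, [string]$Name, [string]$BadValue, [string]$Why)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and "$($item.$Name)" -eq $BadValue) {
        $findings.Add("$Why -> $Path\$Name = $BadValue")
    }
}

# Persistence: IFEO debugger hijack and Run key (Steps 2 and 3).
Test-MalwareRegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe' 'Debugger' 'MsCjClient.exe' 'IFEO debugger hijack of conime.exe'
Test-MalwareRegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'conime.exe' 'conime.exe' 'Run-key autostart'

# Defense evasion: System Restore, Security Center, MRT reporting, hidden-file view (Steps 2 and 4).
# For Step 4 entries the "From" value is what the worm wrote, so that is what we look for.
Test-MalwareRegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' 'DisableSR' '1' 'System Restore disabled'
Test-MalwareRegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' 'DisableConfig' '1' 'System Restore configuration locked'
Test-MalwareRegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc' 'Start' '4' 'Security Center service (wscsvc) disabled'
Test-MalwareRegValue 'HKLM:\SOFTWARE\Policies\Microsoft\MRT' 'DontReportInfectionInformation' '1' 'MRT infection reporting suppressed'
Test-MalwareRegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden' 'CheckedValue' '1' 'Protected OS files kept hidden'

# Firewall exceptions the worm registers under the label "LAN Router" (Step 2).
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $list = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile\AuthorizedApplications\List"
    if (Test-Path -LiteralPath $list) {
        $key = Get-Item -LiteralPath $list
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if ($value -like '*:Enabled:LAN Router') { $findings.Add("Firewall exception ($profile) -> $name = $value") }
        }
    }
}

# HOSTS file (Step 5): flag active entries for a sample of the blocked sites
# (subset chosen for this example) and list every other non-localhost entry
# so it can be compared against the full Step 5 list by hand.
$blockedSample = @('www.trendmicro.com', 'housecall.trendmicro.com', 'www.symantec.com',
                   'www.kaspersky.com', 'www.malwarebytes.org', 'download.microsoft.com', 'onecare.live.com')
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hostsPath) {
    foreach ($line in Get-Content -LiteralPath $hostsPath) {
        $entry = ($line -split '#')[0].Trim()            # drop comments and padding
        if ($entry -eq '') { continue }
        $parts = $entry -split '\s+'
        if ($parts.Length -lt 2) { continue }
        $hostname = $parts[1].ToLowerInvariant()
        if (@('localhost', 'localhost.localdomain') -contains $hostname) { continue }
        if ($blockedSample -contains $hostname) { $findings.Add("HOSTS redirect of security site -> $entry") }
        else { $findings.Add("HOSTS entry to review against Step 5 -> $entry") }
    }
}

# Removable drives (Step 6): AUTORUN.INF that launches the dropped copy.
foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
    if ($drive.DriveType -ne [System.IO.DriveType]::Removable -or -not $drive.IsReady) { continue }
    $autorun = Join-Path $drive.RootDirectory.FullName 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $text = Get-Content -LiteralPath $autorun -ErrorAction SilentlyContinue | Out-String
        if ($text -match '(?i)63643\.exe') { $findings.Add("AUTORUN.INF on $($drive.Name) launches ~temp\63643.exe") }
    }
}

if ($findings.Count -eq 0) { 'No WORM_RIXOBOT.A indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it once before cleanup to record which indicators are present, then again after completing Steps 2 to 8 to confirm nothing was missed. Because it only reads, it is also safe to run across a fleet to find other machines carrying the same IFEO hijack or firewall exception.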
