How it infects the system
When you insert an infected media (which is often a USB drive or something similar)...
- Runs when autoplay is executed -- almost always when you double click the drive's icon
- Writes to the system registry -- so that it starts automatically every time Windows starts
- Drops the executable file (autoregistry.exe) in Windows folder.
How it infects another removable media
- Drops the file autorun.inf -- this file is used by Windows when performing an autorun
- Drops the file autoregistry.exe -- the executable file (the little bugger)
Simplest line of defence
These practices can easily keep your system safe from the little bugger
- Disable the Autoplay feature
- Don't double click a media, use right click instead, then Explore..., an infected media will have Auto in the context menu as its default action, click this and.. well your system will be infected.
- Install and always update your anti-virus - may not be as effective as the first two, especially when they're not updated
Removing from removable media/USB drives
Removal requires some understanding of the system and some command line skills.
1. Terminate running autoregistry.exe process
- Press Ctrl-Alt-Delete to bring up the Task Manager
- Go to the Processes tab and sort the list of processes by Image Name
- Look for autoregistry.exe (if it's not listed, it means that it's not running, just proceed to (2))
- Select the process autoregistry.exe, right click on it, the choose End Process Tree -- this terminates the little bugger and any processes that it had spawned.
- Click Start, then Run...
- Type cmd, the click OK
- this starts the command prompt
- From Windows explorer, identify the drive letter of the removable drive, let's say the removable drive is F:, then, at the command prompt, type F:
- this sets the current drive to the removable drive (in this sample it's F:)
- Type attrib -s -h autorun.inf
- this removes the (S)ystem and (H)idden attribute of the file
- Type del autorun.inf
- this deletes the autorun.inf file
- Type attrib -s -h autoregistry.exe
- this removes the (S)ystem and (H)idden attribute of the file
- Type del autoregistry.exe
- this deletes the autoregistry.exe file
- Type exit
- this closes the command prompt
- Proceed to removal of the infection from the System/PC
Removal requires some understanding of the system and some command line skills.
1. Terminate running autoregistry.exe process
- Press Ctrl-Alt-Delete to bring up the Task Manager
- Go to the Processes tab and sort the list of processes by Image Name
- Look for autoregistry.exe (if it's not listed, it means that it's not running, just proceed to (2))
- Select the process autoregistry.exe, right click on it, the choose End Process Tree -- this terminates the little bugger and any processes that it had spawned.
- Click Start, then Run...
- Type cmd, then click OK
- this starts the command prompt
- Type cd\, then press Enter
- this takes you to the root of the drive (in this case it should be C:\>)
- Type cd Windows, then press Enter
- this takes you to the Windows folder
- Type attrib -s -h autoregistry.exe , then press Enter
- this removes the (S)ystem and (H)idden attributes of the file
- Type del autoregistry.exe , then press Enter
- this deletes the file autoregistry.exe
- Click Start, then Run...
- Type regedit, then click OK
- this starts the Registry Editor
- From the menu, select Edit, then Find...
- Type autoregistry.exe in the Find What text area, then click Find Next
- this searches for the occurrences of the name autoregistry in the registry
- Once found, delete the value by pressing the Del key on your keyboard
- Press F3 to repeat the search for the next occurrence of the the value in the registry
- Keep on searching for the value and deleting the found values until the search has reached the end of the registry
- Detach any removable media
- Be careful, these removable media may have been infected! You clear them first of the infection.
- Restart the computer
No comments:
Post a Comment