
Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO

Tuesday, October 21, 2008

win32.USBworm Heap41a

Source
Whenever an infected user tries to open Firefox, a message pops up:

"USE INTERNET EXPLORER YOU DOPE" "I DNT HATE MOZILLA BUT USE IE OR ELSE...".
When they try to access Orkut.com, this is the message that pops up:
"Orkut is banned you fool. The administrators didnt write this program guess who did?? MUHAHAHA!!"
When they try to access Youtube.com, this is the message that pops up:
"Youtube is banned you fool,The administrators didnt write this program guess who did?? MUHAHAHA!!"

This worm is called Heap41a / win32.USBworm. It usually spreads via USB drives.
It runs an executable named MicrosoftPowerpoint.exe located on the USB disk;
the drive's autorun.inf launches this file when the drive is double-clicked.
Once this program is run you are infected. It hides your folders, keeps its
process running in memory, makes the worm start with Windows and pops up
those annoying messages. This worm doesn't destroy any system files. It just
infects other USB drives and spreads to new hosts.
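The infection chain above hinges on autorun.inf naming an executable that Windows runs when the drive is opened. The following script is an added example (not code from the original post or from the removal tool it mentions): it parses an autorun.inf offline and reports what would be launched, so a drive can be checked before it is double-clicked. The sample file contents are constructed to match the behaviour described on the page; the real worm's autorun.inf is not reproduced here.

```python
"""Added example: read a USB drive's autorun.inf and report what Windows
would launch on double-click, without executing anything."""
import configparser
import os
from typing import Optional

# Constructed sample modelled on the page's description (dropper named
# MicrosoftPowerpoint.exe); not the worm's actual file.
SAMPLE_AUTORUN_INF = """[autorun]
open=MicrosoftPowerpoint.exe
shellexecute=MicrosoftPowerpoint.exe
shell\\open\\command=MicrosoftPowerpoint.exe
shell\\explore\\command=MicrosoftPowerpoint.exe
icon=MicrosoftPowerpoint.exe,0
"""

# autorun.inf keys that cause a program to run (real INF key names).
LAUNCH_KEYS = (
    "open",
    "shellexecute",
    "shell\\open\\command",
    "shell\\explore\\command",
)


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a lower-cased key -> value dict.
    Malformed or section-less input yields an empty dict."""
    parser = configparser.ConfigParser(
        interpolation=None,   # '%' in values must not be expanded
        strict=False,         # tolerate duplicate keys, common in hand-made files
        delimiters=("=",),
    )
    parser.optionxform = str.lower  # INF keys are case-insensitive
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    if not parser.has_section("autorun"):
        return {}
    return dict(parser.items("autorun"))


def launched_programs(entries: dict) -> list:
    """Distinct programs the launch keys would execute, in key order."""
    seen = []
    for key in LAUNCH_KEYS:
        value = entries.get(key, "").strip()
        if value and value not in seen:
            seen.append(value)
    return seen


def is_suspicious(entries: dict) -> bool:
    """A plain data drive should launch nothing; any .exe target is a red flag."""
    return any(p.lower().endswith(".exe") for p in launched_programs(entries))


def inspect_drive(root: str) -> Optional[dict]:
    """Read <root>/autorun.inf from a mounted drive (e.g. 'E:\\\\') read-only.
    Returns None when the drive has no autorun.inf."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return parse_autorun(fh.read())


if __name__ == "__main__":
    entries = parse_autorun(SAMPLE_AUTORUN_INF)
    print("would launch:", launched_programs(entries))
    print("suspicious:", is_suspicious(entries))
```

Pass a real drive root to `inspect_drive()` to check a plugged-in stick; the script only reads the file, so it is safe to run against a drive you suspect is infected, provided you do not open the drive in Explorer first.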

A brilliant techie named Sarath Lakshman from Kerala has developed a solution for this worm.
His solution is a virus removal tool, and you can find more info on virus removal on his web page.
After cleaning the worm from your PC, don't forget to format your USB drive, otherwise your PC will get reinfected.
Another method to clean the spyware:

(It's better to take a printout or write these steps down on paper.)
Step.1: Download and install necessary tools
Step.2: Inactivate the Process.
Step.3: Clean the Card.
Step.4: Clean the PC.


Step.1: Download and install necessary tools
You have already downloaded and installed the AnVir Task Manager.
Now you need to download two more tools.
1. Download Flash Disinfector for the USB drive.

Save that file in an easily accessible place. There is no need to install it; you can run it later from that file itself.
2. Download, install and fully update SpyBot S&D.

And don't forget to restart your PC after cleaning the virus.
At the time of installation, it will ask whether you want to back up your
registry. DON'T BACK UP YOUR REGISTRY, as your registry is already infected.
Select No when you see that. After installation, update it and close it. We
will scan later.
We need these tools in Steps 3 & 4.

Step.2: Inactivate the Process.
Phase.A
Open the same "AnVir Task Manager".
Click on "Startup".
Select the entry "OfcpfwSvcs.exe".
Uncheck (remove the tick mark from) the box next to it.
A message box will then open asking you:
"Disable OfcpfwSvcs.exe?"
Check (add a tick mark to) both the boxes below it and press "Ok".

Phase.B
Go to Windows XP Safe Mode.
Windows XP Safe Mode is a special mode in which only selected system applications run at startup.
That means the spyware won't autorun in Safe Mode.
To go to Safe Mode:
* If the computer is running, shut down Windows, and then turn off the power.
* Wait 30 seconds, and then turn the computer on.
* Start tapping the F8 key. The Windows Advanced Options Menu
appears. If you begin tapping the F8 key too soon, some computers
display a "keyboard error" message. To resolve this, restart the
computer and try again.
* Ensure that the Safe Mode option is selected.
* Press Enter. The computer then begins to start in Safe Mode.
* Sign in on your usual account if you have enabled one.
After Windows XP starts in Safe Mode it will look blurred; don't worry, that is how Safe Mode looks.
While we are in Safe Mode, we will do Step.3 & Step.4.

Step.3: Clean the Card (in Safe Mode).
Now go to the Flash Disinfector exe file which we saved in Step.1.
* Plug the USB drive into your card reader.
* Click on that Flash Disinfector file.
* After the disinfection is done, go to "My Computer", right-click on the USB drive icon and select "Format".
* That will clean the USB drive.


Step.4: Clean the PC (in Safe Mode).
* Now launch SpyBot Search & Destroy.
* Run a scan of your PC.
* Remove all possible threats.

Restart your PC in normal mode, open the Windows Task Manager by pressing
Ctrl+Alt+Delete and check whether the OfcpfwSvcs.exe process is still
there. If it's not there, your PC is clean.
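The final check above is done by eye in Task Manager. As an added example (not part of the original post), the script below does the same check over the CSV output of the Windows `tasklist` command, so it can be repeated on several machines without misreading a long process list. The process names it looks for are the two the page names, OfcpfwSvcs.exe and MicrosoftPowerpoint.exe; the sample CSV is constructed, not a capture from an infected machine.

```python
"""Added example: confirm the worm's process is gone using
`tasklist /FO CSV /NH > procs.csv` output instead of eyeballing Task Manager."""
import csv
import io

# Image names the page associates with the worm, lower-cased for matching.
WORM_PROCESSES = {"ofcpfwsvcs.exe", "microsoftpowerpoint.exe"}

# Constructed sample in the shape of `tasklist /FO CSV /NH`; not a real capture.
SAMPLE_TASKLIST_CSV = '''"System Idle Process","0","Console","0","16 K"
"explorer.exe","1204","Console","0","18,212 K"
"OfcpfwSvcs.exe","1688","Console","0","2,944 K"
"firefox.exe","2012","Console","0","54,120 K"
'''


def parse_tasklist(text: str) -> list:
    """Return (image_name, pid) pairs from tasklist CSV output.
    Works with or without the header row that /NH suppresses."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or row[0] == "Image Name":
            continue  # blank line or header row
        try:
            rows.append((row[0], int(row[1])))
        except ValueError:
            continue  # e.g. an "INFO: ..." message line, not a process row
    return rows


def worm_processes_running(text: str) -> list:
    """Worm-related processes still present, as (name, pid) pairs."""
    return [(name, pid) for name, pid in parse_tasklist(text)
            if name.lower() in WORM_PROCESSES]


def is_clean(text: str) -> bool:
    """True when none of the worm's process names appear in the listing."""
    return not worm_processes_running(text)


if __name__ == "__main__":
    hits = worm_processes_running(SAMPLE_TASKLIST_CSV)
    if hits:
        print("still running:", hits)
    else:
        print("no worm processes found")
```

On the cleaned PC, run `tasklist /FO CSV /NH > procs.csv` from a command prompt, then feed the file's text to `is_clean()`; a `False` result means Step.2 and Step.4 need to be repeated.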
