Author Topic: W32/USBCasv  (Read 5540 times)


Amker

W32/USBCasv
« on: 16. June 2007., 15:19:33 »
This detection is for a worm that spreads by copying itself to removable media. It is also capable of sending system information from the victim's machine to a remote email address.
Characteristics -


When W32/USBCasv is executed it copies itself to the following folder locations:
%Temp%\s.exe
%SysDir%\odbcasvc.exe

 

The worm installs itself as a Service named 'ODBC Administration Service' by creating the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odbcasvc "DisplayName" = ODBC Administration Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odbcasvc "ImagePath" = C:%SysDir%\odbcasvc.EXE

 

The worm contains its own SMTP engine and therefore is capable of mailing out information about the infected system or user details without the need of an email client such as MS Outlook.
Symptoms -

Presence of the file and registry keys created as mentioned in the characteristics.
Method of Infection -

The worm spreads by copying itself as INFO.EXE in a created folder called Recycled onto all removable drives:

A corresponding file AUTORUN.INF is dropped onto the victim's system and contains the following:

[autorun]
open=.\recycled\info.exe
shell\1=äŻŔŔ
shell\1\Command=.\recycled\info.exe
shellexecute=.\recycled\info.exe
Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

McAfee
# Online Anti-Malware Scanners: http://scforum.info/index.php/topic,734.0.html

Samker's Computer Forum - SCforum.info
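A detection sketch for the AUTORUN.INF pattern described in the post above, added here as an example (it is not part of the original post or of the vendor description). It flags autorun commands that launch an executable from a Recycle Bin look-alike folder; the function names, the folder list beyond "Recycled", and the extension list are assumptions, and the sample input is constructed from the listing in the post.

```python
import ntpath
import os
import re

# [autorun] keys that name a program Windows may launch from the drive.
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Assumption: folder names treated as Recycle Bin look-alikes; the post's sample uses "recycled".
FAKE_BIN_DIRS = {"recycled", "recycler", "$recycle.bin"}
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd")

# Constructed sample mirroring the AUTORUN.INF in the post (menu label replaced by a placeholder).
SAMPLE = "\n".join(["[autorun]", r"open=.\recycled\info.exe", r"shell\1=LABEL",
                    r"shell\1\Command=.\recycled\info.exe", r"shellexecute=.\recycled\info.exe"])
BENIGN = "[autorun]\nopen=setup.exe\nicon=setup.ico\n"

def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_entries(text):
    """List (key, target) pairs that run an executable from a fake Recycle Bin folder."""
    hits = []
    for key, value in parse_autorun(text).items():
        if not COMMAND_KEY.match(key):
            continue
        # Normalise ".\recycled\info.exe" to "recycled\info.exe"; arguments are not split off.
        target = ntpath.normpath(value.strip('"')).lower()
        parts = target.split("\\")
        if target.endswith(EXEC_EXT) and FAKE_BIN_DIRS & set(parts[:-1]):
            hits.append((key, target))
    return hits

def check_drive(root):
    """Check the autorun.inf (any letter case) in a drive root; [] if none or clean."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), encoding="latin-1") as fh:
                return suspicious_entries(fh.read())
    return []

if __name__ == "__main__":
    for key, target in suspicious_entries(SAMPLE):
        print(f"suspicious autorun entry: {key} -> {target}")
```

Call `check_drive` with the root of a mounted removable drive; a non-empty result is a reason to look for the dropped files and service key listed in the post.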


Samker

Re: W32/USBCasv
« Reply #1 on: 24. July 2007., 19:09:15 »
- Common Removal method:

1. Check your antivirus (which one it is, whether it is updated, and whether you made a full scan of your PC after the update).

2. If you can't clean the worm this way, reinstall your AV and download and install one of these AVs: McAfee or Kaspersky (here at SCForum.info we provide links to the latest downloads, just check the right section) and go back to step 1.

3. Don't forget to turn off System Restore on your PC.


***If, after all these steps, you still have a problem with this malware, post your problem in our HELP section; the direct link is in my signature (right below this post).***
