System is infected with worm but no process shown in the memory
  • System is infected with worm but no process shown in the memory

    Hi,

    My system is infected with Worm.Silly.g and I have cleaned the system as well. But the behaviour of this malware is very different.

    Description of the malware

    After execution of the malware it creates a directory by the name Recycler\DSK on the C drive and drops an HDAV.EXE file in the DSK directory. This HDAV.EXE opens a handle in Explorer.exe so that nobody can delete or copy the file. Whenever I plug in a USB drive this file appears in the process list, drops the same folder structure along with autorun.inf in the root of the USB drive and terminates its own process.

    Nobody can find its running process or any other DLL.

    I would like to know how this HDAV.EXE can load its code into explorer.exe and open its handle?

  • #2
    Re: System is infected with worm but no process shown in the memory

    W32/Silly-G is a worm for the Windows platform.

    W32/Silly-G tries to spread by copying itself to USB drives and floppy disks.

    When first run, W32/Silly-G copies itself to <Windows>\DelAutorun.bat and creates the file <Windows>DelAutorun.ini.

    W32/Silly-G also creates the folder C:\Autorun.inf.

    W32/Silly-G sets itself to run at startup by creating the following registry entry:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    DelAutorun
    <Windows>DelAutorun.bat
    Ref: http://www.sophos.com/security/analy...w32sillyg.html

    Try to remove it by following the removal instructions there, or delete the registry key, directories and files mentioned above manually.

    Ta


    • #3
      Re: System is infected with worm but no process shown in the memory

      Originally posted by nitin.sawade View Post
      I would like to know how this HDAV.EXE can load its code into explorer.exe and open its handle?
      Was there a hidden "autorun.inf" (or autorun.exe) on the USB drive before you plugged it in?

      \Rems


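Both replies point at the USB side of this infection: the worm copies itself to removable drives and the first thing to look at on a stick is the autorun.inf it writes there. The script below is an added example, not code from this thread or from the Sophos write-up: it parses an autorun.inf offline and flags the directives that make Windows launch something on insert or open, with extra weight when the target sits in a folder Explorer hides by default. The sample autorun.inf is constructed for illustration; only the Recycler\DSK\HDAV.EXE drop path comes from the original post, and the directive names are the standard AutoRun keys (open, shellexecute, shell\<verb>\command, shell, icon).

```python
"""Triage an autorun.inf pulled from a suspect USB stick.

Added example for the thread above; not the worm's actual autorun.inf and not
vendor code. SAMPLE_AUTORUN_INF is constructed; the Recycler\DSK\HDAV.EXE path
is the drop location the original poster reported.
"""
import re
from typing import Dict, List, Tuple

# Keys that make Windows execute a target on insert (AutoRun) or when the
# drive is opened/double-clicked in Explorer via a custom shell verb.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Folder names Explorer hides by default; droppers park payloads there so the
# user never sees the binary next to the autorun.inf.
HIDDEN_DIR_RE = re.compile(
    r"(^|[\\/])(recycler|recycled|\$recycle\.bin|system volume information)([\\/]|$)",
    re.IGNORECASE,
)
EXEC_EXT_RE = re.compile(r"\.(exe|scr|com|pif|bat|cmd|vbs|js)(\s|\"|$)", re.IGNORECASE)

Finding = Tuple[str, str, List[str]]  # (key, value, reasons)

# Constructed sample: what a worm-written autorun.inf typically looks like.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
; constructed sample; drop path taken from the original post
open=Recycler\DSK\HDAV.EXE
shell\open\Command=Recycler\DSK\HDAV.EXE
shell\explore\Command=Recycler\DSK\HDAV.EXE
icon=%SystemRoot%\system32\SHELL32.dll,4
label=USB Drive
UseAutoPlay=1
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs of the [autorun] section with keys lowercased.

    autorun.inf is INI-like but case-insensitive in both section and key
    names, so a small hand parser is used instead of configparser (which is
    case-sensitive on section names). A later duplicate key overwrites an
    earlier one, matching Windows' last-wins behaviour.
    """
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()  # tolerate a UTF-8 BOM on line 1
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def launches_code(key: str) -> bool:
    """True for directives that cause a program to run."""
    return key in LAUNCH_KEYS or bool(SHELL_CMD_RE.match(key))


def triage(directives: Dict[str, str]) -> List[Finding]:
    """Flag every directive that runs code or disguises the drive, with reasons."""
    findings: List[Finding] = []
    for key, value in directives.items():
        reasons: List[str] = []
        if launches_code(key):
            reasons.append("runs a program on insert or open")
            if HIDDEN_DIR_RE.search(value):
                reasons.append("target lives in a folder Explorer hides by default")
            if not EXEC_EXT_RE.search(value):
                reasons.append("target lacks an executable extension; check for a renamed binary")
        elif key == "shell":
            reasons.append("redefines the default double-click verb")
        elif key == "icon" and EXEC_EXT_RE.search(value):
            reasons.append("icon taken from an executable, often to masquerade as a folder or drive")
        if reasons:
            findings.append((key, value, reasons))
    return findings


def is_suspicious(directives: Dict[str, str]) -> bool:
    """True when any launch directive points into a hidden folder, the
    pattern described in the thread (Recycler\\DSK\\HDAV.EXE)."""
    return any(launches_code(k) and HIDDEN_DIR_RE.search(v) for k, v in directives.items())


if __name__ == "__main__":
    parsed = parse_autorun(SAMPLE_AUTORUN_INF)
    for key, value, reasons in triage(parsed):
        print(f"{key} = {value}")
        for reason in reasons:
            print(f"    - {reason}")
    print("verdict:", "SUSPICIOUS" if is_suspicious(parsed) else "no launch-from-hidden-folder pattern")
```

Run it against the autorun.inf copied (not executed) from the stick; a clean stick has no autorun.inf at all, and a CD-style installer one launches a visible setup.exe from the root rather than from RECYCLER. The registry side from reply #2 is checked the same way by reading the HKLM\...\Run value named DelAutorun and confirming what path it points at before deleting it.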