Faberc blog website

 Sunday, December 23, 2007

Last week my PC was infected by a worm carried on a USB pen (UFO.EXE).

It is one variant of a family of similar backdoors/worms, so these
instructions can also help you understand how such attacks work.

These are the steps I took to remove the worm and the related malware
it downloaded through that backdoor.

1) First of all: disconnect the infected PC from any network
and internet connection.

While you browse, the malware downloads further viruses and updates
from these internet sites:
cn911.org, obutan.com, baidu8.com, 222.122.45.146,
eu.logon.worldofwarcraft.com, us.logon.worldofwarcraft.com
Try to block these sites with your firewall!


2) Clean the USB pen

delete UFO.EXE (hidden file)
delete autorun.inf (hidden file that loads the ufo.exe worm)
These files are written by an infected PC whenever you plug in a USB pen
or removable hard disk.
Afterwards, create a fake empty autorun.inf file with the READ-ONLY attribute
set: an infected PC then cannot overwrite it with its own autorun.inf, so
ufo.exe is not launched from the pen.

3) removal actions

- Run Process Explorer by Mark Russinovich (www.sysinternals.com)
and kill the svchost process that sits at the root level of the process tree
(legitimate svchost.exe instances are children of services.exe; the one with no
parent is the process that creates the UFO.EXE/AUTORUN.INF files whenever
you insert a removable disk)

- With regedit, edit the Userinit value under the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
and remove only the string ",C:\WINDOWS\system32\secpol.exe". The infected value reads:
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,
and it needs to become (don't remove userinit.exe, or you will no longer be able to log on!):
C:\WINDOWS\system32\userinit.exe

- delete the secpol.exe file from C:\WINDOWS\system32

- With regedit, remove the fsmgmt key from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

- Delete the fsmgmt.dll file from c:\windows\system32
Note: its file properties show the product name "Microsoft® Windows® Operating System",
so it looks like a legitimate system file; don't let that stop you.

- Delete all files from these locations ("Impostazioni locali" is the Italian
Windows name for "Local Settings"):
C:\Documents and Settings\<user>\Impostazioni locali\Temporary Internet Files
and
C:\Documents and Settings\<user>\Impostazioni locali\Temp
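Steps 2 and 3 as a small defender-side script, added here as an example (it is not part of the original post): it splits a Winlogon Userinit value into the legitimate userinit.exe entry and anything appended to it, flags the fsmgmt Notify subkey, and creates the read-only placeholder autorun.inf. It works on the value strings rather than the live registry, so feed it what you read in regedit (or via winreg on Windows); the function names and the sample values are my own.

```python
import os
import stat
import tempfile

# Legitimate content of the Winlogon Userinit value on Windows XP (as in the post).
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"


def audit_userinit(value):
    """Split a Userinit value on commas and separate the legitimate userinit.exe
    entry from anything appended to it (the worm appended secpol.exe).
    Returns (extra_entries, cleaned_value); cleaned_value keeps userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    extra = [e for e in entries if e.lower() != EXPECTED_USERINIT.lower()]
    kept = [e for e in entries if e.lower() == EXPECTED_USERINIT.lower()]
    return extra, ",".join(kept)


def audit_notify(subkeys):
    """Given the subkey names found under Winlogon\\Notify, flag the one the
    post names (fsmgmt). Returns the list of suspicious names."""
    return [k for k in subkeys if k.lower() == "fsmgmt"]


def make_placeholder_autorun(drive_root):
    """Create an empty, read-only autorun.inf in drive_root so an infected PC
    cannot drop its own autorun.inf there. Returns the path created."""
    path = os.path.join(drive_root, "autorun.inf")
    with open(path, "w"):
        pass
    os.chmod(path, stat.S_IREAD)  # clears the write bits; on Windows sets READ-ONLY
    return path


def placeholder_demo():
    """Create the placeholder in a scratch directory (standing in for the USB
    drive root) and report (file name, is_read_only)."""
    path = make_placeholder_autorun(tempfile.mkdtemp())
    return os.path.basename(path), not (os.stat(path).st_mode & stat.S_IWUSR)


if __name__ == "__main__":
    # Constructed sample: the Userinit value exactly as the post shows it while infected.
    infected = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,"
    print("audit_userinit:", audit_userinit(infected))
    print("audit_notify:", audit_notify(["crypt32chain", "fsmgmt", "Schedule"]))
    print("placeholder:", placeholder_demo())
```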


That's all. I also removed some unknown users (*S-1-5-21.....) from the security policies.

Credits : I'd like to sincerely thank the folks at Sysinternals

12/23/2007 7:09:48 PM (W. Europe Standard Time, UTC+01:00)
1/10/2008 11:49:06 AM (W. Europe Standard Time, UTC+01:00)
Thank You very Very VERY MUCH!!!

P.S. Thank Google too, for finding Your site.
1/31/2008 11:54:21 PM (W. Europe Standard Time, UTC+01:00)
great, first page that indeed helps to remove this shit!
happy user
3/24/2008 8:54:39 PM (W. Europe Standard Time, UTC+01:00)
I'd like to thank you for your helpful article about how to remove this UFO.exe!! This worm, or whatever its type, was going to make me crazy. Thank you so much!

André from France!
4/11/2008 8:21:24 PM (W. Europe Standard Time, UTC+01:00)
Indeed you're the saviour! No regular anti-virus software could help, nor special malware/spyware removal gadgets I've found in the web.
Finally I removed this crap with your recipe.
Big thanks!
P.S. This "Process Explorer" is quite useful, but it wasn't really needed in this case. I was able to kill the right svchost thing with the regular task manager. Anyway, without you I wouldn't be able to get rid of this ufo.exe. Thanks!
WojMan
5/20/2008 12:05:40 PM (W. Europe Standard Time, UTC+01:00)
Thank you so much for writing this. This is the first good solution I found after a lot of Googling around.

Great tip to make fake autorun-files to prevent another infection!
5/21/2008 7:19:12 AM (W. Europe Standard Time, UTC+01:00)
Looks impossible to print this, at least from Firefox. Thanks, change blog/template :)
6/6/2008 9:59:03 AM (W. Europe Standard Time, UTC+01:00)
Thanks for this !

But eu.logon.worldofwarcraft, why? And why don't they do anything about it? Bliz seems such a nice company, I don't see why they should load malware onto computers?
7/15/2008 7:47:45 PM (W. Europe Standard Time, UTC+01:00)
Thanks a million. This problem has been nagging me for quite a while. The world would be a great place with more guys like you.
1/14/2009 10:13:06 PM (W. Europe Standard Time, UTC+01:00)
Thanks, this was really useful. Amazing that while Windows Defender can pick up the dll created by the exe (fsmgmt) it does not find the executable itself (secpol.exe), so every reboot it recreated fsmgmt until we found your blog
Prospector
5/13/2010 7:09:23 PM (W. Europe Standard Time, UTC+01:00)
Whenever I get a security problem at my computer I find the solution online, most likely someone had the same problem before me. So now I want to thank you for sharing the solution to your security problem, this kind of altruism saved me from a lot of trouble.