I came across a worm named winf.exe. Most of you may know this worm: it changes the drive icon to a nasty-looking image and the label to weird-looking characters. Even if you want to change the label or the icon, you won't be able to. This worm mostly comes through USB devices. When you double-click on it, this virus copies an autorun.inf file and a thb.ico file to all your drives, and there you go, all icons and labels changed! Not only that, it copies the files win.exe and avgs.exe to your system32 folder and adds them to a particular place in the registry so that they launch at startup.
You might wonder what these two program files do. Well, you might have experienced this: when you type "orkut" or "youtube" in your browser, a message box pops up telling you that orkut and youtube are infected by a virus, and it closes your browser as well. Great, right? Sometimes it may also play a laughing sound.
Well, what exactly is this so-called virus?
It's not a virus. Surprised? It's a script written using the AutoHotkey software. You can get this software here: www.autohotkey.com/download. This software was actually created to automate repetitive tasks and improve the Windows user interface, but some people are using it to create nasty programs and trouble others.
This worm consists of a set of files, including its own source code, packed into an SFX archive using WinRAR so that it can be extracted to the required location when the user double-clicks on the USB device. The icon of the SFX archive is removed so that it is not easily noticed, since only the file name is visible.
How to bring the drive icon and label back to normal?
Manual
- Launch Task Manager.
- Find the processes win.exe and avgs.exe running under your user name.
- Terminate these processes.
- Now launch the command prompt and type the following commands:
C:\Documents and Settings\VASUDEV>cd\
C:\>del /F /A:H autorun.inf thb.ico
Repeat this process on each drive. If you have some PC maintenance software, check the startup program list; if win.exe or avgs.exe appears there, remove those entries and restart. Now the drives should return to normal. Now scan the system using antivirus software. I suggest using avast's boot-time scan on the C drive; it will delete all infected files.
This is the method I used to remove the virus from my system.
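A read-only check for the leftovers listed above, as an added example that is not part of the original post: it looks for autorun.inf and thb.ico in every drive root, for win.exe and avgs.exe in system32, and for startup entries that name either file. The two Run key paths are an assumption (the standard startup keys), since the post does not name the registry location; PowerShell 3.0 or later is assumed.

```powershell
# Read-only check for the artifacts named in the post. It deletes nothing.
$dropped  = 'autorun.inf', 'thb.ico'   # copied to the root of every drive
$payloads = 'win.exe', 'avgs.exe'      # copied into system32
# Assumption: the standard Run keys; the post does not say which key is used.
$runKeys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Drive roots. -Force is required because hidden files are otherwise skipped.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in $dropped) {
        $item = Get-Item -LiteralPath (Join-Path $drive.Root $name) -Force -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{ Type = 'DriveRoot'; Location = $item.FullName; Detail = [string]$item.Attributes }
        }
    }
}

# 2. Payload copies in system32.
foreach ($name in $payloads) {
    $item = Get-Item -LiteralPath (Join-Path $env:SystemRoot "System32\$name") -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += [pscustomobject]@{ Type = 'System32'; Location = $item.FullName; Detail = "$($item.Length) bytes" }
    }
}

# 3. Startup entries whose command line names either payload.
foreach ($key in $runKeys) {
    $k = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $k) { continue }
    foreach ($valueName in $k.GetValueNames()) {
        $data = [string]$k.GetValue($valueName)
        foreach ($name in $payloads) {
            # Match the file name only at a path or word boundary, so "darwin.exe" is not flagged.
            if ($data -match "(^|[\\/\s""])$([regex]::Escape($name))\b") {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$valueName"; Detail = $data }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'None of the listed artifacts were found.' }
```

An empty result after the restart means none of the files or startup entries named in the post are still present in the places checked.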
To avoid getting infected by this nasty worm and other similar worms: "Do not double-click on your pen drive on any day; use the address bar to access the pen drive instead."
Also use this small but very effective software, USB Disk Security: a mere 1 MB, but it detects any autorun program, including winf.exe, as soon as you insert a USB device. The home page for this software is http://www.zbshareware.com/.
