Friday, November 30, 2007

Removing jaymyka worm

Today is Gat Andres Bonifacio’s day. No work, no pressure, so I took the advantage of going to my aunt’s workplace to remove the so-called Jaymyka worm. All the computers were infected.


Worm: Jaymyka
Threat Level: Low
Target Victims: Users viewing adult sites (Geez! Who did that in the office?)


Description:


It creates an autorun.inf file per drive with the following contents,



[autorun]
open=jay.exe
;shell\open=Open(&O)
shell\open\Command=jay.exe
shell\open\Default=1
;shell\explore=Manager(&X)
shell\explore\Command=jay.exe

The autorun.inf file is paired with jay.exe. The jay.exe file handles the annoying duplication of files and some resource-hogging tasks leading to DoS attack. If this worm is able to infect the target device successfully, it attaches a file named mveo.exe at startup. This mveo.exe is responsible for the worm’s capability of regeneration.


[Diagnosis]


1. Kill mveo.exe and jay.exe



TASKKILL /F /IM mveo.exe /IM jay.exe

2. Delete all files named jay.exe and mveo.exe
3. Remove mveo.exe in msconfig’s startup tab
4. Clean the registry of entries containing jay.exe, jaymyka, mveo.exe
5. Reboot


Christmas is near! It’s been a while since I blogged. Nothing special.

No comments: