command.pif - Dangerous
%sysdir%\command.pif
Manual removal instructions:
Antivirus Report of %sysdir%\command.pif:
%sysdir%\command.pif
Worm W32.Inzae.B@mm
It is a mass-mailing worm that uses its own SMTP engine for spreading.
1. Adds the value:
"Messenger6"="%System%\command.pif"
"Svchost"="%System%\command.pif"
to the registry Run keys.
2. Sends an HTTP GET request to download the file msvbvm60.dll, to the following folders, and then executes it:
%Windir%\System32
%Windir%\System
3. Creates the following file and execute it if the file, msvbvm60.dll, is downloaded successfully:
%System%\Paula.pif
4. When %System%\Paula.pif is executed, it does the following:
Copies itself as %System%\Svchosl.pif.
Creates the following files:
%Windir%\System32\m.zip
%Windir%\System32\sw.exe
%Windir%\System32\sx.exe
%Windir%\System32\ss.exe
%Windir%\System32\sz.exe
5. Deletes files with extensions:
.asm .asp .bdsproj .bmp .c .cpp .cs .csproj .css .doc .dpr .frm .gif .h .htm .html .iso .jpeg .jpg .mdb .mp3 .nfm .nrg .pas .pcx .pdf .php .ppt .rar .rc .rc2 .reg .resx .rpt .sln .txt .vb .vbp .vbproj .wav .xls
6. Download its updates if computer is connected to Internet.
7. Sends its body by e-mails.
Remove it from startup using RegRun Startup Optimizer.
| %sysdir%\command.pif | Malware |
| %sysdir%\command.pif | Dangerous |
| %sysdir%\command.pif | High Risk |
It is a mass-mailing worm that uses its own SMTP engine for spreading.
1. Adds the value:
"Messenger6"="%System%\command.pif"
"Svchost"="%System%\command.pif"
to the registry Run keys.
2. Sends an HTTP GET request to download the file msvbvm60.dll, to the following folders, and then executes it:
%Windir%\System32
%Windir%\System
3. Creates the following file and execute it if the file, msvbvm60.dll, is downloaded successfully:
%System%\Paula.pif
4. When %System%\Paula.pif is executed, it does the following:
Copies itself as %System%\Svchosl.pif.
Creates the following files:
%Windir%\System32\m.zip
%Windir%\System32\sw.exe
%Windir%\System32\sx.exe
%Windir%\System32\ss.exe
%Windir%\System32\sz.exe
5. Deletes files with extensions:
.asm .asp .bdsproj .bmp .c .cpp .cs .csproj .css .doc .dpr .frm .gif .h .htm .html .iso .jpeg .jpg .mdb .mp3 .nfm .nrg .pas .pcx .pdf .php .ppt .rar .rc .rc2 .reg .resx .rpt .sln .txt .vb .vbp .vbproj .wav .xls
6. Download its updates if computer is connected to Internet.
7. Sends its body by e-mails.
Remove it from startup using RegRun Startup Optimizer.
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.
Since that time I work every day to fix the issues that antiviruses cannot.
If your antivirus have not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.