command.pif - Dangerous
%sysdir%\command.pif
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
It is a mass-mailing worm that spreads using its own SMTP engine.
1. Adds the values:
"Messenger6"="%System%\command.pif"
"Svchost"="%System%\command.pif"
to the registry Run keys.
2. Sends an HTTP GET request to download the file msvbvm60.dll into the following folders, and then executes it:
%Windir%\System32
%Windir%\System
3. Creates the following file and executes it if msvbvm60.dll was downloaded successfully:
%System%\Paula.pif
4. When %System%\Paula.pif is executed, it does the following:
Copies itself as %System%\Svchosl.pif.
Creates the following files:
%Windir%\System32\m.zip
%Windir%\System32\sw.exe
%Windir%\System32\sx.exe
%Windir%\System32\ss.exe
%Windir%\System32\sz.exe
5. Deletes files with extensions:
.asm .asp .bdsproj .bmp .c .cpp .cs .csproj .css .doc .dpr .frm .gif .h .htm .html .iso .jpeg .jpg .mdb .mp3 .nfm .nrg .pas .pcx .pdf .php .ppt .rar .rc .rc2 .reg .resx .rpt .sln .txt .vb .vbp .vbproj .wav .xls
6. Downloads its updates if the computer is connected to the Internet.
7. Sends its body by e-mail.
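The following PowerShell script is an added example for checking a host against the indicators listed above; it is not part of RegRun or any other product the page mentions. The Run-key paths and the assumption that %System% resolves to %SystemRoot%\System32 (with %SystemRoot%\System checked as well) are the author's assumptions; the value names and file names come from the entries above.

```powershell
# Added example (not from the page's vendor): report the autostart values and
# dropped files described for command.pif. Read-only; it changes nothing.

# Assumption: %System% is %SystemRoot%\System32; the older %SystemRoot%\System
# folder is also listed on the page, so both are checked.
$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'System')
)

# Run keys checked for both the per-machine and per-user hives.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Value names and file names taken from the description above.
$valueNames = @('Messenger6', 'Svchost')
$droppedFiles = @('command.pif', 'Paula.pif', 'Svchosl.pif',
                  'm.zip', 'sw.exe', 'sx.exe', 'ss.exe', 'sz.exe')

$findings = New-Object System.Collections.Generic.List[string]

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/etc. metadata that Get-ItemProperty adds.
        if ($p.Name -like 'PS*') { continue }
        if ($p.Value -isnot [string]) { continue }

        $knownName = $valueNames -contains $p.Name
        # Any autostart entry pointing at a .pif file inside a system folder
        # is unusual enough to report, whatever the value is called.
        $pifInSystem = $p.Value -match '\\System(32)?\\[^\\]+\.pif\b'

        if ($knownName -or $pifInSystem) {
            $findings.Add("Run value '$($p.Name)' in $key -> $($p.Value)")
        }
    }
}

foreach ($dir in $systemDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    foreach ($name in $droppedFiles) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $findings.Add("File present: $path ($($item.Length) bytes, written $($item.LastWriteTime))")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No command.pif indicators found.'
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so both hives and the system folders are readable. It only reports; removing the Run values and the files is the separate cleanup step the next line describes.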
Remove it from startup using RegRun Startup Optimizer.