system32driver32.exe - Dangerous
system32driver32.exe
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor could fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
The worm also uses IRC to spread.
The email has the following characteristics:
Subject: This document is interesting
Body: Hi! How are you, i hope all okay. I send you an attachment that you should see.
Attachment: ha ha ha ha.doc.exe
Creates some files in %Windir%\ or a:\ folders.
Adds the value: "Windows Drive Compatibility"="%Windir%\System32Driver32.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Modifies the values: "Hidden"="0" "HideFileExt"="1"
in the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
so that the worm hides file extensions.
Modifies the value: "nofolderoptions"="1"
in the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
so the options menu is hidden from explorer.
Adds the value: "(Default)" = "&supernova-Y2K4"
in the registry key: HKEY_LOCAL_MACHINE\Software\CLASSES\*\shell\open
so the word "supernova-Y2K4" will show up in the Context Menu when you right-click on a file.
Adds the value: "(Default)" = "notepad.exe c:\supernova.txt"
in the registry key: HKEY_LOCAL_MACHINE\Software\CLASSES\*\shell\open\command
so when you choose the word "supernova-Y2K4" from the Context Menu, it will open c:\supernova.txt.
Changes the background image to %Windir%\System32Windos.bmp:
Removal:
Use RegRun Startup Optimizer and manually change values of registry keys described above.