wstart32.exe - Dangerous
wstart32.exe
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor could fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
It attempts to spread to network shares that have weak passwords and allows hackers to access an infected computer through an IRC channel.
The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80
Steals CD keys of Computer games.
Allows unauthorized execution of remote commands. Terminates security software programs.
Listens on randomly calculated ports, ranging from 1000 to 3000 and one from above 10000, and waits for other computers to download the worm.
Copies itself to administrative shares on machines with weak passwords as %System%\wstart32.exe.
And adds the value:
"Windows Loader"="wstart32.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and
"Configuration Loader" = "%System%\wstart32.exe" -service
to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nm
Use RegRun Startup Optimizer to automatically remove it from startup.