New Email Worm Making Rounds, offers up fake links

There are a lot of things in life that we know for a fact are going to happen. We’re going to live, we’re going to die, and we’re going to be taxed. Anything between all this is uncertain. However, if you use a computer, one thing is for sure, that if you prod the dark side of the web, it will infect you. And that’s where today’s post comes in, as there is a new email worm circulating the Internet right now. And when I say new, I mean somewhere in August is when it first started and it just recently broke into the news. This worm is very simple to notice, and is named ‘Here You Are’, after the subject line in the email. Effectively, the way it tricks you to infect you, is to appear to link to a PDF, but in reality, is a executable file. Once infected, the worm then sends itself on via contacts found in your email contact lists.

And the worst part is, despite how simple it is and how simple it is to avoid, it is marked as rather active for a worm. Especially seeing as most geeks should be able to avoid it with ease. Yesterday, a person using an Iraq Resistance revealed himself as the creator of the worm, which has keylogging software as well as a backdoor in it as well.

So now that you know about it, no doubt you’d like to know how to remove it. Especially seeing as I know a friend’s desktop got infected with the worm and has been mass spamming me since then. I’d just like to issue a major thank you to Ant, one of our forum members for showing the manual way to remove it, no doubt there will be some scanners that will remove it automatically soon. What you have to do is kill the following processes if running, then delete them:

%windows%\system\updates.exe
%windows%\csrss.exe
%windows%\ff.exe
%windows%\gc.exe
%windows%\hst.iq
%windows%\ie.exe
%windows%\im.exe
%windows%\op.exe
%windows%\pspv.exe
%windows%\rd.exe
%windows%\re.exe
%windows%\re.iq
%windows%\tryme1.exe
%windows%\vb.vbs
%system%\SendEmail.dll

then manually delete the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options0hoeav.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Optionsw.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6.bat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6fnlpetp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6×8be16.cmd
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BIOSREad.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BdSurvey.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CaVCmd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CavaUd.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cavapp.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2cmd.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2free.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2upd.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aNtIaRP.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aNtS.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aPVxdWIN.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aVCONSOL.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aVENGINE.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aVP32.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aVPCC.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aVPM.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\abk.bat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adobe Gamma Loader.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algsrvs.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algssl.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\angry.bat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti-trojan.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antihost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apu-0607g.xml
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apu.stt
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arSwp.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashLogV.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashMaiSv.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashPopWz.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashQuick.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSkPcc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswBoot.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswRegSvr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoRun.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoRunKiller.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.bin
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.ini
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.reg
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.txt
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.wsh
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorunsc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avMonitor.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastSS.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avciman.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgamsvr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgas.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avginet.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgscan.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgscanx.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgupsvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avltd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avzkrnl.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bad1.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bad2.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bad3.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdsubwiz.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackice.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caiss.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caissdt.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\catcache.dat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cauninst.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cavasm.ExE

And restore the following registry keys back to their defaults, which are included below.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA=dword:00000000 to EnableLUA=dword:00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell= Explorer.exe %windows%\csrss.exe to Shell=Explorer.exe

Overall, it is a lot of manual work, and if I can find the spare time and right documentation, I’ll certainly make a batch file to automatically delete and restore these files to what they should be. If anyone would like to have a shot at it, go right ahead, and I’ll post it up here, giving you full credit in making it.