How to remove Worm.Allaple.A
THREAT NAME
Worm.Allaple.A
CLEAN INSTRUCTION
1. Go to Start, Run type services.msc and click on OK.
2. Locate the entry called Network Windows Service.
3. Right-click it and select Properties. In the new window you will see a textbox called Path to executable ( e.q. C:\Windows\system32\urdxvc.exe ).
4. Press the Stop button in order to stop the malicious service.
5. Now open Windows Explorer ( Start > All Programs > Accessories ), locate the infected file and delete it.
6. Run a full scan with BullGuard.
SYMPTOMS
1. Increased network traffic.
2. Presence of a service called Network Windows Service.
3. When you open local .html pages, if you have Internet Explorer 7.0 you receive a notification that says "Internet
Explorer has restricted this webpage from running scripts or ActiveX controls".
DESCRIPTION
1. The worm uses a polymorphic encryption in order to make detection harder. There are several decryption layers
that are used in order to get access to the code of the worm.
2. The worm will copy itself in the Windows system directory.
3. It will create a process from the copied file and it will instruct it to create a service in order to run when
the computer starts.
4. The service will create serveral threads that will do the following:
- Look for .htm and .html files. When one is found, it will search for the < HTML > tag
and will add a reference to its CLSID right after it.
- Try to get access to computers from the LAN by various techniques, including a dictionary attack that
uses a predefined lists of passwords.
- It does a Denial Of Service Attack on 3 websites located in Estonia (www.starman.ee, online.if.ee, www.if.ee).
Author:
The BullGuard Team