Tuesday, April 7, 2009

jwgkvsq.vmx - Conficker virus manual removal

Intro
Well, this is one of the newly emerging popular viruses. It has spread rapidly, and most of your computers are infected. Conficker spreads via USB pen drives using an autorun.inf, or over the network by exploiting bugs in the network stack on Windows systems.

Spreading via USB Drives
Conficker spreads on USB drives by creating an autorun.inf and a folder structure

RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\

containing the file

jwgkvsq.vmx

Despite the extension, this file is a DLL. The obfuscated autorun.inf executes it by loading it with rundll32.exe:

[AUTorUN
icon=%syStEmrOot%\sySTEM32\sHELL32.Dll,4
shelLExECUte=RuNdLl32.EXE.\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
useAuTopLAY=1


A telltale sign of Conficker is the icon of the USB pen drive: the autorun.inf above sets it to icon 4 of shell32.dll, which is the standard folder icon. If the drive shows a folder icon, it is almost certain that the drive is infected with "conficker".

Manual Detection and Removal

Conficker disables the Background Intelligent Transfer Service (BITS) and Windows Automatic Updates, so if you find these services disabled, be alert. (To check which services are running and their status, use Run > services.msc.)

Follow these steps to detect and remove the Conficker virus:

  • Run the registry editor, regedit.exe.
    Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SvcHost
    and double-click the netsvcs value to see whether there is a random string at its end.

    Note the "zbtthjd" at the end; this is the virus. A list of valid entries in this field (from Microsoft) is given below to help you spot the random string (usually at the end):
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    EventSystem
    HidServ
    Ias
    Iprip
    Irmon
    LanmanServer
    LanmanWorkstation
    Messenger
    Netman
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    Rasman
    Remoteaccess
    Sacsvr
    Schedule
    Seclogon
    SENS
    Sharedaccess
    Themes
    TrkWks
    TrkSvr
    W32Time
    WZCSVC
    Wmi
    WmdmPmSp
    winmgmt
    wuauserv
    BITS
    ShellHWDetection
    uploadmgr
    WmdmPmSN
    xmlprov
    AeLookupSvc
    helpsvc

  • Note the random string (in this case "zbtthjd").

  • Now go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zbtthjd\Parameters and note the ServiceDll parameter. It will be something like c:\windows\system32\<randomstring>.dll

  • Open a command prompt and run
    svchost -k netsvcs
    This should stop the netsvcs group and the virus.

  • Try deleting the DLL file; if that fails, rename it to something else.

  • Restart the System.

  • Re-enable the Automatic Updates and BITS services.
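The detection part of the steps above (read the netsvcs group, compare it with the known-good list, look up the ServiceDll of anything unrecognised) can be scripted. This is an added example, not code from the original post; it assumes PowerShell is available on the machine being checked and uses the registry paths given in the post.

```powershell
# Added example: automate the netsvcs check from the post.
# Reports every netsvcs member that is not in the known-good list,
# together with its ServiceDll path and Authenticode signature status.

# Known-good netsvcs entries, copied from the list in the post.
$knownGood = @(
    'AppMgmt','AudioSrv','Browser','CryptSvc','DMServer','EventSystem',
    'HidServ','Ias','Iprip','Irmon','LanmanServer','LanmanWorkstation',
    'Messenger','Netman','Nla','Ntmssvc','NWCWorkstation','Nwsapagent',
    'Rasauto','Rasman','Remoteaccess','Sacsvr','Schedule','Seclogon','SENS',
    'Sharedaccess','Themes','TrkWks','TrkSvr','W32Time','WZCSVC','Wmi',
    'WmdmPmSp','winmgmt','wuauserv','BITS','ShellHWDetection','uploadmgr',
    'WmdmPmSN','xmlprov','AeLookupSvc','helpsvc'
)

$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
# netsvcs is a REG_MULTI_SZ value, so it comes back as a string array.
$netsvcs = (Get-ItemProperty -Path $svcHostKey -Name 'netsvcs').netsvcs

foreach ($name in $netsvcs) {
    # -contains compares case-insensitively, matching registry semantics.
    if ($knownGood -contains $name) { continue }

    # Unknown group member: find the DLL it loads (REG_EXPAND_SZ, expanded
    # automatically by Get-ItemProperty) and whether that DLL is signed.
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
    $dll = $null
    $sigStatus = 'n/a'
    if (Test-Path $paramKey) {
        $dll = (Get-ItemProperty -Path $paramKey -Name 'ServiceDll' `
                -ErrorAction SilentlyContinue).ServiceDll
    }
    if ($dll -and (Test-Path $dll)) {
        $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status
    }

    [PSCustomObject]@{
        Service    = $name
        ServiceDll = $dll
        Signature  = $sigStatus
        Note       = 'not in the known-good netsvcs list; inspect this DLL'
    }
}
```

The known-good list is the Windows XP era list from the post, so newer Windows versions will report legitimate extra services as well; treat each hit as something to verify (path, signature, file details), not as a confirmed infection.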



Note: if you find that these methods do not apply in your case, the virus must have morphed into some other form.
Hope it works :)