Worm doing the rounds

Recently one of the graphic designers at my work brought his laptop in and asked me to have a look at it for him. The symptoms were simple. When it booted up whether to safe mode or normally it would just boot into a blank screen with a mouse pointer(active) showing.

A bit of googling revealed that a worm has been going around which causes the above symptoms. It installs a file in C:Windows and adds a registry value into HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionDrivers32 named midi9 with a fairly random looking value that from memory was along the lines of C:windowssystem32..vqfasf.tmp wqerkjla. As you notice the .. actually puts the file back into C:windows so a bit of subterfuge there in hiding the file.

The one site I found that talked about how to fix it advised copying the registry file from C:windowssystem32config and loading the hive in another computer to remove the registry entry.

Rather than doing this I found it was easier to delete the file using NibleX instead and then booted without any issues and removed the entry from the registry.

The original article I saw the information in regarding the worm and removal method can be found here(google translated since its in Korean): http://translate.google.com/translate?hl=en&sl=ko&tl=en&u=http%3A%2F%2Fcore.ahnlab.com%2F58

Some quick instructions:

I used SARDU with NimbleX and NT Passwd to make the changes

1. First boot up with NT Passwd to use the registry editor to retrieve the filename

  1. Select the windows volume and choose Option 2(Recovery Console option)
  2. use cd to navigate to the registry key (MicrosoftWindows NTCurrentVersionDrivers32
  3. use ls to list registry values and type to display the setting of a value(eg type midi9)

2. Take note of the filename that you need to delete, reboot into NimbleX CLI mode( or GUI if you prefer)

3. Run mount -t ntfs-3g -o force /dev/sda1 /mnt/sda1 ( The force is required as the volume is most likely dirty from being improperly shutdown)

4. Browse to and deleted the file then rebooted into windows

5. Remove the registry entry you navigated to earlier

An update to this post:

I found out a little later that the worm spreads through USB after the Graphic Designer got reinfected so after removing worm make sure before you put any other USB drives into your system you follow the instructions at http://www.sizlopedia.com/2008/03/18/disable-usb-autorun-to-save-pc-from-usb-viruses/.

SARDU and NimbleX as mentioned in the post can be found at http://www.sarducd.it/index.html with a video tutorial available by clicking ‘Tutorial’ on the left hand side menu.