
Damn Computer virus! Found a fix

#1 ·
I have been fighting with a "google redirect" virus for the last week, among other ones. If you type something in the search bar of google, then click on the link, it redirects you to some other website like a coupon site or something. It screwed up my Norton anti-virus so I could not update it and was wreaking havoc!
Bought a few malware products that couldn't find it or remove it :doh: ..

Finally found something that killed every single virus, and it's a free product. Just wanted to pass it along in case anyone else is having issues.

My computer is much faster now too by the way!

Also, after it scans and identifies a virus, just select the move option. If you delete, it might come back. Click the link below and select "run". It works wonders!

http://www.freedrweb.com/download+cureit/gr/
 
#4 ·
From: W32.Ceted Technical Details | Symantec

Discovered: January 9, 2008
Updated: January 9, 2008 7:53:25 PM
Type: Worm
Infection Length: 251,797 bytes; 246,093 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

W32.Ceted is a worm that copies itself to all shared and removable drives.

Protection
Initial Rapid Release version: January 9, 2008 revision 018
Latest Rapid Release version: June 28, 2008 revision 022
Initial Daily Certified version: January 9, 2008 revision 022
Latest Daily Certified version: January 20, 2009 revision 048
Initial Weekly Certified release date: January 16, 2008

Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Payload: Closes windows based on strings in the title bar.
Distribution
Distribution Level: Low
Shared Drives: Copies itself to shared drives.

When the worm is executed, it creates the following files and gives them system, hidden, and read-only attributes:

%SystemDrive%\ntdetec1\ntdetec1.exe
%SystemDrive%\ntdetec1\cmrss.exe
%SystemDrive%\ntdetec1\run.exe
%SystemDrive%\ntdetec1\shell32.exe
%SystemDrive%\ntdetec1\drivelist.txt
%SystemDrive%\ntdetec1\child\autorun.inf
%SystemDrive%\ntdetec1\child\ntdetec1.exe
It then copies the following file to all shared and removable drives on the compromised computer:
%DriveLetter%\ntdetec1.exe

The worm creates the following registry entry so that it runs when Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"winlogon" = "C:\ntdetec1\run.exe"

The worm monitors all new processes created. If the window title of any process contains one of the following strings, the worm will close that window:

Window Task Manager
process explorer
The worm attempts to redirect Google searches to customized search results using the following URL:
http://www.google.com/custom?hl=en&client=pub-2141221394801249&channel=7215448870&cof=FORID%3A1%3BGL%3A1%3BLBGC%3A336699%3BLC%3A%230000ff%3BVLC%3A%23663399%3BGFNT%3A%230000ff%3BGIMP%3A%230000ff%3BDIV%3A%23336699%3B&ie=ISO-8859-1&oe=ISO-8859-1&q=[ORIGINAL QUERY]

The worm will restart the computer if the cmrss.exe process is ended.
To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
Navigate to and delete the following entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"winlogon" = "C:\ntdetec1\run.exe"
Exit the Registry Editor.

Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.
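The writeup above gives three things a defender can check for: the dropped files, the autostart value under policies\Explorer\Run, and the rewritten Google URL carrying a fixed publisher id. This is an added example (not Symantec's or the forum's code) that checks constructed host and proxy data against exactly those indicators; the input formats (a file listing, a registry export as a dict, a URL) are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Host indicators transcribed from the W32.Ceted writeup above.
CETED_FILES = {
    r"\ntdetec1\ntdetec1.exe", r"\ntdetec1\cmrss.exe", r"\ntdetec1\run.exe",
    r"\ntdetec1\shell32.exe", r"\ntdetec1\drivelist.txt",
    r"\ntdetec1\child\autorun.inf", r"\ntdetec1\child\ntdetec1.exe",
}
# Persistence lives under policies\Explorer\Run, which is checked less often
# than the usual ...\CurrentVersion\Run key.
CETED_RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
CETED_PUB_ID = "pub-2141221394801249"  # publisher id in the redirect URL


def check_registry(run_values):
    """run_values: {key_path: {value_name: data}} (assumed export format).
    Returns (key, name, data) triples pointing at the worm's run.exe."""
    hits = []
    for key, values in run_values.items():
        if key.lower() != CETED_RUN_KEY.lower():
            continue
        for name, data in values.items():
            if data.lower().endswith(r"\ntdetec1\run.exe"):
                hits.append((key, name, data))
    return hits


def check_files(paths):
    """paths: full file paths from a host listing. Matches the dropped files
    and the <drive>:\\ntdetec1.exe copy placed on shared/removable drives."""
    return sorted(p for p in paths
                  if any(p.lower().endswith(f.lower()) for f in CETED_FILES)
                  or re.fullmatch(r"[a-z]:\\ntdetec1\.exe", p.lower()))


def is_ceted_redirect(url):
    """True when a google.com/custom URL carries the worm's publisher id."""
    parts = urlsplit(url)
    if not parts.netloc.lower().endswith("google.com") or parts.path != "/custom":
        return False
    return CETED_PUB_ID in parse_qs(parts.query).get("client", [])


if __name__ == "__main__":
    # Constructed sample data, not taken from a real host.
    print(check_files([r"C:\ntdetec1\cmrss.exe", r"E:\ntdetec1.exe", r"C:\Windows\notepad.exe"]))
    print(check_registry({CETED_RUN_KEY: {"winlogon": r"C:\ntdetec1\run.exe"}}))
    print(is_ceted_redirect("http://www.google.com/custom?hl=en&client=pub-2141221394801249&q=trucks"))
```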
 
#6 ·
drweb is a good scanner. Running it as antivirus sucks but it's good at cleaning.