W32/Magold-D

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Several Reports
Protection available since: 23 Jun 2003 00:00:00 (GMT)
Last Updated: 23 Jun 2003 00:00:00 (GMT)


Aliases

  • I-Worm.Magold.e

Affected Operating Systems

Windows

Recovery Instructions:

Please follow the instructions for removing worms.

Check network security.

Windows XP/2000/2003

Renaming the registry editor

  • Using Windows Explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt), right-click Regedit.exe and make a copy of it.
  • Rename the copy of Regedit.exe to Regedit.cmd.

Restart the computer in Safe Mode.

  • Go to Start|Shut Down.
  • Select Restart from the drop-down list and click OK. Windows will restart.
  • Press F8 when you see the following text at the bottom of the screen: "For troubleshooting and advanced startup options for Windows XP/2000/2003, press F8".
  • In the Windows XP/2000/2003 Advanced Options Menu select the third option, 'Safe Mode with Command Prompt'.

To remove the worm files, either use SAV32CLI from the Sophos CD or download an emergency copy of SAV32CLI on an uninfected computer, extract it and write it to CD.

At the infected computer, place the CD in the CD drive (D: in this example).

At the command prompt type:

D:

to access the CD drive. If you are using the Sophos CD, type:

CD WIN32\I386\SAV32CLI

if you are using a SAV32CLI download disk, type:

CD SAV32CLI

Then type:

SAV32CLI -REMOVE -P=C:\LOGFILE.TXT

to remove the worm.

You will also need to edit the following registry entries. Please read the warning about editing the registry.

At the command prompt type 'Regedit.cmd' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the following HKEY_CLASSES_ROOT entries:

HKCR\exefile\Shell\Open\Command
HKCR\comfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\scrfile\shell\open\command

Typically an unaltered registry entry will be set to:

HKCR\???file\shell\open\command\(default) = "%1" %*

the altered registry entry will be:

HKCR\???file\shell\open\command\(default) = C:\WINDOWS\<filename>.exe /exec:"%1" %*

delete only the text C:\WINDOWS\<filename>.exe /exec: where <filename> is the name of the worm file. Do not delete anything else.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raVe

and delete it if it exists.

Close the registry editor.

Delete the file ravec.txt in the Windows folder.

Check the copy of Autorun.inf in the root folder and delete it if it contains a reference to the worm.
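As an added example (not part of the Sophos advisory, which uses Regedit and SAV32CLI), the following PowerShell script audits the five shell\open\command defaults for the `<filename>.exe /exec:` prefix described above, checks for the Run\raVe value, ravec.txt and Autorun.inf, and reports what it finds. It is read-only unless run with -Repair, in which case it strips only the loader prefix, exactly as the instructions say; it assumes a modern PowerShell with the registry provider and an elevated prompt.

```powershell
# Added audit script, not from the Sophos advisory. Read-only unless -Repair is given.
param([switch]$Repair)

$fileTypes = 'exefile', 'comfile', 'piffile', 'batfile', 'scrfile'
# The advisory describes the altered value as: C:\WINDOWS\<filename>.exe /exec:"%1" %*
$hijack = '^(?<loader>.+?\.exe)\s+/exec:(?<rest>.*)$'

foreach ($type in $fileTypes) {
    $key  = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { Write-Output "$type : key not found"; continue }
    $value = [string]$item.GetValue('')
    if ($value -match $hijack) {
        Write-Output "$type : ALTERED -> $value (loader: $($Matches.loader))"
        if ($Repair) {
            # Delete only the loader prefix; keep the original "%1" %* part intact
            Set-ItemProperty -Path $key -Name '(default)' -Value $Matches.rest
            Write-Output "$type : restored to $($Matches.rest)"
        }
    } else {
        Write-Output "$type : ok -> $value"
    }
}

# Persistence value named in the advisory
$run  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$rave = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).raVe
if ($rave) { Write-Output "Run\raVe present -> $rave" } else { Write-Output "Run\raVe not present" }

# Dropped file and any Autorun.inf in a drive root, also named in the advisory
$ravec = Join-Path $env:windir 'ravec.txt'
if (Test-Path $ravec) { Write-Output "found $ravec" }
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $auto = Join-Path $drive.Root 'Autorun.inf'
    if (Test-Path $auto -ErrorAction SilentlyContinue) {
        Write-Output "$auto :"
        Get-Content $auto   # inspect for a reference to the worm before deleting
    }
}
```

Run it once without -Repair to review the report, then with -Repair only after SAV32CLI has removed the worm files, since restoring the associations first does not remove the loader itself.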

Windows 95/98/Me

Restart the computer in MS-DOS mode.

Note: starting a Command Prompt (a DOS window) is not enough.

  • At the Taskbar, select 'Start' then 'Shut Down'.
  • Choose the option 'Restart the computer in DOS mode'.

At the DOS prompt type:

C:
CD \PROGRA~1\SOPHOS~1
SWEEP *: -REMOVEF

Say 'Yes' when prompted to delete a file (provided it is a W32/Magold-A file). Make a note of its name.

Reboot to Windows.

At a clean computer with the same operating system, copy the following keys:

HKCR\exefile\Shell\Open\Command
HKCR\comfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\scrfile\shell\open\command

as .REG files. Use different names for each file. Import them to the infected computer. See here for instructions on how to do this.

Delete the file ravec.txt in the Windows folder.

Check the copy of Autorun.inf in the root folder and delete it if it contains a reference to the virus.

Windows NT

Please contact technical support.

Other platforms

Please follow the instructions for removing worms.
