W32/Donk-C

Please follow the instructions for removing worms.

Delete the file r.bat in your temporary folder if it exists.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loaded = "wupdated.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loaded = "wupdated.exe"

and delete them if they exist.

Close the registry editor.

W32/Donk-C is a worm which copies itself around your network. The worm also includes backdoor functionality which allows unauthorised outsiders to control your computer through IRC channels.

When W32/Donk-C runs, it creates a copy of itself called scchost.exe in your Windows System folder. It also sets the following entries in the registry so it runs automatically every time you start up your computer:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration Loaded = "wupdated.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration Loaded = "wupdated.exe"

W32/Donk-C includes a backdoor Trojan which can be used to install and execute programs on your computer, as well as to flood other computers with network packets from your PC.

W32/Donk-C creates the file r.bat in your temporary folder. This file is not malicious by itself and can simply be deleted.