Summary

| Field | Value |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 19 September 2004 15:14:07 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Pesin-D is a worm for the Windows platform. It attempts to spread by copying itself onto the A:\ drive as SEXXX.exe.
When executed, the worm makes copies of itself in the following locations:
%Windows system%\SvHost.exe
C:\My Documents\Ini Virus.exe
C:\Program Files\Accessories\Clean.exe
W32/Pesin-D will move msconfig.exe to quend.exe, regedit.exe to blink.exe and explorer.exe to bimm.exe, replacing them with itself.
The worm sets the following registry entries so that it is run at system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Load Service = C:\WINDOWS\System32\SvHost.exe /run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Performance = C:\Windows\MyHeart.exe /run
The following registry entries will also be created:
HKCU\Software\Microsoft\Internet Explorer\Main
Start Page = "www.jn01.cjb.net"
HKLM\SOFTWARE\Microsoft\MediaPlayer
Count
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CDFS\0000\Control
ActiveService = "Cdfs"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CDFS\0000\Control
ActiveService = "Cdfs"
and the following entries changed:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = dword:00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = dword:00000001
HKCR\exefile
@ = "Microsoft Word Document"
HKCR\exefile\shell\open
@ = "&Open"
W32/Pesin-D will add the text "BootWarn=0" and "BootKeys=0" to the system file C:\msdos.sys and will create the file C:\~Temp.doc which it will then open.
The worm then remains dormant, monitoring the registry changes it has made.
The worm may delete all files in the C:\Program Files\ folder.
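The persistence entries, dropped files and renamed system tools listed above are the indicators a responder would sweep a machine for. The following is an added example, not Sophos code: it transcribes those indicators into a small checker that matches a `reg export`-style text dump and a file listing against them. The registry export and file list are constructed samples, `%Windows system%` is assumed to be C:\WINDOWS\System32, and the .reg parser handles only the string and dword value forms needed here. The Explorer `Hidden`/`HideFileExt` settings are reported as weak indicators because ordinary users also set them.

```python
import re

# Indicators transcribed from the Sophos description of W32/Pesin-D.
# Hives are written out in full because that is how `reg export` writes them.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {
    "Load Service": r"C:\WINDOWS\System32\SvHost.exe /run",
    "Performance": r"C:\Windows\MyHeart.exe /run",
}
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
START_PAGE = "www.jn01.cjb.net"
EXEFILE = r"HKEY_CLASSES_ROOT\exefile"
EXEFILE_DESC = "Microsoft Word Document"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
ADVANCED_VALUES = {"Hidden": "dword:00000000", "HideFileExt": "dword:00000001"}  # weak

# Drop locations (assumption: %Windows system% is C:\WINDOWS\System32), lower-cased.
DROPPED_FILES = {
    r"c:\windows\system32\svhost.exe",
    r"c:\windows\myheart.exe",
    r"c:\my documents\ini virus.exe",
    r"c:\program files\accessories\clean.exe",
    r"c:\~temp.doc",
}
# Names the worm gives the displaced msconfig.exe, regedit.exe and explorer.exe.
RENAMED_TOOLS = {"quend.exe", "blink.exe", "bimm.exe"}

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\ becomes \ and \" becomes "."""
    return re.sub(r"\\(.)", lambda m: m.group(1), s)


def parse_reg_export(text):
    """Parse a .reg-style export into {key: {value_name: data}}.

    Handles [key] headers, "name"="string", @="string" and "name"=dword:...;
    anything else on a value line is kept as raw text.
    """
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        result[current][name] = data
    return result


def check_registry(reg):
    """Return (severity, key, value_name, data) for each indicator present.
    Lookups are case-insensitive, as the registry itself is."""
    lower = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in reg.items()}
    hits = []
    run = lower.get(RUN_KEY.lower(), {})
    for name, expected in RUN_VALUES.items():
        data = run.get(name.lower())
        if data is not None and data.lower() == expected.lower():
            hits.append(("strong", RUN_KEY, name, data))
    start = lower.get(IE_MAIN.lower(), {}).get("start page")
    if start is not None and START_PAGE in start.lower():
        hits.append(("strong", IE_MAIN, "Start Page", start))
    desc = lower.get(EXEFILE.lower(), {}).get("@")
    if desc is not None and desc.lower() == EXEFILE_DESC.lower():
        hits.append(("strong", EXEFILE, "@", desc))
    adv = lower.get(ADVANCED.lower(), {})
    for name, expected in ADVANCED_VALUES.items():
        data = adv.get(name.lower())
        if data is not None and data.lower() == expected.lower():
            hits.append(("weak", ADVANCED, name, data))
    return hits


def check_files(paths):
    """Return paths that are Pesin-D drop locations or its renamed system tools."""
    hits = []
    for path in paths:
        lp = path.lower()
        if lp in DROPPED_FILES or lp.rsplit("\\", 1)[-1] in RENAMED_TOOLS:
            hits.append(path)
    return hits


# Constructed sample export and file listing, not taken from a real infection.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Load Service"="C:\\WINDOWS\\System32\\SvHost.exe /run"
"Performance"="C:\\Windows\\MyHeart.exe /run"
"UpdateAgent"="C:\\Program Files\\Example\\agent.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="www.jn01.cjb.net"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"HideFileExt"=dword:00000001

[HKEY_CLASSES_ROOT\exefile]
@="Microsoft Word Document"
'''

SAMPLE_FILES = [
    r"C:\WINDOWS\System32\SvHost.exe",   # the worm's copy
    r"C:\WINDOWS\System32\svchost.exe",  # legitimate service host, must not match
    r"C:\My Documents\Ini Virus.exe",
    r"C:\Windows\bimm.exe",              # displaced explorer.exe
    r"C:\Program Files\Accessories\wordpad.exe",
]

if __name__ == "__main__":
    for hit in check_registry(parse_reg_export(SAMPLE_REG)):
        print("registry", *hit)
    for path in check_files(SAMPLE_FILES):
        print("file", path)
```

Against the sample data the checker reports the two Run values, the changed start page, the altered `exefile` description and the two weak Explorer settings, and flags SvHost.exe, Ini Virus.exe and bimm.exe while leaving the genuine svchost.exe alone; the one-character difference between the worm's SvHost.exe and the real svchost.exe is exactly why the match is on the full path rather than on a loose substring.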
