Sophos

W32/Atax-A

Aliases
  • Trojan-Dropper.Win32.BAT.a
  • WORM_AGENT.ADYN

How it spreads
  • Removable storage devices
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from February 2008 (4.26)
Protection available since 13 December 2007 02:23:38 (GMT)
Detected by All Sophos products

More Information

W32/Atax-A is a worm for the Windows platform.

When first run, the worm copies itself to the following locations:

<Current folder>\100% user.exe
<Root>\VenoM.666\Explorer.exe
<User>\SendTo\Disco extraible.pif
<User>\SendTo\Documendos borrados de user.exe
<User>\SendTo\Documentos compartidos.scr
<User>\SendTo\Mis documetos.exe
<User>\SendTo\Papelera de reciclaje compartida.ex
<System>\winlogon.exe
<System>\windows.exe

W32/Atax-A also creates the following files:

<Temp>\bt<random numbers>.bat (detected as W32/Atax-A)
<User>\SendTo\Game Over 2323.txt (can be deleted)
<User>\VenoM.txt (can be deleted)
<User>\autorun.inf (detected as W32/Atax-A)
<User>\desktop.inf (can be deleted)
<Root>\autorun.inf (detected as W32/Atax-A)

The worm attempts to print VenoM.txt. It is an ASCII text file containing the following:

"El juego a terminado. Tu has sido derrotado por VenoM (email address deleted)"

This translates roughly to "The game is over. You have been defeated by VenoM."

W32/Atax-A sets the following registry entries. The Run value (named to resemble the legitimate ctfmon.exe entry) restarts the worm at logon; the Policies values lock the user out of Folder Options, Registry Editor and Task Manager; the _VenoM_Software_ key is an infection marker whose value name and data read "estas infectado", Spanish for "you are infected"; and the Explorer\Advanced values keep hidden files, file extensions and protected operating system files out of view so the dropped files are not noticed:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CFTMON.EXE
<System>\winlogon.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\_VenoM_Software_<random numbers>\Virus
estas
infectado

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HiddenFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
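The following PowerShell script is an added triage example, not Sophos tooling and not part of the original analysis. It checks a host for the dropped files listed under "copies itself" and "also creates", the autorun.inf spread vector on removable drives, and the registry entries listed above, and with -RestoreSettings it removes the three policy values and makes hidden files, extensions and protected system files visible again. The Sophos placeholders are mapped to the usual Windows special folders (<System> to the System32 directory, <Root> to that drive's root, <User> to the user profile); that mapping, the script name and the switch name are assumptions of this example.

```powershell
# Added triage script for the W32/Atax-A indicators described on this page.
# Not Sophos code. Read-only unless -RestoreSettings is given. Run from an
# elevated PowerShell prompt on the suspect machine.
[CmdletBinding()]
param([switch]$RestoreSettings)

$system = [Environment]::GetFolderPath('System')        # assumed mapping for <System>
$root   = [IO.Path]::GetPathRoot($system)               # assumed mapping for <Root>
$user   = [Environment]::GetFolderPath('UserProfile')   # assumed mapping for <User>
$sendTo = [Environment]::GetFolderPath('SendTo')        # <User>\SendTo
$findings = New-Object System.Collections.Generic.List[string]

# Dropped files taken from the description. <System>\winlogon.exe is deliberately
# left out: a file of that name exists on every healthy system, so its presence
# proves nothing. It is covered below through the Run value that launches it.
$droppedFiles = @(
    (Join-Path $root   'VenoM.666\Explorer.exe'),
    (Join-Path $sendTo 'Disco extraible.pif'),
    (Join-Path $sendTo 'Documendos borrados de user.exe'),
    (Join-Path $sendTo 'Documentos compartidos.scr'),
    (Join-Path $sendTo 'Mis documetos.exe'),
    (Join-Path $sendTo 'Papelera de reciclaje compartida.ex'),
    (Join-Path $sendTo 'Game Over 2323.txt'),
    (Join-Path $system 'windows.exe'),
    (Join-Path $user   'VenoM.txt'),
    (Join-Path $user   'autorun.inf'),
    (Join-Path $user   'desktop.inf'),
    (Join-Path $root   'autorun.inf')
)
foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path) { $findings.Add("file present: $path") }
}
# <Temp>\bt<random numbers>.bat: wildcard on the random part, -Force so hidden files are listed.
Get-ChildItem -Path (Join-Path $env:TEMP 'bt*.bat') -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("file present: $($_.FullName)") }
# autorun.inf on removable drives (DriveType 2) is the USB spread vector.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) { $findings.Add("autorun.inf on removable drive: $inf") }
}

# Persistence: a Run value named CFTMON.EXE. Note the spelling: the legitimate
# text-services entry is ctfmon.exe, and the real winlogon.exe is never started
# from a Run key at all, so any value pointing at winlogon.exe is suspect.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['CFTMON.EXE']) {
    $findings.Add("Run value CFTMON.EXE -> $($run.'CFTMON.EXE')")
}
# Infection marker key; the name carries random digits, so match with a wildcard.
Get-ChildItem -Path 'HKCU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '_VenoM_Software_*' } |
    ForEach-Object { $findings.Add("marker key: $($_.Name)") }

# Policies that lock the user out of Folder Options, regedit and Task Manager.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoFolderOptions')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableRegistryTools', 'DisableTaskMgr')
}
foreach ($key in $policies.Keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $policies[$key]) {
        if ($props -and $props.$name -eq 1) {
            $findings.Add("policy set: $key\$name = 1")
            if ($RestoreSettings) { Remove-ItemProperty -Path $key -Name $name }
        }
    }
}

# Hidden=2, HiddenFileExt=1 and ShowSuperHidden=0 are the Windows defaults, so
# they are not evidence on their own; the worm re-applies them to keep its files
# out of sight. With -RestoreSettings they are flipped so the files show in Explorer.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ($RestoreSettings) {
    Set-ItemProperty -Path $advanced -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -Path $advanced -Name HiddenFileExt   -Value 0 -Type DWord
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1 -Type DWord
}

if ($findings.Count -eq 0) { 'No W32/Atax-A indicators found.' } else { $findings }
```

Run it once without the switch to record what is present, then with -RestoreSettings before cleaning up; sign out and back in so Explorer re-reads the Advanced values. The script reports indicators only, it does not delete the dropped files or the Run value, since a file named winlogon.exe in the System directory must be compared against a known-good copy rather than removed blindly.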
