Sophos

W32/Dedmir-A

Aliases
  • Virus.Win32.Agent.j

Summary

How it spreads
  • Network shares
  • Web downloads
  • Peer-to-peer
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from July 2007 (4.19)
Protection available since 18 May 2007 00:38:58 (GMT)
Detected by All Sophos products

More Information

W32/Dedmir-A is a worm for the Windows platform.

W32/Dedmir-A spreads to other computers by dropping copies of itself into network shares, web-download directories and peer-to-peer (P2P) shared folders, relying on the user to run the lure file.

When first run W32/Dedmir-A copies itself to:

C:\WINDOWS\Winload.exe
C:\WINDOWS\system32\WinCab.exe

The following registry entries are created so that WinCab.exe (per-user Run key) and Winload.exe (machine-wide Run key) are launched at logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32Usr
<System>\WinCab.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update
<Windows>\Winload.exe

W32/Dedmir-A may create copies of itself under one or more of the following filenames:

- 3D Studio Max 6 3dsmax.exe
- ACDSee 10.exe
- Adobe Photoshop 10 crack.exe
- Adobe Photoshop 10 full.exe
- Adobe Premiere 10.exe
- Ahead Nero 8.exe
- Altkins Diet.doc.exe
- American Idol.doc.exe
- Arnold Best Matrix Screensaver new.scr
- Britney sex xxx.jpg.exe
- Britney Spears and Eminem porn.jpg.exe
- Britney Spears blowjob.jpg.exe
- Britney Spears cumshot.jpg.exe
- Britney Spears fuck.jpg.exe
- Britney Spears full album.mp3.exe
- Britney Spears porn.jpg.exe
- Britney Spears Sexy archive.doc.exe
- Britney Spears Song text archive.doc.exe
- Britney Spears.jpg.exe
- Britney Spears.mp3.exe
- Clone DVD 6.exe
- Cloning.doc.exe
- Cracks & Warez Archiv.exe
- Dark Angels new.pif
- Dictionary English 2004 - France.doc.exe
- DivX 8.0 final.exe
- Doom 3 release 2.exe
- E-Book Archive2.rtf.exe
- Eminem blowjob.jpg.exe
- Eminem full album.mp3.exe
- Eminem Poster.jpg.exe
- Eminem sex xxx.jpg.exe
- Eminem Sexy archive.doc.exe
- Eminem Song text archive.doc.exe
- Eminem Spears porn.jpg.exe
- Eminem.mp3.exe
- Full album all.mp3.pif
- Gimp 1.8 Full with Key.exe
- Harry Potter 1-6 book.txt.exe
- Harry Potter 5.mpg.exe
- Harry Potter all e.book.doc.exe
- Harry Potter e book.doc.exe
- Harry Potter game.exe
- Harry Potter.doc.exe
- How to hack new.doc.exe
- Internet Explorer 9 setup.exe
- Kazaa Lite 4.0 new.exe
- Kazaa new.exe
- Keygen 4 all new.exe
- Learn Programming 2004.doc.exe
- Lightwave 9 Update.exe
- Magix Video Deluxe 5 beta.exe
- Matrix.mpg.exe
- Microsoft Office 2003 Crack best.exe
- Microsoft WinXP Crack full.exe
- MS Service Pack 6.exe
- netsky source code.scr
- Norton Antivirus 2005 beta.exe
- Opera 11.exe
- Partitionsmagic 10 beta.exe
- Porno Screensaver britney.scr
- RFC compilation.doc.exe
- Ringtones.doc.exe
- Ringtones.mp3.exe
- Saddam Hussein.jpg.exe
- Screensaver2.scr
- Serials edition.txt.exe
- Smashing the stack full.rtf.exe
- Star Office 9.exe
- Teen Porn 15.jpg.pif
- The Sims 4 beta.exe
- Ulead Keygen 2004.exe
- Visual Studio Net Crack all.exe
- Win Longhorn re.exe
- WinAmp 13 full.exe
- Windows 2000 Sourcecode.doc.exe
- Windows 2003 crack.exe
- Windows XP crack.exe
- WinXP eBook newest.doc.exe
- XXX hardcore pics.jpg.exe

W32/Dedmir-A will copy itself to folders which have names containing the following strings:

- ear
- Favorites
- My Shared Folder
- onkey
- ownload
- ftp
- htdocs
- http
- icq
- kazaa
- lime
- morpheus
- mule
- my shared folderhar
- hared files
- pload
- usic
- syste
- orn
- oject
- uck
- shian
- etup
- nst
- ele
- ebu
- cume
- Shared

W32/Dedmir-A may create the files:

C:\Update.zip
D:\New.zip
E:\Winamp2007.zip
F:\TutorialSex.zip
I:\Office2007.zip
J:\InternetExplorer7.zip

Despite the .zip extension, these files are Microsoft cabinet (CAB) archives containing a copy of the W32/Dedmir-A worm; they do not open as ZIP files.
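The lure names, the folder substrings and the drive-root "zip" drops above can be turned into a simple file-listing check. The following is an added example, not Sophos code or anything from the write-up itself: it flags executables whose names carry a decoy extension (`.jpg.exe`, `.doc.exe`, `.mp3.pif` and so on) or one of a subset of the single-extension lure names, but only when they sit in a folder whose name contains one of the worm's target substrings, and it tests the drive-root archives by signature rather than by extension, since the page says they are cabinet files. Every path, file header and the `read_head` callback in it are constructed for illustration.

```python
"""Scan a file listing for the W32/Dedmir-A drop patterns: double-extension
lure names inside the share folders the worm targets, and .zip files at drive
roots that are really Microsoft cabinet (CAB) archives.  Added example, not
Sophos code; every path and file header below is constructed."""
import ntpath

# Folder-name substrings from the write-up, lowered for case-insensitive matching
# (the one entry that appears garbled in the listing is omitted).
FOLDER_STRINGS = ["ear", "favorites", "my shared folder", "onkey", "ownload", "ftp",
                  "htdocs", "http", "icq", "kazaa", "lime", "morpheus", "mule",
                  "hared files", "pload", "usic", "syste", "orn", "oject", "uck",
                  "shian", "etup", "nst", "ele", "ebu", "cume", "shared"]
EXEC_EXTS = (".exe", ".scr", ".pif")                            # what the lures really are
DECOY_EXTS = (".jpg", ".doc", ".mp3", ".txt", ".rtf", ".mpg")   # what they pretend to be
# Subset of the single-extension lure names listed above; extend from the full list.
KNOWN_NAMES = {"opera 11.exe", "internet explorer 9 setup.exe", "kazaa new.exe",
               "windows xp crack.exe", "ms service pack 6.exe", "screensaver2.scr"}
ROOT_ZIPS = {"update.zip", "new.zip", "winamp2007.zip", "tutorialsex.zip",
             "office2007.zip", "internetexplorer7.zip"}

# Constructed listing: path -> leading bytes of the file.  'MZ' is a PE header,
# 'MSCF' the CAB signature, 'PK\x03\x04' a genuine zip local-file header.
SAMPLE_FILES = {
    r"C:\Program Files\Kazaa\My Shared Folder\Britney Spears.jpg.exe": b"MZ\x90\x00",
    r"C:\Program Files\Kazaa\My Shared Folder\setup.exe": b"MZ\x90\x00",
    r"D:\Downloads\Opera 11.exe": b"MZ\x90\x00",
    r"C:\Documents and Settings\bob\My Pictures\holiday.jpg": b"\xff\xd8\xff\xe0",
    r"C:\Update.zip": b"MSCF\x00\x00\x00\x00",
    r"E:\Winamp2007.zip": b"PK\x03\x04",
}


def is_lure_name(filename):
    """True for 'X.jpg.exe'-style double extensions or a known single-extension lure."""
    low = filename.lower()
    if not low.endswith(EXEC_EXTS):
        return False
    if low in KNOWN_NAMES:
        return True
    stem, _ = ntpath.splitext(low)
    return stem.endswith(DECOY_EXTS)


def folder_targeted(path):
    """True if the directory part contains one of the worm's folder substrings."""
    folder = ntpath.dirname(path).lower()
    return any(s in folder for s in FOLDER_STRINGS)


def at_drive_root(path):
    """True for paths directly under a drive root such as C:\\Update.zip."""
    drive, _ = ntpath.splitdrive(path)
    return bool(drive) and ntpath.dirname(path).lower() == (drive + "\\").lower()


def is_cab(head):
    """Microsoft cabinet files begin with the signature 'MSCF', whatever the extension."""
    return head[:4] == b"MSCF"


def scan(paths, read_head):
    """paths: Windows paths; read_head(path) -> leading bytes of that file.
    Returns [(path, reason)] for each file matching a Dedmir-A drop pattern."""
    hits = []
    for p in paths:
        name = ntpath.basename(p).lower()
        if is_lure_name(name) and folder_targeted(p):
            hits.append((p, "lure executable in a targeted share folder"))
        elif name in ROOT_ZIPS and at_drive_root(p) and is_cab(read_head(p)):
            hits.append((p, ".zip at drive root is actually a CAB archive"))
    return hits


def scan_sample():
    """Run the scan over the constructed listing above."""
    return scan(SAMPLE_FILES, lambda p: SAMPLE_FILES[p])


if __name__ == "__main__":
    for path, reason in scan_sample():
        print(f"{reason}: {path}")
```

On a live host, `paths` would come from walking the share directories and `read_head` from `open(p, "rb").read(4)`; the signature check matters because the worm's archives carry a .zip extension that tools keyed on extension will misreport. Note that `setup.exe` in the Kazaa share is not flagged: the heuristic needs either a decoy double extension or a name from the list, so paste the full list from the write-up into `KNOWN_NAMES` for complete coverage.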

When executed, W32/Dedmir-A terminates running anti-virus and system monitoring applications.

W32/Dedmir-A sets the following registry entry, which disables the automatic startup of the SharedAccess service (a Start value of 4 is SERVICE_DISABLED):

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: the SharedAccess service hosts the Microsoft Internet Connection Firewall (ICF, called Windows Firewall from Windows XP SP2 onwards) and Internet Connection Sharing, so disabling its startup leaves the host without the built-in firewall after the next reboot.

The following registry entry is also set, which disables DCOM machine-wide (the default data is "Y"):

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
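The registry indicators on this page (the two Run values above, the SharedAccess Start value and the Ole EnableDCOM value) can be checked offline against a `reg export` taken from a suspect machine. The following is an added example, not Sophos code: the `.reg` excerpt embedded in it is constructed, the parser decodes only the string and dword value forms the indicators use, and the `INDICATORS` table simply restates the keys and data from the write-up.

```python
"""Check a Windows registry export (.reg) for the W32/Dedmir-A registry
indicators.  Added example, not Sophos code; the sample export below is
constructed, not captured from an infected host."""
import re

# Constructed .reg excerpt: the four indicator values plus one benign Run value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32Usr"="C:\\WINDOWS\\system32\\WinCab.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINDOWS\\Winload.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""

# (key, value name, predicate on the decoded data, description), from the write-up.
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Win32Usr",
     lambda d: str(d).lower().endswith("wincab.exe"), "WinCab.exe Run-key persistence"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Windows Update",
     lambda d: str(d).lower().endswith("winload.exe"), "Winload.exe Run-key persistence"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start",
     lambda d: d == 4, "SharedAccess (ICF/ICS) set to SERVICE_DISABLED"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM",
     lambda d: str(d).upper() == "N", "DCOM disabled machine-wide"),
]

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}.
    Only the forms the indicators use are decoded: "string" (with \\\\ unescaped)
    and dword:XXXXXXXX (to int).  Other value types are kept as raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith("dword:"):
            data = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def find_indicators(reg_text):
    """Return [(key, value_name, data, description)] for each indicator present.
    Registry key and value names are case-insensitive, so compare them lowered."""
    keys = parse_reg(reg_text)
    lowered = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in keys.items()}
    hits = []
    for key, name, pred, desc in INDICATORS:
        values = lowered.get(key.lower(), {})
        if name.lower() in values and pred(values[name.lower()]):
            hits.append((key, name, values[name.lower()], desc))
    return hits


if __name__ == "__main__":
    for key, name, data, desc in find_indicators(SAMPLE_REG):
        print(f"{desc}: {key}\\{name} = {data!r}")
```

Exports written by reg.exe are UTF-16LE, so read them with `open(path, encoding="utf-16")` before passing the text to `find_indicators`. Clean-up is the reverse of what the worm did, applied after the dropped executables are removed: delete the two Run values, set SharedAccess Start back to 2 (SERVICE_AUTO_START) and EnableDCOM back to "Y", then confirm the firewall service is running again.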
