2 viruses that destroy data

The following two computer worms operate on a cycle, triggering on a fixed day every month. They are extremely dangerous because data destroyed by these two viruses cannot be recovered.

The W32.Chir computer worm family

W32.Chir.B@mm is a computer worm that spreads via e-mail. It uses SMTP to send e-mail to the addresses it finds in .wab, .adc, .db, .doc and .xls files.

E-mails carrying the infected attachment usually have the following content:

From: @ yahoo.com or imissyou@btamail.net.cn

Subject: is coming!

Attachments: PP.exe

Once a machine is infected with W32.Chir.B@mm, the worm enumerates all local data drives and attacks files with the tml, .exe, and .scr extensions. Its most dangerous feature is that on the 1st of every month it automatically overwrites 4460 bytes of files with extensions such as .adc, .doc, and .xls. This makes Word and Excel files unreadable, and none of the victim's office documents will open.

Detailed description:

When the worm runs, it copies itself as a file named Runouce.exe into the C:\windows\system32 directory (on WinXP) or C:\winnt\system32 (on Win2k).

At the same time, the W32.Chir worm adds one entry to the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Runonce = Windows\System\Runouce.exe

As a result, the worm is launched every time Windows starts.

How to kill

- Turn off System Restore

- Restart in Safe Mode and scan all drives

- Edit the registry: go to Start -> Run, type regedit, then find and delete the entry "Runonce = Windows\System\Runouce.exe" under the following registry path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

- Restart the computer to complete the process.

The Worm/Generic computer worm family
(According to AVG's naming convention)

Worm/Generic.FX!CME-24 is a computer worm that spreads via e-mail attachments and also over peer-to-peer (P2P) networks. On the 3rd of every month it overwrites files with the extensions doc, xls, mdb, mde, ppt, pps, zip, rar, pdf, psd and dmp.

When the worm runs, it copies itself as files named Scanregw.exe, Net.exe, At.exe and Rundll16.exe into the Windows system directory at:

C:\windows\system32 (on WinXP) and C:\winnt\system32 (on Win2k)

It then registers the scanregw.exe file under an entry named ScanRegistry in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It spreads to e-mail addresses harvested from files that hold e-mail information, with extensions such as: HTM, DBX, EML, MSG, OFT, NWS, VCF, MBX, IMH, TXT and MSF. The message carries a spoofed sender address (possibly a bogus address). The subject and body of the e-mail are randomly generated by the virus. The attachment name varies, but the extension is usually *.pif or *.scr, and sometimes this extension is hidden.

How to kill

- Turn off System Restore

- Restart in Safe Mode and scan all drives

- Edit the registry: go to Start -> Run, type regedit, then find and delete the entries containing the following keywords: Scanregw.exe, Net.exe, At.exe, Rundll16.exe under the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

- Restart the computer to complete the process.

Tip: On the last day of the current month, you can also set the system date forward to the 4th of the following month. This may also avoid the activation of the two computer worms above.
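The registry step in both "How to kill" procedures can be done as a read-only check before anything is deleted. The script below is an added example, not part of the original article: it lists entries in the Run key whose command line references one of the file names given above. The function names and the sample entries are constructed for illustration.

```powershell
# Added example (not from the original article): read-only audit of the Run key
# for the file names this page associates with the two worms.
$RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Suspect = 'Runouce.exe', 'Scanregw.exe', 'Net.exe', 'At.exe', 'Rundll16.exe'

# Match a suspect name only as a whole file name (after a path separator, quote,
# space or start of string), so "MyNet.exe" does not hit "Net.exe".
$Names   = ($Suspect | ForEach-Object { [regex]::Escape($_) }) -join '|'
$Pattern = '(?i)(^|[\\/"\s])(' + $Names + ')($|["\s])'

function Get-RunEntries {
    # Read every value of the live Run key into a name -> command-line table.
    $key = Get-Item -Path $RunKey -ErrorAction Stop
    $entries = @{}
    foreach ($name in $key.GetValueNames()) {
        $entries[$name] = [string]$key.GetValue($name)
    }
    return $entries
}

function Find-SuspectRunEntry {
    param([hashtable]$Entries)
    foreach ($name in $Entries.Keys) {
        $data = [string]$Entries[$name]
        if ($data -match $Pattern) {
            [pscustomobject]@{
                ValueName = $name
                Data      = $data
                Matched   = $Matches[2]
            }
        }
    }
}

# Constructed sample entries, so the logic can be tried on a clean machine.
$sample = @{
    'Runonce'        = 'C:\WINDOWS\System\Runouce.exe'
    'ScanRegistry'   = 'scanregw.exe'
    'SecurityHealth' = '"C:\Windows\System32\SecurityHealthSystray.exe"'
    'Helper'         = 'C:\Tools\MyNet.exe -quiet'
}
Find-SuspectRunEntry -Entries $sample | Format-Table -AutoSize

# On a real system, audit the live key instead:
# Find-SuspectRunEntry -Entries (Get-RunEntries) | Format-Table -AutoSize
```

Net.exe and At.exe are also the names of legitimate Windows command-line tools, which is why the check looks at Run key entries rather than at files present in the system directory; review any hit before deleting it.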