Let me share some solutions here: W32.Temphid is a worm that will propagate on removable USB drives by creating an autorun.inf file on the root of the infected computer. When accessed, W32.Temphid will run and find other drives to infect, such as newly inserted media drives.
*Technical Information:*
Alias: Troj/Stuxnet-A
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Manual Removal of W32.Temphid:
1. Temporarily disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Reboot the computer in Safe Mode.
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/modify any values added to the registry (refer below).
6. Exit the registry editor and restart the computer.

*Technical Details and Additional Information:*

*Other functionalities of this Trojan:*
- Injects code into some processes
- It can hide files by overwriting the APIs
- Modifies the Windows registry

*Malicious Files Added by W32.Temphid:*
%System%\drivers\mrxcls.sys
%System%\drivers\mrxnet.sys
%DriveLetter%\~WTR[FOUR NUMBERS].tmp
%DriveLetter%\~WTR4132.tmp
%DriveLetter%\~WTR4141.tmp

*Associated Windows Registry Entries:*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\"ImagePath" = "%System%\drivers\mrxcls.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\"ImagePath" = "%System%\drivers\mrxnet.sys"

More information on this from Symantec can be found at the URL below:
http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99&tabid=2

Hope this information is helpful...

Regards
Amardeep T

On Sat, Jul 17, 2010 at 2:53 PM, Sandeep Thakur <[email protected]> wrote:
> Microsoft Windows is prone to a vulnerability that may allow a file to
> automatically run because the software fails to handle 'LNK' files properly.
>
> An attacker may exploit this issue to execute arbitrary code. The attacker
> must entice a victim into viewing a specially crafted shortcut.
>
> This issue affects Microsoft Windows XP, Windows Vista, Windows 7, Windows
> Server 2003, and Windows Server 2008.
>
> *Malicious Usage/Exploitation:*
> This issue is being exploited in the wild as malware W32.Temphid.
>
> *Solution/Fixes:*
> Currently there are no vendor-supplied patches for this issue as per
> Security Focus.
>
> *NOTE:*
> Team, please do let us know if you find such malicious files so that we can
> do some research and provide removal or prevention techniques, as this
> is the latest and yet to be known to others.
>
> --
> You received this message because you are subscribed to the Google Groups
> "nforceit" group.
> To post to this group, send an email to [email protected].
> To unsubscribe from this group, send email to
> [email protected]<nforceit%[email protected]>
> .
> For more options, visit this group at
> http://groups.google.com/group/nforceit?hl=en-GB.
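A read-only triage check for the indicators listed in the thread, written here as an added example (it is not code from either message or from Symantec): it looks for the two driver files under %System%\drivers, the MRxCls/MRxNet service keys and their ImagePath values, and Autorun.inf plus ~WTR<four digits>.tmp files on removable drives. Using Win32_LogicalDisk (DriveType 2 = removable) and these particular cmdlets is my choice, and it assumes Windows PowerShell 3 or later.

```powershell
# Added example, not code from the original thread. Read-only: reports indicators, removes nothing.
function Get-TemphidIndicators {
    $system   = [Environment]::GetFolderPath('System')      # %System%, usually C:\Windows\System32
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Driver files the post lists under %System%\drivers
    foreach ($name in 'mrxcls.sys', 'mrxnet.sys') {
        $path = Join-Path $system "drivers\$name"
        if (Test-Path -LiteralPath $path) { $findings.Add("Driver file present: $path") }
    }

    # 2. Service keys from the post, with the ImagePath value they point at
    foreach ($svc in 'MRxCls', 'MRxNet') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (Test-Path -LiteralPath $key) {
            $img = (Get-ItemProperty -LiteralPath $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            $findings.Add("Service key present: $key (ImagePath = '$img')")
        }
    }

    # 3. Removable drives (DriveType 2): Autorun.inf at the root and ~WTR<four digits>.tmp files.
    #    -Force includes hidden/system files, which is how such dropped files are usually marked.
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        $root = $disk.DeviceID + '\'
        if (Test-Path -LiteralPath (Join-Path $root 'autorun.inf')) {
            $findings.Add("Autorun.inf at root of removable drive $root")
        }
        Get-ChildItem -LiteralPath $root -Filter '~WTR*.tmp' -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^~WTR\d{4}\.tmp$' } |
            ForEach-Object { $findings.Add("Dropped file on removable drive: $($_.FullName)") }
    }
    return $findings
}

$hits = Get-TemphidIndicators
if ($hits.Count -eq 0) {
    Write-Output 'No W32.Temphid indicators found.'
} else {
    Write-Output "W32.Temphid indicators found: $($hits.Count)"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

Because the post notes the trojan hides files by overwriting APIs, a check run on a live infected system may miss them; running it after rebooting into Safe Mode (step 3 of the removal list) gives more trustworthy results.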
