Tuesday, May 20, 2014

Autorun.aa Worm Attacks Computer and Will Not Be Removed By Anti-virus Program

Autorun.aa worm attack





OUTLINE
  • Autorun.aa’s technical information
  • Autorun.aa controlled machine
  • Autorun.aa’s harmful deeds
  • Remove Autorun.aa worm manually
  • Learn Autorun.aa’s dissemination routine to prevent its re-image


Technical Information of Autorun.aa


Autorun.aa is actually Worm/autorun.aa. According to Global PC Support Center, it is written by VB language and developed by Borland Delphi 6.0 – 7.0. As its name suggests, Autorun.aa is a U disk parasite. When lands on a removable device or machine, it would drop down autorun.inf which shows as VBScript Script File to simply every disk/partition so as to confuse build-in security mechanism and guarantee automatic running.



Autorun.aa Affection Scenario

  1. Ads will pop up from nowhere and will not stop.
  2. The Autorun.aa affected machine cannot be turned on until several reboots have been tried.
  3. Some strange but verisimilar messages emerge somehow to ask download something.
  4. The hidden file functionality is modified by Autorun.aa to hide up almost everything on the affected machine.
  5. CPU is considerably consumed to result in a sluggish machine and periodical freezes.
  6. Additional infections might very well be detected before long.


Autorun.aa Harmful Deeds


All the above listed unpleasant scenarios are serving for one and only goal – money. By hogging plenty of CPU to keep the resource busy and compromising internal functionality, Autorun.aa becomes capable of drawing rights from user to access the confidential information including account, password, log-in credentials and the like, connecting to designated website/remote server to load down components or downloading extra infection for profitable commission.



Remove Autorun.aa Manually [Expert Guide]


Autorun.aa requires manual removal method rather than automatic one as it is highly elusive. Most of the dropped down items resemble the system ones, such as autorun.inf, desktop.ini that helps restore the deleted items by victims.

Take one case for example, Autorun.aa once disguises itself as an information loading file (“C:\Documents and Settings\Owner.LENOVO-F93A791D\Local Settings\Temporary Internet Files\Content.IE5\6AZHH7HN\pps[1].exe)

Besides, Autorun.aa would browse the build-in drives and pivotal executables after drawing rights from dld.dat file under NTFS disk so as to disable the corresponding services and remove the image hijack under DataBase. As a result, the original system files in System, Microsoft Shared folder under %Program Files%\Common Files\ will be replaced by the ones generated by Autorun.aa.


There’s no way for artificial anti-virus programs to tell the difference in such case. Therefore, manual removal method is required. However, only computer savvy could follow the below instruction without mistake that could lead to unexpected and more complicated issues. Should you want exclusive help according to your concrete situation, please start a live chat and contact VilmaTech Online Support.
live chat to get expert help in removing Autorun.aa



A
enter into Safe Mode

Windows 7/Vista/XP
  • Restart the system to keep tapping on F8 functional key when the system is restarting.
  • Choose “Safe Mode” when “Windows Advanced Options Menu” occurs.
  • Hit Enter key.
access Safe Mode in Windows7/XP/Vista to remove Autorun.aa

Windows 8
  • Restart the system to hold down Shift key and keep tapping on F8 functional key when the system is restarting.
  • Choose ‘See advanced repair options’ >‘Troubleshoot’ >‘Advanced Options’ >‘Windows Startup Settings’ > hit “Restart” button to enter into Safe Mode.
access Safe Mode in Windows8 to remove Autorun.aa



B
use Task Manager to locate and end the suspicious processes.

1. bring up Task Manager
(tip: the access to Task Manager might be disabled by Autorun.aa, therefor it is recommended to adopt DOS command to bring up Task Manager.)

Win+R key combination > Run box > type “CMD” > Enter key > put in one of the three commands:
taskkill.exe /im msblast.exe
taskkill.exe /im teekids.exe
taskkill.exe /im penis32.exe
> hit Enter key


2. use PID and other functionality to help locate suspicious items.

Access Task Manager > View > select columns > tick "PID" and "Path name" > go to open up System Information > end the process with path name directing to  Autorun.aa's path(according to the threat alert) or the path that doesn't belong to system.

use Task Manager to find out the processes related to Autorun.aa



C
unveil all hidden items to remove the items related to Autorun.aa.

Windows 7/XP/Vista - Control Panel > user accounts and family safety > Folder Options > View tab > tick ‘Show hidden files and folders’ > non-tick ‘Hide protected operating system files (Recommended)’ > OK button.

Windows 8 - Windows Explorer > View tab > tick ‘File name extensions’ and ‘Hidden items’ > OK button.
show hidden items on Windows8

%Program Files%\Common Files\
%DriveLetter%\
%SystemRoot%\system32\%Temp%\
%SystemDriver%\
C:\Windows
C:\Windows\System32
C:\windows\winstart.bat
C:\windows\wininit.ini
C:\windows\Autoexec.bat
C:\Users\[your username]\Documents\
C:\users\user\appdata\local\
C:\Program Files\

variable declarations
  • %SystemDriver% - the system division is "C:\" by default.          
  • %SystemRoot% - the directory of WINDOWS is known as“C:\Windows” by default.
  • %ProgramFiles% - the default installation directory of system programs defaults to“C:\ProgramFiles”.

(tip: how to locate the related items? One should find out the ones were created on the day when Autorun.aa was flagged by installed anti-virus program. To show the date, one should:

right click on the space of a window that is under inspection > select "Arrange by" > select "day")
show the date of the items related to Autorun.aa



How Autorun.aa Spreads?


Like any other worms, autorun.aa captures removable device and affect any connected system. According to survey, autorun.aa mainly adopts drive-by downloads:
  1. The worm piggybacks on counterfeit website with luring content to trap downloads or clicks.
  2. Autorun.aa is contained in attachment of an E-mail.
  3. The worm is bundled with rogueware (fake anti-virus program).
  4. The worm attacks loosely programmed applications/programs.
Apart from the above mentioned dissemination routines, Autorun.aa manages to take advantage of vulnerability in Microsoft IIS service and system to wage infiltration.


It should be noted that the depending on the Operating System installed, the directory displayed and the way to access certain place in this article might differ from what you observe when following these instructions on your computer. On the occurrence of additional infections and you don’t know what to do, you might either seek corresponding solution in virus reservoir or contact VilmaTech Online Support.  

 get expert help in removing Autorun.aa

Reference:

Remove Worm/autorun.aa That Keeps Returning, Effective Solution




No comments: