Worm.Win32.Dorkbot_460d215e2a

by malwarelabrobot on February 3rd, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Worm.Win32.Dorkbot (VIPRE), Trojan.Win32.Loktrom!IK (Emsisoft), Worm.Win32.Dorkbot.FD, WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericDNSBlocker.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR, BankerGeneric.YR, GenericProxy.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector


The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.


MD5: 460d215e2ac7d46fbc1cc4099a2b2de9
SHA1: 719e33735cac4eb801f32b9fe36278880e1691c2
SHA256: 9876af85e1a8e0f76509ea091d1cb7531237dd66583764d8bc0626f124dfa333
SSDeep: 3072:8Z3emkuuW1Kaq2pmyYWAdkN5S1Fov0XoWW1JCUrAagcGRP:8RemHuWbmpoSsv0XoWW1rR8B
Size: 186880 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1995-12-11 12:36:30 (PE header timestamp; it predates the Dorkbot family by many years, so it is not a reliable build date)
Analyzed on: Windows7 SP1 64-bit


Summary:

Worm. A program that replicates primarily over networks or removable drives.

Payload

Behaviour: Description
WormAutorun: A worm that spreads via removable drives. It writes a copy of its executable to every removable drive and creates an "autorun.inf" script that points at it. Where AutoRun is still honoured, the copy is executed as soon as the user opens the drive in Windows Explorer; on Windows 7 (the analysis platform) with update KB971029 applied, and on every later Windows version, AutoRun is disabled for removable drives, so the autorun.inf alone will not launch the worm and the dropped files serve as an indicator rather than an active infection vector.
IRCBot: A bot that receives commands from its command-and-control servers over an IRC channel.
MSNWorm: A worm that sends copies of itself to contacts through MSN Messenger.
DNSBlocker: A program that blocks resolution of designated names so that the user cannot reach specific domains or web sites.
UDPFlooder: A program that performs a UDP flood, a denial-of-service attack that sends a large number of UDP packets to random ports on a remote host, each of which the host has to process and typically answer with an ICMP "port unreachable" message.
SYNFlooder: A program that performs a SYN flood, a denial-of-service attack in which a succession of TCP SYN requests is sent to the target so that half-open connections consume enough server resources to make the system unresponsive to legitimate traffic.
Trojan-Proxy: A program that starts a SOCKS4 proxy server on a designated TCP port, letting the operator relay traffic through the infected machine.
USBInfector: A program that registers for device-arrival notifications with RegisterDeviceNotification so that it is told when a USB device is plugged in, then copies itself to the newly attached device.


Process activity

The Worm creates the following process(es):

WMIADAP.EXE:2344
%original file name%.exe:1012
IEXPLORE.EXE:800
IEXPLORE.EXE:2408

The Worm injects its code into the following process(es):

mspaint.exe:588

File activity

The process WMIADAP.EXE:2344 makes changes in the file system. (WMIADAP.EXE is the Windows WMI performance-counter adapter; the WmiApRpl files below are its normal output when it rebuilds the performance library. They were written during the analysis window but are not dropped by the Worm.)
The Worm creates and/or writes to the following file(s):

C:\Windows\System32\wbem\Performance\WmiApRpl_new.h (363 bytes)
C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini (924 bytes)

The Worm deletes the following file(s):

C:\Windows\System32\wbem\Performance\WmiApRpl.h (0 bytes)

The process %original file name%.exe:1012 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\ScreenSaverPro.scr (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\temp.bin (673 bytes)

The process mspaint.exe:588 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Itiyig.exe (673 bytes)

The Worm deletes the following file(s):

C:\%original file name%.exe (0 bytes)

The process IEXPLORE.EXE:800 makes changes in the file system. (The files below are Internet Explorer's own session-recovery store and temporary files, created because the Worm started a browser instance; they do not contain Worm code.)
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DF043008CE3228AF66.TMP (3839 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5B66229C-8CE5-11E3-A4E7-000C29A8BD90}.dat (12029 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DFBD1598FF9BFB8D4B.TMP (4415 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5B66229B-8CE5-11E3-A4E7-000C29A8BD90}.dat (12781 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E8FD4644-8CDB-11E3-A7B7-000C29A8BD90}.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E8FD4643-8CDB-11E3-A7B7-000C29A8BD90}.dat (0 bytes)

Registry activity

The process %original file name%.exe:1012 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry (the Internet Settings, Wpad, ZoneMap and Connections values are the ones WinINet writes when it is first initialised inside a process; they show that the Worm loaded the Windows HTTP client library rather than being Worm-specific configuration):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "FB DD 9A 1B F2 20 CF 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "4C 21 3C F7 E8 20 CF 01"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2B 00 00 00 09 00 00 00 00 00 00 00"

To run itself each time Windows is booted, the Worm adds the following value, pointing to its dropped copy, to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\ScreenSaverPro.scr"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"

The process mspaint.exe:588 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "32 FB 57 28 F2 20 CF 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionReason" = "1"
"WpadDecisionTime" = "C9 E6 6B 20 F2 20 CF 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2D 00 00 00 09 00 00 00 00 00 00 00"

To run itself each time Windows is booted, the Worm adds the following value, pointing to its dropped copy, to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Itiyig" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Itiyig.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"

The process IEXPLORE.EXE:800 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"CompatibilityFlags" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"FullScreen" = "no"

[HKCU\Software\Microsoft\Internet Explorer\Recovery\AdminActive]
"{5B66229B-8CE5-11E3-A4E7-000C29A8BD90}" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"
"WpadNetworkName" = "Network 2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore]
"LoadTimeArray" = "88 01 00 00 2D 00 00 00 3B 00 00 00 5F 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "FB DD 9A 1B F2 20 CF 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore]
"Type" = "3"
"Time" = "DE 07 02 00 01 00 03 00 0F 00 0A 00 31 00 5D 03"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore]
"Type" = "3"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Window_Placement" = "2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionTime" = "C9 E6 6B 20 F2 20 CF 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore]
"Time" = "DE 07 02 00 01 00 03 00 0F 00 0A 00 32 00 5F 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2C 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
"SecuritySafe" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore]
"Count" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore]
"Count" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore]
"LoadTimeArray" = "02 01 00 00 05 00 00 00 04 00 00 00 0B 00 00 00"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Internet Explorer\Recovery\AdminActive]
"{E8FD4643-8CDB-11E3-A7B7-000C29A8BD90}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"

The process IEXPLORE.EXE:2408 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry (the Internet Explorer\GPU values are written by the browser's own first-run graphics probe, not by the Worm; incidentally, vendorId 0x15ad and "Hypervisor detected" show the analysis host was a VMware virtual machine):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Internet Explorer\GPU]
"DeviceID" = "0"
"AdapterInfo" = "vendorId=0x15ad,deviceID=0x405,subSysID=0x40515ad,revision=0x0,version=7.14.1.5025hypervisor=Hypervisor detected (No SLAT)"
"DXFeatureLevel" = "0"
"Wow64-DeviceId" = "0"
"Wow64-SubSysId" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Internet Explorer\GPU]
"Wow64-VersionLow" = "0"
"Wow64-VendorId" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Internet Explorer\GPU]
"VersionHigh" = "0"
"Wow64-DXFeatureLevel" = "0"
"Wow64-Revision" = "0"
"SubSysId" = "0"
"Wow64-SoftwareFallback" = "0"
"Wow64-VersionHigh" = "0"
"VendorId" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Internet Explorer\GPU]
"Revision" = "0"
"VersionLow" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Network activity (URLs)

No activity has been detected. This reflects only the sandbox run: an IRC bot that produces no traffic has usually failed to reach its command-and-control server or has recognised the analysis environment, so the absence of URLs here must not be read as the sample having no network capability.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable to each drive and creates an "autorun.inf" script pointing at it; the script launches the copy when the drive is opened in Windows Explorer on systems where AutoRun is still enabled for removable media (Windows 7 with KB971029 and all later versions ignore it).
A program can register a device notification with RegisterDeviceNotification so that it is notified when a USB device is plugged in; the worm then copies itself to the newly attached device.
A worm can spread its copies through MSN Messenger.
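What a worm-style autorun.inf looks like and how to triage one, as an added example that is not part of the Lavasoft report. The sample autorun.inf embedded in the script is constructed to resemble a USB worm's; the report does not reproduce the real file, and the RECYCLER folder and the reuse of the Itiyig.exe name are illustrative. The parser is deliberately permissive because worms pad these files with junk lines and odd casing to defeat signature matching. A drive carrying such a file is an indicator even where AutoRun is disabled: Windows 7 with KB971029 and later versions will not execute it, but the autorun.inf plus a hidden copy shows that an infected host has touched the drive.

```python
"""Triage an autorun.inf for the launch tricks USB worms rely on.

Added example, not code from the Lavasoft report. Run with no arguments to
analyse the constructed sample below, or pass one or more drive roots
(e.g. E:\\ or /media/usb) to inspect real removable drives.
"""
import re
import sys
from pathlib import Path

# Keys whose value is executed when Windows honours AutoRun on the drive.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command= entries hijack the verbs on the drive's context menu
# (Open, Explore, ...), so the worm runs even when the user right-clicks the drive.
COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXEC_EXT_RE = re.compile(r"\.(exe|scr|com|bat|cmd|pif|vbs|js)$", re.IGNORECASE)
# Folders Explorer hides by default; worms favour them for the dropped copy.
HIDDEN_DIR_RE = re.compile(
    r"(^|[\\/])(RECYCLER|\$RECYCLE\.BIN|System Volume Information)([\\/]|$)",
    re.IGNORECASE,
)

# Constructed sample in the style of a USB worm's autorun.inf (not the real file).
SAMPLE_AUTORUN_INF = r"""
[autorun]
;junk lines and odd casing are common, so the parser is deliberately permissive
OPEN=RECYCLER\Itiyig.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\Itiyig.exe
shell\explore\command=RECYCLER\Itiyig.exe
"""


def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}; other sections are ignored."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """(key, program) pairs for every entry that would execute something."""
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or COMMAND_RE.match(key):
            parts = value.split()
            program = parts[0].strip('"') if parts else ""
            targets.append((key, program))
    return targets


def suspicious_findings(entries):
    """Human-readable reasons this autorun.inf looks like a worm's, empty if benign."""
    findings = []
    for key, program in launch_targets(entries):
        if EXEC_EXT_RE.search(program):
            findings.append(f"{key}= runs executable {program}")
        if HIDDEN_DIR_RE.search(program):
            findings.append(f"{key}= target is inside a hidden system folder: {program}")
    # Worms set action= to the text of Explorer's own "open folder" entry so the
    # AutoPlay prompt looks like the normal choice.
    if "open folder" in entries.get("action", "").lower():
        findings.append("action= mimics the built-in 'Open folder to view files' entry")
    return findings


def check_drive_root(root):
    """Findings for a mounted drive: parse <root>/autorun.inf and verify its targets exist."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    entries = parse_autorun(inf.read_text(encoding="latin-1"))
    findings = suspicious_findings(entries)
    for key, program in launch_targets(entries):
        if program and (root / program.replace("\\", "/")).is_file():
            findings.append(f"{key}= target is present on the drive: {program}")
    return findings


if __name__ == "__main__":
    if sys.argv[1:]:
        for drive in sys.argv[1:]:
            for line in check_drive_root(drive) or [f"{drive}: no autorun.inf or nothing suspicious"]:
                print(line)
    else:
        for line in suspicious_findings(parse_autorun(SAMPLE_AUTORUN_INF)):
            print(line)
```

On a clean drive the script reports nothing; on the constructed sample it reports each of the three launch keys twice (an executable target inside RECYCLER) plus the mimicked action text.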


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WMIADAP.EXE:2344
    %original file name%.exe:1012
    IEXPLORE.EXE:800
    IEXPLORE.EXE:2408
    mspaint.exe:588 (a legitimate Windows binary hosting the Worm's injected code; it is the process that drops Itiyig.exe)

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created by the Worm:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\ScreenSaverPro.scr (673 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\temp.bin (673 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Itiyig.exe (673 bytes)

    The remaining files recorded during analysis are written by Windows components that ran while the Worm was active, not by the Worm itself; deleting them is harmless but does not remove the infection:

    C:\Windows\System32\wbem\Performance\WmiApRpl_new.h (363 bytes) and WmiApRpl_new.ini (924 bytes): performance-counter library rebuilt by WMIADAP.EXE
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DF043008CE3228AF66.TMP (3839 bytes) and ~DFBD1598FF9BFB8D4B.TMP (4415 bytes): Internet Explorer temporary files
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5B66229C-8CE5-11E3-A4E7-000C29A8BD90}.dat (12029 bytes) and RecoveryStore.{5B66229B-8CE5-11E3-A4E7-000C29A8BD90}.dat (12781 bytes): Internet Explorer session-recovery store

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Screen Saver Pro 3.1" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\ScreenSaverPro.scr"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Itiyig" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Itiyig.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.
  7. Because the sample is also classified as a Banker, treat any credentials typed on the machine while it was infected as compromised and change them from a clean system.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
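A host triage script for the persistence and dropped-file indicators listed in this report, added here as an example and not part of the Lavasoft page. The Run value names, profile-relative file paths and SHA-256 are taken from the report above; the user name alice and the entries in CONSTRUCTED_RUN_VALUES are constructed for illustration. The hash check applies only to the originally submitted file: the copies the Worm drops under %APPDATA% are recorded at 673 bytes and will not match. assess() is a pure function so it can be exercised on any system with constructed input; collect_windows() reads the live Run key with winreg and is only called on Windows.

```python
"""Check a Windows user profile for the Dorkbot indicators in this report.

Added example, not code from the Lavasoft report. On Windows it reads the
current user's Run key and %USERPROFILE%; elsewhere it evaluates constructed
data so the matching logic can be tested offline.
"""
import hashlib
import os
import re
import sys
from pathlib import Path

# Indicators from the report above.
SAMPLE_SHA256 = "9876af85e1a8e0f76509ea091d1cb7531237dd66583764d8bc0626f124dfa333"
RUN_VALUE_NAMES = {"Screen Saver Pro 3.1", "Itiyig"}
DROPPED_FILES = (
    r"AppData\Roaming\ScreenSaverPro.scr",
    r"AppData\Roaming\temp.bin",
    r"AppData\Roaming\Microsoft\Itiyig.exe",
)
# Heuristic: Run values that start something directly out of the roaming profile
# are unusual for installed software and worth review even without a known name.
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)

# Constructed Run-key contents for a hypothetical user "alice" (not from the report).
CONSTRUCTED_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Screen Saver Pro 3.1": r"C:\Users\alice\AppData\Roaming\ScreenSaverPro.scr",
    "Updater": r"C:\Users\alice\AppData\Roaming\svc\updater.exe",
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Stream the file so large binaries do not have to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def assess(run_values, existing_files, hashes):
    """Pure matching logic.

    run_values:     {Run value name: command line}
    existing_files: profile-relative paths that exist on disk
    hashes:         {absolute path: sha256 hex} for files worth comparing
    """
    findings = []
    for name, cmd in run_values.items():
        if name in RUN_VALUE_NAMES:
            findings.append(f"Run value matches report: {name} = {cmd}")
        elif ROAMING_RE.search(cmd):
            findings.append(f"Run value launches from roaming profile: {name} = {cmd}")
    present = {p.lower() for p in existing_files}
    for rel in DROPPED_FILES:
        if rel.lower() in present:
            findings.append(f"dropped file present: {rel}")
    for path, digest in hashes.items():
        if digest.lower() == SAMPLE_SHA256:
            findings.append(f"file hash matches submitted sample: {path}")
    return findings


def collect_windows():
    """Read HKCU\\...\\Run and look for the dropped files; Windows only."""
    import winreg  # only available on Windows

    run_values = {}
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    try:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                break
            run_values[name] = str(value)
            index += 1
    finally:
        winreg.CloseKey(key)
    profile = Path(os.environ["USERPROFILE"])
    existing = [rel for rel in DROPPED_FILES if (profile / rel).is_file()]
    hashes = {str(profile / rel): sha256_file(profile / rel) for rel in existing}
    return run_values, existing, hashes


if __name__ == "__main__":
    if sys.platform == "win32":
        findings = assess(*collect_windows())
    else:
        findings = assess(CONSTRUCTED_RUN_VALUES,
                          [r"AppData\Roaming\ScreenSaverPro.scr"], {})
    for line in findings or ["no indicators found"]:
        print(line)
```

Run it in the context of the affected user, since the report's persistence lives under HKCU and %APPDATA%; a run as a different account will not see those keys and files. The OneDrive entry in the constructed data is there to show the roaming-profile heuristic does not flag ordinary per-user software installed under AppData\Local.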