Heular W32.Baki.C, W32.Baki.D
Category: Computer Worm
Active and Spreading
09 Nov 2007
The W32.Baki.A malware is a network-aware worm that spreads by copying itself to removable and local drives. It is also known to terminate several security-related processes running on the infected machine.
W32.Baki.A Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Baki.A from your computer.
More details about W32.Baki.A
The W32.Baki.A program is a network-aware worm that can lower the security settings on the compromised computer by disabling its security-related processes. It spreads by copying itself to removable and local drives. When executed on the compromised machine it creates several files, including C:\Windows\Documents and Settings\All Users\Documents\Music.exe, C:\Windows\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif, C:\Windows\ime\imjp8_1\applets\lsass.exe, C:\Windows\mui\smss.exe, C:\Windows\pchealth\ERRORREP\QHEADLES\smss.exe, C:\windows\Autorun.inf and C:\Windows\SoftWareProtector\Error_out.pr. The worm drops Autorun.inf so that it is executed whenever the drive holding the file is accessed. The worm uses the filename Open.exe to spread itself to all removable and local drives of the infected computer system.
The W32.Baki.A worm will also set the attributes of the folders C:\Windows\system32 and C:\Windows\Fonts to hidden. The worm then creates a registry entry to ensure that it starts whenever Windows starts, and modifies further registry entries to lower the system's security settings. It also creates, alters and deletes a host of other registry entries for its malicious purposes. Next, all processes that the worm deems security-related are terminated. These processes may include ashdisp.exe, ashavast.exe, ashserv.exe, ashmais.exe, aswupdsv.exe, ashwebsv.exe, AVS 2007.exe, avgcc.exe, mcmnhdlr.exe, McVSEscn.exe, mcshield.exe, MsAutoPro.exe, McVSftsn.exe, nod32krn.exe, nod32kui.exe and nod32.exe. The W32.Baki.A worm will also try to close windows whose titles contain the strings ANT, ANT, AVAS, AUTO, AVAST, AVS, AVG, CLEA, BUG, CONSOL, COMPON, DETEC, ESSET, ESSE, KAV.KASP, MANAGEMENT, KILL, MACAFEE, MCA, MECHAN, NOD32, NOD, NORTON, NOR, PAND, REG, PROC, REMOV, REGISTRY EDITOR, SECUR, SCAN, SUPPORT, TASK, SYMAN, UNH, TRIA, UNLO, UNHO, VIR, W32 and VIRUS.
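The following host triage check is an added example, not code from this page or from any removal tool: it turns the file, hidden-folder and Autorun.inf indicators described above into a Python script. The file paths are taken as the page gives them; the `exists` and `hidden` probes are injectable so the check can be exercised offline on constructed data, and the sample Autorun.inf is constructed, not captured from the worm.

```python
import os
import re

# Artifacts attributed to W32.Baki.A in the description above (paths as the page gives them).
# Note: lsass.exe and smss.exe are names of legitimate Windows processes that normally live in
# System32; the copies listed here sit at other locations, which is what makes them suspicious.
DROPPED_FILES = [
    r"C:\Windows\Documents and Settings\All Users\Documents\Music.exe",
    r"C:\Windows\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif",
    r"C:\Windows\ime\imjp8_1\applets\lsass.exe",
    r"C:\Windows\mui\smss.exe",
    r"C:\Windows\pchealth\ERRORREP\QHEADLES\smss.exe",
    r"C:\Windows\SoftWareProtector\Error_out.pr",
]
HIDDEN_DIRS = [r"C:\Windows\system32", r"C:\Windows\Fonts"]  # the worm sets these to hidden
FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit reported in st_file_attributes

# Autorun.inf keys that launch a program when the drive is opened.
AUTORUN_KEY = re.compile(r"^\s*(open|shellexecute|shell\\\w+\\command)\s*=\s*(.+?)\s*$", re.I | re.M)

def is_hidden_windows(path):
    """Default hidden-attribute probe; returns False where the attribute is unavailable."""
    try:
        return bool(os.stat(path).st_file_attributes & FILE_ATTRIBUTE_HIDDEN)
    except (OSError, AttributeError):
        return False

def autorun_targets(autorun_text):
    """Programs an Autorun.inf would run on drive access."""
    return [m.group(2) for m in AUTORUN_KEY.finditer(autorun_text)]

def suspicious_autorun(autorun_text):
    """True if Autorun.inf launches Open.exe, the filename the worm spreads under."""
    return any(t.lower().endswith("open.exe") for t in autorun_targets(autorun_text))

def triage(exists=os.path.exists, hidden=is_hidden_windows, autorun_text=""):
    """Collect (kind, detail) findings; exists/hidden are injectable so the check runs offline."""
    findings = [("dropped_file", p) for p in DROPPED_FILES if exists(p)]
    findings += [("hidden_system_dir", d) for d in HIDDEN_DIRS if hidden(d)]
    if suspicious_autorun(autorun_text):
        findings.append(("autorun_open_exe", autorun_targets(autorun_text)[0]))
    return findings

# Constructed sample Autorun.inf of the kind an infected drive root would carry (not a capture).
SAMPLE_AUTORUN = "[autorun]\nopen=Open.exe\nshell\\open\\command=Open.exe\nicon=Open.exe\n"

if __name__ == "__main__":
    # Simulated host: pretend two dropped files exist and Fonts is hidden (constructed data).
    fake_fs = {DROPPED_FILES[1], DROPPED_FILES[3]}
    for kind, detail in triage(lambda p: p in fake_fs, lambda d: d.endswith("Fonts"), SAMPLE_AUTORUN):
        print(kind, detail)
```

On a real Windows host, call `triage()` with its defaults and pass the text of each drive root's Autorun.inf as `autorun_text`.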