Trojan.Win32.KillWin.fk, W32.Dronzho, TR/Spy.65536.I, Mal/Generic-A
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
04 Dec 2007
W32.Dronzho is a worm that actively spreads through removable drives and replaces userinit.exe with a copy of itself. It affects all Windows operating system platforms. It can also record confidential information by logging keystrokes on the compromised computer. The worm affects the logon process when you start or restart the computer.
W32.Dronzho Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Dronzho from your computer.
More details about W32.Dronzho
W32.Dronzho drops files and components because the worm is bundled as a component with other malware packages, which can be obtained from malicious websites. Users should therefore deny all incoming connections and allow only trusted services. Creating passwords is also key to protecting files and programs from viruses. The AutoPlay facility on your computer should be disabled to prevent executable files on network and removable drives from launching automatically. It is also recommended to disconnect drives when they are not required, and to turn off file sharing if it is not needed. Do not install or turn on every computer service that pops up on your screen; these are the critical avenues such malware usually attacks. Bluetooth and mobile connections should also be turned off rather than left open when you are not using them.
This worm sends the information it gathers from the system to a predetermined email address. It attacks all accessible removable drives to ensure that it is executed automatically every time they are accessed. Once it has executed, the infected computer or removable drive may contain the following files: AutoRun.inf, HELP.EXE, 1.DAT, 2.DAT, 4.DAT, 11.DAT (a Chinese version of notepad.exe) and 12.DAT. These DAT files in turn create the following files: calc.exe, mspw.dll, c_20718.nls, c_20819.nls, c_20921.nls and c_20996.nls. When the userinit.exe file is already present on your computer, the system processes include copies of svchost.exe, userinit.exe and mshelp.dll. To steal information or log keystrokes typed on the compromised computer, the worm patches itself into the explorer.exe file.
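A triage check for a mounted removable drive, built from the file names listed above. This is an added example, not part of the original write-up: the function names, the flagging rule and the sample AutoRun.inf contents are assumptions, since the page does not show what the worm's AutoRun.inf contains.

```python
import os
import re
import tempfile

# File names this page lists for an infected drive (matched case-insensitively).
LISTED = {"autorun.inf", "help.exe", "1.dat", "2.dat", "4.dat", "11.dat", "12.dat"}
# Standard AutoRun.inf keys that cause a program to be launched.
LAUNCH_KEY = re.compile(r"^\s*(?:open|shellexecute|shell\\[^=]+\\command)\s*=\s*(\S.*?)\s*$", re.I)

def autorun_targets(path):
    """Return the file names an AutoRun.inf would launch (lower-cased, no path or arguments)."""
    with open(path, "rb") as fh:
        raw = fh.read()
    # AutoRun.inf may be saved as UTF-16 with a BOM; otherwise treat it as 8-bit text.
    wide = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16" if wide else "latin-1", errors="replace")
    targets = []
    for line in text.splitlines():
        m = LAUNCH_KEY.match(line)
        if m:
            cmd = re.match(r'"([^"]+)"|(\S+)', m.group(1))  # quoted or bare command
            exe = cmd.group(1) or cmd.group(2)
            targets.append(exe.replace("\\", "/").rsplit("/", 1)[-1].lower())
    return targets

def triage_drive(root):
    """Report which listed names sit in the drive root and what AutoRun.inf launches."""
    actual = {name.lower(): name for name in os.listdir(root)}
    present = sorted(n for n in LISTED if n in actual)
    targets = []
    if "autorun.inf" in actual:
        targets = autorun_targets(os.path.join(root, actual["autorun.inf"]))
    # Assumed rule (not from the page): names such as 1.DAT are common on their own,
    # so flag only an AutoRun.inf that launches a listed file lying next to it.
    flagged = any(t in LISTED and t in actual for t in targets)
    return {"present": present, "launches": targets, "flagged": flagged}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:  # constructed stand-in for a drive root
        for name in ("HELP.EXE", "1.DAT", "notes.txt"):
            open(os.path.join(drive, name), "wb").close()
        with open(os.path.join(drive, "AutoRun.inf"), "w") as fh:
            fh.write("[AutoRun]\nopen=HELP.EXE\n")  # constructed sample contents
        print(triage_drive(drive))
```

A flagged drive is a reason to inspect it further, for example by checking userinit.exe on machines the drive was used with; it is not a confirmed detection.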