Aliases: IRC-Worm.Fagot [Kaspersky], Fagot [F-Secure], IRC.Trojan.Fgt, W32/Petch.worm!irc, W32/Petch.A, W32.Petch.B
Category: Computer Worm
Distribution: Some parts of Asia, Europe, North and South America, Africa and Australia
Discovered: 26 Oct 2003
On October 26, 2003, a worm that disables firewall and security software was discovered. The worm, W32.Petch, arrives as a downloaded file; it also removes critical system files and changes the Internet Explorer home page to a pornographic page. It affects Windows 2000, 95, 98, Me, NT and XP. The worm is UPX-packed and written in the Delphi programming language.
W32.Petch Removal Tool
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software.
We recommend that you scan your system for malware. Our partner offers a computer worm removal tool that automatically cleans W32.Petch from your computer.
More details about W32.Petch
W32.Petch performs several actions after it is executed. It copies itself to the following files: C:\Windows\System32\Userinit32.exe, C:\Windows\System32\Dllhost32.exe, C:\Windows\Notepad.exe and C:\Windows\Regedit.exe. These paths are hard-coded and do not depend on system variables. The worm then sets the value "Userinit"="C:\Windows\system32\userinit32.exe" in a certain system registry key, so that its copy runs at logon. Afterwards, it looks for security-related processes and programs and disables them. Some system registry keys are deleted, and the Internet Explorer home page is reset to a page containing pornographic material. The worm also sets the default user name and the alternate default user name to a different name. Then it deletes most .exe files from drive C:. The worm does not stop there: it also removes most of the subkeys under these system registry subkeys: HARDWARE, SECURITY, SOFTWARE, SYSTEM, Software and System. Finally, a fake error message is displayed, and the worm runs mIRC to execute a one-line command.
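The drop paths and the "Userinit" persistence value above are the indicators a responder would check first on a machine that can still be inspected offline (for example, from a rescue environment). The following triage script is an added example, not code from the original page or from any vendor tool. It assumes the "Userinit" value lives under the standard Winlogon key (the page only says "a certain system registry key"), and it takes a snapshot of file hashes rather than reading the live system, so it runs anywhere. Because Notepad.exe and Regedit.exe legitimately exist in C:\Windows, their presence alone proves nothing; the script reports them only when their hash differs from a supplied known-good hash, while Userinit32.exe and Dllhost32.exe, which are not stock Windows binaries, are reported on sight. All hashes below are constructed placeholders.

```python
"""Added triage example for the W32.Petch indicators described above.

The Winlogon key name is assumed from general Windows knowledge; the page
itself does not name the key. Hash values are constructed placeholders.
"""
from __future__ import annotations

import ntpath

# Drop locations the description lists (hard-coded, not based on %SystemRoot%).
PETCH_DROP_PATHS = (
    r"C:\Windows\System32\Userinit32.exe",
    r"C:\Windows\System32\Dllhost32.exe",
    r"C:\Windows\Notepad.exe",
    r"C:\Windows\Regedit.exe",
)

# Assumed location of the "Userinit" value (not stated on the page).
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock content of that value: the real userinit.exe followed by a trailing comma.
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"


def check_userinit(value: str) -> list[str]:
    """Flag every entry of the comma-separated Userinit value that is not userinit.exe."""
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if entry and ntpath.basename(entry).lower() != "userinit.exe":
            findings.append(f"{WINLOGON_KEY}\\Userinit runs unexpected binary: {entry}")
    return findings


def check_dropped_files(file_hashes: dict[str, str], known_good: dict[str, str]) -> list[str]:
    """Inspect a {path: sha256} snapshot for the worm's drop paths.

    Paths without a known-good baseline (Userinit32.exe, Dllhost32.exe) are
    reported when present at all; paths with a baseline (Notepad.exe,
    Regedit.exe) are reported only when the hash differs from the baseline.
    Comparison is case-insensitive, as NTFS paths are.
    """
    present = {p.lower(): h for p, h in file_hashes.items()}
    baseline = {p.lower(): h for p, h in known_good.items()}
    findings = []
    for path in PETCH_DROP_PATHS:
        key = path.lower()
        if key not in present:
            continue
        if key not in baseline:
            findings.append(f"unexpected binary present: {path}")
        elif present[key] != baseline[key]:
            findings.append(f"system binary replaced: {path}")
    return findings


def triage(userinit_value: str, file_hashes: dict[str, str], known_good: dict[str, str]) -> list[str]:
    """Run both checks and return the combined findings (empty list means no match)."""
    return check_userinit(userinit_value) + check_dropped_files(file_hashes, known_good)


# Constructed snapshot of an infected host; every hash is a placeholder string.
CONSTRUCTED_USERINIT = r"C:\Windows\system32\userinit32.exe"
CONSTRUCTED_FILES = {
    r"C:\Windows\System32\Userinit32.exe": "sha256-placeholder-worm-copy",
    r"C:\Windows\Notepad.exe": "sha256-placeholder-worm-copy",
    r"C:\Windows\Regedit.exe": "sha256-placeholder-stock-regedit",
}
# Constructed known-good hashes for the two stock binaries the worm overwrites.
CONSTRUCTED_KNOWN_GOOD = {
    r"C:\Windows\Notepad.exe": "sha256-placeholder-stock-notepad",
    r"C:\Windows\Regedit.exe": "sha256-placeholder-stock-regedit",
}

if __name__ == "__main__":
    for finding in triage(CONSTRUCTED_USERINIT, CONSTRUCTED_FILES, CONSTRUCTED_KNOWN_GOOD):
        print(finding)
```

On the constructed snapshot the script reports three findings: the tampered Userinit value, the presence of Userinit32.exe, and a replaced Notepad.exe; Regedit.exe matches its baseline and Dllhost32.exe is absent, so neither is reported. On a real host the file hashes would come from a clean-booted scan and the known-good hashes from an identical patch level of Windows.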
The website responsible for distributing this worm is no longer available, but that does not mean W32.Petch no longer exists. Once the worm has executed, the user will no longer be able to start Windows, because it makes numerous changes to the system registry and deletes system files. If this has happened, restore the deleted files and the Windows registry from a clean backup, or reinstall the OS. Once the registry has been replaced with a clean copy and the missing system files have been restored, update the virus definitions and run a full system scan to find all infected files. Remove every file detected as W32.Petch. These manual removal steps are practical only if W32.Petch has not yet executed; if the worm has already run, it is hard to remove manually, and an expert technician is needed to remove it.