W32/AutoRun-CN [Sophos], W32/PifIo
Category: Computer Worm
Active & Spreading
Some parts of Asia, Europe, North and South America, Africa and Australia
29 Jun 2007
Also known as W32/AutoRun-CN and W32/PifIo, W32.Pifio copies itself to all drives and downloads other potentially harmful files. The worm can also end certain security-related processes. It was first discovered on June 29, 2007, and it mostly affects Windows operating systems such as Windows 98, 95, XP, Me, NT, Server 2003 and 2000.
W32.Pifio Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Pifio from your computer.
More details about W32.Pifio
Once W32.Pifio is executed, the worm creates svchost.exe in the %CommonProgramFiles% folder, DirectX9.dll in the %System% folder and IO.pif under [DRIVE LETTER]. Every time the drive is accessed, the worm also creates autorun.inf. After that, the worm creates particular system registry entries and stops or disables security-related services such as Windows Firewall/Internet Connection Sharing and System Restore Service. The worm can also end security-related processes such as Windows Security Center, taskgmr.exe, regedit.exe and msconfig.exe. Furthermore, the worm may try to download other malicious files from either [http://]ip.591down.com.cn/fz/x106.e[REMOVED] or [http://]webye163.cn/hz/[RANDOM NUMBER].exe, where [RANDOM NUMBER] is a number between 1 and 20.
The W32.Pifio software connects to pre-specified remote servers. It will add other unwanted applications to the system. The files may be placed in the Windows directory or other hidden folders. The programs are registered as startup values. They are then installed and executed. The downloader application can be used to spread advertising and spying software. The application may have the ability to spread the infected files to other computers. The malicious files may be dropped in folders shared on peer-to-peer (P2P) file sharing networks. They may be labeled as popular titles of movies, music, and applications. This is so other people will download them. The files can also be placed on network shares.
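A triage check for the drive artifacts named in the details above (IO.pif and autorun.inf), added here as an example and not taken from the original page or from any vendor tool. It assumes the files sit at the top level of the drive; the function names are hypothetical and the autorun.inf contents in the demo are constructed, since the page does not show the real file.

```python
import os
import re
import tempfile

# Standard autorun.inf keys that make Windows launch a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)$", re.I)
DROPPED_NAME = "io.pif"  # file name taken from the description above

def autorun_targets(text):
    """Return (key, command) pairs from the [autorun] section of autorun.inf."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key):
                targets.append((key.lower(), value))
    return targets

def check_drive_root(root):
    """List findings for one drive root: IO.pif itself and autorun.inf launch lines."""
    findings = []
    names = {n.lower(): n for n in os.listdir(root)}
    if DROPPED_NAME in names:
        findings.append(("file", names[DROPPED_NAME]))
    inf = os.path.join(root, names.get("autorun.inf", "autorun.inf"))
    if os.path.isfile(inf):  # skips a missing file or a directory of that name
        with open(inf, encoding="latin-1") as fh:
            for key, command in autorun_targets(fh.read()):
                flag = "references IO.pif" if DROPPED_NAME in command.lower() else "launch entry"
                findings.append((flag, f"{key}={command}"))
    return findings

def demo():
    # Constructed sample: the page does not show the real autorun.inf contents.
    sample = "[AutoRun]\nopen=IO.pif\nshell\\open\\Command=IO.pif\nicon=x.ico\n"
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("autorun.inf", sample), ("IO.pif", "")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return check_drive_root(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run check_drive_root against each mounted drive letter or removable volume; any launch entry in autorun.inf on a data drive deserves a look even when it does not name IO.pif.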