Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
09 Nov 2006
W32.Usbalex is a worm that can spread through mapped drives. When executed, it performs the actions described below.
W32.Usbalex Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Usbalex from your computer.
More details about W32.Usbalex
Once W32.Usbalex is executed, it copies itself to locations such as %UserProfile%\csrss.exe, %Temp%\Temp.exe, %Windir%\System\Regedit.exe, and %ProgramFiles%\Microsoft Office\OFFICE11\MSTORDB0.EXE.

The %UserProfile% variable refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] on Windows XP, Windows 2000, and Windows NT. The %Temp% variable refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows XP, Windows Me, Windows 98, Windows 95) or C:\WINNT\Temp (Windows 2000 and Windows NT). The %Windir% variable refers to the Windows installation folder. By default, this is C:\Winnt or C:\Windows. The %ProgramFiles% variable refers to the program files folder. By default, this is C:\Program Files.

The worm also creates files such as D:\RECYCLED.EXE and D:\Autorun.inf on removable or remote drives.
W32.Usbalex creates files such as %Temp%\TempServices.reg, %Temp%\Network.txt, %Temp%\Services.reg, and %Temp%\SetTime.tme. The worm also checks for files such as C:\FolderData, C:\My Girls, C:\My Data, C:\Pictures, C:\Documents, C:\Data, C:\My CV, C:\Application, and C:\Girls with an .exe extension and deletes them. The worm creates a service with the display name ‘MsInfo Service’ and the image path "C:\RECYCLER\MsInfo\MsInfo.exe". The worm adds a value to a registry subkey so that it runs whenever Windows starts. The worm also gathers system information from the compromised computer and sends it to the remote attacker.
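The file and service indicators listed above can be checked on a host with a short script. The following is an added example, not part of the original write-up: the function names are hypothetical, and it generalizes the D: paths in the text to any drive root passed in.

```python
import ntpath
import os
import re

# Indicators copied from the description above; nothing else is assumed about the worm.
FILE_IOCS = [
    r"%UserProfile%\csrss.exe",
    r"%Temp%\Temp.exe",
    r"%Windir%\System\Regedit.exe",
    r"%ProgramFiles%\Microsoft Office\OFFICE11\MSTORDB0.EXE",
    r"%Temp%\TempServices.reg",
    r"%Temp%\Network.txt",
    r"%Temp%\Services.reg",
    r"%Temp%\SetTime.tme",
]
DRIVE_ROOT_IOCS = ["RECYCLED.EXE", "Autorun.inf"]  # dropped in the root of removable/remote drives
SERVICE_NAME = "MsInfo Service"
SERVICE_IMAGE = r"C:\RECYCLER\MsInfo\MsInfo.exe"


def expand(path, env):
    """Expand %Var% case-insensitively, as Windows does; unknown variables stay as written."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%\\]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def scan_files(env, drive_roots, exists=os.path.exists):
    """Return every indicator path that exists. `exists` is injectable for offline testing."""
    candidates = [expand(p, env) for p in FILE_IOCS]
    candidates += [ntpath.join(root, name) for root in drive_roots for name in DRIVE_ROOT_IOCS]
    return [p for p in candidates if "%" not in p and exists(p)]


def _norm(path):
    """Normalize a Windows path for comparison: strip quotes, unify slashes, lowercase."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def match_service(display_name, image_path):
    """True if a service record matches the display name or image path given above."""
    return (display_name.strip().lower() == SERVICE_NAME.lower()
            or _norm(image_path) == _norm(SERVICE_IMAGE))


if __name__ == "__main__":
    # On a Windows host: check the live environment and the D: root named in the text.
    for hit in scan_files(os.environ, ["D:\\"]):
        print("indicator present:", hit)
```

Names such as Autorun.inf or Network.txt also occur on clean systems, so a single hit is a lead to confirm rather than proof of infection.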