What is Worm-Autorun.DMI?
WORM_AUTORUN.DMI is a worm that predominantly infects Windows systems. It poses a high risk to users because it spreads readily from one machine to the next.
It is also known as:
- PAK:UPack
- Worm.Win32.AutoRun.fgd (Kaspersky)
- W32/Autorun.worm.gen (McAfee)
- Infostealer.Onlinegame (Symantec)
- TR/Crypt.XDR.Gen (Avira)
- VirTool:Win32/Obfuscator.C (Microsoft)
How does it affect your PC?
WORM_AUTORUN.DMI spreads through network shares and removable drives, and by copying itself to every available physical drive. It may be downloaded from remote sites by other malware, or downloaded unknowingly by a user who visits a malicious website.
Once it runs on a system:
- It drops multiple files on the affected system, including a copy of itself:
  %System Root%\Program Files\Common Files\SafeSys.exe
  (Note: %System Root% is the root folder, usually C:\. It is also where the operating system is located.)
- It makes multiple changes to the Windows registry. Some of these allow it to run at every system startup:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  SafeSys = "%System Root%\Program Files\Common Files\SafeSys.exe"
- It also creates the following keys and entries as part of its service installation (Type = "1" registers each entry as a kernel-mode driver and Start = "3" makes it demand-start; note that the driver images are hidden in a .tmp file and in a .fon file under the Fonts folder):
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SafeSysDrv
  Type = "1"
  Start = "3"
  ErrorControl = "0"
  ImagePath = "%UserTemp%\~{random 5 characters}.tmp"
  DisplayName = "SafeSysDrv"
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random 5 characters}
  Type = "1"
  Start = "3"
  ErrorControl = "0"
  ImagePath = "%Windows%\fonts\{random 5 characters}.fon"
  DisplayName = "{random 5 characters}"
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random 5 characters}\Security
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random 5 characters}\Enum
- It drops copies of itself on all physical and removable drives and network shares. It also drops an AUTORUN.INF file so that the dropped copy runs automatically when the drive is opened. The dropped .INF file contains the following strings (the Shell labels are Chinese text stored in GBK, 打开 "Open" and 资源管理器 "Explorer"; on a non-Chinese system they display as mojibake such as ´ò¿ª(&O) and ×ÊÔ´¹ÜÀíÆ÷(&X)):
  [AutoRun]
  Open=SafeSys.exe
  Shell\Open=打开(&O)
  Shell\Open\Command=SafeSys.exe
  Shell\Open\Default=1
  Shell\Explore=资源管理器(&X)
  Shell\Explore\Command=SafeSys.exe
- It accesses Web sites to download files that Trend Micro detects as the following:
- TSPY_ONLINEG.INQ
- TSPY_ONLINEG.ECB
- TROJ_AGENT.AIFN
- TSPY_DELF.PRZ
- Mal_OLGM-23
- TSPY_ONLINEG.IFR
- TROJ_GAMETHI.EDP
- TROJ_GAMETHI.EDQ
- TROJ_MIDGARE.AA
- TROJ_GAMETHI.EDT
- TROJ_CINMENG.HA
- TROJ_AGENT.BTP
How to remove Worm-Autorun.DMI manually?
For Windows ME and XP users: Please make sure you disable System Restore to allow full scanning of your computer.
Step 1: Remove malware files dropped/downloaded by WORM_AUTORUN.DMI
- TROJ_AGENT.BTP
- TROJ_CINMENG.HA
Step 2: Restart in Safe Mode
Step 3: Delete these registry values
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  SafeSys = "%System Root%\Program Files\Common Files\SafeSys.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon (these values switch off monitoring features of the 360Safe security product)
  ARPAccess = "0"
  IEProtAccess = "0"
  LeakShowed = "0"
  MonAccess = "0"
  SiteAccess = "0"
  UDiskAccess = "0"
  weeken = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{application name}
  Debugger = "ntsd -d"
  (A Debugger value under Image File Execution Options makes Windows start the named program under that debugger instead of running it directly; with "ntsd -d" this effectively prevents the named application from starting.)
Step 4: Delete these registry keys
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  {random 5 characters}
  SafeSysDrv
Step 5: Search and delete this file
*Note: Some component files may be hidden. Make sure you check the "Search hidden files and folders" checkbox under "More advanced options" so that hidden files and folders are included in the search results.
- %System Root%\Program Files\{random 5 characters}.bak
Step 6: Search and delete AUTORUN.INF files created by WORM_AUTORUN.DMI that contain these strings (the Shell labels are GBK-encoded Chinese and may display as mojibake, e.g. ´ò¿ª(&O) and ×ÊÔ´¹ÜÀíÆ÷(&X), on a non-Chinese system)
  [AutoRun]
  Open=SafeSys.exe
  Shell\Open=打开(&O)
  Shell\Open\Command=SafeSys.exe
  Shell\Open\Default=1
  Shell\Explore=资源管理器(&X)
  Shell\Explore\Command=SafeSys.exe
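The AUTORUN.INF layout described in the infection section and the search in Step 6 can be automated. The following is an added Python example, not Trend Micro's or this page's own code: it parses an AUTORUN.INF, flags one whose Open and Shell commands all launch SafeSys.exe, and checks a list of drive or share roots. The two sample files are constructed here, and the GBK decoding reflects the Chinese labels in the dropped file.

```python
from pathlib import Path, PureWindowsPath

# From the write-up: every action in the dropped AUTORUN.INF runs SafeSys.exe.
WORM_EXE = "safesys.exe"
HIJACK_KEYS = ("open", "shell\\open\\command", "shell\\explore\\command")

# Constructed samples: the dropped file (Shell labels are Chinese text in GBK,
# which is why they appear as mojibake elsewhere) and a benign driver-CD file.
SAMPLE_DROPPED = (
    "[AutoRun]\r\nOpen=SafeSys.exe\r\nShell\\Open=打开(&O)\r\n"
    "Shell\\Open\\Command=SafeSys.exe\r\nShell\\Open\\Default=1\r\n"
    "Shell\\Explore=资源管理器(&X)\r\nShell\\Explore\\Command=SafeSys.exe\r\n"
).encode("gbk")
SAMPLE_BENIGN = b"[AutoRun]\r\nicon=setup.exe,0\r\nlabel=Driver CD\r\n"

def parse_autorun(data: bytes) -> dict:
    """Return the [AutoRun] section as a lowercase key -> value dict."""
    try:
        text = data.decode("gbk")      # the dropped file's encoding
    except UnicodeDecodeError:
        text = data.decode("latin-1")  # never fails, keeps bytes visible
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def classify(data: bytes) -> list:
    """Hijacked actions that run SafeSys.exe; an empty list means clean."""
    entries = parse_autorun(data)
    return [k for k in HIJACK_KEYS
            if PureWindowsPath(entries.get(k, "")).name.lower() == WORM_EXE]

def scan_roots(roots) -> dict:
    """Map each drive/share root with a matching AUTORUN.INF to its hits."""
    findings = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"   # case-insensitive on Windows only
        if inf.is_file():
            hits = classify(inf.read_bytes())
            if hits:
                findings[str(inf)] = hits
    return findings
```

Run scan_roots over the drive letters and mapped shares on the machine; a match on all three keys is the pattern this worm leaves behind.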
Step 7: Scan your computer with your antivirus product to delete files detected as WORM_AUTORUN.DMI and the following:
- TSPY_ONLINEG.INQ
- TSPY_ONLINEG.ECB
- TROJ_AGENT.AIFN
- TSPY_DELF.PRZ
- Mal_OLGM-23
- TSPY_ONLINEG.IFR
- TROJ_GAMETHI.EDP
- TROJ_GAMETHI.EDQ
- TROJ_MIDGARE.AA
- TROJ_GAMETHI.EDT
Additional Windows ME/XP removal considerations