Remove W32.Zimuse

Posted on: February 5th, 2010


Discovered: January 23, 2010
Updated: January 27, 2010 7:12:55 AM
Type: Worm
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Recommended Action:
In order to remove W32.Zimuse you need to download the ‘No Adware’ remover software. Based on our testing this was the best performing remover of W32.Zimuse. Read our full No Adware Review.

Technical Details:

Once executed, the worm drops the following files:

* %ProgramFiles%\Dump\Dump.exe
* %System%\drivers\Mseu.sys
* %System%\drivers\Mstart.sys
* %System%\ainf.inf
* %System%\mseus.exe
* %System%\tokset.dll

It drops the following nonmalicious files into C:\IQTEST and then opens an
Explorer window and displays the C:\IQTEST folder contents:

* C:\IQTEST\Iqtest.exe (clean version of the IQ test)
* C:\IQTEST\Readme.txt

The program c:\iqtest\Iqtest.exe is a clean program (the original write-up shows a screenshot of it at this point).

The worm then deletes itself.

After a predetermined number of days the worm copies itself as zipsetup.exe to
the following drives and to the first 9 physical drives:

* C:
* D:
* E:
* F:
* G:
* H:
* I:
* J:

The worm creates the following registry entry, so that it runs every time Windows
starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Dump" = "%ProgramFiles%\Dump\Dump.exe"

It creates new services with the following characteristics:
Service Name: Mseu
Display Name: Mseu
Startup Type: Automatic
Image Path: System32\Mseus.exe

Service Name: Mstart
Display Name: Mstart
Startup Type: Automatic
Image Path: \??\C:\WINDOWS\system32\Drivers\MSTART.SYS

Service Name: UnzipService
Display Name: UnzipService
Startup Type: Automatic

Service Name: Self Extract Service
Display Name: Self Extract Service
Startup Type: Automatic

The worm creates the services by adding entries to the following registry subkeys:

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnzipService

It spreads through removable drives as the file zipsetup.exe and it is also
shared online as the following program:
IqTest.exe

It also copies the following file so that it runs when the removable devices
are accessed:
%DriveLetter%\autorun.inf

After a predetermined amount of time the threat will attempt to delete the
following files:

* C:\System Volume Information
* D:\System Volume Information
* E:\System Volume Information
* F:\System Volume Information
* G:\System Volume Information
* H:\System Volume Information
* I:\System Volume Information
* J:\System Volume Information
* C:\Documents and Settings\Administrator\My Documents
* D:\Documents and Settings\Administrator\My Documents
* E:\Documents and Settings\Administrator\My Documents
* F:\Documents and Settings\Administrator\My Documents
* G:\Documents and Settings\Administrator\My Documents
* H:\Documents and Settings\Administrator\My Documents
* I:\Documents and Settings\Administrator\My Documents
* J:\Documents and Settings\Administrator\My Documents
* C:\Users\Administrator
* D:\Users\Administrator
* E:\Users\Administrator
* F:\Users\Administrator
* G:\Users\Administrator
* H:\Users\Administrator
* I:\Users\Administrator
* J:\Users\Administrator
* C:\Documents and Settings
* D:\Documents and Settings
* E:\Documents and Settings
* F:\Documents and Settings
* G:\Documents and Settings
* H:\Documents and Settings
* I:\Documents and Settings
* J:\Documents and Settings
* C:\Users
* D:\Users
* E:\Users
* F:\Users
* G:\Users
* H:\Users
* I:\Users
* J:\Users
* C:\BOOT.INI
* C:\NTDETECT.COM
* C:\NTLDR
* C:\HYBERFILE.SYS
* C:\BOOTMGR
* C:\BOOTMGR.BAK
* C:\BOOTSECT
* C:\BOOTSECT.BAK

The threat also deletes all system restore points by deleting the following
folders:

* C:\System Volume Information
* D:\System Volume Information
* E:\System Volume Information
* F:\System Volume Information
* G:\System Volume Information
* H:\System Volume Information
* I:\System Volume Information
* J:\System Volume Information

It will also attempt to overwrite the beginning of the disk in order to overwrite
the master boot record (MBR), thereby preventing the compromised computer from
restarting.

When restarted, the system may display the message "Operating System not
found".
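
As an added example (not part of the original write-up or of any vendor tool), the following read-only PowerShell triage script checks a Windows host for the indicators listed above: the "Dump" Run value, the four services, the dropped files, and the zipsetup.exe / autorun.inf spread artifacts on local drives. It assumes %System% resolves to $env:SystemRoot\System32 and %ProgramFiles% to $env:ProgramFiles, and it reports only; it removes nothing.

```powershell
# Added host-triage script for the W32.Zimuse indicators in this write-up.
# Read-only: it reports findings and does not delete or modify anything.
# Run from an elevated PowerShell prompt (PowerShell 3.0 or later for -in).

$findings = @()

# 1. Persistence: HKLM Run value "Dump" pointing at %ProgramFiles%\Dump\Dump.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Dump']) {
    $findings += "Run value 'Dump' present: $($run.Dump)"
}

# 2. Services the worm registers (names taken from the write-up)
foreach ($name in 'Mseu', 'Mstart', 'UnzipService', 'Self Extract Service') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Service '$name' present (status: $($svc.Status))"
    }
}

# 3. Dropped files; %System% assumed to be System32 under the Windows directory
$sys = "$env:SystemRoot\System32"
$dropped = @(
    "$env:ProgramFiles\Dump\Dump.exe",
    "$sys\drivers\Mseu.sys",
    "$sys\drivers\Mstart.sys",
    "$sys\ainf.inf",
    "$sys\mseus.exe",
    "$sys\tokset.dll"
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) { $findings += "Dropped file present: $path" }
}

# 4. Spread artifacts: zipsetup.exe in the root of fixed (3) and removable (2)
#    drives; autorun.inf only on removable drives, where the worm plants it
foreach ($drive in Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3 }) {
    $root = "$($drive.DeviceID)\"
    $names = @('zipsetup.exe')
    if ($drive.DriveType -eq 2) { $names += 'autorun.inf' }
    foreach ($file in $names) {
        $path = $root + $file
        if (Test-Path -LiteralPath $path) { $findings += "Spread artifact present: $path" }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No W32.Zimuse indicators found.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

A hit on a single indicator (for example an autorun.inf on a USB stick) is not proof of infection on its own; the Run value together with the Mseu/Mstart services is the combination worth acting on.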

Action Steps:
FREE SCAN: NoAdware can Remove W32.Zimuse. Click the link below for your free download & scan your PC now.

Please click here for manual removal instructions.