Remove W32.Slegon

Posted on: June 30th, 2009


Discovered: June 29, 2009
Updated: June 29, 2009 10:12:00 AM

Type: Worm

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Recommended Action:
To remove W32.Slegon, download the ‘No Adware’ remover software. Based on our testing, this was the best-performing remover of W32.Slegon. Read our full No Adware Review.

Technical Details:

When the worm is executed, it creates the following file:
%System%\logon.exe

It then creates the following registry entry, so that it starts when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"svchost" = "C:\WINDOWS\system32\logon.exe"

The worm also modifies the following registry entry, so that it starts when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe logon.exe"

The worm then deletes the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

The worm may spread by copying the following files to removable drives:
%DriveLetter%\autorun.exe
%DriveLetter%\autorun.inf

The worm creates the following registry entry, allowing it access through the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"" = "%CurrentFolder%\[ORIGINALLY EXECUTED FILE]:*:Enabled:RUNTIME_EXECUTABLE"

Next, the worm downloads files from the following Web sites:
[http://]downloadoemsoftware.com/infloat/a51[REMOVED]
[http://]joomlaprojects.cn/infloat/a51[REMOVED]
[http://]joomlaprojects.cn/bot[REMOVED]
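
The file and registry indicators listed above can be checked with a read-only script. This is an added example, not part of the original write-up; the names Test-SlegonIndicators and New-Finding are hypothetical, and it assumes PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example: read-only check for the W32.Slegon indicators described above.
# Emits one object per indicator found and changes nothing on the system.
function New-Finding($Indicator, $Detail) {
    [pscustomobject]@{ Indicator = $Indicator; Detail = $Detail }
}

function Test-SlegonIndicators {
    # Dropped copy: %System%\logon.exe
    $dropped = "$env:SystemRoot\System32\logon.exe"
    if (Test-Path -LiteralPath $dropped) { New-Finding 'Dropped file' $dropped }

    # Run key value named "svchost"
    $run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $val = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).svchost
    if ($val) { New-Finding 'Run value "svchost"' $val }

    # Winlogon Shell with logon.exe appended after Explorer.exe
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue).Shell
    if ($shell -match 'logon\.exe') { New-Finding 'Winlogon Shell modified' $shell }

    # SafeBoot subkey deleted (Safe Mode will not start without it)
    $safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    if (-not (Test-Path -Path $safeBoot)) { New-Finding 'SafeBoot key missing' $safeBoot }

    # Firewall exception labelled RUNTIME_EXECUTABLE
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters' +
          '\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $props = Get-ItemProperty -Path $fw -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -like '*:RUNTIME_EXECUTABLE') {
                New-Finding 'Firewall exception' $p.Value
            }
        }
    }

    # autorun.exe / autorun.inf in the root of removable drives (DriveType 2)
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        foreach ($name in 'autorun.exe', 'autorun.inf') {
            $path = "$($_.DeviceID)\$name"
            if (Test-Path -LiteralPath $path) { New-Finding 'Removable drive file' $path }
        }
    }
}

Test-SlegonIndicators | Format-Table -AutoSize
```

A hit is a lead to review rather than proof of infection: autorun.inf exists legitimately on some removable media, so weigh it together with the registry findings.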

Action Steps:
FREE SCAN: NoAdware can Remove W32.Slegon. Click the link below for your free download & scan your PC now.