
The Solow worm causes serious damage

The Solow worm, besides spreading fairly quickly, also renders infected computers completely unusable.

The Solow worm gets onto computers primarily via removable storage. When it is started from such a device, it creates a number of files and modifies the registry. The worm counts how many times it has run and, on its 100th run, deletes the most important Windows system files and directories, which leaves the operating system unusable.

Until that 100th run, the worm tries to copy itself onto as many removable storage devices as possible, such as USB flash drives.

When the Solow worm starts, it performs the following actions:

1. Creates the following files:
%Windir%\pchealth\helpctr\binaries\msconfig.exe
%Windir%\regedit.exe
%System%\cmd.exe
%System%\systeminit.exe
%System%\taskmgr.exe
%System%\wininit.exe
%System%\winsystem.exe

2. Copies the following two files to removable media:
kerneldrive.exe
autorun.inf

3. Creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, "wininit" = "%System%\wininit.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, "Userinit" = "%System%\systeminit.exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, "Window Title" = "Hacked by 1BYTE"
HKEY_CURRENT_USER\Software\Microsoft, "nFlag" = "[number of times the code has run]"
HKEY_CURRENT_USER\Software\Microsoft, "ServicePack" = "1.2"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

4. Modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer, "SearchHidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer, "SearchSystemDirs" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, "NoDriveTypeAutoRun" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, "NoFolderOptions" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, "Hidden" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, "HideFileExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, "ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, "SuperHidden" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess, "Start" = "1"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, "NoFolderOptions" = "1"

5. On its hundredth run, tries to delete the following system files:
%SystemDrive%\boot.ini
%SystemDrive%\IO.SYS
%SystemDrive%\MSDOS.SYS
%SystemDrive%\NTDETECT.COM
%SystemDrive%\ntldr

6. Deletes all files from the following directories:
%Windir%
%ProgramFiles%
%SystemDrive%\Documents and Settings
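The indicators above can be turned into a read-only triage check for a suspect host. The PowerShell script below is an added example, not code from the original article: it looks for the registry values, dropped files and removable-media files listed above and reports the worm's nFlag run counter, assuming %System% expands to %SystemRoot%\System32 and that the script runs on a Windows host with the HKLM: and HKCU: drives available.

```powershell
function Get-SolowIndicators {
    # Returns one string per indicator found; an empty result means nothing matched.
    $hits = @()

    # Registry values the article lists as created or modified. Wildcards are used where
    # the stored data is an expanded path (%System% becomes e.g. C:\WINDOWS\system32).
    $regIndicators = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';               Name = 'wininit';            Data = '*\wininit.exe' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'Userinit';           Data = '*\systeminit.exe*' },
        @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                   Name = 'Window Title';       Data = 'Hacked by 1BYTE' },
        @{ Path = 'HKCU:\Software\Microsoft';                                          Name = 'ServicePack';        Data = '1.2' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Data = '0' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess';              Name = 'Start';              Data = '1' }
    )
    foreach ($r in $regIndicators) {
        $name = $r.Name
        $item = Get-ItemProperty -Path $r.Path -Name $name -ErrorAction SilentlyContinue
        if ($item -and ("$($item.$name)" -like $r.Data)) {
            $hits += "registry: $($r.Path) [$name] = $($item.$name)"
        }
    }

    # nFlag is the worm's own run counter; the destructive payload fires on the 100th run,
    # so its value tells you how much time is left before the machine is wiped.
    $nFlag = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft' -Name 'nFlag' -ErrorAction SilentlyContinue).nFlag
    if ($null -ne $nFlag) { $hits += "run counter nFlag = $nFlag (payload triggers at 100)" }

    # Dropped files. Only names absent from a clean install are checked here: cmd.exe,
    # taskmgr.exe, wininit.exe and the pchealth msconfig.exe path collide with legitimate files.
    foreach ($f in @("$env:SystemRoot\System32\systeminit.exe", "$env:SystemRoot\System32\winsystem.exe")) {
        if (Test-Path -LiteralPath $f) { $hits += "file: $f" }
    }

    # The spreader pair on every removable drive (DriveType 2) currently attached.
    foreach ($d in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2') {
        foreach ($n in 'kerneldrive.exe', 'autorun.inf') {
            $p = Join-Path $d.DeviceID $n
            if (Test-Path -LiteralPath $p) { $hits += "removable media: $p" }
        }
    }
    return $hits
}

$found = @(Get-SolowIndicators)
if ($found.Count -eq 0) { 'No Solow indicators found.' } else { $found }
```

A non-empty result, especially a high nFlag value, means the host should be isolated and restored from a known-good image rather than cleaned in place.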
