
Windows services are disabled by the Annew.A worm

The Annew.A worm makes a number of changes to infected computers and then tries to disable certain Windows services and applications.

The Annew.A worm spreads primarily through removable media. It also creates a file on the media that starts the worm automatically when the media is mounted. Once running, it creates a number of files on the system drive and modifies the registry; among other things, this turns off Windows System Restore.

The worm then performs a number of "spectacular" operations: for example, it displays a fake error message, changes the text in the title bar of windows, and terminates processes belonging to certain applications.

When the Annew worm starts, it performs the following actions:

1. Creates the following files:
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Quick Launch.exe
%CommonProgramFiles%\default.exe
%System%\msnmsgr.exe
%Windir%\msdos.pif
%SystemDrive%\[filename].exe

2. Copies the %SystemDrive%\[filename].exe file under a different name each time the worm starts.

3. Creates an autorun.inf file on removable drives so that the worm starts automatically when the media is connected to a computer.

4. Creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "Explorer.exe %windir%\msdos.pif"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "MsnMsgr" = "%System%\msnmsgr.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MsnMsgr" = "C:\WINDOWS\system32\msnmsgr.exe"

5. Modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System "DisableRegistryTools" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System "DisableCMD" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System "DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableCMD" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"

6. Modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore "DisableConfig" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore "DisableSR" = "1"

This turns off the Windows System Restore feature.

7. Modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "Norun" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFind" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoSetFolders" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoLogoff" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "HideFileExt" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "HideFileExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = "0"

8. Displays an error message with the title "Application Error" and the text "0xFFFFFFFF".

9. Places the following text in the title bar of every window:
[^ _ ^ Anti Antivirus ^ _ ^]

10. Terminates processes whose names contain any of the following words:
cmd
mconfig
task
Why
Hex
Spy.
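The following read-only triage script is an added example, not part of the original article and not code from any vendor's tooling. It checks a Windows host for the dropped files, persistence entries and lockdown policies listed in steps 1, 4, 5, 6 and 7 above, so an administrator can confirm whether a machine shows these indicators before cleaning it. Registry paths and value names are taken verbatim from the article; the file paths are the article's with the environment variables expanded by PowerShell; the script assumes it is run in an elevated PowerShell session and it does not modify anything.

```powershell
# Added example: read-only check for the Annew.A indicators listed in the article.
# Assumes an elevated PowerShell session. Nothing is deleted or changed here.

$findings = @()

# Step 1: files the worm drops (variables expanded from the article's %...% paths).
$droppedFiles = @(
    "$env:USERPROFILE\Application Data\Microsoft\Internet Explorer\Quick Launch\Quick Launch.exe",
    "$env:CommonProgramFiles\default.exe",
    "$env:SystemRoot\system32\msnmsgr.exe",
    "$env:SystemRoot\msdos.pif"
)
foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path) { $findings += "Dropped file present: $path" }
}

# Step 4: persistence. A clean Winlogon "Shell" value is exactly "explorer.exe";
# any program appended after it is launched at every logon.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell modified: '$shell'"
}
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($runKey in $runKeys) {
    $runValue = (Get-ItemProperty -Path $runKey -Name MsnMsgr -ErrorAction SilentlyContinue).MsnMsgr
    if ($runValue) { $findings += "Run entry MsnMsgr under $runKey -> $runValue" }
}

# Steps 5-7: lockdown values. A value of 1 disables the named tool or feature.
$policyChecks = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\System'           = @('DisableRegistryTools', 'DisableCMD', 'DisableTaskMgr')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'  = @('DisableRegistryTools', 'DisableCMD', 'DisableTaskMgr')
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'       = @('DisableConfig', 'DisableSR')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoFolderOptions', 'Norun', 'NoFind', 'NoSetFolders', 'NoLogoff')
}
foreach ($key in $policyChecks.Keys) {
    foreach ($name in $policyChecks[$key]) {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($value -eq 1) { $findings += "Lockdown value set: $key\$name = 1" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Annew.A indicators from the article were found.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The "DisableCMD" and "DisableRegistryTools" values block cmd.exe and regedit.exe but not PowerShell, so the check still runs on a locked-down host. Because the worm re-applies all of these entries every time it starts (step 2 and step 4 make sure it starts again on each logon), any cleanup should remove the dropped files, the Run entries and the Winlogon Shell addition first, and only then reset the policy values; otherwise they return on the next reboot.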
