
W32.Daprosy

What is W32.Daprosy?

W32.Daprosy is a worm that arrives on a computer as a file attached to spam email messages. W32.Daprosy may also spread through mapped network drives and fixed and removable storage devices.

Type: Trojan
Sub-Type: Autorun
Aliases:
OS Affected: Windows
Detected By: Symantec

What Does W32.Daprosy Do?

It creates the following Windows Registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run\"WinSys" = "%Windir%\system.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\"LSAShell" = "%Windir%\lsass.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run\"SessionMngr" = "C:\Documents and Settings\All Users\Application Data\PolariSys\dirlock.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\"Shell" = "Explorer.exe \"C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard\kbdsys.exe\""

The threat will drop the following malicious files:

  • C:\Windows.exe
  • C:\Program Files.exe
  • C:\[Existing Folder Name].exe
  • %System%\hlpsvc1.exe
  • %System%\hlpsvc2.exe
  • %SystemDrive%\Read1st!.exe
  • %SystemDrive%\goats.exe
  • %Windir%\Classified.exe
  • %Windir%\system.exe
  • %Windir%\lsass.exe
  • %UserProfile%\My Documents\Classified.exe
  • C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard\kbdsys.exe
  • C:\Documents and Settings\All Users\Application Data\PolariSys\dirlock.exe
  • %Windir%\shutdown.dll
  • %DriveLetter%\Classified.exe
  • %DriveLetter%\Read1st!.exe
  • %DriveLetter%\autorun.inf
  • %SystemDrive%\autorun.inf

How to Remove W32.Daprosy Manually

1. Restart your computer in Safe Mode
- After powering on the computer, just before Windows starts, press F8
- From the selections, select Safe Mode

2. Remove the registry entries that the threat added. You MUST BACK UP YOUR REGISTRY FIRST.
- Click Start > Run
- Type regedit in the field
- Navigate to the registry entries listed above and delete them if present

3. Delete the malicious files that the threat added:
- Using the locations given above, browse to each file and delete it
- If no location is given, click Start > Search and search for the file.
- If a file cannot be deleted, press Ctrl+Alt+Del to open Task Manager and check whether the file is running as a process. If it is, select it and click End Process, then delete the file again.
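As an added example that is not part of the original write-up, the following PowerShell script audits a host for the persistence entries and dropped files listed above, so the removal steps can be verified afterwards. It assumes an elevated prompt, the Windows XP-era folder layout used on this page, and the registry key name CurrentVersion (no space), which is how the key is actually spelled on a real system.

```powershell
# Added example, not from the original write-up: audit a host for the
# W32.Daprosy persistence entries and dropped files listed above.
# Assumptions: elevated PowerShell; XP-style profile folders; the registry
# key is spelled "CurrentVersion" (no space); %System% = System32.

# Run-key values the write-up attributes to the worm.
$runEntries = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'WinSys' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'LSAShell' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'SessionMngr' }
)
foreach ($e in $runEntries) {
    $item = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    if ($item) {
        Write-Output ('SUSPECT run entry: {0}\{1} = {2}' -f $e.Key, $e.Name, $item.($e.Name))
    }
}

# Winlogon Shell is normally just "explorer.exe"; the worm appends kbdsys.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    Write-Output "SUSPECT Winlogon Shell value: $shell"
}

# Dropped files at fixed locations (environment variables expanded).
$fixedPaths = @(
    "$env:SystemRoot\System32\hlpsvc1.exe", "$env:SystemRoot\System32\hlpsvc2.exe",
    "$env:SystemRoot\Classified.exe", "$env:SystemRoot\system.exe",
    "$env:SystemRoot\lsass.exe", "$env:SystemRoot\shutdown.dll",
    "$env:SystemDrive\goats.exe", "$env:USERPROFILE\My Documents\Classified.exe",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Keyboard\kbdsys.exe",
    "$env:ALLUSERSPROFILE\Application Data\PolariSys\dirlock.exe"
)
# Per-drive drops (%DriveLetter%\...) and the "<folder name>.exe" decoys on C:.
$perDrive = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root } | ForEach-Object {
    foreach ($n in 'autorun.inf', 'Classified.exe', 'Read1st!.exe') { Join-Path $_.Root $n }
}
$decoys = Get-ChildItem -Path "$env:SystemDrive\" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } | ForEach-Object { "$($_.FullName).exe" }

foreach ($p in @($fixedPaths) + @($perDrive) + @($decoys)) {
    if (Test-Path -LiteralPath $p) { Write-Output "SUSPECT file present: $p" }
}
```

Run it once before and once after the removal steps; a hit on system.exe or lsass.exe in %Windir% is always suspect, because the genuine lsass.exe lives in %System%, not in the Windows root.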

  1. Kramer Clan
    August 13th, 2009 at 23:59

    This Daprosy worm cannot be removed in safe mode!

  2. t@vzs!!!
    October 9th, 2009 at 07:00

    I did everything you said but nothing happened. Damn. But thank you for your idea. Can somebody help me please?

  3. marc
    November 28th, 2009 at 08:36

    I have the same problem too.

    It seems that this virus cannot be deleted in Safe Mode; I've tried it.

    And my Task Manager is disabled, my antivirus is disabled too...

    And whenever I'm trying to install something that is going to delete it, it cannot be processed or even installed; besides, it is being corrupted.

    please help…
