Worm.Pabug.ck is a computer virus also known as Worm.Pabug.co, Dropper/QQPass.48436, Trojan-PSW.Win32.QQPass.jh or DeepScan.Generic.Malware.SP!dldPk!g.01C03DEE. The virus carries high system risk as the malicious dropper will disable some commonly used anti-virus software and unable to open security applications. Other reported infected symptoms include unable to update virus signatures, unable to access or load antivirus websites or forums. All these effects caused the removal or disinfection process for Worm.Pabug.ck/co virus a little bit harder.

The worm can’t self-propagate. It is likely that the system could be infected when a user downloads an executable file from email, messenger, board, and download centers and run the file. Or, it is possible that it is installed by other malicious codes (worms, viruses and Trojan horses). The worm which is a dropper, when executed, will create the following files:

%systemroot%\system32\gfosdg.exe or jusodl.exe
%systemroot%\system32\gfosdg.dll or jusodl.dll
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\mpnxyl.exe or pnvifj.exe
%systemroot%\system32\drivers\conime.exe
%systemroot%\system32\hx1.bat
%systemroot%\system32\noruns.reg
X:\OSO.exe
X:\autorun.inf

X represents non-system hard drive. %systemroot% folder is usually C:\Windows on most systems (so the path to the infected files are C:\Windows\System for Windows 95/98/ME, C:\WinNT\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP).

Beside, the dropper also adds the following value to Windows registry key entries by executing noruns.reg and then delete the file once done to run itself automatically whenever Windows starts.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] “NoDriveTypeAutoRun”=dword:b5

Above change the auto run method of the drive.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “jusodl” = “C:\WINDOWS\system32\severe.exe”
“pnvifj” = “C:\WINDOWS\system32\jusodl.exe”

or

“mpnxyl” = “C:\WINDOWS\system32\gfosdg.exe”
“gfosdg” = “C:\WINDOWS\system32\severe.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] “Shell” = “explorer.exe C:\WINDOWS\system32\drivers\conime.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options] Debugger = Windows system folder\drivers\pnvifj.exe

or

“Debugger”=”C:\WINDOWS\system32\drivers\mpnxyl.exe”

The above registry value is for the child registry key which based on the executables file names of the security programs, so that when these security software are been double clicked, the virus file that is been run. The child registry keys include:

+ 360Safe.exe
+ adam.exe
+ avp.com
+ avp.exe
+ IceSword.exe
+ iparmo.exe
+ kabaload.exe
+ KRegEx.exe
+ KvDetect.exe
+ KVMonXP.kxp
+ KvXP.kxp
+ MagicSet.exe
+ mmsk.exe
+ msconfig.com
+ msconfig.exe
+ PFW.exe
+ PFWLiveUpdate.exe
+ QQDoctor.exe
+ Ras.exe
+ Rav.exe
+ RavMon.exe
+ regedit.com
+ regedit.exe
+ runiep.exe
+ SREng.EXE
+ TrojDie.kxp
+ WoptiClean.exe

The worm terminates following running process(es). Targets (listed below) are antivirus software, firewall, system process, and other malicious codes. The command used in ‘net stop’ and using sc.exe to configure forbid usage of these services with the command “config [service_name] start=disabled”

srservice
sharedaccess
KVWSC
KVSrvXP
kavsvc
RsRavMon
RsCCenter

The virus also terminates and stops the following process from running:

PFW.exe
Kav.exe
KVOL.exe
KVFW.exe
adam.exe
qqav.exe
qqkav.exe
TBMon.exe
kav32.exe
kvwsc.exe
CCAPP.exe
EGHOST.exe
KRegEx.exe
kavsvc.exe
VPTray.exe
RAVMON.exe
KavPFW.exe
SHSTAT.exe
RavTask.exe
TrojDie.kxp
Iparmor.exe
MAILMON.exe
MCAGENT.exe
KAVPLUS.exe
RavMonD.exe
Rtvscan.exe
Nvsvc32.exe
KVMonXP.exe
Kvsrvxp.exe
CCenter.exe
KpopMon.exe
RfwMain.exe
KWATCHUI.exe
MCVSESCN.exe
MSKAGENT.exe
kvolself.exe
KVCenter.kxp
kavstart.exe
RAVTIMER.exe
RRfwMain.exe
FireTray.exe
UpdaterUI.exe
KVSrvXp_1.exe
RavService.exe

It also modifies HOSTS file to keep the user from connecting specific addresses. Generally, the addresses are homepages of Internet security sites and antivirus engine updates servers. So the infected system’s user can’t get information or engine updates to scan and remove the malicious code.

Following is the addresses that are blocked:

127.0.0.1 localhost
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com

The virus is may also affect USB flash drive or portable hard disk, by autorun OSO.exe. All non system partition will contains OSO.exe and autorun.inf virus files too. Beside, system time may be changed too to cause some anti virus programs to expire.

How to Remove and Disinfect Worm.Pabug.ck or Worm.Pabug.co Manually

To run antivirus program that has been disabled, you can try to rename the antivirus executable file name to another file name, and then run the new file name.

Terminate and end the following processes (tasks) using Task Manager (alternative you can use procexp):

%systemroot%\system32\gfosdg.exe
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\conime.exe

Remove the registry key added by virus under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key using Registry Editor or Autoruns (for Autoruns, remember to first select Options -> Hide Microsoft Entries to avoid mistaken delete valid entries). This process will allow anti virus or security software or system utilities such as IceSword, SREng and etc to be able to function properly again:

+ 360Safe.exe c:\windows\system32\drivers\mpnxyl.exe
+ adam.exe c:\windows\system32\drivers\mpnxyl.exe
+ avp.com c:\windows\system32\drivers\mpnxyl.exe
+ avp.exe c:\windows\system32\drivers\mpnxyl.exe
+ IceSword.exe c:\windows\system32\drivers\mpnxyl.exe
+ iparmo.exe c:\windows\system32\drivers\mpnxyl.exe
+ kabaload.exe c:\windows\system32\drivers\mpnxyl.exe
+ KRegEx.exe c:\windows\system32\drivers\mpnxyl.exe
+ KvDetect.exe c:\windows\system32\drivers\mpnxyl.exe
+ KVMonXP.kxp c:\windows\system32\drivers\mpnxyl.exe
+ KvXP.kxp c:\windows\system32\drivers\mpnxyl.exe
+ MagicSet.exe c:\windows\system32\drivers\mpnxyl.exe
+ mmsk.exe c:\windows\system32\drivers\mpnxyl.exe
+ msconfig.com c:\windows\system32\drivers\mpnxyl.exe
+ msconfig.exe c:\windows\system32\drivers\mpnxyl.exe
+ PFW.exe c:\windows\system32\drivers\mpnxyl.exe
+ PFWLiveUpdate.exe c:\windows\system32\drivers\mpnxyl.exe
+ QQDoctor.exe c:\windows\system32\drivers\mpnxyl.exe
+ Ras.exe c:\windows\system32\drivers\mpnxyl.exe
+ Rav.exe c:\windows\system32\drivers\mpnxyl.exe
+ RavMon.exe c:\windows\system32\drivers\mpnxyl.exe
+ regedit.com c:\windows\system32\drivers\mpnxyl.exe
+ regedit.exe c:\windows\system32\drivers\mpnxyl.exe
+ runiep.exe c:\windows\system32\drivers\mpnxyl.exe
+ SREng.EXE c:\windows\system32\drivers\mpnxyl.exe
+ TrojDie.kxp c:\windows\system32\drivers\mpnxyl.exe
+ WoptiClean.exe c:\windows\system32\drivers\mpnxyl.exe

Remove the following auto run on Windows startup registry entries located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key by using Registry Editor or SREng (System Repair Engineer)

“mpnxyl”=”C:\WINDOWS\system32\gfosdg.exe”
“gfosdg”=”C:\WINDOWS\system32\severe.exe”

Also navigate to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key, double click on it and remove the text behind “Explorer.exe” in the value data, so that it will become looked like as below:

“shell”=”Explorer.exe”

Next delete all files planted by the virus. Note that even if you right click on these infected files may trigger the infection process, so it’s recommended to use IceSword or WinRAR to delete these files:

%systemroot%\system32\gfosdg.exe
%systemroot%\system32\gfosdg.dll
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\mpnxyl.exe
%systemroot%\system32\drivers\conime.exe
%systemroot%\system32\hx1.bat
%systemroot%\system32\noruns.reg
X:\OSO.exe
X:\autorun.inf

X mean all non system partitions, including your USB flash drive and portable hard disk.

System Recovery and Clean Up

Navigate to the following registry keys and add back the original value.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] “CheckedValue”=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] “NoDriveTypeAutoRun” value is vary depending on system, normally by default it will set as 91 (in HEX value)

Next remove all contents added by the worm in Hosts file. Use Notepad to open %systemroot%\system32\drivers\etc\hosts, and remove the entries or lines specified above. If you’re using SREng, simply click on “System Recovery” -> “Hosts file”, then click “Replace” and then “Save”.

Finally, you will need to recover or repair or reinstall the anti virus program, if it has been damaged.