Windows thread in the Technical forum: Annoying csrss.exe final.exe virus
20th August 2009, 02:58 AM #1 Annoying csrss.exe final.exe virus
Recently, I've been finding increasing instances of an annoying virus, it's still not picked up by Anti-Virus software (Sophos, AVG, Norton, NOD, Avast, F-Secure etc.).
It infects automatically via removable storage\USB\Firewire devices (when formatted as NTFS) and over a network via UNC\shares (will also crack a WEP key on wireless networks to spread).
Usually runs the process csrss.exe at 100% (not the genuine csrss.exe).
It's easy to remove via recovery console, but still leaves some lasting damage to the registry.
Creates the following files:
%SYSTEMROOT%\csrss.exe
%SYSTEMROOT%\ctfmon.exe
%SYSTEMROOT%\logonui.exe
%SYSTEMROOT%\msnmsgr.exe
%SYSTEMROOT%\userinit.exe
And in each NTFS drive root:
Autorun.inf
Autorun.exe
Recycler.exe
System Volume Information.exe
Final.exe
Changes the registry:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
- Adds entries to autorun from removable storage devices
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
- Sets Userinit to "%SYSTEMROOT%\system32\userinit.exe, %SYSTEMROOT%\csrss.exe" normally "%SYSTEMROOT%\system32\userinit.exe,"
- Sets System to "%SYSTEMROOT%\userinit.exe" normally ""
HKLM\SOFTWARE\Microsoft\Security Center\
- Sets AntiVirusDisableNotify to 1 normally 0
- Sets AntiVirusOverride to 1 normally 0
- Sets FirewallDisableNotify to 1 normally 0
- Sets FirewallOverride to 1 normally 0
- Sets FirstRunDisabled to 1 normally absent
- Sets UpdatesDisableNotify to 1 normally 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\
- Sets Type to "By Rover" normally "checkbox"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\
- Sets Type to "By Rover" normally "checkbox"
- Sets UncheckedValue to 0 normally 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
- Sets ShowSuperHidden to 0
- Sets SuperHidden to 0
- Sets HideFileExt to 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
- Sets DisallowRun to 1 normally absent
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\
Adds entries for:
- regedit, taskmgr, cmd, rstrui, msconfig and various other anti-virus\anti-malware products
HKCU\Software\Policies\Microsoft\Windows\System\
- Sets DisableCMD to 1 normally absent
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
- Sets DisableTaskMgr to 1 normally absent
- Sets DisableRegistryTools to 1 normally absent
HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies
- Sets Allow Programmatic Cut_Copy_Paste to 0 normally absent
It's easy enough to script a repair to the registry. Hope this helps someone.
Last edited by AXE; 20th August 2009 at 03:02 AM.
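The post ends by saying a registry repair is easy to script. The PowerShell below is an added example written for this page, not AXE's script and not from any AV vendor: it audits a machine for the dropped files and the registry changes listed in post #1 and, with -Repair, resets each value to the "normally ..." setting the post gives. Anything the post does not give a normal value for (the HKCU Explorer\Advanced hidden-file settings) is reported but never changed. It assumes an elevated PowerShell session; because the malware blocks cmd, regedit and taskmgr for the infected user, you may need to run it from an unaffected admin account or after the recovery-console cleanup the post describes. The script name Check-CsrssFinal.ps1 is an assumption.

```powershell
<#
  Added example, not part of the original post: audit for the files and
  registry changes listed in post #1; -Repair resets the "normally ..." values.
  Usage:  .\Check-CsrssFinal.ps1           # report only
          .\Check-CsrssFinal.ps1 -Repair   # report and reset registry values
#>
param([switch]$Repair)

$sysRoot = $env:SystemRoot
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sc  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$adv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder'
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Expected ("normally") values copied from the post. $null means normally absent.
$expected = @(
  @{ Path=$wl; Name='Userinit'; Value="$sysRoot\system32\userinit.exe," },
  @{ Path=$wl; Name='System';   Value='' },
  @{ Path=$sc; Name='AntiVirusDisableNotify'; Value=0 },
  @{ Path=$sc; Name='AntiVirusOverride';      Value=0 },
  @{ Path=$sc; Name='FirewallDisableNotify';  Value=0 },
  @{ Path=$sc; Name='FirewallOverride';       Value=0 },
  @{ Path=$sc; Name='FirstRunDisabled';       Value=$null },
  @{ Path=$sc; Name='UpdatesDisableNotify';   Value=0 },
  @{ Path="$adv\HideFileExt"; Name='Type';           Value='checkbox' },
  @{ Path="$adv\SuperHidden"; Name='Type';           Value='checkbox' },
  @{ Path="$adv\SuperHidden"; Name='UncheckedValue'; Value=1 },
  @{ Path="$pol\Explorer"; Name='DisallowRun';          Value=$null },
  @{ Path="$pol\System";   Name='DisableTaskMgr';       Value=$null },
  @{ Path="$pol\System";   Name='DisableRegistryTools'; Value=$null },
  @{ Path=$pol;            Name='Allow Programmatic Cut_Copy_Paste'; Value=$null },
  @{ Path='HKCU:\Software\Policies\Microsoft\Windows\System'; Name='DisableCMD'; Value=$null }
)

function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = 0
foreach ($e in $expected) {
    $actual = Get-RegValue $e.Path $e.Name
    $ok = if ($null -eq $e.Value) { $null -eq $actual } else { "$actual" -eq "$($e.Value)" }
    if ($ok) { continue }
    $findings++
    "MISMATCH  {0}\{1} = '{2}'  (normally '{3}')" -f $e.Path, $e.Name, $actual, $e.Value
    if (-not $Repair) { continue }
    if ($null -eq $e.Value) {
        Remove-ItemProperty -LiteralPath $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    } else {
        if (-not (Test-Path -LiteralPath $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        Set-ItemProperty -LiteralPath $e.Path -Name $e.Name -Value $e.Value
    }
}

# The post lists these values as set by the malware but gives no normal value,
# so they are reported only. HideFileExt=1 is also the Windows default, so it
# is corroboration at most, not evidence on its own.
$hkcuAdv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
foreach ($p in @(@{N='ShowSuperHidden';V=0}, @{N='SuperHidden';V=0}, @{N='HideFileExt';V=1})) {
    if ("$(Get-RegValue $hkcuAdv $p.N)" -eq "$($p.V)") {
        $findings++; "CHECK     $hkcuAdv\$($p.N) = $($p.V)  (value the malware sets)"
    }
}

# DisallowRun subkey: list what it blocks, then drop the whole key on -Repair.
$disallow = "$pol\Explorer\DisallowRun"
if (Test-Path -LiteralPath $disallow) {
    $key  = Get-Item -LiteralPath $disallow
    $vals = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    $findings++
    "DISALLOWRUN entries: " + ($vals -join ', ')
    if ($Repair) { Remove-Item -LiteralPath $disallow -Recurse -Force }
}

# Dropped files from the post. The genuine csrss.exe and userinit.exe live in
# system32, so copies directly under %SYSTEMROOT% are suspicious by location.
$files = @('csrss.exe','ctfmon.exe','logonui.exe','msnmsgr.exe','userinit.exe' |
           ForEach-Object { Join-Path $sysRoot $_ })
$rootNames = 'Autorun.inf','Autorun.exe','Recycler.exe','System Volume Information.exe','Final.exe'
foreach ($d in (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root })) {
    foreach ($n in $rootNames) { $files += Join-Path $d.Root $n }
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $findings++; "FILE      $f" }
}

"Findings: $findings" + $(if ($Repair) { ' (registry reset; remove the files from a clean boot)' } else { '' })
```

The script deliberately does not delete the files: the running fake csrss.exe will recreate them and the post's own advice is to remove them from the recovery console. Run the audit first without -Repair so you have a record of what was changed before resetting it, and re-run after cleanup to confirm nothing came back on the next logon.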
17th August 2010, 07:58 AM #2 Can you upload it to http://www.virustotal.com/ and see who *does* catch it?