Windows defender has detected the following worms on my system and I was wondering how dangerous are they and what is it that they do?
2 Answers
Worm:Win32/Goldrv!rfn is a trojan that installs Win32/Rootkit.Agent.HU malware.
Installation: The trojan does not create any copies of itself.
The trojan creates the following files: %windir%\system32\drivers\symavc32.sys (167936 B, Win32/Rootkit.Agent.HU) %temp%\_it.bat
Installs the following system drivers (path, name): %windir%\system32\drivers\symavc32.sys, symavc32
The trojan executes the following files: %temp%\_it.bat
The trojan deletes the original file.
The trojan may delete the following folders: %currentfolder%
- 41
- 2
Worms will often give themselves randomized names to avoid user detection, you won't find many worms that will names themselves "IAMAVIRUS.worm". It's impossible for us to tell what the worms would do without seeing their inner workings, but to be honest you should probably just remove them from your machine if Windows Defender flags them.
- 1,489
- 11
- 17
-
I found some info on the first one from Microsoft's Malware Protection Center but I was looking for a little bit of more details. https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32%2FGoldrv!rfn&ThreatID=-2147274438 – Django Jan 26 '16 at 18:23
-
1I think that the more secure option is to wipe the computer and reinstall. – Neil Smithline Jan 26 '16 at 18:29
-
In fairness to the guy asking, if Windows Defender flagged the thing, that means Windows Defender recognized it. Or, at least, recognized something about it that was suspicious. If it's a known type of malware, we probably **can** say specifically what it's doing because someone already went to the trouble to analyze it. Of course, the larger question "how did it get on the system?" is murkier. – Parthian Shot Jan 26 '16 at 18:31
-
@NeilSmithline I want that to be my last option. – Django Jan 26 '16 at 18:36
-
@ParthianShot That's what I want to know, my initial guess would be this flash drive I plugged into my system which had a new folder.exe and a new folder(2).exe in it of which I did not open but one of them disappeared right before my eyes which I found that to be quite alarming. – Django Jan 26 '16 at 18:39
-
Of course you do @KosarF. I understand. See [How do you explain the necessity of nuke it from orbit to management and users?](https://security.stackexchange.com/questions/24195/how-do-you-explain-the-necessity-of-nuke-it-from-orbit-to-management-and-users). schroeder's answer seems the most relevant. – Neil Smithline Jan 26 '16 at 18:42
-
1You didn't mention problems with a flash drive. Destroy it and throw it out. Never plug it into another computer. If you must, use a junker computer to extract the critical information and then reformat that computer. – Neil Smithline Jan 26 '16 at 18:44
-
@NeilSmithline Thanks for that "nuke it from orbit" Q&A. – Django Jan 26 '16 at 19:21
-
@NeilSmithline I have already discarded the flash drive. – Django Jan 26 '16 at 19:22