Worm:Win32/Renocide.gen!H
Aliases: Worm/AutoIt.xl.157 (Avira), Win32.HLLW.Autoruner.based (Dr.Web), Worm.Win32.Autoit.xl (Kaspersky), W32/Autorun.worm.zf.gen (McAfee), W32.Harakit (Symantec)
Summary
Worm:Win32/Renocide.gen!H is the detection for a worm that spreads via removable drives and mapped network shares. It attempts to download additional files from a remote server.
Recovering from recurring infections on a network
- Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares.
- Ensure that all available network shares are scanned with an up-to-date antivirus product.
- Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
- Remove any unnecessary network shares or mapped drives.
Additional remediation instructions for Win32/Renocide
- Click Start and then click Run.
- In the Open box, type regedit and then click OK.
- Locate and then click on the following registry key:
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- On the right panel, right-click on the following registry entry:
  Shell
- Select Modify and then click OK.
- In the "Value data:" entry box, edit the data such that it only contains the following:
  explorer.exe
- Close Registry Editor.
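
The same check and reset can be scripted for use across several machines. The following PowerShell is an added example, not part of the original Microsoft instructions; the `-Fix` switch and the backup file location are assumptions chosen for illustration. It must be run from an elevated prompt.

```powershell
# Added example: audit the Winlogon Shell value and, with -Fix, reset it.
# The -Fix switch name and the backup path are hypothetical choices.
param(
    [switch]$Fix
)

$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = 'explorer.exe'
$backup   = Join-Path $env:TEMP 'winlogon-shell-before.txt'   # assumed location

# Read the current value; a missing value is reported, not treated as clean.
$current = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell

if ($null -eq $current) {
    Write-Warning "Shell value not found under $key"
}
elseif ($current.Trim() -ieq $expected) {
    Write-Output "OK: Shell is '$current'"
    return
}
else {
    Write-Warning "Shell is '$current' (expected '$expected')"
    # The value may list further programs after explorer.exe, separated by
    # commas. Print each extra entry so it can be located and scanned.
    $current -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and ($_ -ine $expected) } |
        ForEach-Object { Write-Output "Extra Shell entry: $_" }
}

if ($Fix) {
    # Keep the original string for the incident record before overwriting it.
    "$(Get-Date -Format o) $env:COMPUTERNAME Shell=$current" |
        Add-Content -Path $backup
    Set-ItemProperty -Path $key -Name Shell -Value $expected -Type String
    Write-Output "Shell reset to '$expected'; previous value saved to $backup"
}
else {
    Write-Output 'Run again with -Fix to reset the value.'
}
```

Resetting the value only removes the logon launch point; any file named in an extra entry still needs to be scanned and removed by the antivirus product.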