Skip to main content
Skip to main content
Microsoft Security Intelligence
Cart 0 items in shopping cart
Sign in
Published Apr 01, 2011 | Updated Sep 15, 2017

Worm:Win32/Renocide.gen!J

Detected by Microsoft Defender Antivirus

Aliases: Win-Trojan/Autorun.989748 (AhnLab) Trojan-Spy.Win32.AutoIt.m (Kaspersky)

Summary

Worm:Win32/Renocide.gen!J is a worm and detection for a compiled AutoIt script that spreads via removable drives and mapped network shares. It attempts to download additional files from a remote server.
To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
 
Additional remediation instructions for Win32/Renocide
This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. Registry data may require manual correction after the malware is removed.
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, refer to the following articles:
  • 256986 Description of the Microsoft Windows Registry
  • 322756 How to back up and restore the registry in Windows
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To remove/modify the changes that Win32/Renocide has made to your computer, follow these steps:
  1. Click Start and then click Run.
  2. In the Open box, type regedit and then click OK.
  3. Locate and then click on the following registry key:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  4. On the right panel, right-click on the following registry entry:
    Shell
  5. Select Modify and then click OK.
  6. In the "Value data:" entry box, edit the data such that it only contains the following:
    explorer.exe
  7. Close Registry Editor.
 
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
 
  1. Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares.
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
  4. Remove any unnecessary network shares or mapped drives.
 
Note: Additionally it may be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.
 
Disable Autorun functionality
This threat attempts to spread via removable drives on computers that support Autorun functionality. This is a particularly common method of spreading for many current malware families. For information on disabling Autorun functionality, please see the following article:
Follow us