Remove ntdetec1.exe/(W32.Ceted) virus?

Flash drives or Pen drives are nowadays convenient way of file sharing. Floppies are replaced by these flash drives and as per users transition to flash drives, virus/w0rm writers have also shifted their targets to flash drives.
Recently a w0rm known as ntdect1.exe has infected lot of flash drives and still spreading. Anti viruses like Symantec, Macafee, AVG etc had failed to detect it as a malicious executable. This W0rm infects all Windows Operating systems from Windows 95 to Windows Vista. On vista when you double click on infected Flash/Pen drive, it brings pop-up saying something like unknown file ntdect1.exe, but we usually click OK on every pop up given by Windows instead of reading the message. Anyways, here is the brief overview of the w0rm. Please check Symantec recommendations at the bottom.

W0rm Overview:

Whenever w0rm runs for the first time, it creates the following files and gives them system, hidden, and read-only attributes:

* %SystemDrive%\ntdetec1\ntdetec1.exe
* %SystemDrive%\ntdetec1\cmrss.exe
* %SystemDrive%\ntdetec1\run.exe
* %SystemDrive%\ntdetec1\shell32.exe
* %SystemDrive%\ntdetec1\drivelist.txt
* %SystemDrive%\ntdetec1\child\autorun.inf
* %SystemDrive%\ntdetec1\child\ntdetec1.exe

W0rm creates 3 new processes by executing following files.
1) cmrss.exe
2) ntdetec1.exe
3) shell32.exe

How to detect infection?

1) Task Manager, Process Explorer gets closed automatically. ( It does this by monitoring the newly created process and searching the name for Task manager, Process Explorer to kill them.)
2) Google search result will get redirected to customized sreach result.
3) Following REGISTRY Entry is get created.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\”winlogon” = “C:\ntdetec1\run.exe”

Removal Procedure:

1) Go to command prompt ( If You are using Vista, open command prompt with Administrator Privilege)
2) Go to %SystemDrive% ( Drive where Windows is Installed e.g C:\ )
3) Run following command
C:\>attrib ntdetec1 -s -h /s /d
This will remove the hidden and system attribute of the ntdetct1 directory and you can view ntdetec1 directory on c:
4) Now kill the associated process with the w0rm by following commands
c:\>taskkill /im cmrss.exe
c:\>taskkill /im ntdetec1.exe
c:\>taskkill /im shell32.exe
5) Delete the ntdetect1 directory.
c:\>rmdir /S ntdetec1 ( You can do shift+Delete from Explorer too )
6) Open REGISTRY Editor by typing ‘regedit‘ in Start->RUN box.
7) Traverse till HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
8 ) Delete “winlogon” = “C:\ntdetec1\run.exe” entry.

On Jan 9, 2008; Symantec named this w0rm as W32.Ceted and has rated it as Very Low Risk Level. Check the recommendations provided by Symantec here.

Next, time be more cautious before directly double clicking on friends Pen/Flash Drive.


About this entry