Home Page of Alberto Lepe Garza

MMVO Virus Removal

Recently (Jun 2008), some of the computers in my University's laboratory were infected by a trojan. The virus goes by a different name depending on the antivirus company:
  • Trojan-PSW.Win32.OnLineGames.alex [Kaspersky Lab]
  • Packed.Generic.61 [Symantec]
  • W32/Autorun.worm.bx.gen.dll [McAfee]
  • WORM_ONLINEG.UGZ [Trend Micro]
It is mainly propagated through USB drives and installs itself in the Windows system directory.

How do you know if your computer is infected?

Open the Windows console: Start -> Run -> (type:) cmd, and click "OK". Then type the following (and press the TAB key instead of Enter):
C:\> del C:\windows\system32\mmvo
If the last part is automatically completed from "mmvo" to "mmvo.exe", "mmv0.dll" or something similar, your computer is infected (TAB completion only expands names of files that actually exist in that directory).

Even if you press Enter after that command, you will not be able to delete the file.
I will explain how to do it in a moment.

How do you know if your USB drive is infected?

If you find any file ending in ".cmd" together with an "autorun.inf" file, the drive is very probably infected.

Antispyware, Antimalware and Antivirus Software

I tried several applications to detect and remove the virus, with these results:

Software                               Virus in Memory   Virus Files   Remove
Symantec Antivirus                     Partial           Failed        Failed
CLAMWin Antivirus (Free)               Good              Failed        Failed
Lavasoft Ad-aware (Free)               Failed            Failed
Panda Software                         Partial           Failed        License Required
PrevxFree                              Good              Good          License Required
Windows Defender (Free)                Failed            Failed
Microsoft Malware Removal Tool (Free)  Failed            Failed


According to the table above, Prevx is the only one (of those I tested) that fully detects the virus. However, a license must be bought before it will attempt to remove it.

I will explain how to remove the virus manually.

How do I remove the virus from my USB drive?

Removing the trojan from your USB drive is easier than removing it from your Windows computer.

The best way is to open the USB drive on a Mac or Linux system (so that the system you use cannot be infected). Locate and remove any file ending in .cmd, the autorun.inf file, and any other file whose name looks like randomly generated code (e.g., 6KTHP0.cmd). I also recommend removing the RECYCLER folder (if present). If some file cannot be removed, rename it to something else.

If you don't have a Linux or Mac computer nearby, you may proceed to remove the virus from the USB drive first, before removing it from your computer. I cannot be sure that the virus will not reinfect your USB drive at any moment after you "clean" it.

How do I remove the virus from my Windows computer (the free way)?

I recommend downloading PrevxFree to scan your computer (for this particular virus). It will show you the files that need to be deleted from your system. Take note of their locations and names.

Once you have confirmed that your computer is infected, proceed as follows:

1) Enter Windows in Safe Mode:
  • Restart your computer
  • Before the Windows logo appears, press "F8"
  • Select "Safe Mode"
2) Disable start-up programs:
  • Start -> Run -> (type:) msconfig, and click "OK".
  • Go to the "Startup" tab
  • Uncheck any item that ends with "mmvo.exe" or similar.
3) Disable services:
  • In the same window, go to "Services" tab
  • Uncheck any item that looks like random code (without a name), for example:
    $kajsd-orisnd-23danf-asjd34...
  • Uncheck the "System Restore" service so that Windows does not restore the virus files.
  • Click "Accept" and exit.
4) Clear registry:
  • Start -> Run -> (type:) regedit, and click "OK".
  • Press the "F3" key, type "mmvo" and click "Search"
  • Delete any item you find with that name.
Note: Please be careful when cleaning your registry; if you are not sure, ask someone else for help.

5) Delete the files (basic MS-DOS commands required):
  • Open the Windows console (the "cmd" command introduced earlier).
  • Go to "\" (the root of the drive) and list all files, including hidden ones: "dir /a"
  • Locate "autorun.inf" or any file that looks like generated code (e.g., 6KTHP0.cmd).
  • execute these commands:
    • attrib +a -s -h autorun.inf
    • del autorun.inf
    • (if you cannot remove it, rename it to anything else:) move autorun.inf trash1.txt
  • Repeat the same two steps (attrib, then del or move) for each of these files:
    • C:\windows\system32\mmvo.exe
    • C:\windows\system32\mmv0.dll
    • C:\windows\system32\mmv1.dll
  • Empty this folder: C:\Documents and Settings\__USER__NAME__\Local Settings\Temp
    • (substitute __USER__NAME__ with your login name, for example: Administrator)
  • Repeat the "attrib, del (or move)" steps for each of the files reported by Prevx.
That's it!

Final steps:
  • Restart your computer and login as usual.
  • Delete all the files that you couldn't delete and moved instead, for example: trash1.txt
  • Run Prevx again (clicking the "options" menu in the right-hand corner).
It should now report that your system is clean (hopefully). You can also download ClamWin and scan the memory if you want a second opinion.

Before buying any antivirus software, I recommend installing a free personal firewall (e.g., Comodo, Core Force, PCTools Firewall), which will be more useful for keeping unwanted malware away from your computer.

Personally, I don't understand why Microsoft hasn't removed that vulnerability, which automatically launches any application listed in an "autorun.inf" file on a USB drive without asking you! It is ideal for any virus...

The previous procedure may also work for other similar viruses, such as:
  • kavo.exe / kav0.dll
  • avpo.exe / avp0.dll
  • amvo.exe / amv0.dll
  • tavo.exe / tav0.dll
  • taso.exe / tas0.dll
  • mnso.exe / mns0.dll
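The USB checks described earlier (random-named .cmd file, autorun.inf, RECYCLER folder) and the system32 file names of the variants just listed, turned into a small detection script. This is an added example, not code from the original post; the inputs are constructed listings, the looks_like_generated_cmd heuristic is my own, and extending the mmv1.dll-style second sibling to the other variants is an assumption.

```python
import re

# Worm file stems listed in the write-up. Each variant drops <stem>.exe in system32 plus sibling
# .dll files whose trailing 'o' becomes a digit (mmvo.exe -> mmv0.dll, mmv1.dll). Only mmv1.dll is
# on the page; extending the "1" sibling to the other variants is an assumption.
VARIANT_STEMS = ("mmvo", "kavo", "avpo", "amvo", "tavo", "taso", "mnso")
INDICATOR_NAMES = ({s + ".exe" for s in VARIANT_STEMS}
                   | {s[:-1] + d + ".dll" for s in VARIANT_STEMS for d in "01"})

def looks_like_generated_cmd(name):
    """True for names like 6KTHP0.cmd: a short alphanumeric stem that mixes letters and digits."""
    m = re.fullmatch(r"([A-Za-z0-9]{4,8})\.cmd", name, re.IGNORECASE)
    return bool(m) and any(c.isdigit() for c in m.group(1)) and any(c.isalpha() for c in m.group(1))

def autorun_launch_targets(text):
    """Return the files an autorun.inf would launch via open, shellexecute or shell\\...\\command."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if value and (key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))):
                targets.append(value.split()[0].lower())  # keep the program, drop any arguments
    return targets

def scan_usb(file_names, autorun_text=None):
    """Apply the USB checks from the write-up; returns the sorted (lower-cased) names to remove."""
    suspects = {n.lower() for n in file_names if looks_like_generated_cmd(n) or n.lower() == "recycler"}
    if autorun_text is not None:
        suspects.add("autorun.inf")
        suspects.update(t for t in autorun_launch_targets(autorun_text) if t.endswith(".cmd"))
    return sorted(suspects)

def scan_system32(file_names):
    """Return the dropped-file names of any listed variant that appear in a system32 listing."""
    return sorted(n.lower() for n in file_names if n.lower() in INDICATOR_NAMES)

# Constructed sample input (not captured from a real drive): a USB listing with its autorun.inf,
# and a system32 listing containing the mmvo files named in the write-up.
SAMPLE_USB = ["6KTHP0.cmd", "autorun.inf", "RECYCLER", "thesis.doc", "notes.txt"]
SAMPLE_AUTORUN = "[autorun]\nopen=6KTHP0.cmd\nshell\\open\\Command=6KTHP0.cmd\nshellexecute=6KTHP0.cmd\n"
SAMPLE_SYSTEM32 = ["kernel32.dll", "mmvo.exe", "mmv0.dll", "mmv1.dll", "notepad.exe"]

if __name__ == "__main__":
    print("USB files to remove:", scan_usb(SAMPLE_USB, SAMPLE_AUTORUN))
    print("system32 indicators:", scan_system32(SAMPLE_SYSTEM32))
```

On a real machine you would feed the script the output of "dir /a" and the contents of the drive's autorun.inf; it only reports names and never deletes anything itself.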
For more information:

http://www.prevx.com/filenames/X1591482110620292974-0/MMVO.EXE.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LEGMIR.VF&VSect=T
http://www.threatexpert.com/report.aspx?uid=b942c82a-9647-4f57-83be-d0e5c17ba917
http://zatu.blog10.fc2.com/blog-entry-1147.html
http://www.wilderssecurity.com/showthread.php?t=186594

I hope this information was useful :)


Site Map - CopyLeft 2008 - Powered by Yayahuic Framework - Made by Alberto Lepe G.