If you have been frustrated by this one, you might also be interested in how it works so I'm sharing it here...
This file virus is a Windows PE EXE file. The file is 380 416 bytes in size. It is written in Delphi.
When launched, the virus copies its executable file as follows:
%System%\config\csrss.exe
%WinDir%\media\arona.exe
It also creates the following file:
%System%\logon.bat
When this file is run, it will launch a copy of the virus:
%System%\config\csrss.exe
In order to ensure that the virus is launched automatically when the system is rebooted, it adds a link to its executable file to the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Worms" = "%System%\logon.bat"
The virus also creates the following files:
%System%\config\autorun.inf
h:\autorun.inf
f:\autorun.inf
i:\autorun.inf
g:\autorun.inf
k:\autorun.inf
l:\autorun.inf
o:\autorun.inf
j:\autorun.inf
These files will be launched each time the user opens the corresponding hard disk partition using Windows Explorer. When one of these files is run, it will launch a copy of the virus: %System%\config\csrss.exe.
Payload
The virus modifies values of the following system registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = 1
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoFolderOptions = 1
It also searches the hard disk partitions listed below for files with an ".mp3" extension:
d:\
c:\
e:\
f:\
g:\
h:\
These files will then be deleted.
