The real name of this virus is Iddono. This threat copies its file(s) to your hard disk. Its typical file name is Iddono. It then creates a new startup key named Iddono with the value newfolder.exe. You can also find it in your process list under the name newfolder.exe or Iddono.



NewFolder.exe File Behaviour

NEW FOLDER.EXE has been seen to perform the following behavior:

The process is packed and/or encrypted using a software packing process
Found on infected systems and resists interrogation by security products
Executes a process
Registers a Dynamic Link Library file
This process creates other processes on disk
Changes the Internet Explorer home page settings
Looks at the contents of the autoexec.bat file
Reads email address and phone book details
Adds products to the system registry
Modifies Windows security policies to restrict/expand user privileges on the machine
Disables the built-in Windows File Protection system
This process deletes other processes from disk
Can communicate with other computer systems using HTTP protocols
Changes IE options including home page, security tab, colour, font, advanced and menu settings
Disables access to the Windows Registry Editor
Disables access to the Task Manager built into Windows
Adds a link in the Start Menu

NEW FOLDER.EXE has been the subject of the following behavior:

Added as a registry auto start to load the program on boot up
Deleted as a process from disk
Executed as a process
Created as a process on disk
Registered as a Dynamic Link Library file
Has code inserted into its virtual memory space by other programs
Added as a link in the Start Menu



NewFolder.exe Manual Detection

Below are manual removal instructions for newfolder.exe so you can remove the unwanted file from your PC. Always be sure to back up your PC before you modify anything.



Step 1: End Task

Start > Run

taskkill /f /t /im "New Folder.exe"
taskkill /f /t /im "SCVVHSOT.exe"
taskkill /f /t /im "SCVHSOT.exe"
taskkill /f /t /im "scvshosts.exe"
taskkill /f /t /im "hinhem.scr"
taskkill /f /t /im "blastclnnn.exe"

The image names must be in straight double quotes; typographic quotes are passed to taskkill as part of the name and no process matches.



Step 2: Enable Task Manager

1. Start > Run

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

2. Start > Run

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f



Step 3: Enable Regedit

1. Start > Run

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

2. Start > Run

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f



Step 4: Folder Options & Hidden Files

1. Start > Run

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f

2. Start > Run

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f

3. Start > Run

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f

4. Start > Run

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 2 /f



Other steps

Delete the files:

C:\WINDOWS\SCVVHSOT.exe
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe

Restore these registry values:

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (REG_SZ) -> set back to explorer.exe
\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger (the misspelling is the malware's own value name) -> delete
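The steps above are easy to get half right, and the infection re-applies its settings if one process survives. The following PowerShell script is an added example written for this page, not part of the original guide: it is a read-only audit that checks every indicator the guide lists (the Step 1 process names, the files under "Delete the files", the policy and Explorer values reset in Steps 2 to 4, the Winlogon Shell value and the Run entries) and reports what still deviates, so you can run it before the manual steps and again afterwards to confirm nothing was missed. It changes nothing; the names, paths and expected values come from the page, the literal C:\WINDOWS and "Documents and Settings" paths are taken as the page gives them, and the Iddono Run-value name comes from the summary at the top.

```powershell
# Added example (not from the page): read-only audit of the indicators this guide
# tells you to remove. It reports findings; it kills nothing and writes nothing.
# Process names, file paths, registry keys and expected values are the page's;
# the script structure and output format are the editor's.

$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# Step 1 image names, without extension because Get-Process -Name takes the base name.
$suspectProcesses = @('New Folder', 'SCVVHSOT', 'SCVHSOT', 'scvshosts', 'hinhem', 'blastclnnn', 'newfolder')
foreach ($name in $suspectProcesses) {
    foreach ($p in @(Get-Process -Name $name)) {
        $findings.Add("Running process: $($p.Name) (PID $($p.Id)) path=$($p.Path)")
    }
}

# "Delete the files" list, taken literally from the page (adjust if Windows is not on C:).
$suspectFiles = @(
    'C:\WINDOWS\SCVVHSOT.exe',
    'C:\WINDOWS\SCVHSOT.exe',
    'C:\WINDOWS\hinhem.scr',
    'C:\WINDOWS\system32\SCVHSOT.exe',
    'C:\WINDOWS\system32\blastclnnn.exe',
    'C:\WINDOWS\system32\autorun.ini',
    'C:\Documents and Settings\All Users\Documents\SCVHSOT.exe'
)
foreach ($f in $suspectFiles) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
}

# Steps 2-4: each value the guide resets, with the value it should hold.
# An absent value is fine (no policy set); only a present, different value is reported.
$policies = 'Software\Microsoft\Windows\CurrentVersion\Policies'
$hiddenUi = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'
$expected = @(
    @{ Key = "HKLM:\$policies\System";   Name = 'DisableTaskMgr';       Value = 0 },
    @{ Key = "HKCU:\$policies\System";   Name = 'DisableTaskMgr';       Value = 0 },
    @{ Key = "HKLM:\$policies\System";   Name = 'DisableRegistryTools'; Value = 0 },
    @{ Key = "HKCU:\$policies\System";   Name = 'DisableRegistryTools'; Value = 0 },
    @{ Key = "HKCU:\$policies\Explorer"; Name = 'NoFolderOptions';      Value = 0 },
    @{ Key = "HKLM:\$policies\Explorer"; Name = 'NoFolderOptions';      Value = 0 },
    @{ Key = "$hiddenUi\SHOWALL";        Name = 'CheckedValue';         Value = 1 },
    @{ Key = "$hiddenUi\SHOWALL";        Name = 'DefaultValue';         Value = 2 },
    @{ Key = "$hiddenUi\NOHIDDEN";       Name = 'CheckedValue';         Value = 2 },
    @{ Key = "$hiddenUi\NOHIDDEN";       Name = 'DefaultValue';         Value = 2 }
)
foreach ($e in $expected) {
    $item = Get-ItemProperty -Path $e.Key -Name $e.Name
    if ($null -ne $item -and $item.($e.Name) -ne $e.Value) {
        $findings.Add("Registry tamper: $($e.Key)\$($e.Name) = $($item.($e.Name)) (expected $($e.Value))")
    }
}

# "Restore these registry values": the Winlogon Shell must be exactly explorer.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell).Shell
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    $findings.Add("Winlogon Shell hijacked: '$shell' (expected explorer.exe)")
}

# Autostart entries: the page's "Yahoo Messengger" value (sic), the Iddono name from
# the summary, and any Run value whose command mentions one of the page's file names.
$imagePattern = 'newfolder|SCVV?HSOT|scvshosts|hinhem\.scr|blastclnnn'
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -Path $runKey
    if ($null -eq $run) { continue }
    foreach ($prop in $run.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }   # bookkeeping added by the provider
        $suspectName = @('Yahoo Messengger', 'Iddono') -contains $prop.Name
        if ($suspectName -or ("$($prop.Value)" -match $imagePattern)) {
            $findings.Add("Autostart: $runKey\$($prop.Name) = $($prop.Value)")
        }
    }
}

if ($findings.Count -eq 0) {
    'No indicator from the guide was found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it from an elevated PowerShell prompt so the process paths and HKLM values are readable, and run it again after a reboot: a clean report after a restart is the real test, since the Winlogon Shell and Run entries only take effect at logon.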



Precaution

