Stop it: Rotinom (update.exe), the hard disk filling virus

Posted: April 26, 2011 in Uncategorized

Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further.

While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.

There are a few that can potentially cause hardware failure, and this article is intended to expose and discuss one of them, called Rotinom.

Rotinom, which appears as ‘update.exe’, is a type of virus known as a worm that may propagate via removable drives or network shares.

HOW IT WORKS

It is activated when an infected folder is opened. It then replicates system files in the Operating System until your Local Disk drive is full, causing your system to shut down and, in severe cases, destroying your hard disk.

SYMPTOMS

The most noticeable characteristic is an unaccounted-for decrease in space on the Local Disk drive (commonly known as Local Disk C:), which eventually fills the disk if left unchecked. Those who have partitioned their hard drive will notice that the other partitions do not experience this phenomenon. Another distinguishing feature on infected pen drives and external hard drives is that all folders on these drives show a file size of 109 KB irrespective of their content.
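The three symptoms above can be checked from a PowerShell prompt without changing anything. The script below is an added example and is not part of the original article; it assumes Windows 7 or later with the built-in Get-Process and Get-WmiObject cmdlets, and the 100 KB to 120 KB size window is an assumption built around the 109 KB figure given above.

```powershell
# Added triage script (not from the original article). It only reports;
# nothing is stopped or deleted. Assumes Windows 7+ with built-in cmdlets.

# Symptom check 1: is a process called update.exe running, and from where?
$procs = @(Get-Process -Name update -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    # Path is empty when the process runs with higher rights than this shell
    "Running: PID $($p.Id)  Path: $($p.Path)"
}
if ($procs.Count -eq 0) { "No process named update.exe is running." }

# Symptom check 2: how much free space is left on the system drive?
$sys = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
"{0} {1:N1} GB free of {2:N1} GB" -f $sys.DeviceID, ($sys.FreeSpace / 1GB), ($sys.Size / 1GB)

# Symptom check 3: on removable drives (DriveType 2), list top-level entries
# that are files of roughly 109 KB. The article says every 'folder' on an
# infected pen drive reports that size, so these are worth inspecting.
# The size window (assumption) is 100 KB to 120 KB.
$lo = 100KB; $hi = 120KB
Get-WmiObject Win32_LogicalDisk -Filter "DriveType=2" | ForEach-Object {
    $root = $_.DeviceID + '\'
    Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Length -ge $lo -and $_.Length -le $hi } |
        ForEach-Object { "Suspicious entry ({0} bytes): {1}" -f $_.Length, $_.FullName }
}
```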

METHOD OF INFECTION

The most common mode of infection is the opening of infected folders on infected external storage devices or networks by unsuspecting victims.

REMOVAL

This can be done manually or with the use of specific virus or malware removal tools that can be downloaded from the internet.

MANUAL REMOVAL (on Windows 7)

I would advise that you read through the instructions before you begin the removal process.

1. The first thing to do is to check the source of infection, i.e. check whether any external device or networked computer is infected, and cut off any form of connection to it by logging off the network and unplugging any USB storage device.

2. The next thing to do is to open Windows Task Manager. You can do this by pressing the keys Ctrl, Alt and Del simultaneously on your keyboard and selecting Start Task Manager in the window that opens.

3. Click the tab labeled Processes in Windows Task Manager, scroll down and look for the program update.exe under Image Name.

4. Once you identify the program update.exe, right-click it and select Open file location. NB* this opens a window showing the location of a folder labeled update.

5. Leaving that window open, go back to Windows Task Manager, right-click the update.exe program again and this time choose End Process, then confirm to end the process. NB* by doing this you have stopped the activities of the worm.

6. Go back to the window you opened earlier and permanently delete the folder labeled update from your computer. A short way of doing this is to select the folder and press the Del (Delete) key while holding the Shift key. By following this procedure you have removed the worm from your system; you can cross-check by restarting your machine and confirming that update.exe no longer appears in Windows Task Manager.

Even though the worm has been removed, the used space is not restored automatically. All the lost space can be restored by following this procedure.

1. Open any folder (it doesn’t have to be a specific one), click the tab labeled Organize, scroll down and double click Folder and search options.

2. In Folder and search options choose the tab labeled View; in the list of options choose Show hidden files, folders, and drives, and uncheck the box beside Hide protected operating system files (Recommended).

NB* by doing this you will reveal the hidden folders in your operating system.

3. Click the Start button and double click to open your personal folder (this is found on the upper right side above Documents when you click Start, and is identifiable in most cases by the name of the owner of the PC).

4. Once you are in your personal folder you will see a translucent folder labeled AppData; open it and look for another folder labeled Local.

5. Open the folder named Local, select all files and folders in it and attempt to delete them. I use the word attempt because some of them cannot be deleted since they are in use by the system. In such cases just skip them and go ahead with deleting the rest. NB* if you did not use the permanent delete method mentioned above, then go into your Recycle Bin and empty it.

6. Finally, go back to Folder and search options and, under the View tab, select ‘Don’t show hidden files, folders, or drives’ and check the box beside Hide protected operating system files (Recommended).
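The two procedures above (ending update.exe and deleting its folder, then clearing space under AppData\Local) can be mirrored from an elevated PowerShell prompt. The script below is an added example, not part of the original article; it assumes the worm’s folder is the parent directory of the running binary, as the Open file location step implies, and instead of deleting everything under Local it reports the largest entries so the cleanup can be targeted.

```powershell
# Added script (not from the original article). Run from an elevated prompt.
# Assumption: the folder to remove is the parent directory of the running
# update.exe, and it is named 'update' as the article describes.

$procs = @(Get-Process -Name update -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    if (-not $p.Path) { "Cannot read the path of PID $($p.Id); run this elevated."; continue }
    $dir = Split-Path -Parent $p.Path
    # Step 5: end the process first, otherwise its folder stays locked
    Stop-Process -Id $p.Id -Force
    Start-Sleep -Seconds 1
    # Step 6: permanent delete (Remove-Item does not use the Recycle Bin).
    # Only the folder named 'update' is removed; anything else is reported.
    if ((Split-Path -Leaf $dir) -eq 'update') {
        Remove-Item -LiteralPath $dir -Recurse -Force
        "Removed $dir"
    } else {
        "update.exe ran from unexpected folder $dir; inspect it before deleting."
    }
}

# Space recovery: size each top-level entry under %LOCALAPPDATA%, largest first,
# so you can see which entries hold the lost space before deleting anything.
Get-ChildItem -Path $env:LOCALAPPDATA -Force | ForEach-Object {
    $bytes = (Get-ChildItem -LiteralPath $_.FullName -Recurse -Force -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer } |
              Measure-Object -Property Length -Sum).Sum
    New-Object PSObject -Property @{ Name = $_.Name; MB = [math]::Round($bytes / 1MB, 1) }
} | Sort-Object MB -Descending | Select-Object -First 10

# Verification (repeat after a reboot): this should print nothing.
Get-Process -Name update -ErrorAction SilentlyContinue | Select-Object Id, Path
```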

There will be another article on how to remove this worm from your external storage devices, but if you do not have any important data on them you can simply format them.

Always remember to update your antivirus regularly, and comment if you have any difficulties.

Article by: Daniel Duedu/Adom FM/Ghana
