MVP Jubo Security Blog


BootMerlin virus

This is a virus written in Microsoft Visual Basic that modifies the C:\Boot.ini file to display a Spanish message at boot time:

[Image: BootMerlin]

Upon execution, it can also display a Wizard animation that "speaks" in Spanish:

W32/BootMerlin can make copies of itself bearing the MS Word icon, in the following location(s):

  • %Windir%\System\csrss.exe
  • %Windir%\System32\dllcache\G-Vulcan-III.exe
  • X:\Recuerda que te quiero.exe
  • X:\LINEAS TELEFONICAS SIJIN VIEJA.exe
  • X:\PODER SALDARRIAGA1.exe
  • X:\SOLICITUD A MI GENERAL.exe
  • X:\SEGURO BTA EQUIPOS.exe
  • X:\CURSO CONSTITUCIONAL.copia.exe

(Where X: stands for the drive letter(s) used on the infected machine; %Windir% is the Windows folder, e.g. C:\Windows. Note that a legitimate copy of csrss.exe, which is part of the Windows operating system, resides in %Windir%\System32, not in %Windir%\System.)

It installs the following registry key(s) to start at Windows boot up:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ "WinSound" = "%Windir%\System\csrss.exe"

The C:\Boot.ini should be restored manually to the original settings (see removal section).

Method of infection: W32/BootMerlin is a worm that can make copies of itself over mounted network drives. It may infect other systems that use the same network drives.

Removal: This virus modifies C:\boot.ini to display anti-Microsoft Windows messages in Spanish. These messages can be removed using a text editor; for example, the modified line:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="AUN Usas Windows..?"/fastdetect

edit it to become:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="{your original operating system name}" /fastdetect {your original boot up options where applicable}

Do not modify any other parts of the C:\boot.ini file. Also check under My Computer->Properties->Advanced->Startup and Recovery Settings that it still points to the default operating system that was originally configured.
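As an added example (not part of the McAfee entry or this blog), the script below turns the indicators listed above into two checks a responder can run offline: it parses a boot.ini, flags the [operating systems] entry that carries the BootMerlin description, rewrites only that entry the way the removal section describes (original name restored, existing switches kept, original options appended), and flags a Run value that matches the "WinSound" = %Windir%\System\csrss.exe persistence. The sample boot.ini and the sample Run values are constructed for the demonstration; reading the live registry is left to the caller so the code runs on any platform.

```python
import re

# Indicators quoted from the McAfee description above. "X:" is the page's
# placeholder for any drive letter on the infected machine.
RUN_VALUE_NAME = "WinSound"
RUN_VALUE_DATA = r"%Windir%\System\csrss.exe"
DROPPED_FILES = (
    r"%Windir%\System\csrss.exe",
    r"%Windir%\System32\dllcache\G-Vulcan-III.exe",
    r"X:\Recuerda que te quiero.exe",
    r"X:\LINEAS TELEFONICAS SIJIN VIEJA.exe",
    r"X:\PODER SALDARRIAGA1.exe",
    r"X:\SOLICITUD A MI GENERAL.exe",
    r"X:\SEGURO BTA EQUIPOS.exe",
    r"X:\CURSO CONSTITUCIONAL.copia.exe",
)
TAMPERED_DESCRIPTION = "AUN Usas Windows..?"

# One [operating systems] entry: ARC path, quoted description, optional switches.
# The tampered line on the page has no space before /fastdetect, so \s* is used.
_OS_LINE = re.compile(r'^(?P<arc>[^=]+?)\s*=\s*"(?P<desc>[^"]*)"\s*(?P<opts>.*)$')

# Constructed sample: a single-boot XP-style boot.ini after BootMerlin edited it.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="AUN Usas Windows..?"/fastdetect
"""

# Constructed sample of HKLM\...\CurrentVersion\Run value names and data.
SAMPLE_RUN_VALUES = {
    "WinSound": r"%Windir%\System\csrss.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}


def parse_boot_ini(text):
    """Return the [operating systems] entries as dicts (arc, desc, opts, raw)."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        if section != "[operating systems]":
            continue
        m = _OS_LINE.match(line)
        if m:
            entries.append({"arc": m["arc"], "desc": m["desc"],
                            "opts": m["opts"].strip(), "raw": raw})
    return entries


def find_tampered_entries(text, expected_names=None):
    """Flag entries carrying the BootMerlin description, or (when the caller
    knows the original OS names) any description that is not one of them."""
    hits = []
    for entry in parse_boot_ini(text):
        if entry["desc"] == TAMPERED_DESCRIPTION:
            hits.append(entry)
        elif expected_names is not None and entry["desc"] not in expected_names:
            hits.append(entry)
    return hits


def restore_boot_ini(text, original_name, original_options=""):
    """Rewrite only the tampered entry, exactly as the removal section says:
    restore the original name, keep the switches already present, and append
    the original options that are missing. Every other line is left untouched."""
    out, in_os = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_os = line.lower() == "[operating systems]"
            out.append(raw)
            continue
        m = _OS_LINE.match(line) if in_os else None
        if m and m["desc"] == TAMPERED_DESCRIPTION:
            switches = m["opts"].split()
            for opt in original_options.split():
                if opt not in switches:
                    switches.append(opt)
            fixed = f'{m["arc"]}="{original_name}"'
            if switches:
                fixed += " " + " ".join(switches)
            out.append(fixed)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def suspicious_run_values(run_values):
    """Given {value name: data} from the Run key, return the names that match the
    BootMerlin persistence: the "WinSound" value, or any csrss.exe started from
    %Windir%\System (the legitimate one lives in %Windir%\System32)."""
    hits = []
    for name, data in run_values.items():
        path = data.strip().strip('"').lower()
        if name.lower() == RUN_VALUE_NAME.lower() or path.endswith(r"\system\csrss.exe"):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for entry in find_tampered_entries(SAMPLE_BOOT_INI):
        print("tampered boot.ini entry:", entry["raw"])
    print(restore_boot_ini(SAMPLE_BOOT_INI, "Microsoft Windows XP Professional",
                           "/fastdetect /noexecute=optin"))
    print("suspicious Run values:", suspicious_run_values(SAMPLE_RUN_VALUES))
```

The restore step deliberately refuses to touch any line other than the one carrying the known BootMerlin description, mirroring the warning above not to modify other parts of boot.ini; if the description has been changed to something other than the string on this page, pass the original OS names in `expected_names` so the mismatch is still reported.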

Source: McAfee Virus Library
