|Type||Computer virus, Programmed attack.|
|Short Description||A PC virus designed to delete user data.|
|Symptoms||Deleted user files of various extensions. Unknown svchost.exe process.|
Symantec security researchers have detected a particularly dangerous virus going by the name ‘Belvira’. The virus is reported to create multiple files on the user PC and add entries for them to the Windows Registry so that they run on system startup. What makes it particularly bad is that it directly deletes user files of several different types. Users are advised to use a firewall and to immediately disconnect their computer from the internet.
W32.Belvira Virus – How Did It Infect My PC?
One way you could have become a victim of this computer virus is by opening a spam email containing a malicious attachment. If the attack is targeted, it may have originated either from a spoofed email address (one that resembles a familiar one) or from an external drive. Targeted attacks also originate from external links that are clicked on by inexperienced users.
W32.Belvira Virus – How Does It Work?
Once activated on the user PC, the virus creates these files in the %windir% directory:
The svchost process is particularly interesting because it has the same filename as the actual svchost, an essential and important process for Windows. What is more, the virus creates another executable, a file called smrss.exe, in the %System% folder.
After that, the virus is believed to modify the windows.ini file within the %System% folder, which is related to the Windows environment.
After it has created the malicious files, the virus makes several registry entries in HKEY_LOCAL_MACHINE to make them run on system startup:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"freizer" = "%Windir%\System32\freizer.exe"
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"svchost" = "%Windir%\system32\svchost.exe"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe smrss.exe"
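A defender can check a suspect machine for these three startup values. The following is an added example, not part of the original article: it scans saved text output of `reg query` for the entries listed above. The sample output and all function names are constructed for illustration.

```python
import re

# Indicators taken from the registry entries listed in the article.
RUN_KEY = r"software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"software\microsoft\windows nt\currentversion\winlogon"
BAD_RUN_NAMES = {"freizer", "svchost"}
# The real svchost.exe is started by the Service Control Manager, never from
# a Run key, so seeing it there is suspicious in itself.
BAD_BASENAMES = {"freizer.exe", "svchost.exe", "smrss.exe"}

VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
EXE_TOKEN = re.compile(r'[^\\/\s"]+\.exe', re.IGNORECASE)

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m.group(1), m.group(3).strip()

def scan(text):
    """Return the registry values that match the persistence described above."""
    findings = []
    for key, name, data in parse_reg_query(text):
        k = key.lower()
        exes = [e.lower() for e in EXE_TOKEN.findall(data)]
        if k.endswith(RUN_KEY):
            if name.lower() in BAD_RUN_NAMES or BAD_BASENAMES & set(exes):
                findings.append((key, name, data))
        elif k.endswith(WINLOGON_KEY) and name.lower() == "shell":
            # The default Shell value is explorer.exe alone; anything appended
            # (here smrss.exe) is launched at every logon.
            if exes != ["explorer.exe"]:
                findings.append((key, name, data))
    return findings

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    freizer    REG_SZ    %Windir%\System32\freizer.exe
    svchost    REG_SZ    %Windir%\system32\svchost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe smrss.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
"""

if __name__ == "__main__":
    for key, name, data in scan(SAMPLE):
        print(f"SUSPICIOUS  {key}\\{name} = {data}")
```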
Once it has established itself on the user PC, the virus scans the PC's drives and deletes files with the following file extensions:
The devastating virus is also reported to infect files with .exe and .scr extensions on the user PC.
Removing W32.Belvira Virus Completely from Infected PC
The best way to remove this threat is with special software, because it can replicate several different files and shut down the live defense features of antivirus software installed on the computer, as well as the firewall. This is why it is recommended to follow the step-by-step instructions below to install an advanced anti-malware program on the computer and scan it more than once. But first, you should immediately boot into Safe Mode without networking or boot a live operating system on the computer.
For how to boot a live OS, check out this tutorial:
And here are instructions on how to boot into Safe Mode and scan your PC to automatically remove the threat from its core and any other malware as well: