Yesterday I spent hours removing a virus that had been detected by my anti-virus program (I am using Eset Nod32). It detected the virus and quarantined it. But it seems that the virus could reproduce itself after deletion. As a result my anti-virus kept popping up alerts time and time again. All it could do was block it. I got annoyed with the pop-ups so I decided to find a solution for this. I spent hours (from afternoon till evening) surfing the internet and reading. The details of the virus are below:
Win32/PSW.OnLineGames

Installation
When executed, the trojan copies itself into the %system% folder with the following file name:
kavo.exe (117104 B)
The following file is dropped in the same folder:
kavo0.dll (96768 B)
The library with the following name is injected into all running processes:
kavo0.dll
The trojan creates and runs a new thread with its own program code within the following process:
explorer.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%system%\kavo.exe"
The following Registry entries are set:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = 2
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0

Spreading
The trojan copies itself into the root folders of fixed and/or removable drives using the following name:
f.cmd
The following file is dropped in the same folder:
autorun.inf
Thus, the trojan ensures it is started each time infected media is inserted into the computer.

Information stealing
The trojan collects various information related to online computer games. The trojan gathers information related to the following processes:
dekaron.exe
elementclient.exe
gc.exe
ge.exe
hyo.exe
maplestory.exe
Online6.dat
Ragexe.exe
so3d.exe
sro_client.exe
wsm.exe
ybclient.exe
zhengtu.dat
The trojan is able to log keystrokes. The trojan can send the information to a remote machine. The HTTP protocol is used.

Other information
The trojan can download and execute a file from the Internet. The trojan contains a list of 13 URLs. The trojan alters the behavior of some security related applications. It uses techniques common for rootkits.
A type of trojan. A new type I guess. Its threat name is win32/psw.onlinegames.nmy and the object is hidden.. a familiar 'autorun.inf', and it's hidden too. I tried one solution by modifying the content of the autorun.inf (Start -> Run -> type c:/autorun.inf) and then saving it as prompted, but I just couldn't seem to save it because the virus sets its attribute to read-only. I tried to view the hidden autorun.inf and wanted to change the attribute so that I could save the modified content by unticking the view option in Folder Options, but I couldn't do that either. The virus changed the settings and registry itself. S***!!
I searched for other solutions and I found this -> http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/. It solved my problem but I still couldn't view the hidden files. I couldn't retrieve any hidden files from the Windows XP folders. When I changed the setting to "Show hidden files and folders" from the Folder Options/View menu, this setting always went back to the previous setting "Do not show...". Use this to solve the problem (go here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix). My PC is up and running again =D
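The registry entries listed in the ESET description above are exactly why the "Show hidden files and folders" setting keeps snapping back. The script below is an added example, not code from the original post, ESET, or the tools linked above: it reports which of those values still match what the trojan sets, checks for the Run value, the dropped files and the autorun.inf/f.cmd drive-root files, and restores the registry values when run with -Fix (a switch the script itself defines). The "clean" values it restores are my assumptions of a normal, hardened setup (Hidden=1, ShowSuperHidden=1, CheckedValue=1, NoDriveTypeAutoRun=255 to disable AutoRun for every drive type); run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post or ESET): audit and optionally restore the
# Explorer/AutoRun registry values that Win32/PSW.OnLineGames tampers with, and report
# its persistence and spreading artifacts. -Fix is a switch defined here, not a Windows feature.
param([switch]$Fix)

$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$pol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$show = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$run  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Path, value name, value the trojan sets (from the description), assumed clean value
$checks = @(
    @{ Path = $adv;  Name = 'Hidden';             Bad = 2;   Good = 1 }    # 1 = show hidden files
    @{ Path = $adv;  Name = 'ShowSuperHidden';    Bad = 0;   Good = 1 }    # 1 = show protected OS files
    @{ Path = $pol;  Name = 'NoDriveTypeAutoRun'; Bad = 145; Good = 255 }  # 0xFF = AutoRun off for every drive type
    @{ Path = $show; Name = 'CheckedValue';       Bad = 0;   Good = 1 }    # 0 makes Folder Options revert to "Do not show"
)

$findings = 0
foreach ($c in $checks) {
    $cur = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($cur -eq $c.Bad) {
        $findings++
        Write-Warning "$($c.Path)\$($c.Name) = $cur (matches the trojan's setting)"
        if ($Fix) { Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Good -Type DWord }
    } else {
        Write-Output "$($c.Path)\$($c.Name) = $cur (ok)"
    }
}

# Persistence: the Run value "kava" -> %system%\kavo.exe, plus the two files in System32
$kava = (Get-ItemProperty -Path $run -Name 'kava' -ErrorAction SilentlyContinue).kava
if ($kava) {
    $findings++
    Write-Warning "Run\kava = $kava"
    if ($Fix) { Remove-ItemProperty -Path $run -Name 'kava' }
}
foreach ($f in 'kavo.exe', 'kavo0.dll') {
    $p = Join-Path "$env:SystemRoot\System32" $f
    if (Test-Path -LiteralPath $p -ErrorAction SilentlyContinue) { $findings++; Write-Warning "$p exists" }
}

# Spreading: autorun.inf and f.cmd in the root of every drive (Get-Item -Force shows them even when hidden)
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    foreach ($f in 'autorun.inf', 'f.cmd') {
        $p = Join-Path $d.Root $f
        if (Test-Path -LiteralPath $p -ErrorAction SilentlyContinue) { $findings++; Write-Warning "$p exists ($((Get-Item -Force -LiteralPath $p).Attributes))" }
    }
}
"$findings indicator(s) found"
```

Run it without -Fix first to see the report; -Fix only restores the registry values and, while the trojan is still running, kavo.exe will simply set them again, so it is useful only after the trojan itself has been removed (the post uses Flash Disinfector and ComboFix for that).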
The English Premier League started yesterday. Liverpool played Sunderland and won by one goal to nil. To see the highlights go here -> http://vdo.me//play.php?vid=179
Here are some pictures:
The traffic light head is gone.
Another accident.
Poor darling, just had a wash. Shampooed clean and shiny.
me!
4 comments:
Virus?? hahahahaa...
At our school too.. some online game VIRUS or whatever... luckily my Norton Antivirus 2007 could detect it... gone... it deleted it... but... while it was scanning and deleting it... my PC lagged like crazy.... well, you know how it is... it's Norton... wahahahaha..
No more pop-ups... have you updated your NOD32?
After you update you must scan your computer... then check for updates.. if there are none, then try scanning again.... guaranteed the virus will be gone...
Probably a new kind of VIRUS....
I had already updated, that's when it detected it.. but then the virus came back.. it knows how to resurrect.. mine is probably a bit different.. try checking your Folder Options, can you show hidden files?? hehehe
Of course I can... what's with you... you can't?
No! hahaha