Sep 28 2004, 04:00 PM
Post #1
Group: Admin, Posts: 29,367, Joined: 24-January 04, From: USA, Member No.: 3
Not sure if it's new or not, but I found it to be a pain to figure out how to remove, so I thought I would share my findings. This infection will create popups to StopGuard, VIPFaires, and WinPopUpGuard. Link to example log can be found here: http://www.bleepingcomputer.com/forums/ind...?showtopic=2721

QUOTE
O4 - HKLM\..\Run: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD.EXE
O4 - HKLM\..\RunOnce: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD.EXE rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\TASKS\PLAY.EXE ren

Notice that it now is set to run in Safe mode as well. The javaad file seems to be the master exe that stays static through reboots. It constantly monitors its registry keys and will recreate them if they are missing. On exit, or randomly (not sure on this), it calls itself so the process launches again, and also calls the c:\windows\system32\hostx.exe file, which will reinstate its entry as well. If the hostx file does not exist, it will download on reboot and when you kill the process. When hostx starts it connects to www.virtumonde.com and does a POST to /. Not exactly sure what it is doing there, but maybe it's for statistics. If you delete the hostx.exe file, it will be recreated by the master .exe.

The play.exe is a random file name and is installed in a random location. I believe when it is first downloaded it will download as bkinst.exe. When it is run with the ren flag, the file will copy itself to a new location and change the RunOnce entry to point to the new file. If it sees that the master exe is missing, it will download a new one. It will copy regshape.exe to a random name/location and introduce entries to start them in the registry. Because this file is in the registry with the ren argument, it will change its name/location every time you reboot.

With testing on my pc I have found the easiest way to remove this infection is to use killbox to kill all four files and then reboot. Steps to remove are:
This is a self-help guide. Use at your own risk. BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum. If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.
--------------------
Lawrence
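Added example, not part of Lawrence's post: a small Python filter that parses HijackThis O4 lines in the format quoted above and flags the three traits the post describes (a RunOnce value whose name starts with `*`, which is what makes it run in Safe mode too; a `ren`/`rerun` argument; an autorun binary dropped under APPPATCH or TASKS). The sample lines are the ones from the quoted log plus one constructed benign entry; the helper names are my own.

```python
import re

# Constructed sample: the three O4 lines quoted in the post plus one
# made-up benign entry so the filter has something to leave alone.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD.EXE",
    r"O4 - HKLM\..\RunOnce: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD.EXE rerun",
    r"O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\TASKS\PLAY.EXE ren",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
]

# HijackThis O4 layout: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Traits described in the post (constructed indicator lists, not a product signature).
SUSPICIOUS_ARGS = {"ren", "rerun"}          # file relocates / relaunches itself
SUSPICIOUS_DIRS = ("\\APPPATCH\\", "\\TASKS\\")  # unusual homes for an autorun exe


def parse_o4(line):
    """Split one O4 line into hive, key, value name, exe path and arguments."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("cmd").split()
    return {"hive": m.group("hive"), "key": m.group("key"),
            "name": m.group("name"),
            "path": parts[0] if parts else "", "args": parts[1:]}


def reasons(entry):
    """Return the list of traits that make this autorun entry worth a look."""
    why = []
    if entry["key"] == "RunOnce" and entry["name"].startswith("*"):
        why.append("RunOnce value name prefixed with '*' (also runs in Safe mode)")
    if any(a.lower() in SUSPICIOUS_ARGS for a in entry["args"]):
        why.append("self-relocating argument: " + " ".join(entry["args"]))
    if any(d in entry["path"].upper() for d in SUSPICIOUS_DIRS):
        why.append("autorun binary under " + entry["path"])
    return why


def flag_entries(lines):
    """Parse every O4 line and keep those with at least one suspicious trait."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry and reasons(entry):
            flagged.append({**entry, "reasons": reasons(entry)})
    return flagged
```

Running `flag_entries(SAMPLE_O4_LINES)` returns the three JAVAAD/PLAY.EXE entries with their reasons and skips the benign SoundMan line.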