
Permanently Remove Karina.dat


  • Please log in to reply
1 reply to this topic

#1 scrocker1946


Posted 29 July 2008 - 04:50 PM

Over the weekend we had two computers infected with what appeared to be the "UPS Virus". It is not clear whether we actually got the infection from a fake UPS email or not, but the pattern of infection was typical of what others were reporting.

Among the files in the infection was a file called KARINA.DAT - on our Win XP systems this file resided in the \WINDOWS\SYSTEM32 folder. The interesting thing about this file is that after we had removed all other visible problems, this file persisted. It would keep coming back at bootup even if deleted.

There was a registry key which would cause the file to load at startup. I am not at that site so I don't have the exact key name or location, but one of the words in the key was "appinit". Going into regedit and doing a search for KARINA.DAT should reveal the exact key. When the key value referring to KARINA.DAT was deleted, it too would be restored at bootup.

My first thought was to make a dummy file called KARINA.DAT to fool the unknown guardian program. This worked, but had unacceptable side effects. The registry call apparently hooks KARINA.DAT into everything that is launched, so whenever any program, even DOS apps, would launch, an error message would come up that KARINA.DAT was "not a valid windows image". You could click through to start the app, but the annoyance was unacceptable.

So next, I googled "dummy dll" and found a dll that loads but does nothing. I renamed it as KARINA.DAT and this appeared to neutralize the issue.

However, this left us with the unknown "guardian" program still undetected and running, a disconcerting state of affairs because who knows what else it might be doing.

I then noticed that of the two computers, both infected with KARINA.DAT, only one exhibited this persistence issue. On the other, KARINA was deleted and stayed deleted.

The only difference I could see was that on the other computer we had AVG antivirus (paid version) installed and had run it as part of the cleanup. Could it have removed the guardian program on that computer?

So I installed AVG on the computer that still had a problem, and did a complete scan. This resolved the KARINA.DAT issue, as tested by deleting the "appinit" key value and observing that it no longer regenerated at boot.

The file that it found which was probably the guardian was hidden in the Alternative Data Stream (ADS) of a file somewhere in or under \WINDOWS. I don't have the scan logs with me so I can't be more specific as to NTFS filename, ADS filename, or exact location.

But, if you are experiencing a recurring KARINA.DAT issue, perhaps my experience will be helpful to you.

-Steve
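The two indicators Steve describes (a file name registered under the AppInit_DLLs load point, and a hidden payload in an NTFS alternate data stream under \WINDOWS) can be checked from PowerShell. This is an added example, not code from the thread; the file name and scan directory are parameters, and `Get-Item -Stream` needs PowerShell 3.0 or later, so it would not run on the XP systems in the post as-is.

```powershell
# Added example (not from the thread): check the AppInit_DLLs load point for a
# given file name and enumerate NTFS alternate data streams under a directory.
# Run as an administrator on Windows; Get-Item -Stream needs PowerShell 3.0+.
param(
    [string]$Needle  = 'karina.dat',      # file name the thread reports
    [string]$ScanDir = "$env:SystemRoot"  # where the ADS payload was reported
)

# 1. AppInit_DLLs: every DLL listed here is loaded into each process that loads
#    user32.dll, which matches the "hooked into everything" symptom in the post.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    $p   = Get-ItemProperty -Path $k
    $val = [string]$p.AppInit_DLLs
    if ($val) {
        Write-Host "AppInit_DLLs ($k): $val"
        if ($val -match [regex]::Escape($Needle)) {
            # LoadAppInit_DLLs only exists on Vista and later; it is blank on XP.
            Write-Warning "$Needle is registered as an AppInit DLL (LoadAppInit_DLLs=$($p.LoadAppInit_DLLs))"
        }
    }
}

# 2. Alternate data streams: anything other than the default :$DATA stream is
#    unusual for files under the Windows directory and worth inspecting.
#    Zone.Identifier streams (download marker) are listed but are benign.
Get-ChildItem -Path $ScanDir -Recurse -File -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $_.Stream -ne ':$DATA' } |
      ForEach-Object {
        [pscustomobject]@{ File = $_.FileName; Stream = $_.Stream; Bytes = $_.Length }
      }
  } | Format-Table -AutoSize
```

A non-empty AppInit_DLLs value that names a file outside the expected vendor DLLs, combined with a data stream on a system file, is the pairing to look for before deciding what to remove.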

#2 -David-


Posted 31 July 2008 - 05:41 AM

Hi Steve and welcome to BC! :thumbsup:

This file can normally be deleted by using the delete-on-reboot function that many tools possess. Basically, instead of deleting a file in safe mode, it deletes the file on reboot, before the operating system has been loaded, therefore giving much less chance of the file being active when you try to delete it. This normally means the file is, more often than not, deleted. In the future I would recommend this method.

Do you have Hijackthis installed on the user's PC? If not, download/install it:
http://www.trendsecure.com/portal/en-US/_d.../HJTInstall.exe

Here are instructions for using the tool.
Open hijackthis, click 'config' (bottom right) Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'. In the field, copy and paste the filepath you want to delete.
Click open. Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes.

Allow the PC to reboot, if it doesn't do it automatically, reboot manually.
In my experience, that's one of the best and safest methods to removing stubborn files.

In regard to your other question, it's impossible to tell whether the file was deleted by your AV on the other computer without seeing the detection logs. However, it is possible that even though both PCs were infected with the same malware, it just so happened on one it was able to 'hook' itself deep into the computer, whereas on the other that failed. Hence, on one PC it was almost impossible to delete yet on the other it was easy. Malware can fail to install fully in certain circumstances, i.e. increased security and protection.
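The delete-on-reboot function David describes is built on the Windows API call MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag, which records the request in the Session Manager's PendingFileRenameOperations value and carries it out early in the next boot, before the file can be opened again. The script below is an added example of that mechanism, not HijackThis or anything from the thread; $Target is a placeholder path and the script must be run as an administrator.

```powershell
# Added example (not from the thread): queue a file for deletion at the next
# reboot with MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), the same Windows
# mechanism behind "delete on reboot" in HijackThis-style tools, then print
# the queue that Session Manager processes during boot.
# Run as an administrator; $Target is a placeholder path.
param([string]$Target = "$env:SystemRoot\System32\karina.dat")

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName,
                                     string lpNewFileName, int dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

if (-not (Test-Path -LiteralPath $Target)) {
    throw "$Target does not exist"
}

# A null destination together with the delay flag means "delete at reboot".
$ok = [Win32.Native]::MoveFileEx($Target, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
if (-not $ok) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "MoveFileEx failed with Win32 error $err"
}

# The request is stored in PendingFileRenameOperations as a REG_MULTI_SZ of
# source/destination pairs; an empty destination entry is a delete.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations).PendingFileRenameOperations
for ($i = 0; $i -lt $pending.Count; $i += 2) {
    $dst = if ($pending[$i + 1]) { $pending[$i + 1] } else { '<delete>' }
    Write-Host ("{0} -> {1}" -f $pending[$i], $dst)
}
Write-Host "Queued. Reboot to complete removal, then re-check the AppInit_DLLs value."
```

If the file reappears after the reboot, the component that recreates it is still running, which is the situation Steve's post describes before the AV scan found the ADS-resident file.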
