W32/perlovga


4 replies to this topic

#1 bertieCead

  • Members
  • 2 posts

Posted 01 November 2006 - 11:58 AM

Recently I was infected with W32/Perlovga (or at least I believe I was). This is what it was detected as by McAfee AV. I've found very little information on how to get rid of this virus from my computers. The virus is very contagious and had spread to 3 PCs I have access to before I noted a problem. The effects of the virus do not appear to be too sinister. With some searching online I found the following description.

Recently, when I right click a drive letter (c, d, e), I notice a new item at the top of the context menu: 'Autoplay'. When I click on it, a new window of Windows Explorer opens showing the contents of that drive; this happens even if I select the "open each folder in the same folder" option!

some exe files are created every time i do this...

two files are created in the root of the drive I select, called copy.exe and host.exe

two other files are created in the windows folder, called svchost.exe and xcopy.exe

two other files created in the system32 folder called temp1.exe and temp2.exe

svchost.exe and host.exe have been reported by KAV as Trojan-Dropper.Win32.Small.apl

copy.exe and xcopy.exe have been reported by KAV as Virus.Win32.Perlovga.a

temp1.exe has been reported by KAV as Virus.Win32.Perlovga.b

temp2.exe has been reported by KAV as Backdoor.Win32.small.lo

well, KAV can detect and delete all these files but they do return back when i click again on the "Autoplay" item!


This describes the issue I'm having perfectly. I've managed to delete the relevant files listed above. However when I double click the C drive or G: or H: (USBs) I get this error message and the drive refuses to open

"Windows cannot find 'copy.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click search."

I can access the drives using explorer. (I've formatted the drives G: and H: to prevent infections of other machines.)

In the topic quoted above there is a solution mentioned

After two cups of black coffee while my little noisy son is 'eating rice with angels' (literal translation of an Arabic expression meaning sleeping) I found out the following:

Every time KAV detects the malicious exe files it misses (and so do I) at least one of them, so it recreates itself when I double-click the drive again!

This time I manually deleted all the malicious files, removed the svchost.exe from the registry so it doesn't run at start up anymore and then I rebooted my computer!

But the "Autorun" item is still there, and when I double-click the drive, an error message appears saying that there's no such file called copy.exe!

I then regedit, did some search and found out these three registry keys that are apparently added by the virus to add an item to the context menu for every drive I have in my computer C, D and E :

CODE
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec0-bff7-11da-bcaf-806d6172696f}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec0-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec1-bff7-11da-bcaf-806d6172696f}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec1-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec3-bff7-11da-bcaf-806d6172696f}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec3-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"



I deleted those keys and the item disappeared and the 'Open' item came back to the top of the menu as the default selection so when I double-click the drive it normally shows the contents of it in the same window and no exe files are created!

Looks like problem solved!

Thank you for reading and being patient


I've followed the above instructions; although the registry references are different on these PCs, I've deleted all references in the registry to "C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe".

When I do this the autoplay context option disappears from the C drive, however when I restart the computer the registry key is regenerated and the problem reappears.

Any suggestions or help as to how I can solve this would be appreciated.


P.S. I've also run Trend Micro's online scanner and eidos tiny scanner; this PC is running Norton Corporate Edn 7.60 with daily scans.

bertieCead

EDIT: Forgot to mention I'm running Windows XP SP2 fully patched

Edited by bertieCead, 02 November 2006 - 06:08 AM.


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,595 posts
  • Gender:Male
  • Location:Virginia, USA
Posted 02 November 2006 - 01:06 PM

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. About half way down are instructions for downloading HijackThis and creating a log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and complicate the malware removal process.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 iSergiwa

  • Members
  • 6 posts
  • Location:Derna - Libya

Posted 18 January 2007 - 01:27 PM

Hello bertieCead

A few minutes ago, I was searching the net and found this topic of yours!

First of all, I'm glad you found my topic on the Kaspersky Forum partly helpful, but at the same time let me please blame you for not mentioning me (iSergiwa) as the original poster and giving no link for the topic you quoted from.

here's the topic

http://forum.kaspersky.com/lofiversion/index.php/t21881.html

When I do this the autoplay context option disappears from the C drive, however when I restart the computer the registry key is regenerated and the problem reappears.

Any suggestions or help as to how I can solve this would be appreciated.


If you read my topic to the end you would find that I answered your question,

but anyway I'll answer you here too:

Here's my analysis of this case:

Windows automatically detects any partition of your hard disk as a CD/DVD-ROM/RAM/WR if it finds a file called 'autorun.inf' in the root directory of it; it adds a sub menu item 'autoplay' to the context menu of that partition and stores this information in the registry!

When the virus 'win32.Perlovga.A' runs, it generates a text file, names it 'autorun.inf' and puts it in the root directory of the partition it infects!

Here are the contents of the autorun.inf:

[autorun]
open=copy.exe


You then delete the exe files and remove all traces of 'copy.exe' from the registry and restart your system, but you (and so does KAV) always forget to delete the 'autorun.inf' file!!!

You then restart your system. When Windows boots back, it finds the 'autorun.inf' again, so it recreates the menu item of the context menu again and again.

here's what you should do :

After you make sure that you delete all exe files and remove all traces of 'copy.exe' and 'host.exe' from the registry, you MUST delete the autorun.inf file from the root of every partition you have, if you don't do that, the registry will be filled again with 'copy.exe' and 'host.exe' and the 'autoplay' thing will come back again!

iSergiwa - Kaspersky Forums
I shall not waste my life trying to enlong it!
Sergiwa.com
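As an added example (not code from this thread or from any of the posters), the following Python script checks the two persistence points the thread discusses: the `open=` directive in a drive-root autorun.inf (post #3) and the cached `Shell\AutoRun\command` handlers under MountPoints2 (the keys quoted in post #1). It reads a .reg export rather than the live registry, so it runs on any OS; the sample autorun.inf and .reg text below are constructed from the values quoted in the posts, and the benign handler and the clean autorun.inf are constructed as counter-examples.

```python
"""Detection helpers for the autorun.inf + MountPoints2 persistence described
in this thread.  Added example, not code from the thread or from any vendor.
All sample inputs are constructed from values quoted in the posts."""
import configparser
import re

# autorun.inf directives that launch a program when the drive is opened.
EXEC_DIRECTIVES = {"open", "shellexecute"}

# Constructed sample: the autorun.inf contents quoted in post #3.
SAMPLE_AUTORUN_INF = "[autorun]\nopen=copy.exe\n"
# Constructed sample: an autorun.inf that only sets an icon and a label.
CLEAN_AUTORUN_INF = "[autorun]\nicon=setup.exe,0\nlabel=Backup\n"

# Constructed sample: a .reg export of the MountPoints2 keys quoted in post #1.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec0-bff7-11da-bcaf-806d6172696f}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec0-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a8b69ec1-bff7-11da-bcaf-806d6172696f}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"
'''
# Constructed sample: a handler with an absolute path (hypothetical GUID and program).
BENIGN_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\AutoRun\command]
@="C:\\Program Files\\Backup\\backup.exe"
'''

KEY_RE = re.compile(
    r"^\[(HKEY_[^\]]*\\MountPoints2\\(\{[0-9a-f-]+\})\\Shell\\AutoRun\\command)\]\s*$", re.I)
VALUE_RE = re.compile(r'^@="(.*)"\s*$')
RUNDLL_RE = re.compile(r"ShellExec_RunDLL\s+(\S+)", re.I)
ABSOLUTE_RE = re.compile(r'^[A-Za-z]:\\|^\\\\|^"[A-Za-z]:\\')


def autorun_exec_targets(inf_text):
    """Return (directive, target) pairs from the [autorun] section that would
    launch a program.  Malformed files (no section header) yield []."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    try:
        parser.read_string(inf_text)
    except configparser.Error:
        return []
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    return [(k, (v or "").strip()) for k, v in parser.items(section)
            if k in EXEC_DIRECTIVES]


def mountpoints2_autorun_commands(reg_text):
    """Return (volume GUID, command) pairs for every MountPoints2
    Shell\\AutoRun\\command default value in a .reg export."""
    found, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            continue
        if line.startswith("["):          # some other key: stop collecting
            current = None
            continue
        v = VALUE_RE.match(line)
        if v and current:
            found.append((current, v.group(1).replace("\\\\", "\\")))
            current = None
    return found


def suspicious_handlers(reg_text):
    """Flag AutoRun handlers whose launch target is a bare file name resolved
    relative to the drive root (the pattern this thread describes), as
    (GUID, target) pairs.  Absolute paths are left alone."""
    out = []
    for guid, cmd in mountpoints2_autorun_commands(reg_text):
        m = RUNDLL_RE.search(cmd)
        target = m.group(1) if m else cmd
        if not ABSOLUTE_RE.match(target):
            out.append((guid, target))
    return out


if __name__ == "__main__":
    print("autorun.inf launches:", autorun_exec_targets(SAMPLE_AUTORUN_INF))
    for guid, target in suspicious_handlers(SAMPLE_REG_EXPORT):
        print(f"suspicious AutoRun handler for volume {guid}: {target}")
```

On a live Windows XP box the same checks map to two actions: inspect `X:\autorun.inf` on every drive root before deleting it, and export `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2` with regedit and feed that file to `suspicious_handlers`; any flagged volume GUID points at a drive whose autorun.inf still needs to go, which is exactly the step post #3 says was being missed.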

#4 bleep_Rod

  • Members
  • 1 posts

Posted 23 February 2007 - 02:45 PM

Hi,

Even after cleaning your disks and registry, you might want to mount your disks under another OS.

I mounted mine as USB EXT under Mac OSX, and only then did the real damage show up: I found 816 files AND FOLDERS with names containing a question mark (actually it may be any illegal character, but that is how it is presented).

For me, these are infected files, all the more so since MAC OSX recognizes them as UNIX EXECUTABLE files... YES, EVEN THE FOLDERS!

Under XP PRO, you cannot see those files: the illegal char in the name prevents any read or write access using the WINDOWS API to the actual file, but does not report the error... Maybe they think it is just not possible to embed an illegal char in the file name.

So, it might just be that most antivirus utility programs fail to see them as well, but one thing is sure: THEY ARE THERE! I found 816 files/folders in less than 15G of data.

By the way, in my case, the first obvious symptom was that iTunes would launch on its own, take the frontmost window, without any apparent activity. Of course, I would close it down, only to see it appear after a few seconds.

So, I tried to re-install iTunes, same symptom.

I then disabled PODCASTS in iTunes, and that did it: it was now Windows Media Player that started acting up!!!!

I concluded that someone/something was launching an MP3 file, which in turn activated the default application.

These two popular apps have a few things in common, amongst others: the ability to connect to the Internet for various purposes. I think that the virus exploits that possibility to carry out its communications tasks.

So, I recommend checking your disk under another OS.

Please let me know if in your infected disk you find files/folders containing a "?" in the filename. (usually the last char).

I have submitted samples to Kaspersky, ClamAV, F-Prot, and am waiting for responses.
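The post above recommends checking the disk from another OS for names Windows cannot address. As an added example (not code from the thread or the poster), here is a Python script that walks a mounted volume and lists every file or directory whose name is invalid under the Win32 naming rules: the reserved characters `< > : " / \ | ? *`, control characters, a trailing space or dot, and the reserved device names (CON, AUX, COM1 and so on). The sample tree is constructed in a temporary directory so the script runs stand-alone on a Unix host.

```python
"""List directory entries whose names violate Win32 naming rules, so a scan
from another OS can surface files Explorer and the Windows API cannot open.
Added example, not from the thread; the sample tree is constructed."""
import os
import tempfile

# Characters the Win32 namespace forbids in a file or directory name.
ILLEGAL_CHARS = set('<>:"/\\|?*') | {chr(c) for c in range(32)}
# Device names that Windows reserves regardless of extension.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})


def is_illegal_win32_name(name: str) -> bool:
    """True if a Windows host could not address an entry with this name."""
    if any(ch in ILLEGAL_CHARS for ch in name):
        return True
    if name.endswith((" ", ".")):      # Win32 silently strips these
        return True
    stem = name.split(".", 1)[0].upper()
    return stem in RESERVED


def find_windows_illegal_names(root: str) -> list:
    """Walk `root` and return sorted, slash-separated relative paths of every
    file or directory whose own name is illegal on Windows.  Children of an
    illegal directory are reported only if their own names are illegal."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_illegal_win32_name(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed sample volume in a temp dir and return its path.
    Names with '?' and '|' are legal on Unix file systems but not on Windows."""
    root = tempfile.mkdtemp(prefix="perlovga-demo-")
    os.makedirs(os.path.join(root, "media?"))
    for rel in ("ok.txt", "notes?.txt", "aux.log",
                os.path.join("media?", "song.mp3"),
                os.path.join("media?", "list|.m3u")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    volume = build_sample_tree()
    for path in find_windows_illegal_names(volume):
        print("unaddressable from Windows:", path)
```

To use it on a real mount, call `find_windows_illegal_names("/Volumes/<drive>")` (macOS) or the equivalent mount point on Linux; an entry in the output is not proof of infection, only an entry that Windows-side tools could not have scanned, so it deserves a look from the non-Windows host.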

#5 cday

  • Members
  • 13 posts
  • Gender:Male

Posted 25 February 2007 - 07:59 AM

I myself removed this virus. Use a pure dos or dos bootable file manager like volkov file or any other and boot with it. Remove the files copy.exe, host.exe and autorun.inf from all drives (root directory e.g.: x:\). Also remove temp1.exe and temp2.exe from windows\system32 folder. Remove all registry entries using regedit relating to the above mentioned names.
LEARN TO SHARE AND SHARE TO LEARN



