Virus Attack

Discussion in 'Software Q&A' started by FasTrack, Oct 28, 2004.

Thread Status:
Not open for further replies.
  1. FasTrack
    My system has been attacked by a virus that refuses to clean and get deleted.

    O.S - Win xp
    I got Norton Anti whose virus definitions r up-2-date.

    the files that r reported 2 have been attacked are

    1) svohost.exe
    2) wmon23.exe

    i am not able 2 delete these files using norton options and manually too, what should i do ???
     
  2. beyondthegracefgod
    Try it in safe mode. If it still does not go, try using a file shredder; I guess Norton has it. Or get Spybot, which surely has it.
    U can get into safe mode by pressing F8 while u boot.
     
  3. FasTrack (OP)
    I tried pressing f8 when booting, but no effect.

    I use win xp.

    Do u think it's a spy-ware ?????
     
  4. mariner
  5. FasTrack (OP)
    I downloaded Webroot's SpySweeper and scanned my system for any spy ware softwares, strangely it reported a trojan.

    I used the options present and deleted it using the software.

    Norton also reported this virus as a trojan.

    So did i finally get rid of it ????

    Yes, Thanks i will try the online scans and then report.
     
  6. rajat22
    A bit of detail:
    TROJ_DUMARIN.H

    Backdoor.Nibu.G is a variant of Backdoor.Nibu.E that attempts to steal passwords and bank account information. This Trojan is packed with FSG.

    Overview Technical Details
    In the wild: Yes


    --------------------------------------------------------------------------------

    Payload 1: Steals system and user information

    Trigger condition 1: Upon execution


    --------------------------------------------------------------------------------

    Language: English

    Platform: 95, 98, ME, NT, 2000, XP

    Encrypted: Yes

    Size of virus: 21,088 Bytes

    Pattern file needed: 1.904.36

    Scan engine needed: 6.740

    Discovered: Jun. 2, 2004

    Detection available: Jun. 2, 2004
    --------------------------------------------------------------------------------

    Details:
    Installation and Autostart Technique

    Upon execution, this memory-resident Trojan drops the following copies of itself in the Windows system folder:

    SVOHOST.EXE
    SWCHOST.EXE
    It also drops the following files in the Windows startup and Windows folders, respectively:

    SVCHOST.EXE - a copy of itself
    PRNTSVR.DLL - a keylogger component file, which is detected as TROJ_DUMARIN.G
    Then, it creates the following registry entry so that it executes at every system startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\
    Windows\CurrentVersion\Run
    load32 = "C:\WINNT\System32\swchost.exe"

    As part of its autostart mechanism, it modifies the SYSTEM.INI and appends its name in the shell key of the boot section as follows:

    [boot]
    shell=explorer.exe %System%\svohost.exe

    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

    On Windows NT, 2000, and XP, however, the .INI file is not modified. The following registry entry is changed instead:

    HKEY_LOCAL_MACHINE\Software\Microsoft\
    Windows NT\CurrentVersion\Winlogon
    Shell = "explorer.exe %System%\svohost.exe"

    (Note: The original value is "explorer.exe".)

    Information Theft

    This malware creates the following files in the Windows Temporary folder:

    FA4537EF.HTM
    FE43E701.HTM
    FEFF35A0.HTM
    The said files contain the following information, which it posts to a specific site:

    Internet Explorer (IE) version
    IP address of an infected machine
    Windows version
    The site is as follows:

    http://www.whatp<BLOCKED>osite.com/css/logger.php
    It then drops the file RUNDLLN.SYS, which serves as its log file, in the Windows folder.

    It also gathers account information of any online transaction made through WEBMONEY and E-GOLD.

    Disabling Access to Antivirus Web Sites

    To prevent a user from upgrading antivirus pattern files, this Trojan adds entries to the HOSTS file of the infected system. The said routine redirects the Internet browser to the local machine 127.0.0.1 whenever the following Web sites are accessed:

    avp.com
    ca.com
    customer.symantec.com
    dispatch.mcafee.com
    download.mcafee.com
    f-secure.com
    kaspersky.com
    liveupdate.symantec.com
    liveupdate.symantecliveupdate.com
    mast.mcafee.com
    mcafee.com
    my-etrust.com
    nai.com
    networkassociates.com
    rads.mcafee.com
    secure.nai.com
    securityresponse.symantec.com
    sophos.com
    symantec.com
    trendmicro.com
    update.symantec.com
    updates.symantec.com
    us.mcafee.com
    viruslist.com
    www.avp.com
    www.ca.com
    www.f-secure.com
    www.kaspersky.com
    www.mcafee.com
    www.my-etrust.com
    www.nai.com
    www.networkassociates.com
    www.sophos.com
    www.symantec.com
    www.trendmicro.com
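The write-up above names three artifacts a defender can check without executing anything: the `Run` value `load32`, the Winlogon `Shell` value that should read plain `explorer.exe`, and HOSTS entries that pin antivirus update domains to 127.0.0.1. The following script is an added example, not code from this thread or from the antivirus vendor's write-up; it parses a HOSTS file and a Regedit `.reg` export offline and reports findings matching those descriptions. The sample HOSTS text, the sample `.reg` text, the domain subset and the `triage` helper are all constructed for illustration.

```python
"""Hypothetical offline triage helper (added example, not from the thread).

Checks two artifacts the write-up says the trojan alters:
  * a Windows HOSTS file: antivirus update domains pinned to a loopback address
  * a Regedit .reg export: a Run value pointing at the dropped binaries, and a
    Winlogon Shell value that is no longer plain "explorer.exe"
Every input below is a constructed sample, not data taken from a real machine.
"""

# Subset of the antivirus domains listed in the write-up (constructed sample list).
AV_DOMAINS = {
    "liveupdate.symantec.com", "update.symantec.com", "symantec.com",
    "mcafee.com", "www.mcafee.com", "kaspersky.com", "f-secure.com",
    "trendmicro.com", "sophos.com",
}

# Dropped copies named in the write-up; note these are NOT the legitimate svchost.exe.
SUSPECT_BINARIES = ("svohost.exe", "swchost.exe")

LOOPBACK = ("127.0.0.1", "0.0.0.0", "::1")


def hosts_hijacks(hosts_text, av_domains=AV_DOMAINS):
    """Return the AV domains that the HOSTS text maps to a loopback address."""
    hijacked = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        if addr in LOOPBACK:
            hijacked.extend(n.lower() for n in names if n.lower() in av_domains)
    return hijacked


def parse_reg_export(reg_text):
    """Parse a minimal Regedit .reg export into {key_path: {value_name: data}}.

    Only quoted REG_SZ values are handled; that is all these two keys need.
    """
    keys = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip().strip('"')
            # .reg files escape backslashes inside REG_SZ data as "\\"
            keys[current][name] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def registry_findings(reg_text):
    """Flag the two autostart changes the write-up describes."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        lower = key.lower()
        if lower.endswith("currentversion\\run"):
            for name, data in values.items():
                if any(b in data.lower() for b in SUSPECT_BINARIES):
                    findings.append(f"Run value {name} -> {data}")
        elif lower.endswith("currentversion\\winlogon"):
            # Heuristic: anything beyond "explorer.exe" here deserves a look.
            shell = values.get("Shell", "explorer.exe")
            if shell.strip().lower() != "explorer.exe":
                findings.append(f"Winlogon Shell modified -> {shell}")
    return findings


def triage(hosts_text, reg_text):
    """Combine both checks into one report dictionary."""
    return {"hosts": hosts_hijacks(hosts_text), "registry": registry_findings(reg_text)}


# Constructed sample inputs (not captured from a real system).
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       update.symantec.com   # entry added by the trojan
127.0.0.1       www.mcafee.com
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"load32"="C:\\WINNT\\System32\\swchost.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINNT\\System32\\svohost.exe"
"""

if __name__ == "__main__":
    for section, items in triage(SAMPLE_HOSTS, SAMPLE_REG).items():
        print(section)
        for item in items:
            print("  ", item)
```

On a live machine the `.reg` text would come from `regedit /e` of the two keys, and the HOSTS file from `%SystemRoot%\system32\drivers\etc\hosts`; both can be copied off the box and examined on a clean system, which is the point of keeping the checks file-based.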
     
  7. klinux
    a good idea is to make sure u know where it originally came from , email , multimedia file etc . scan the system again thoroughly
     
  8. FasTrack (OP)
    I tried scanning using Norton 2003 ( Up-2-date Virus Definitions ), It clearly showed Backdoor.nibu virus in my system.

    I tried 2 delete it using its properties, but in vain.

    I scanned the whole system, the virus gets detected but not deleted.

    Should alterations in the registry help ????

    Please Help. I'm in real mess after this.

    Rajat22 thanks 4 the info yaar, How do i find its origin ??????
     
  9. FasTrack (OP)
    klinux and Rajat22 can i delete this registry key to at least stop it from triggering ????.
     
  10. NikhilVerma
    The files
    1) svchost.exe
    2) wmon23.exe

    are system files and can't be deleted while you are using windows...
    So you have to delete them through DOS or any other OS...

    But remember these are system essential files...
    Be sure to replace them with fresh files from
    [Drive]:\WINDOWS\ServicePackFiles\I386
     
  11. klinux
    - try the registry changes if u have system restore point and have created the point .

    - u said u weren't able to go to safe mode , try this . when in xp , run msconfig , under boot.ini , check safe mode option or safe boot whatever

    - get into safe mode and make changes to the file

    - keep ur xp cd handy if it causes trouble after a reboot .

    - if u have recovery console , use it and get to the winnt directory and find and delete the 2 *.exe files and extract those files from the original .

    - to find origins , delete all mail u might have received with attachments lately , clear temp directory for ALL users

    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.g.html

    if u get another name see if its in the list

    http://www.f-secure.com/download-purchase/tools.shtml
    http://securityresponse.symantec.com/avcenter/tools.list.html
     
  12. GameAddict
    Try booting with a DOS Bootable

    Hi,

    You said that pressing F8 has no effect...may be the Worm Effect...

    Anyway, get a DOS bootable and boot through it and remove the Worm Files. And be sure to replace them as said by other members.

    Have you tried Stinger 2.4.3 (Released on 29/OCT/2004)

    http://vil.nai.com/vil/stinger

    Hope this helps!

    Bye!

    GA
     
  13. FasTrack (OP)
    Ok! Fed-Up with the Virus, I have formatted the system.

    Everything was alright till yesterday, when i noticed my comp behaving the same way as it used 2 before.

    "THE VIRUS IS BACK AGAIN"

    Norton detected it and i just cant understand why it is back.

    An improvement, I can access various booting options using F8.

    What should i do ?????

    The effect of the Virus is While working a window springs up suddenly saying that the system will shut down in a minute and the countdown starts.

    System gets rebooted and this goes on.
     
  14. FasTrack (OP)
  15. rajat22