Virus Attack

Status: Not open for further replies.

FasTrack

Journeyman
My system has been attacked by a virus that refuses to be cleaned or deleted.

OS: Windows XP
I have Norton AntiVirus, whose virus definitions are up to date.

The files that are reported to have been attacked are:

1) svohost.exe
2) wmon23.exe

I am not able to delete these files using Norton's options, nor manually. What should I do?
 
Try it in safe mode. If it still does not go, try using a file shredder; I guess Norton has one. Or get Spybot, which surely has it.
You can get into safe mode by pressing F8 while you boot.
 

mariner

Ambassador of Buzz
Try a couple of online scans:

*www.bitdefender.com/scan/licence.php


*housecall.trendmicro.com/

Maybe it will help.
 

FasTrack

Journeyman
I downloaded Webroot's SpySweeper and scanned my system for any spyware software; strangely, it reported a trojan.

I used the options present and deleted it using the software.

Norton also reported this virus as a trojan.

So did I finally get rid of it?

Yes, thanks. I will try the online scans and then report.
 

rajat22

In the zone
A bit of detail:
TROJ_DUMARIN.H

Backdoor.Nibu.G is a variant of Backdoor.Nibu.E that attempts to steal passwords and bank account information. This Trojan is packed with FSG.

In the wild: Yes


--------------------------------------------------------------------------------

Payload 1: Steals system and user information

Trigger condition 1: Upon execution


--------------------------------------------------------------------------------

Language: English

Platform: 95, 98, ME, NT, 2000, XP

Encrypted: Yes

Size of virus: 21,088 Bytes

Pattern file needed: 1.904.36

Scan engine needed: 6.740

Discovered: Jun. 2, 2004

Detection available: Jun. 2, 2004



--------------------------------------------------------------------------------

Details:

Installation and Autostart Technique

Upon execution, this memory-resident Trojan drops the following copies of itself in the Windows system folder:

SVOHOST.EXE
SWCHOST.EXE

It also drops the following files in the Windows startup and Windows folders, respectively:

SVCHOST.EXE - a copy of itself
PRNTSVR.DLL - a keylogger component file, which is detected as TROJ_DUMARIN.G

Then, it creates the following registry entry so that it executes at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
load32 = "C:\WINNT\System32\swchost.exe"

As part of its autostart mechanism, it modifies the SYSTEM.INI and appends its name to the shell key of the boot section as follows:

[boot]
shell=explorer.exe %System%\svohost.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

On Windows NT, 2000, and XP, however, the .INI file is not modified. The following registry entry is changed instead:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe %System%\svohost.exe"

(Note: The original value is "explorer.exe".)

Information Theft

This malware creates the following files in the Windows Temporary folder:

FA4537EF.HTM
FE43E701.HTM
FEFF35A0.HTM

The said files contain the following information, which it posts to a specific site:

Internet Explorer (IE) version
IP address of the infected machine
Windows version

The site is as follows:

*www.whatp<BLOCKED>osite.com/css/logger.php

It then drops the file RUNDLLN.SYS, which serves as its log file, in the Windows folder.

It also gathers account information of any online transaction made through WEBMONEY and E-GOLD.

Disabling Access to Antivirus Web Sites

To prevent a user from upgrading antivirus pattern files, this Trojan adds entries to the HOSTS file of the infected system. The said routine redirects the Internet browser to the local machine 127.0.0.1 whenever the following Web sites are accessed:

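
A small defensive check for the indicators the write-up above lists (the dropped file names, the tampered Winlogon Shell value, the load32 Run value, and antivirus vendor domains pinned to 127.0.0.1 in the HOSTS file). This is example code added for this thread, not from the original post, Trend Micro or Symantec; the inputs are plain strings so it runs offline on the constructed samples below, and on a real machine you would feed it the HOSTS file contents and the exported registry values.

```python
import re

# Indicators named in the write-up above: dropped file names, the expected
# Winlogon Shell value, and a few of the AV vendor domains pinned to 127.0.0.1.
DROPPED_NAMES = {"svohost.exe", "swchost.exe", "prntsvr.dll", "rundlln.sys"}
EXPECTED_SHELL = "explorer.exe"
AV_DOMAINS = {"symantec.com", "mcafee.com", "trendmicro.com", "f-secure.com",
              "kaspersky.com", "sophos.com", "avp.com", "nai.com", "ca.com"}

# Constructed sample inputs (not taken from a real machine).
SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1 localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 download.mcafee.com   # pinned by the trojan
192.168.1.5 intranet.example
"""
SAMPLE_SHELL = r"explorer.exe %System%\svohost.exe"
SAMPLE_RUN = {"load32": r"C:\WINNT\System32\swchost.exe",
              "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}


def hijacked_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that point an AV vendor domain, or any
    subdomain of one, at a loopback address. Comments and blanks are skipped."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if not ip.startswith("127."):
            continue
        for name in names:
            name = name.lower()
            if any(name == d or name.endswith("." + d) for d in AV_DOMAINS):
                hits.append((ip, name))
    return hits


def shell_value_suspicious(shell_value):
    """True when the Winlogon Shell value runs anything besides explorer.exe."""
    return shell_value.strip().strip('"').lower() != EXPECTED_SHELL


def suspicious_run_entries(run_values):
    """Return the Run-key values whose target file is one of the dropped names."""
    return {name: cmd for name, cmd in run_values.items()
            if re.split(r"[\\/]", cmd.strip().strip('"'))[-1].lower() in DROPPED_NAMES}


if __name__ == "__main__":
    print("HOSTS hijacks:", hijacked_hosts_entries(SAMPLE_HOSTS))
    print("Shell tampered:", shell_value_suspicious(SAMPLE_SHELL))
    print("Run entries:", suspicious_run_entries(SAMPLE_RUN))
```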
 

klinux

Ambassador of Buzz
A good idea is to make sure you know where it originally came from (email, multimedia file, etc.). Scan the system again thoroughly.
 

FasTrack

Journeyman
I tried scanning using Norton 2003 (up-to-date virus definitions). It clearly showed the Backdoor.Nibu virus in my system.

I tried to delete it using its properties, but in vain.

I scanned the whole system; the virus gets detected but not deleted.

Should alterations in the registry help?

Please help. I'm in a real mess after this.

Rajat22, thanks for the info, yaar. How do I find its origin?
 

FasTrack

Journeyman
Then, it creates the following registry entry so that it executes at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
load32 = "C:\WINNT\System32\swchost.exe"

klinux and Rajat22, can I delete this registry key to at least stop it from triggering?
 

NikhilVerma

Padawan
FasTrack said:
I tried scanning using Norton 2003 (up-to-date virus definitions). It clearly showed the Backdoor.Nibu virus in my system.
I tried to delete it using its properties, but in vain.
I scanned the whole system; the virus gets detected but not deleted.
Should alterations in the registry help?
Please help. I'm in a real mess after this.
Rajat22, thanks for the info, yaar. How do I find its origin?


The files
1) svchost.exe
2) wmon23.exe

are system files and can't be deleted while you are using Windows...
So you have to delete them through DOS or any other OS...

But remember, these are system-essential files...
Be sure to replace them with fresh files from
[Drive]:\WINDOWS\ServicePackFiles\I386
 

klinux

Ambassador of Buzz
- Try the registry changes if you have a system restore point and have created the point.

- You said you weren't able to go to safe mode; try this: when in XP, run msconfig, and under boot.ini check the safe mode option (or safe boot, whatever it is called).

- Get into safe mode and make changes to the file.

- Keep your XP CD handy in case it causes trouble after a reboot.

- If you have the recovery console, use it, get to the winnt directory, find and delete the 2 *.exe files, and extract those files from the original.

- To find origins, delete all mail you might have received with attachments lately, and clear the temp directory for ALL users.

*securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.g.html

If you get another name, see if it's in the list:

*www.f-secure.com/download-purchase/tools.shtml
*securityresponse.symantec.com/avcenter/tools.list.html
 

GameAddict

In the zone
Try booting with a DOS bootable

Hi,

You said that pressing F8 has no effect... maybe that is the worm's effect...

Anyway, get a DOS bootable disk, boot through it and remove the worm files. And be sure to replace them as said by other members.

Have you tried Stinger 2.4.3 (released on 29/OCT/2004)?

*vil.nai.com/vil/stinger

Hope this helps!

Bye!

GA
 

FasTrack

Journeyman
OK! Fed up with the virus, I have formatted the system.

Everything was all right till yesterday, when I noticed my computer behaving the same way as it used to before.

"THE VIRUS IS BACK AGAIN"

Norton detected it, and I just can't understand why it is back.

An improvement: I can access the various booting options using F8.

What should I do?

The effect of the virus is that while working, a window springs up suddenly saying that the system will shut down in a minute, and the countdown starts.

The system gets rebooted, and this goes on.
 

rajat22

In the zone
Please check the details at *search.symantec.com/custom/us/query.html and follow the instructions carefully. :shock:
 