Aug 20 2008
Virus, Worm, and Trojans
Reading the daunting list of security threats from Sophos (http://www.sophos.com), the leading virus remover, I’ve found out that there are a lot of virus, trojan and worm variations. These are what I found.

Taga Lipa Are! is the VBS/Solow-B worm. No variants are listed.

Execution: when run, VBS/Solow-B attempts to spread via removable storage drives and copies itself to each drive as FS6519.dll.vbs.
VBS/Solow-B also copies itself to \FS6519.dll.vbs.
The following registry value is set to run VBS/Solow-B on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    FS6519 = \FS6519.dll.vbs
The following registry value is also set (it changes the Internet Explorer title bar, which is how the infection shows itself):
HKCU\Software\Microsoft\Internet Explorer\Main
    Window Title = TAGA LIPA ARE!
VBS/Solow-B also creates the file \autorun.inf on the drive, containing the following lines:
[AutoRun]
shellexecute=wscript.exe FS6519.dll.vbs
This autorun.inf can be safely deleted; delete the FS6519.dll.vbs script it points to as well, otherwise the copy of the worm stays on the drive.
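How Explorer read that autorun.inf, and a check you can run against the root of any removable drive, as an added example written for this post (it is not Sophos’s or the author’s code). The two autorun.inf samples are constructed: the first from the two lines quoted above, the second a benign installer-style file; the script-host list is an assumption. Note that Windows 7 and updated XP/Vista no longer honour autorun.inf on USB drives, but the file is still a useful indicator that a drive has been through an infected machine.

```python
"""Read an autorun.inf the way Windows Explorer did (INI-style, case-insensitive
section and keys) and report what it would launch. Added example for this post;
it is not Sophos's or the post author's code."""
import os
import tempfile

# Constructed sample built from the two lines quoted for VBS/Solow-B above.
SAMPLE_AUTORUN = "[AutoRun]\r\nshellexecute=wscript.exe FS6519.dll.vbs\r\n"
# Constructed benign autorun.inf of the kind an install CD carries.
BENIGN_AUTORUN = "[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Product Installer\r\n"

# [AutoRun] keys that make Explorer run something when the drive is opened
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")
# Interpreters a script worm has to go through (assumed list for this example)
SCRIPT_HOSTS = {"wscript", "cscript", "cmd", "mshta", "rundll32"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".hta")


def parse_autorun(text):
    """Return lower-cased key -> value pairs from the [autorun] section."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """(key, command) pairs Explorer could execute for this file."""
    return [(k, entries[k]) for k in LAUNCH_KEYS if k in entries]


def why_suspicious(entries):
    """Reasons this autorun.inf looks like a worm dropper (empty list = none)."""
    reasons = []
    for key, cmd in launch_commands(entries):
        tokens = cmd.lower().replace("\\", "/").split()
        if not tokens:
            continue
        host = os.path.splitext(os.path.basename(tokens[0]))[0]
        if host in SCRIPT_HOSTS:
            reasons.append(f"{key} runs script host {host}")
        if any(t.endswith(SCRIPT_EXTS) for t in tokens):
            reasons.append(f"{key} points at a script file: {cmd}")
        for t in tokens:
            stem, ext = os.path.splitext(t)
            # FS6519.dll.vbs: a script disguised with a second extension
            if ext in SCRIPT_EXTS and os.path.splitext(stem)[1]:
                reasons.append(f"{key} uses a double extension: {t}")
    return reasons


def scan_drive_root(root):
    """Inspect <root>/autorun.inf; returns (entries, reasons) or None if absent."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    return entries, why_suspicious(entries)


def demo_scan():
    """Write the constructed sample into a temporary 'drive' and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        return scan_drive_root(root)


if __name__ == "__main__":
    entries, reasons = demo_scan()
    print("would launch:", launch_commands(entries))
    print("suspicious:", reasons or "no")
```

Run scan_drive_root against the drive letter (e.g. "E:\\") to check a real stick. A benign installer disc gives a launch command but no reasons; a non-empty reasons list is the Solow-B/SillyFDC pattern.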
If your chat client is sending out links like “http://thecoolpics.net/blahblah.jpg”, you are most likely infected with the W32/Sohana-D worm. It spreads via chat programs such as Yahoo Messenger, Live Messenger, AIM and the like. Aliases: IM-Worm.Win32.Qucan.n and W32/Downloader.APMU.
Execution:
W32/Sohana-D contains code to spread via Instant Messaging protocols.
W32/Sohana-D includes functionality to download, install and run new software.
Registry values are set as follows. The two policy values block regedit and Task Manager so the user cannot see or kill the worm, and Homepage = 1 locks the Internet Explorer home page setting so the hijacked start page cannot be changed back from the browser:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools = 1
    DisableTaskMgr = 1
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
    Homepage = 1
HKCU\Software\Microsoft\Internet Explorer\Main
    Start Page = http://thecoolpics.net
Registry entries are also created under:
HKCU\Software\Yahoo\pager\View\
I’m still looking for the current “Re cycler” virus, but this is what I found with a 71% match. It’s the W32/SillyFDC-AK worm. It spreads through removable storage devices. Aliases: INFECTED Worm.Win32.VB.gd and Win32/VB.NLI worm.

Execution: when first run, W32/SillyFDC-AK copies itself to \Lcass.exe and creates the clean file \Mswinsck.ocx. W32/SillyFDC-AK spreads via removable drives by creating the file autorun.inf and a copy of the worm at \Lcass.exe on the removable drive. That autorun.inf is set to run the worm when the drive is connected to another computer.
W32/SillyFDC-AK creates the following registry value to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Lcass = \Lcass.exe
AutoIT 3 is the W32/Wanted-A worm. Aliases: Trojan.Win32.Autoit.d and DiabloCheat. No variants are listed. (AutoIt 3 itself is a legitimate scripting tool; the detection name refers to a worm built with it.)
Removal:
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. Removing this entry is optional in Windows 95/98/Me.
At the taskbar, click Start | Run. Type ‘Regedit’ and press Return. The registry editor opens.
Before you edit the registry, make a backup. On the ‘Registry’ menu, click ‘Export Registry File’. In the ‘Export range’ panel, click ‘All’, then save your registry as Backup.
Locate the LoadProfile value under HKEY_LOCAL_MACHINE:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadProfile
and delete it if it exists.
Close the registry editor.
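The regedit steps above assume regedit still opens, which Sohana-D prevents with DisableRegistryTools. A way round that is to dump the keys with `reg query <key> /s` from a command prompt (or from a rescue boot) and triage the text. The following is an added example written for this post, not Sophos’s or the author’s code: it parses such a dump and checks it for the Run-key, policy and Internet Explorer values listed above for Solow-B, Sohana-D, SillyFDC-AK and Wanted-A, then prints the `reg delete` commands that remove each hit. The dump is constructed, and the full paths in it (C:\WINDOWS\...) are assumed, since the write-ups above omit the directory.

```python
"""Triage a text dump from `reg query <key> /s` for the persistence and
lockdown values listed on this page. Added example for this post; it is not
Sophos's or the post author's code."""
import re

# Constructed sample in the layout reg query prints: a key path at column 0,
# then one value per line, indented, with name, type and data separated by
# four spaces. The directories are assumed; the post omits them.
SAMPLE_REG_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    FS6519    REG_SZ    C:\WINDOWS\system32\FS6519.dll.vbs
    Lcass    REG_SZ    C:\WINDOWS\Lcass.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools    REG_DWORD    0x1
    DisableTaskMgr    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Start Page    REG_SZ    http://thecoolpics.net
    Window Title    REG_SZ    TAGA LIPA ARE!
"""

# Indicators taken from the write-ups above
SUSPECT_RUN_NAMES = {"fs6519", "lcass", "loadprofile"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".wsf")
LOCKDOWN_POLICIES = {"disableregistrytools", "disabletaskmgr"}
HIJACK_START_PAGE = "thecoolpics.net"
HIJACK_WINDOW_TITLE = "taga lipa are!"


def parse_reg_dump(text):
    """Return {key_path: {value_name: (type, data)}} from reg query output."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # key path line
            current = keys.setdefault(line.strip(), {})
            continue
        if current is None:
            continue
        parts = re.split(r"\s{4,}", line.strip())
        if len(parts) >= 2:
            name, vtype = parts[0], parts[1]
            current[name] = (vtype, parts[2] if len(parts) > 2 else "")
    return keys


def hive_short(path):
    """HKEY_LOCAL_MACHINE -> HKLM etc., the form reg.exe accepts on the command line."""
    return path.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")


def triage(keys):
    """Return findings as (short key path, value name, reason) tuples."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        for name, (vtype, data) in values.items():
            n, d = name.lower(), data.lower()
            reason = None
            if low.endswith(r"\currentversion\run"):
                if n in SUSPECT_RUN_NAMES:
                    reason = "autostart value named in a worm write-up"
                elif d.endswith(SCRIPT_EXTS) or "wscript" in d or "cscript" in d:
                    reason = "autostart value runs a script"
            elif low.endswith(r"\policies\system") and n in LOCKDOWN_POLICIES:
                if vtype == "REG_DWORD" and int(data, 16) == 1:
                    reason = "regedit/Task Manager lockdown policy is on"
            elif low.endswith(r"\internet explorer\main"):
                if n == "start page" and HIJACK_START_PAGE in d:
                    reason = "IE start page hijacked"
                elif n == "window title" and d == HIJACK_WINDOW_TITLE:
                    reason = "IE window title set by worm"
            if reason:
                findings.append((hive_short(path), name, reason))
    return findings


def remediation_commands(findings):
    """reg.exe commands that delete each flagged value. Run them from an
    administrator prompt after the worm process has been killed, otherwise
    the worm simply writes the values back."""
    return [f'reg delete "{path}" /v "{name}" /f' for path, name, _ in findings]


if __name__ == "__main__":
    found = triage(parse_reg_dump(SAMPLE_REG_DUMP))
    for path, name, reason in found:
        print(f"{path}\\{name}: {reason}")
    print("\n".join(remediation_commands(found)))
```

Deleting DisableRegistryTools and DisableTaskMgr restores regedit and Task Manager, so run those two commands first; the Homepage lock under HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel is removed the same way. Back the keys up with `reg export` before deleting, as the Sophos steps above advise.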
If anything comes up, I’ll post it in this entry. Thank you very much.