Expert Virus Removal Services and Technical advice.

We provide computer users with expert virus removal services and technical advice.


January 18, 2011

Removal of WORM_SOHAND.MY

This worm auto-executes and arrives through several means, so be cautious when clicking any link on the internet or in instant messaging.


Removal Steps:
  • Disable System Restore.
  • Use Process Explorer to find the files loaded by WORM_SOHAND.MY that are running as processes, and kill those processes.
  • Re-enable Registry Editor, Task Manager, and Folder Options.
  • Delete the following registry values:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      Yahoo Messengger = "C:\windows\gphone.exe" (or a path under "Users\Desktop" on Vista)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
      shared = "\New Folder.exe"
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
      AtTaskMaxHours = "0"
  • Restore the shell value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:
    • From: Shell = "Explorer.exe gphone.exe"
    • To: Shell = "Explorer.exe"
  • Locate the file AutoRun.INF on every drive, open it with Notepad, and if it contains the lines
    • [AutoRun]
    • Open=gphone.exe
    • Shellexecute=gphone.exe
    • Shell\Open\command=gphone.exe
    • Shell=Open
    delete the file from all the folders where it appears.
  • Also delete the files
    • %User Temp%\log_{time stamp}.txt
    • {install path}\setting.ini
    • {install path}\setting.ini.old
    Search for them with My Computer selected in the search location drop-down list, and Shift+Delete them so they are removed permanently.
  • Delete the scheduled task that runs
    • %System%\{malware file name}.exe

Facebook Threat Feasibility

Facebook's advanced search feature has brought some of its vulnerabilities to light. If someone lists a habit such as smoking and chooses the option that only friends should see it, that profile is still displayed when it is found through advanced search. The setting does not block this unless the profile itself is excluded from searches.

Facebook Threats

Facebook is the most used social networking website nowadays, which has attracted hackers and attackers to take an interest in this most famous site. They have attacked in different ways:

Removal of Worm.TDSS.TX

The Trojan drops files, lowers Internet Explorer (IE) security settings, and modifies the Internet Explorer Zone Settings as its payload. Infection may occur when a user visits a malicious website. Removal consists of the following steps:

  1. Disable System Restore
  2. Delete the files dropped by the worm, that is, EXPL_CPLNK.SMA
  3. Restart the computer in Safe Mode
  4. Tick the "Search hidden files and folders" checkbox under "More advanced options" so that hidden files are included in the search results
  5. Delete the registry values

  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international
    • acceptlanguage=en-us
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
    • svchost.exe=8888
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • maxhttpredirects=8888
    • enablehttp1_1=1

Restore the modified values to their defaults:
  • In HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    • From: CurrentLevel=0  To: CurrentLevel=69632
    • From: 1601=0  To: 1601=1

Scan your computer with a good anti-virus program, which will remove the worm completely.
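The registry values and AutoRun.INF lines listed in the two removal procedures above (WORM_SOHAND.MY and WORM_TDSS.TX) can be checked in one pass before any manual cleanup. The PowerShell script below is an added example, not part of the original post or of any vendor tool; it only reads and reports, and leaves the actual removal to the steps given in the post. It assumes an elevated prompt (HKLM and HKEY_USERS must be readable), that HKEY_USERS is not already mapped as a PSDrive, and the indicator values exactly as the post lists them; the regular expression for the AutoRun.INF lines is constructed from that list.

```powershell
# Added example (not from the original post): read-only audit of the registry
# indicators and autorun.inf contents named in the WORM_SOHAND.MY and
# WORM_TDSS.TX removal steps. Nothing is deleted or changed.
# Run from an elevated PowerShell prompt.

# HKEY_USERS is not a default PSDrive; map it so the HKU:\.DEFAULT paths resolve.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# One entry per indicator from the post. Indicator = the value the malware sets;
# Default (where given) = the clean value the post says to restore.
$checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Indicator = 'Explorer.exe gphone.exe'; Default = 'Explorer.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Yahoo Messengger'; Indicator = 'C:\windows\gphone.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'; Name = 'shared'; Indicator = '\New Folder.exe' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'; Name = 'AtTaskMaxHours'; Indicator = '0' },
    @{ Key = 'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'; Name = 'CurrentLevel'; Indicator = 0; Default = 69632 },
    @{ Key = 'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'; Name = '1601'; Indicator = 0; Default = 1 },
    @{ Key = 'HKU:\.DEFAULT\Software\Microsoft\Internet Explorer\international'; Name = 'acceptlanguage'; Indicator = 'en-us' },
    @{ Key = 'HKU:\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION'; Name = 'svchost.exe'; Indicator = 8888 },
    @{ Key = 'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'maxhttpredirects'; Indicator = 8888 },
    @{ Key = 'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'enablehttp1_1'; Indicator = 1 }
)

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null when either the key or the named value does not exist.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = foreach ($c in $checks) {
    $current = Get-RegValue -Key $c.Key -Name $c.Name
    if ($null -eq $current) { continue }
    # Case-insensitive string comparison so REG_SZ and REG_DWORD are handled alike.
    $hit = ("$current" -ieq "$($c.Indicator)")
    # Values with a known default are also reported when they merely differ from it.
    if ($c.ContainsKey('Default') -and -not ("$current" -ieq "$($c.Default)")) { $hit = $true }
    if ($hit) {
        [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Current = $current; RestoreTo = $c['Default'] }
    }
}

# The AutoRun.INF lines the post says to look for, as one regex (constructed here).
$autorunPattern = '^\s*(open|shellexecute|shell\\open\\command)\s*=\s*gphone\.exe\s*$'
$autorunHits = foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        # -Force reads the file even when it carries the hidden/system attributes.
        $hits = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue | Select-String -Pattern $autorunPattern
        if ($hits) { [pscustomobject]@{ Path = $inf; Lines = ($hits.Line -join '; ') } }
    }
}

Write-Output 'Registry values matching the indicators from the post:'
if ($findings) { $findings | Format-Table -AutoSize } else { Write-Output '  none found' }
Write-Output 'autorun.inf files referencing gphone.exe:'
if ($autorunHits) { $autorunHits | Format-Table -AutoSize } else { Write-Output '  none found' }
```

A clean result from this script does not prove the machine is clean; it only confirms that the specific values the post names are not present. The RestoreTo column shows the default the post gives for the two Zone 3 values and the Winlogon shell, so the manual restore step can be done from the report.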

WORM_TDSS.TX

This is a very dangerous threat. It attacks a known vulnerability to drop EXPL_CPLNK.SMA, which installs its routines on the affected system. It lowers system security and allows access to malicious sites automatically.

Effects:
  • It exploits a zero-day vulnerability.
  • It lowers Internet Explorer (IE) security settings, allowing sites with malicious code to be accessed and run automatically.
  • To propagate, it drops copies of itself into network shares, making itself available to other users.
  • This worm may be unknowingly downloaded by a user while visiting malicious websites.
  • It executes and then deletes itself afterward.
  • It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
  • It modifies the Internet Explorer Zone Settings.
It modifies the following registry entries:
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    CurrentLevel = 0 (default value 69632)
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    1601 = 0 (default value 1)

It adds the following registry entries:
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international
    acceptlanguage = "en-us"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
    svchost.exe = 8888
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    maxhttpredirects = 8888
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    enablehttp1_1 = 1

Mode of Attack:
This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It drops itself on network drives under the names
  • setup{random number}.dll
  • setup{random number}.dat
  • setup{random number}.lnk (detected as EXPL_CPLNK.SMA)
This worm does the following:
  • Creates a copy of itself named C:\Documents and Settings\{user name}\Local Settings\Temp\{random file name}.TMP
  • Changes that file's type to .DLL
