Further to the sample submission, I am posting the information I have about the malware.

It has been pestering me for a couple of days now.


> There is an AutoIT script error which appears very often (screenshot attached):

Line 0 (File "C:\Windows\system32\SVCIICHOST.exe"):
$mang[$i] = "\\" & $read
Error: Array variable has incorrect number of subscripts or subscript dimension range exceeded.

> The following entries are detected by HijackThis:

F2: REG:system.ini: Shell=Explorer.exe SVIICHOST.exe

O4: HKCU\..\Run: [Yahoo Messengger] C:\windows\system32\SVIICHOST.exe

<update> Further to the Symantec / Sophos details, I checked for New Folder.exe and this is there:

Value: "shared" = "\New Folder.exe"

> There is a scheduled task entry which enables SVIICHOST.exe to run daily:
c:\windows\tasks\AT1.* is found.

> Task Manager and Registry Editor are disabled.

> SVIICHOST.exe is found running as an active process.

> During an online scan, ClamAV is supposed to detect it, but ClamWin 0.94.1 and the latest version of WinClamAVShield don't detect it.

> It creates .exe files with the names of all the folders opened, just like any other autorun-type worm, thereby spreading very easily through removable drives (that's how my colleague got it in the first place).

> While running Messenger, strange messages are broadcast every now and then.

> A host of file names reported is available here; it shows how variable and masquerading this is. The threat level might be low, but just a while ago I logged on to our storage server and it is fully infected with the <folder name>.exe files...

> It broadcasts messages like this to all of your Messenger contacts:

"E may, vao day coi co con nho nay ngon lam" (English: "Hey you, come here and look, this girl is really hot")

"Vao day nghe bai nay di ban" (English: "Come here and listen to this song, friend")

"Biet tin gi chua, vao day coi di" (English: "Have you heard the news yet? Come here and take a look")

"Trang Web nay coi cung hay, vao coi thu di" (English: "This website is quite good, come and check it out")

"Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau?" (English: "I wander lost in the freezing darkness; where to go now that I have lost you? Where to go when so many dreams have now shattered... Where to go, where do I know to go?")

"Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa..." (English: "Cry so the longing in my heart fades, cry so the sorrow feels like nothing. So much love from days gone by has dissolved like smoke and clouds drifting far away...")

There may be more messages.

> A summary of the information is available here:

> This removal instruction did work for me. Also, on another PC, I used SmitFraudFix followed by ComboFix and it also seems to have cleaned it effectively, but for novice users I would like ST to do something.

rajeshontheweb attached the following image(s):

Just an update.

To get rid of the virus completely:

1) Run FixImaut21.exe

2) Run ClamWin and remove all detected AutoIT 13 files (there will be a hell of a lot of them!)

3) Restart your PC

4) Run FixImaut21.exe again

5) Restart your PC

You should be done now; run ClamWin again to get proper confirmation.
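The indicators listed above (a second program appended to the system.ini `Shell=` value, a Run entry whose executable imitates a real Windows binary, and `<folder name>.exe` files dropped beside every opened folder) can be turned into a small triage script. The following Python is an added example written for this page; it is not code from the post, nor from HijackThis, FixImaut21 or ClamWin. The HijackThis lines and the directory tree it scans are constructed here, not captured from an infected machine. The allowlist of genuine binary names, the edit-distance budget of 2, and the check for an `autorun.inf` at the drive root are assumptions made for the example.

```python
"""Added example: triage helpers for the folder-masquerading AutoIT worm
described in the post above.  Illustrative code written for this page, not
code from the post or from any of the tools it names.  Sample inputs below
are constructed, not captured from an infected host."""
import os
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Assumption: the worm picks names that imitate real Windows binaries (the
# post's sample is SVIICHOST.exe, two insertions away from svchost.exe).  An
# allowlist of genuine names plus a small edit-distance budget catches
# spelling variants without knowing each one in advance.
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "csrss.exe",
                         "lsass.exe", "winlogon.exe", "services.exe"}
LOOKALIKE_DISTANCE = 2

# HijackThis line shapes seen in the post (F2 = system.ini Shell, O4 = Run keys).
SHELL_LINE = re.compile(r"^F2\b.*?Shell\s*=\s*(?P<shell>.+)$", re.IGNORECASE)
RUN_LINE = re.compile(r"^O4\b.*?\\Run:\s*\[(?P<label>[^\]]*)\]\s*(?P<cmd>.+)$",
                      re.IGNORECASE)


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the genuine binary name that `filename` imitates, or None when
    the name is itself genuine or not close to any known name."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for real in sorted(KNOWN_SYSTEM_BINARIES):
        if edit_distance(name, real) <= LOOKALIKE_DISTANCE:
            return real
    return None


def triage_hijackthis(lines):
    """Flag the two persistence tricks the post reports: an extra program
    appended to Shell= and a Run entry whose target imitates a Windows
    binary.  Returns a list of (line, reason) tuples."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SHELL_LINE.match(line)
        if m:
            extra = [t for t in m.group("shell").split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append((line, "Shell= also loads: " + " ".join(extra)))
            continue
        m = RUN_LINE.match(line)
        if m:
            exe = PureWindowsPath(m.group("cmd").strip().strip('"')).name
            real = lookalike_of(exe)
            if real:
                findings.append((line, f"Run entry {exe} imitates {real}"))
    return findings


def masquerading_executables(root):
    """Walk `root` and return {relative path: reason} for executables named
    after a sibling folder (the spreading pattern the post describes) and
    for an autorun.inf at the root (assumed, as the post calls this an
    autorun-type worm)."""
    root = Path(root)
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        folders = {d.lower() for d in dirnames}
        for name in filenames:
            rel = (here / name).relative_to(root).as_posix()
            stem, ext = os.path.splitext(name)
            if ext.lower() in {".exe", ".scr", ".com"} and stem.lower() in folders:
                hits[rel] = f"executable named after sibling folder {stem!r}"
            elif here == root and name.lower() == "autorun.inf":
                hits[rel] = "autorun.inf at drive root"
    return hits


# Constructed sample input modelled on the entries quoted in the post.
SAMPLE_HIJACKTHIS = [
    "F2 - REG:system.ini: Shell=Explorer.exe SVIICHOST.exe",
    "O4 - HKCU\\..\\Run: [Yahoo Messengger] C:\\windows\\system32\\SVIICHOST.exe",
    "O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
    "F2 - REG:system.ini: Shell=Explorer.exe",
]


def demo_masquerade_scan():
    """Build a throwaway tree shaped like an infected removable drive and
    return what the scanner flags in it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "Photos").mkdir()
        (base / "Docs" / "Work").mkdir(parents=True)
        for f in ("Photos.exe", "Docs/Work.exe", "Docs/Report.exe",
                  "Setup.exe", "autorun.inf", "Photos/holiday.jpg"):
            (base / f).write_bytes(b"MZ")  # stand-in content, not a real PE
        return masquerading_executables(base)


if __name__ == "__main__":
    for line, reason in triage_hijackthis(SAMPLE_HIJACKTHIS):
        print(f"{reason}\n    {line}")
    for rel, reason in sorted(demo_masquerade_scan().items()):
        print(f"{rel}: {reason}")
```

Point `masquerading_executables` at the root of a removable drive or a share to list the dropped files before deleting them; a file flagged by the sibling-folder rule is only a name match, so check its icon and size against a genuine folder before acting, and remember that the scheduled `AT*.job` task and the `Shell=` entry must be cleaned as well or the files will reappear after the next logon.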


