http://nhattruongquang.0catch.com

Further to the sample submission, I am posting the information I have about the malware.

It has been pestering me for a couple of days now.

Symptoms:

> There is an AutoIT script error which appears very often (screenshot attached)

Line 0 (File “C:\Windows\system32\SVCIICHOST.exe”);
$mang[$i] = “\\” & $read
^ ERROR
Error: Array Variable has incorrect number of subscripts or subscript dimension range exceeded.

> the following entries are detected by HijackThis

F2: REG:system.ini: Shell=Explorer.exe SVIICHOST.exe

D4: HKCU\..\Run: [Yahoo Messengger] C:\windows\system32\SVIICHOST.exe

<update> Further to the Symantec / Sophos details, I checked for New Folder.exe and this is there:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
Value: “shared” = “\New Folder.exe”

> There is a scheduled task entry which enables SVIICHOST.exe to run daily;
c:\windows\tasks\AT1.* is found.

> Task Manager and Registry Editor are disabled.

> SVIICHOST.exe is found running as an active process.

> During an online scan, ClamAV is supposed to detect it, but clamwin 0.94.1 or the latest version of WinClamavShield doesn't detect it.

> It creates exe files in the name of all the folders opened, just like any other autorun-type worm, thereby spreading very easily through removable drives (that's how my colleague got it in the first place).

> While running messenger, there are strange messages broadcast every now and then.

> A host of file names reported is available here – http://www.threatexpert.com/threats/w32-yautoit.html shows how variable and masquerading this is. The threat level might be low, but just a while ago I logged on to our storage server and it is fully infected with the folder name.exe files….

> It broadcasts messages like this to all of your messenger contacts:

“E may, vao day coi co con nho nay ngon lam http://nhattruongquang.0catch.com

“Vao day nghe bai nay di ban http://nhattruongquang.0catch.com

“Biet tin gi chua, vao day coi di http://nhattruongquang.0catch.com

“Trang Web nay coi cung hay, vao coi thu di http://nhattruongquang.0catch.com

“Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan… Ve dau toi biet di ve dau? http://nhattruongquang.0catch.com

“Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa… http://nhattruongquang.0catch.com

More messages may be there.

> A summary of information is available here: http://www.threatexpert.com/report.aspx?md5=495de04859a29d37e0d953d397c41e4e

REMOVAL

> This removal instruction did work for me: http://www.sophos.com/security/analyses/viruses-and-spyware/w32sohanas.html. Also, on another PC, I used SmitFraudFix followed by ComboFix and it also seems to have cleaned it effectively, but for novice users I would like ST to do something.

rajeshontheweb attached the following image(s):
SCVIICHOST.JPG

Just an update.

To get rid of the virus completely:

1) Run fiximaut21.exe

2) Run clamwin and remove all detected AutoIT 13 files (there will be a hell of a lot of them!)

3) Restart your PC

4) Run FixImaut21.exe again

5) Restart your PC

You should be done now; run Clamwin again to get a proper confirmation.

source: http://forum.spywareterminator.com/default.aspx?g=posts&t=5708
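The HijackThis entries quoted in the post (the system.ini Shell= line carrying a second executable and a Run key pointing at SVIICHOST.exe) can be checked mechanically. The script below is an added example, not code from the forum post or from any of the tools it names; the log lines it scans are constructed to resemble the quoted entries, and the set of suspect filenames is taken from the spellings the post uses.

```python
import re

# Filenames the post reports for the worm's dropped executable (it spells the
# name several ways); compared case-insensitively. Assumed list, from the post only.
SUSPECT_NAMES = {"sviichost.exe", "svciichost.exe", "scviichost.exe", "new folder.exe"}

SHELL_RE = re.compile(r"^F2: REG:system\.ini: Shell=(.+)$")
# Accepts both the standard HijackThis "O4:" prefix and the "D4:" as printed in the post.
RUN_RE = re.compile(r"^[OD]4: (HKCU|HKLM)\\\.\.\\Run: \[(.*?)\] (.+)$")


def shell_extras(line):
    """Extra entries in the system.ini Shell= value besides Explorer.exe ([] if clean)."""
    m = SHELL_RE.match(line.strip())
    if not m:
        return []
    return [e for e in m.group(1).split() if e.lower() != "explorer.exe"]


def suspicious_run(line):
    """(hive, name, target) if a Run entry launches one of the suspect filenames, else None."""
    m = RUN_RE.match(line.strip())
    if not m:
        return None
    hive, name, target = m.groups()
    basename = target.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
    return (hive, name, target) if basename in SUSPECT_NAMES else None


def scan_log(text):
    """Return a list of (line_no, reason) findings for a HijackThis-style log."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for extra in shell_extras(line):
            findings.append((n, f"Shell= loads extra executable: {extra}"))
        hit = suspicious_run(line)
        if hit:
            findings.append((n, f"{hit[0]} Run entry [{hit[1]}] launches {hit[2]}"))
    return findings


# Constructed sample log modelled on the entries quoted in the post (not a real capture).
SAMPLE_LOG = """\
F2: REG:system.ini: Shell=Explorer.exe SVIICHOST.exe
O4: HKCU\\..\\Run: [Yahoo Messengger] C:\\windows\\system32\\SVIICHOST.exe
O4: HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

A clean system.ini Shell= line lists only Explorer.exe, so any second token there is worth a look regardless of its name.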
