W32.Fujacks.D (spoclsv.exe/GameSetup.exe) - Virus
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
A Trojan Horse virus is a common yet difficult-to-remove computer threat. It is a type of virus that tries to make the user think it is a beneficial application. A Trojan Horse virus works by hiding within a set of seemingly useful software programs. Once executed or installed on the system, this type of virus starts infecting other files on the computer. A Trojan Horse virus is also usually capable of stealing important information from the user's computer and sending it to Internet servers designated by the developer of the virus, who is then able to gain a level of control over the computer through it. While this takes place, the user will notice that the infected computer has become very slow, or that windows pop up unexpectedly without any activity from the user. Later on, this can result in a computer crash. A Trojan Horse virus can spread in a number of ways. The most common means of infection is through email attachments: the developer of the virus usually uses various spamming techniques to distribute the virus to unsuspecting users, and these emails carry attachments. Once the user opens the attachment, the Trojan Horse virus immediately infects the system and performs the tasks mentioned above. Another method used by malware developers to spread Trojan Horse viruses is chat software such as Yahoo Messenger and Skype. A further method this kind of virus uses to infect other machines is sending copies of itself to the people in the address book of a user whose computer has already been infected. The best way to prevent a Trojan Horse virus from entering and infecting your computer is to never open email attachments or files sent by unknown senders. However, not all files we receive are guaranteed to be virus-free.
For this reason, a good way of protecting your PC against malicious programs such as this one is to install an antivirus program and keep it updated.
When the worm executes, it performs the following actions:
- Copies itself as the following files:
- [DRIVE LETTER]\setup.exe
- [NETWORK DRIVE LETTER]\GameSetup.exe
- %System%\Drivers\spoclsv.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Creates the following file to execute [DRIVE LETTER]\setup.exe:
- [DRIVE LETTER]\autorun.inf
- Adds the value:
"svcshare"="spoclsv.exe"
to the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that it executes whenever Windows starts.
- May delete entries that contain the following strings:
"kav"
"KAVPersonal50"
"KvMonXP"
"McAfeeUpdaterUI"
"Network Associates Error Reporting Service"
"RavTask"
"ShStatEXE"
"yassistse"
"YLive.exe"
from the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Uses a series of "net share" commands to close any local shared folders found.
- May delete files with the following extensions from the root folder of local partitions, except the C drive:
- .gho
- .exe
- .scr
- .pif
- .com
- Uses the following password list in an attempt to copy itself to available network shares:
- admin$
- admin$
- 1234
- password
- 6969
- harley
- 123456
- golf
- pussy
- mustang
- 1111
- shadow
- 1313
- fish
- 5150
- 7777
- qwerty
- baseball
- 2112
- letmein
- 12345678
- 12345
- ccc
- admin
- 5201314
- qq520
- 123
- 1234567
- 123456789
- 654321
- 54321
- 111
- 000000
- abc
- 11111111
- 88888888
- pass
- passwd
- database
- 123asd
- ihavenopass
- godblessyou
- enable
- 2002
- 2003
- 2600
- alpha
- Login
- pw123
- love
- mypc
- mypc123
- admin123
- mypass
- mypass123
- 901100
- Administrator
- Guest
- admin
- Root
- Ends all processes whose window title contains the following strings:
- QQKav
- QQAV
- VirusScan
- Symantec AntiVirus
- iDuba
- esteem procs
- Wrapped gift Killer
- Winsock Expert
- msctls_statusbar32
- pjf(ustc)
- IceSword
- Ends the following processes:
- Mcshield.exe
- VsTskMgr.exe
- naPrdMgr.exe
- UpdaterUI.exe
- TBMon.exe
- scan32.exe
- Ravmond.exe
- CCenter.exe
- RavTask.exe
- Rav.exe
- Ravmon.exe
- RavmonD.exe
- RavStub.exe
- KVXP.kxp
- KvMonXP.kxp
- KVCenter.kxp
- KVSrvXP.exe
- KRegEx.exe
- UIHost.exe
- TrojDie.kxp
- FrogAgent.exe
- Logo1_.exe
- Logo_1.exe
- Rundl123.exe
- May end the following services, some of which may be security-related:
- Schedule
- sharedaccess
- RsCCenter
- RsRavMon
- RsCCenter
- RsRavMon
- KVWSC
- KVSrvXP
- KVWSC
- KVSrvXP
- kavsvc
- AVP
- AVP
- kavsvc
- McAfeeFramework
- McShield
- McTaskManager
- McAfeeFramework
- McShield
- McTaskManager
- navapsvc
- wscsvc
- KPfwSvc
- SNDSrvc
- ccProxy
- ccEvtMgr
- ccSetMgr
- SPBBCSvc
- Symantec Core LC
- NPFMntor
- MskService
- FireSvc
- Scans the compromised computer and infects any .exe files it finds.
Manual Deleting Solution:
- Restart your PC and boot into Safe Mode (press F8 during startup).
- Open Start >> Run, type cmd and press Enter. This opens the Windows command prompt. In this window, type each of the following commands and press Enter after each one.
- type cd\
- type cd windows\system32
- type attrib -r -h -s spoclsv.exe
- type del spoclsv.exe
- now type d: and press Enter to switch to the D: partition.
- type attrib -r -h -s gamesetup.exe
- type del gamesetup.exe
- type exit
- Open Start >> Run, type msconfig and press Enter. In the System Configuration window that opens, uncheck the spoclsv.exe and gamesetup.exe startup entries.
- Open Start >> Run, type regedit and press Enter. In the Registry Editor window that opens, find and remove the entries referring to spoclsv.exe and gamesetup.exe.
- Then update your antivirus software. Because the virus infected all your .exe files, reinstall your software.
Win32/NSAnti (amvo.exe/autorun.inf) - Virus
Recently we received a mail from one of our readers whose computer was infected by the Win32/NSAnti virus. This virus mainly prevents drives from opening on double-click in Windows XP.
If your system is infected by this virus you cannot see hidden files and folders, even after applying the setting to show hidden files and folders; the virus reverts the setting back to "Do not show hidden files and folders".
This happens because the virus protects two hidden system files, d.com and autorun.inf, which are created by amvo.exe together with amvo0.dll and amvo1.dll, which reside in the system32 folder on the OS drive (the hard disk partition on which Windows is installed).
Fix:
In order to fix the problems caused by this virus, you will need to delete all of these files created by the virus.
Follow this set of commands to delete the files:
- Open Start >> Run, type cmd and press Enter. This opens the Windows command prompt. In this window, type each of the following commands and press Enter after each one.
- type cd\
- type cd windows\system32
- type attrib -r -h -s amvo.exe
- type del amvo.exe
- type attrib -r -h -s amvo0.dll, then type del amvo0.dll; repeat these two steps (attrib and del) for amvo1.dll
- now type d: and press Enter to switch to the D: partition.
- type attrib -r -h -s autorun.inf
- type del autorun.inf
- type attrib -r -h -s d.com
- type del d.com
Note: The above procedure may seem cumbersome, but it is of great help in repairing your system if none of your anti-virus tools is able to remove the infection caused by the virus.
How to view hidden files in Command Prompt (Windows XP)
1. Go to Start >> Run. Type cmd and press Enter to open the command prompt.
2. Now navigate to the directory from the command prompt.
3. Type the command dir /ah to list all the hidden files in that directory.
New Folder.exe Virus Removal
Virus also known as: IT University, Sohanad, W32.HLLW.Ssdx, newfolder.exe
If this virus infects your computer, it disables the following:
Task Manager, Registry Editor, Folder Options, Run in the Start menu
It also creates .exe files that use the folder icon. While this virus is running it uses more than 50% of your processor.
Manually remove it (new folder.exe fix)
Delete the file named svichossst.exe, then remove the following registry entries it sets:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"@"=
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe "
If you cannot delete svichossst.exe manually, use the following method.
First log in to Safe Mode, then try the following:
- Open Start >> Run, type cmd and press Enter. This opens the Windows command prompt. In this window, type each of the following commands and press Enter after each one.
- type cd\
- type cd windows\system32
- type attrib -r -h -s svichossst.exe
- type del svichossst.exe
Godzilla virus removal (MS32DLL.dll.vbs)
This virus spreads through pen drives and external HDDs. It uses the Windows AutoRun function to run: it creates a file named MS32DLL.dll.vbs in the Windows folder and a file named autorun.inf in the root directory of each drive, so whenever you double-click the drive, the script runs from c:\windows\MS32DLL.dll.vbs.
After infection
You cannot double-click to open any drive on the computer, but you can right-click and choose Open or Explore.
It also affects regedit, Task Manager, hidden folders/files, etc.
Related files:
MS32DLL.dll.vbs
Autorun.inf
Flashy.exe
Manual Deleting Solution:
Open Task Manager and end the following processes:
1. wscript.exe
2. mslogon.exe
3. systemnt.exe
4. wscript.exe
5. flashy.exe
6. sondmsg.exe
Open a command prompt and do the following.
Change the attributes of the file:
attrib -s -r -h autorun.inf
Remove autorun.inf from the root directory:
del autorun.inf
Delete MS32DLL.dll.vbs from the Windows directory:
del c:\windows\MS32DLL.dll.vbs
Open the Registry Editor and delete the following values:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run - MS32DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run - flashy.exe
HKU\Software\Microsoft\Internet Explorer\Main - "Window Title"
HKU\Software\Microsoft\Windows\CurrentVersion\Policies\System - DisableTaskMgr
HKU\Software\Microsoft\Windows\CurrentVersion\Policies\System - DisableRegistryTools
HKU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer - NoFolderOptions
Now restart the PC.
How to avoid spreading
To stop it spreading, disable AutoRun in Windows.
There is also a small trick: create a folder named autorun.inf in the root directory of every drive and set all of its attributes to "+" (hidden, system, read-only) so that the virus cannot easily drop its own autorun.inf file there.
Eg:
md autorun.inf & attrib +h +s +r autorun.inf
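An offline triage helper, added here as an example and not part of any of the write-ups above: it parses an autorun.inf and a regedit .reg export and flags the dropped file names, Run values, Shell hijack and policy values named in the W32.Fujacks.D, Win32/NSAnti, New Folder.exe and Godzilla write-ups. The sample inputs are constructed; on a real machine you would export the Run, Winlogon and Policies keys with regedit and feed it the root autorun.inf of each drive.

```python
# Indicators taken from the write-ups above; all comparisons are case-insensitive.
AUTORUN_TARGETS = {"setup.exe", "gamesetup.exe", "d.com", "ms32dll.dll.vbs"}
RUN_NAMES = {"svcshare", "ms32dll", "flashy.exe", "yahoo messengger"}
RUN_DATA = {"spoclsv.exe", "amvo.exe", "svichossst.exe", "ms32dll.dll.vbs", "flashy.exe"}
POLICIES = {"disabletaskmgr", "disableregistrytools", "nofolderoptions"}
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")

def parse_ini(text):
    """Minimal [section] / name=data parser that serves both .inf and .reg text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            sections[current][name.strip().strip('"')] = data.strip().strip('"')
    return sections

def autorun_findings(text):
    """Launch directives in [autorun] that point at a file the write-ups name."""
    autorun = {k.lower(): v for sec, kv in parse_ini(text).items()
               if sec.lower() == "autorun" for k, v in kv.items()}
    return [f"{k}={autorun[k]}" for k in LAUNCH_KEYS
            if k in autorun and any(t in autorun[k].lower() for t in AUTORUN_TARGETS)]

def registry_findings(text):
    """Run, Winlogon and Policies entries in a .reg export that match the write-ups."""
    hits = []
    for path, values in parse_ini(text).items():
        leaf = path.rsplit("\\", 1)[-1].lower()
        for name, data in values.items():
            n, d = name.lower(), data.lower()
            if leaf == "run" and (n in RUN_NAMES or any(t in d for t in RUN_DATA)):
                hits.append(f"{path}\\{name} = {data}")  # added autostart entry
            elif leaf == "winlogon" and n == "shell" and d != "explorer.exe":
                hits.append(f"{path}\\{name} = {data}")  # hijacked Shell value
            elif "policies" in path.lower() and n in POLICIES and not d.endswith(":00000000"):
                hits.append(f"{path}\\{name} = {data}")  # tool disabled by policy
    return hits

# Constructed sample inputs, not captured from a real infection.
SAMPLE_AUTORUN = "[autorun]\nopen=setup.exe\nshellexecute=wscript.exe MS32DLL.dll.vbs\nicon=drive.ico\n"
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svcshare"="spoclsv.exe"
"Synchronize"="sync.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe svichossst.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
"""
```

A clean drive's autorun.inf (icon and label only) and a zeroed policy value produce no findings, so the helper can be run over every drive and export without manual filtering.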
BubbleBoy virus
Discovered: November 9, 1999
Updated: February 13, 2007 11:33:09 AM
Also Known As: VBS/BubbleBoy@MM [McAfee], I-Worm.BubbleBoy [AVP], VBS_BUBBLEBOY [Trend], VBS/BubbleBoy.Worm [CA], VBS/BubbleBoy [Panda], VBS/BubbleBoy-A [Sophos]
Type: Worm, Virus
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
VBS.BubbleBoy is a worm that works under Windows 98 and Windows 2000. The worm also works under Windows 95, but only if the Windows Scripting Host is installed. The worm only works with the English and Spanish versions of these operating systems, and does not work under Windows NT.
The computer must use Microsoft Outlook (or Express) with Internet Explorer 5 in order for the worm to propagate.
The worm utilizes a known security hole in Microsoft Outlook/IE5 to insert a script file, Update.hta, when the email is viewed. It is not necessary to detach and run an attachment.
Update.hta is placed in the StartUp folder. Therefore, the infection routine is not executed until the next time you start your computer. Update.hta is a script file that uses MS Outlook to send the worm email message to everyone in the MS Outlook address book.
Patching the known security hole in Microsoft Outlook/IE5 prevents the worm from propagating. For further information regarding the security hole, please read the following Microsoft article:
http://www.microsoft.com/technet/security/bulletin/fq99-032.asp
Microsoft has provided a patch to fix this problem at http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
The worm will not propagate if IE5 Internet security settings have been set to "High."
Protection
- Initial Rapid Release version November 15, 1999
- Latest Rapid Release version August 20, 2008 revision 017
- Initial Daily Certified version November 15, 1999
- Latest Daily Certified version August 20, 2008 revision 016
- Initial Weekly Certified release date November 15, 1999
Wild
- Wild Level: Low
- Number of Infections: 0 - 49
- Number of Sites: 0 - 2
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Easy
- Damage Level: Low
- Distribution Level: Low