"Malware Fix: a collection of fixes for computer virus problems, a project to do good for society" "Because of work obligations I must apologise to all visitors: there are no updates for new viruses at the moment."

Information

http://malwarefighting.blogspot.com


Warning! Crypt0L0cker (Ransomware)
encrypts the data on the computer; it is spreading in Thailand
and spreading heavily in Korea
ThaiCERT, Crypto Prevention Tool

*Do not pay under any circumstances: you will lose the money and still not get the data back.
Please share this with anyone who reads it.
http://hotzone-it.blogspot.com/2015/07/how-to-remove-crypt0l0cker-not.html
==============================================
PeeTechFix >> JupiterFix
==============================================

How to use: JupiterFix-Win32.PSW.OnlineGames
You can check the list of viruses the program can clean in VirusList.txt
-------------------------------------------------------------------------------------
Anyone who downloaded the PeeTechFix tool and ran into problems, or could not remove the virus, please report the problem by email to MalwareHunter.info@gmail.com, or send the virus file; it would be greatly appreciated.
-------------------------------------------------------------------------------------
Safemode Recovery (.reg): fixes the case where a virus deletes the Safeboot key so that Safe Mode cannot be entered
------------------------------------------------------------------------------------
How to fix the error message (fixes being unable to open .exe files on a USB drive)
"Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator"
See this link for the fix.
-------------------------------------------------------------------------------------
How to fix MSN / Windows Live Messenger disconnecting (caused by the OnlineGames virus)
-------------------------------------------------------------------------------------
How to start Windows in Safe Mode


Thursday

How to remove Phim nguoi lon.exe

How to remove Phim nguoi lon.exe, Nguyen Tu Quang.exe
(Win32/Autorun.PD, as detected by NOD32)

Secret.exe, system.exe, Userinit.exe, DXGDIALOG.EXE
Phim nguoi lon.exe
MD5: 0658E57E4190FF5DB50A3507B3EC2887
SHA-1: FE094BE860B0E7C43D689BB5DCC492C70A2F2C17

MD5: 08D0941E57C4A7DD67D47844E9AABB4B
SHA-1: 49B9C523229D737335F23C02EDC532785AEFEBFC

Secret.exe, system.exe, Userinit.exe
Nguyen Tu Quang.exe
MD5: 27DCBCC8E8C4EB8A971E90ACAC96658A
SHA-1: 1B5581B3287DFAA2CE0718EE626784AB893721FD
==============================================
Aliases (scanner, engine version, signature date, detection name; "-" means not detected):
a-squared 4.5.0.24 2009.09.15 Worm.Win32.VB!IK
AhnLab-V3 5.0.0.2 2009.09.14 Win32/Autorun.worm.233472
AntiVir 7.9.1.14 2009.09.14 Worm/Autorun.cbm.4
Antiy-AVL 2.0.3.7 2009.09.15 -
Authentium 5.1.2.4 2009.09.15 W32/SysKeylog.B.gen!Eldorado
Avast 4.8.1351.0 2009.09.14 Win32:AutoRun-AHD
AVG 8.5.0.412 2009.09.14 Worm/Generic.HHJ
BitDefender 7.2 2009.09.15 Worm.Generic.80728
CAT-QuickHeal 10.00 2009.09.14 Worm.AutoRun.cbm
ClamAV 0.94.1 2009.09.14 Worm.Autorun-1758
Comodo 2321 2009.09.15 Worm.Win32.AutoRun.PD
DrWeb 5.0.0.12182 2009.09.15 Win32.HLLW.Autoruner.1083
eSafe 7.0.17.0 2009.09.14 Win32.AutoRun.cbm
eTrust-Vet 31.6.6737 2009.09.14 Win32/SillyAutorun.PE
F-Prot 4.5.1.85 2009.09.14 W32/SysKeylog.B.gen!Eldorado
F-Secure 8.0.14470.0 2009.09.15 Worm.Win32.AutoRun.cbm
Fortinet 3.120.0.0 2009.09.15 W32/VB.CBM!worm
GData 19 2009.09.15 Worm.Generic.80728
Ikarus T3.1.1.72.0 2009.09.15 Worm.Win32.VB
Jiangmin 11.0.800 2009.09.14 Worm/AutoRun.tc
K7AntiVirus 7.10.844 2009.09.14 Worm.Win32.AutoRun
Kaspersky 7.0.0.125 2009.09.15 Worm.Win32.AutoRun.cbm
McAfee 5741 2009.09.14 W32/Autorun.worm.bm
McAfee+Artemis 5741 2009.09.14 W32/Autorun.worm.bm
McAfee-GW-Edition 6.8.5 2009.09.14 Worm.Autorun.cbm.4
Microsoft 1.5005 2009.09.14 Trojan:Win32/Vhorse.Q
NOD32 4425 2009.09.14 Win32/AutoRun.PD
Norman 6.01.09 2009.09.14 W32/DLoader.FJTL
nProtect 2009.1.8.0 2009.09.14 Worm/W32.AutoRun.233472
Panda 10.0.2.2 2009.09.14 W32/AutoRun.DJ.worm
PCTools 4.4.2.0 2009.09.14 -
Prevx 3.0 2009.09.15 -
Rising 21.47.04.00 2009.09.14 Worm.Win32.VB.rm
Sophos 4.45.0 2009.09.15 Mal/VB-F
Sunbelt 3.2.1858.2 2009.09.15 Trojan.Win32.Generic!BT
Symantec 1.4.4.12 2009.09.15 W32.Versie.A
TheHacker 6.3.4.4.404 2009.09.15 W32/AutoRun.cbm
TrendMicro 8.950.0.1094 2009.09.14 WORM_AUTORUN.BBC
VBA32 3.12.10.10 2009.09.14 Worm.Win32.AutoRun.cbm
ViRobot 2009.9.14.1934 2009.09.14 Worm.Win32.Autorun.233472
VirusBuster 4.6.5.0 2009.09.14 Worm.AutoRun.GGV
------------------------------------------------------------------------
I wrote a draft about this virus a long time ago but never got round to publishing it.
Then, a week ago, I got a sample of this virus from work, which NOD32
reported as Win32/Autorun.PD. I took the old sample I had kept and looked at it again,
and it turned out the MD5 values differ, so I ran the test once more. The results are as follows.
===================================================
Files Created
%WinDir%\userinit.exe
%WinDir%\kdcoms.dll
%WinDir%\system32\system.exe
%System%\MSWINSCK.OCX
%Temp%\Phim nguoi lon\Phim nguoi lon.exe (update 11/12/2009)
X:\Secret.exe
X:\DXGDIALOG.EXE
X:\autorun.inf
X:\[Folder]\Nguyen Tu Quang.exe
X:\[Folder]\Phim nguoi lon.exe
(The folder on the USB drive where Phim nguoi lon.exe and Nguyen Tu Quang.exe are placed is not fixed; it varies.)

X:\ = USB Drive
%WinDir% = C:\Windows\
%System% = C:\Windows\System32\
%Temp% = C:\Documents and Settings\[UserName]\Local Settings\Application Data\Temp\

Registry Modifications
(The Classes\CLSID, Interface, TypeLib and MSWinsock.Winsock keys and values below are the normal COM registration of the dropped %System%\MSWINSCK.OCX, the Microsoft Winsock Control 6.0 that the worm, written in Visual Basic, needs for networking. They are not malicious in themselves and may already exist on a machine with legitimate VB6 software. The only persistence change is the Winlogon Userinit value at the end of this section.)

Keys Added
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
HKLM\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32
HKLM\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
HKLM\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
HKLM\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}
HKLM\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0
HKLM\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\MSWinsock.Winsock
HKLM\SOFTWARE\Classes\MSWinsock.Winsock\CLSID
HKLM\SOFTWARE\Classes\MSWinsock.Winsock\CurVer
HKLM\SOFTWARE\Classes\MSWinsock.Winsock.1
HKLM\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID

Values added
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\: "132497"
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\: "MSWinsock.Winsock"
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\: "1.0"
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\: "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\: "C:\WINDOWS\system32\MSWINSCK.OCX, 1"
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\: "MSWinsock.Winsock.1"
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\: "0"
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\: "C:\WINDOWS\system32\MSWINSCK.OCX"
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\: "Microsoft WinSock Control, version 6.0"
HKLM\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\: "C:\WINDOWS\system32\MSWINSCK.OCX"
HKLM\SOFTWARE\Classes\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\: "Winsock General Property Page Object"
HKLM\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\: "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKLM\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\: "IMSWinsockControl"
HKLM\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\: "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
HKLM\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\: "{00020420-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\: "{00020420-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\: "DMSWinsockControlEvents"
HKLM\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\: "C:\WINDOWS\system32\MSWINSCK.OCX"
HKLM\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\: ""
HKLM\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\: "2"
HKLM\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\: "Microsoft Winsock Control 6.0"
HKLM\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\: "MSWinsock.Winsock.1"
HKLM\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\: "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
HKLM\SOFTWARE\Classes\MSWinsock.Winsock\: "Microsoft WinSock Control, version 6.0"
HKLM\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\: "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
HKLM\SOFTWARE\Classes\MSWinsock.Winsock.1\: "Microsoft WinSock Control, version 6.0"

Value modified
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\userinit.exe"
(On a clean Windows XP install this value is "C:\WINDOWS\system32\userinit.exe,". The worm redirects it to its dropped copy in %WinDir%, so Winlogon starts the worm at every logon; the dropped copy then has to run the real userinit.exe or the user never gets a desktop. When cleaning by hand, restore this value before deleting %WinDir%\userinit.exe, or the machine will no longer log on.)
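A small triage helper for the indicators listed above, added here as an example and not the blog's PeeTechFix tool: it checks a Winlogon Userinit value against the stock Windows XP default, matches file hashes against the three sample MD5s from this post, and reports which of the dropped files exist. The default Userinit value is assumed to be that of a 32-bit Windows XP install; registry reading is left to the caller so the logic also runs off-box.

```python
import hashlib
import os

# Stock Winlogon Userinit value on 32-bit Windows XP (assumed). The worm points
# it at its own copy in %WinDir% (see "Value modified") so it runs at every logon.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# MD5 hashes of the three samples listed on the page
KNOWN_MD5 = {
    "0658e57e4190ff5db50a3507b3ec2887",
    "08d0941e57c4a7dd67d47844e9aabb4b",
    "27dcbcc8e8c4eb8a971e90acac96658a",
}

# Dropped files from the "Files Created" list that have no legitimate reason to
# exist at these paths (MSWINSCK.OCX is omitted: VB6 software ships it legitimately)
DROPPED_FILES = [
    r"%WinDir%\userinit.exe",
    r"%WinDir%\kdcoms.dll",
    r"%WinDir%\system32\system.exe",
]

def userinit_is_tampered(value, expected=EXPECTED_USERINIT):
    """Userinit is a comma-separated list of programs started at logon.
    Anything other than the stock system32 userinit.exe is suspicious."""
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return not entries or any(e.lower() != expected.lower() for e in entries)

def md5_hex(data):
    """Hex MD5 of a byte string (the hash type the page lists per sample)."""
    return hashlib.md5(data).hexdigest()

def is_known_sample_hash(hexdigest, known=KNOWN_MD5):
    return hexdigest.lower() in known

def file_matches_known_sample(path):
    with open(path, "rb") as f:
        return is_known_sample_hash(md5_hex(f.read()))

def present_dropped_files(windir=r"C:\WINDOWS", exists=os.path.exists):
    """Expand the page's %WinDir% placeholder and return the dropped files
    that exist. 'exists' is injectable so the logic can be tested off-box."""
    paths = [p.replace("%WinDir%", windir.rstrip("\\")) for p in DROPPED_FILES]
    return [p for p in paths if exists(p)]
```

On a live host, feed `userinit_is_tampered` the value read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and call `file_matches_known_sample` on any Secret.exe, system.exe or Userinit.exe you find.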
------------------------------------------------------------------------
How to remove / fix the virus:
Secret.exe, system.exe, Userinit.exe, DXGDIALOG.EXE
Phim nguoi lon.exe, Nguyen Tu Quang.exe
------------------------------------------------------------------------

Download Fix Tool: PeeTechFix-Phim nguoi lon

