opdux.exe, herss.exe
File size: 116,017 bytes
MD5: FB023F287D2EE2207F466DBF8BA5145E
SHA-1: 2E174AFB45C7A07F7B57B44FC6CF296758A81B42
==================================================
Antivirus / Version / Last update / Result
a-squared 4.5.0.41 2009.11.15 Packed.Win32.Krap!IK
AhnLab-V3 5.0.0.2 2009.11.13 -
AntiVir 7.9.1.65 2009.11.13 TR/Crypt.XPACK.Gen
Antiy-AVL 2.0.3.7 2009.11.13 -
Authentium 5.2.0.5 2009.11.14 -
Avast 4.8.1351.0 2009.11.14 -
AVG 8.5.0.425 2009.11.14 -
BitDefender 7.2 2009.11.15 -
CAT-QuickHeal 10.00 2009.11.13 -
ClamAV 0.94.1 2009.11.15 -
Comodo 2957 2009.11.15 -
DrWeb 5.0.0.12182 2009.11.15 -
eSafe 7.0.17.0 2009.11.12 Suspicious File
eTrust-Vet 35.1.7121 2009.11.14 -
F-Prot 4.5.1.85 2009.11.14 -
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.15 -
GData 19 2009.11.15 -
Ikarus T3.1.1.74.0 2009.11.15 Packed.Win32.Krap
Jiangmin 11.0.800 2009.11.12 -
K7AntiVirus 7.10.896 2009.11.13 -
Kaspersky 7.0.0.125 2009.11.15 -
McAfee 5802 2009.11.14 -
McAfee+Artemis 5802 2009.11.14 Artemis!FB023F287D2E
McAfee-GW-Edition 6.8.5 2009.11.14 Heuristic.LooksLike.Win32.SuspiciousPE.B
Microsoft 1.5202 2009.11.14 -
NOD32 4608 2009.11.14 -
Norman 6.03.02 2009.11.15 OnLineGames.KGCC
nProtect 2009.1.8.0 2009.11.15 -
Panda 10.0.2.2 2009.11.15 Suspicious file
PCTools 7.0.3.5 2009.11.13 -
Prevx 3.0 2009.11.15 High Risk Cloaked Malware
Rising 22.21.06.05 2009.11.15 -
Sophos 4.47.0 2009.11.15 Mal/Taterf-A
Sunbelt 3.2.1858.2 2009.11.12 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.11.15 -
TheHacker 6.5.0.2.070 2009.11.14 -
TrendMicro 9.0.0.1003 2009.11.15 -
VBA32 3.12.10.11 2009.11.15 Trojan-PSW.Win32.OnlineGames.3
ViRobot 2009.11.14.2037 2009.11.14 -
VirusBuster 4.6.5.0 2009.11.14 -
------------------------------------------------------------------------
Files created
C:\Documents and Settings\[UserName]\Local Settings\Temp\herss.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\cvasds0.dll (the trailing digit varies, 0-9)
X:\opdux.exe
X:\autorun.inf
Registry Modifications
Value added
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cdoosoft = "%Temp%\herss.exe"
Values modified
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun: 0x00000091
URL downloaded / data identified
http://www.yahoofv0.com/1mg/am1.rar > %Temp%\am1.rar > am1.exe
=======================================================
How to remove/fix the virus: opdux.exe, herss.exe
=======================================================
Download Fix Tool: PeeTechFix-Win32/PSW.OnlineGame 2.0.5
THANK YOU FOR THIS HELPFUL INFORMATION. I don't know how it happened, but I ended up with an OPDUX.EXE infection and the registry entries and files mentioned above are ACCURATE. Many thanks!
I have some revisions to the above.
To test if you are affected by this rootkit, go to your Windows directory in File Explorer and try to see the "Installer" folder. This is a "superhidden" folder. If you don't see it, try to set your folder to show hidden files and folders (Folder Options | View). If this fails then you will need to change the registry settings mentioned above.
Pay particular attention to the HKLM and HKLU roots above.
The values above are the ALTERED values. The values you should use are:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun: 0x000000FF
I recommend FF for NoDriveTypeAutoRun as this will disable autorun on ALL drives. (I think autorun is a dangerous feature in general.)
Hope this helps someone...
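One way to check a machine against the values in this comment and the write-up above, as an added PowerShell example that is not part of the original post or of the PeeTechFix tool. The expected "clean" values (1, 1, 1, 0xFF) are the commenter's; the function name Test-OpduxInfection and the -Repair switch are my own.

```powershell
# Added example, not from the original post. Audits the four Explorer/autorun
# values the comment lists, the Run entry from the write-up, and removable
# drives for the autorun.inf that points at opdux.exe. Read-only unless -Repair.
# Run elevated (the HKLM value needs it) after herss.exe has been stopped,
# otherwise a still-running sample can simply set the values back.
$RegistryChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
       Name = 'CheckedValue';       Expected = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'Hidden';             Expected = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'ShowSuperHidden';    Expected = 1 }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Expected = 0xFF }   # FF = autorun off on all drive types
)
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Test-OpduxInfection {
    param([switch]$Repair)
    $findings = @()
    foreach ($c in $RegistryChecks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($actual -ne $c.Expected) {   # also fires when the value is missing ($null)
            $findings += [pscustomobject]@{ Where = "$($c.Path)\$($c.Name)"; Actual = $actual; Expected = $c.Expected }
            if ($Repair) {
                New-Item -Path $c.Path -Force | Out-Null   # Policies\Explorer may not exist yet
                Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord
            }
        }
    }
    # Persistence entry from the write-up: cdoosoft = "%Temp%\herss.exe"
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['cdoosoft']) {
        $findings += [pscustomobject]@{ Where = "$RunKey\cdoosoft"; Actual = $run.cdoosoft; Expected = '<absent>' }
        if ($Repair) { Remove-ItemProperty -Path $RunKey -Name 'cdoosoft' }
    }
    # Removable drives (DriveType 2): the sample drops X:\autorun.inf next to X:\opdux.exe
    foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        $inf = Join-Path $d.DeviceID 'autorun.inf'
        if ((Test-Path -LiteralPath $inf) -and (Select-String -Path $inf -Pattern 'opdux\.exe' -Quiet)) {
            $findings += [pscustomobject]@{ Where = $inf; Actual = 'references opdux.exe'; Expected = '<absent>' }
        }
    }
    return $findings
}

Test-OpduxInfection | Format-Table -AutoSize
```

An empty table means every value matches the commenter's recommended settings and no cdoosoft Run entry or opdux autorun.inf was found; the autorun.inf finding is reported only, since removing it also requires deleting opdux.exe on the same drive.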
Thank you very much for the comment.
Also, I will disable the autoplay function in the next version....
-------------------------------------------------------------
HKU > HKCU