Storm2.exe, Origin.exe, Browsers.exe, Player.exe
File size: 628,736 bytes
MD5: 23CAFA5DBF348DA43B710B8874181D14
SHA-1: 5A132B5A9FAFCC23B6D3A93F331B9060501C4628
==================================================
Aliases (scanner, signature date, detection name; "-" means not detected):
a-squared 2009.12.21 Trojan-Spy.Win32.Banker.bbh!IK
AhnLab-V3 2009.12.21 -
AntiVir 2009.12.21 TR/Spy.628736.1
Antiy-AVL 2009.12.18 Trojan/Win32.Scar.gen
Authentium 2009.12.02 W32/SysVenFak.A.gen!Eldorado
Avast 2009.12.20 Win32:Spyware-gen
AVG 2009.12.20 Generic15.BQNB
BitDefender 2009.12.21 Gen:Trojan.Heur.MG0@rOs5Makb
CAT-QuickHeal 2009.12.21 Trojan.Scar.asap
ClamAV 2009.12.21 -
Comodo 2009.12.21 TrojWare.Win32.Trojan.Agent.Gen
DrWeb 2009.12.21 Trojan.DownLoad.61707
eSafe 2009.12.20 -
eTrust-Vet 2009.12.21 -
F-Prot 2009.12.20 W32/SysVenFak.A.gen!Eldorado
F-Secure 2009.12.21 Gen:Trojan.Heur.MG0@rOs5Makb
Fortinet 2009.12.20 W32/Scar.ASAP!tr
GData 2009.12.21 Gen:Trojan.Heur.MG0@rOs5Makb
Ikarus 2009.12.21 Trojan-Spy.Win32.Banker.bbh
Jiangmin 2009.12.21 Trojan/Scar.esx
K7AntiVirus 2009.12.17 Trojan.Win32.Malware.1
Kaspersky 2009.12.21 Trojan.Win32.Scar.asap
McAfee 2009.12.20 Generic.dx!ior
McAfee+Artemis 2009.12.20 Generic.dx!ior
McAfee-GW-Edition 2009.12.21 Heuristic.BehavesLike.Win32.Spyware.J
Microsoft 2009.12.21 -
NOD32 2009.12.21 -
Norman 2009.12.21 -
nProtect 2009.12.21 Trojan/W32.Scar.628736
Panda 2009.12.15 Trj/Downloader.MDW
PCTools 2009.12.21 Spyware.007Spy
Prevx 2009.12.21 High Risk Spyware
Rising 2009.12.21 -
Sophos 2009.12.21 Mal/Behav-056
Sunbelt 2009.12.20 Trojan.Win32.Generic!SB.0
Symantec 2009.12.21 Spyware.007Spy
TheHacker 2009.12.21 -
TrendMicro 2009.12.21 -
VBA32 2009.12.19 Trojan.Win32.Scar.asap
ViRobot 2009.12.21 -
VirusBuster 2009.12.20 -
Files Created
%System%\Storm2.exe
%System%\Origin.exe
D:\Browsers.exe
%System% = C:\Windows\System32\
Registry Modifications
Values Added
HKLM\SOFTWARE\Classes\txtfile\shell\open\command\
(Default) = "d:\Browsers.exe %1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
WBOpen = "%System%\Storm2.exe"
Verdana = "%System%\Origin.exe"
Value Deleted
HKLM\SOFTWARE\Classes\txtfile\shell\open\command\
(Default) = "%System%\NOTEPAD.EXE %1"
Remote Host
d.laiyiba.com port 1034
HTTP URLs read by the sample during execution
A pop-up may also appear asking you to set the default home page, as in the example.
====================================================
How to remove/fix the virus: Storm2.exe, Origin.exe, Browsers.exe, Player.exe
====================================================
---------------------------------------------------------------------------
Once infected with this virus, a rapid, repeated noise comes out of the speakers the whole time. The fix is:
1. Run Process Explorer and kill the processes Storm2.exe, Origin.exe and Browsers.exe.
2. Run NOD32RecoveryTool and choose Fix now to show hidden files and reset winlogon.
3. Delete the following files:
%System%\Storm2.exe
%System%\Origin.exe
D:\Browsers.exe
4. Run HijackThis and use Fix checked on the following lines:
O4 - HKCU\..\Run: [WBOpen] C:\WINDOWS\System32\Storm2.exe
O4 - HKCU\..\Run: [Verdana] c:\windows\system32\Origin.exe
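An added PowerShell audit script covering steps 3 and 4 above (it is not from the original post). It assumes PowerShell 3 or later in an elevated console and uses only the file paths and registry values listed in this report; run it without -Restore first to see what is still present.

```powershell
# Added audit/cleanup script for the indicators listed in this report; it is not part of
# the original post. Assumes PowerShell 3+ running elevated. Without -Restore it only
# reports; with -Restore it removes the Run entries, deletes the dropped files and puts
# the txtfile handler back to the NOTEPAD.EXE value the report lists as deleted.
param([switch]$Restore)

$system   = Join-Path $env:SystemRoot 'System32'          # %System% on this host
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$txtKey   = 'HKLM:\SOFTWARE\Classes\txtfile\shell\open\command'
$runNames = @('WBOpen', 'Verdana')                         # Run values added by the sample
$files    = @("$system\Storm2.exe", "$system\Origin.exe", 'D:\Browsers.exe')
$cleanTxt = "$system\NOTEPAD.EXE %1"                       # original handler per the report

$findings = @()

# 1. Run-key persistence (the two HijackThis O4 lines in step 4)
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in $runNames) {
    if ($run -and $run.PSObject.Properties[$name]) {
        $findings += "Run value $name = $($run.$name)"
        if ($Restore) { Remove-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue }
    }
}

# 2. txtfile handler hijack: every .txt open would launch D:\Browsers.exe instead of Notepad
$txt = (Get-ItemProperty -Path $txtKey -ErrorAction SilentlyContinue).'(default)'
if ($txt -and $txt -notmatch 'NOTEPAD\.EXE') {
    $findings += "txtfile open command = $txt"
    if ($Restore) { Set-ItemProperty -Path $txtKey -Name '(default)' -Value $cleanTxt }
}

# 3. Dropped files (kill the processes first, as in step 1, or deletion will fail)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "file present: $f"
        if ($Restore) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
    }
}

if ($findings.Count -eq 0) {
    'No indicators from this report were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
    if ($Restore) { 'Restore attempted; run again without -Restore to verify.' }
}
```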
Thank you, this is very useful.
I all the time emailed this website post page to all my contacts, as if like to read it next my contacts will too.