Removed: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe (worm Rayon)

Malware: C:\sand-box\cw2010.exe

Removed: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: Policies
Author:
Related File: C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\EXPLORER.EXE
Type: Explorer Run

Item Name: DCOM Client Launcher
Author:
Related File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe /service
Type: Auto Services

Item Name: explorer.exe
Author:
Related File: C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\EXPLORER.EXE
Type: Running Processes

Removal Results: Success
Number of reboots: 1

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Policies
Value: "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe"

Registry: HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\ImagePath
Value: "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe /service"

Registry: HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
Value: "http://comicosy.com"

Files:
C:\Documents and Settings\Administrator\Local Settings\Temp\svcinstall.txt
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe

—————————————————————————————————————————-
Classification:

Antivirus   Version       Last Update   Result
F-Secure    9.0.15370.0   2010.09.25    Trojan.Generic.4652263
Kaspersky   7.0.0.125     2010.09.25    Worm.Win32.Rayon.br
Microsoft   1.6201        2010.09.24    Trojan:Win32/Otran
NOD32       5477          2010.09.24    Win32/Agent.NHU

—————————————————————————————————————————-

MD5 9598abdbe216b9d479cf7c06a9434eeb

SHA1 1408e75a3493bb34a7bb7862f7f4eb5ea00986a5

SHA256 56e8706d617665a3db4e4b3b7ccd5504b2643e5e21056e196cbfc1a920439e77

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Keys added: 4
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\Security

———————————-
Values added: 12
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Policies: "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions: 0x00000001
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\Type: 0x00000010
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\Start: 0x00000002
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\ErrorControl: 0x00000001
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\ImagePath: "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe /service"
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\DisplayName: "DCOM Client Launcher"
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\ObjectName: "LocalSystem"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000001

———————————-
Values modified: 5
———————————-
(-) HKLM\System\CurrentControlSet\Services\Dnscache\Start: 0x00000002
(+) HKLM\System\CurrentControlSet\Services\Dnscache\Start: 0x00000004
(-) HKLM\System\CurrentControlSet\Services\ERSvc\Start: 0x00000002
(+) HKLM\System\CurrentControlSet\Services\ERSvc\Start: 0x00000004
(-) HKLM\System\CurrentControlSet\Services\SharedAccess\Start: 0x00000002
(+) HKLM\System\CurrentControlSet\Services\SharedAccess\Start: 0x00000004
(-) HKLM\System\CurrentControlSet\Services\wuauserv\Start: 0x00000002
(+) HKLM\System\CurrentControlSet\Services\wuauserv\Start: 0x00000004
(-) HKCU\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.google.com/"
(+) HKCU\Software\Microsoft\Internet Explorer\Main\Start Page: "http://comicosy.com"

———————————-
Files added: 2
———————————-
C:\Documents and Settings\Administrator\Local Settings\Temp\svcinstall.txt
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe

———————————-
Files [attributes?] modified: 1
———————————-
C:\sand-box\cw2010.exe

———————————-
Total changes: 24
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com
