Removed: spoolsv.exe, svchost.exe, blsys.bln, mrsys.exe, explorer.exe
Malware: X.exe
Removed:
C:\WINDOWS\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\blsys.bln
C:\Documents and Settings\Administrator\Local Settings\Application Data\mrsys.exe
C:\WINDOWS\system32\explorer.exe
Classification:
Antivirus    Version        Last Update   Result
F-Secure     9.0.15370.0    2009.11.09    -
Kaspersky    7.0.0.125      2009.11.11    Trojan.Win32.VB.yfq
McAfee       5798           2009.11.10    -
Microsoft    1.5202         2009.11.10    -
NOD32        4593           2009.11.10    -
Symantec     1.4.4.12       2009.11.11    -
Additional information
File size: 192533 bytes
MD5: fa638274367f78526cc305545278e9e0
SHA1: c53a4b5a60f94c8700ad3c1a1db5876eacd243d9
Installation
When the program is executed, it creates the following registry subkeys and values:
----------------------------------
Keys added:8
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR
HKCU\Software\VB and VBA Program Settings
HKCU\Software\VB and VBA Program Settings\Explorer
HKCU\Software\VB and VBA Program Settings\Explorer\Process
HKCU\Software\VB and VBA Program Settings\Svchost
HKCU\Software\VB and VBA Program Settings\Svchost\Process
----------------------------------
Values deleted:0
----------------------------------
----------------------------------
Values added:14
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath: "C:\Documents and Settings\Administrator\Local Settings\Application Data\mrsys.exe MR"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer: "c:\windows\system32\explorer.exe RU"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost: "c:\windows\svchost.exe RU"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Explorer: "c:\windows\system32\explorer.exe RO"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Svchost: "c:\windows\svchost.exe RO"
HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours: 0x00000048
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Type: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\VB and VBA Program Settings\Explorer\Process\LO: "0"
HKCU\Software\VB and VBA Program Settings\Explorer\Process\BL: ""
HKCU\Software\VB and VBA Program Settings\Explorer\Process\NF: "0"
HKCU\Software\VB and VBA Program Settings\Svchost\Process\BL: ""
----------------------------------
Values modified:4
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "C:\WINDOWS\explorer.exe, c:\windows\system32\explorer.exe"
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId: 0x00000002
----------------------------------
Files added:12
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Application Data\mrsys.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF1561.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF262F.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE8B1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF746.tmp
C:\WINDOWS\system32\blsys.bln
C:\WINDOWS\system32\cmsys.cmn
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\blsys.bln
C:\WINDOWS\spoolsv.exe
C:\WINDOWS\svchost.exe
----------------------------------
Files deleted:0
----------------------------------
----------------------------------
Files [attributes?] modified:0
----------------------------------
----------------------------------
Folders added:0
----------------------------------
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Total changes:38
----------------------------------
Detected by UnHackMe:
Item Name: spoolsv.exe
Author:
Related File: C:\WINDOWS\spoolsv.exe
Type: Detected using Heuristic Algorithm
Item Name: svchost.exe
Author:
Related File: C:\WINDOWS\svchost.exe
Type: Detected using Heuristic Algorithm
Reanimator was blocked by the virus.
We restarted the computer into "Safe mode with command prompt".
In this mode we were able to start Reanimator.
Detected by Reanimator:
Item Name: spoolsv.exe
Author:
Related File: C:\WINDOWS\spoolsv.exe
Type: Detected using Heuristic Algorithm
Item Name: svchost.exe
Author:
Related File: C:\WINDOWS\svchost.exe
Type: Detected using Heuristic Algorithm
Item Name: Svchost
Author:
Related File: c:\windows\svchost.exe RU
Type: Registry Run
Item Name: Svchost
Author:
Related File: c:\windows\svchost.exe RO
Type: Registry RunOnce
Item Name: At2
Author:
Related File: c:\windows\svchost.exe
Type: Scheduled Tasks
Item Name: At1
Author:
Related File: c:\windows\svchost.exe
Type: Scheduled Tasks
Item Name: shell
Author: Unknown
Related File: C:\WINDOWS\explorer.exe, c:\windows\system32\explorer.exe
Type: System.ini
Item Name: {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
Author:
Related File: C:\Documents and Settings\Administrator\Local Settings\Application Data\mrsys.exe MR
Type: ActiveSetup
Item Name: blsys.bln
Author: Unknown
Related File: C:\WINDOWS\blsys.bln
Type: Detected using Heuristic Algorithm
Removal Results: Success
Number of reboots: 2
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com