Software Q&A
#1 | Broken In | Join Date: Aug 2004 | Location: South Of Heaven. | Posts: 121
O.S. - Win XP. I've got Norton Anti, whose virus definitions are up-to-date. The files that are reported to have been attacked are 1) svohost.exe 2) wmon23.exe. I am not able to delete these files using Norton's options, and not manually either. What should I do???
__________________
Death keeps smiling at us all the time, all we can do is Smile back.
#4 | Alpha Geek | Join Date: Dec 2003 | Location: mumbai | Posts: 522
Try a couple of online scans:
http://www.bitdefender.com/scan/licence.php
http://housecall.trendmicro.com/
Maybe it will help.
#5 | Broken In | Join Date: Aug 2004 | Location: South Of Heaven. | Posts: 121
I downloaded Webroot's SpySweeper and scanned my system for any spyware software; strangely, it reported a trojan.
I used the options present and deleted it using the software. Norton also reported this virus as a trojan. So did I finally get rid of it???? Yes, thanks, I will try the online scans and then report.
__________________
Death keeps smiling at us all the time, all we can do is Smile back.
#6 | In The Zone | Join Date: Mar 2004 | Location: Somewhere at Kolkata | Posts: 489
A bit of detail:

TROJ_DUMARIN.H / Backdoor.Nibu.G is a variant of Backdoor.Nibu.E that attempts to steal passwords and bank account information. This Trojan is packed with FSG.

Overview / Technical Details
In the wild: Yes
Payload 1: Steals system and user information
Trigger condition 1: Upon execution
Language: English
Platform: 95, 98, ME, NT, 2000, XP
Encrypted: Yes
Size of virus: 21,088 Bytes
Pattern file needed: 1.904.36
Scan engine needed: 6.740
Discovered: Jun. 2, 2004
Detection available: Jun. 2, 2004

Details: Installation and Autostart Technique
Upon execution, this memory-resident Trojan drops the following copies of itself in the Windows system folder:
  SVOHOST.EXE
  SWCHOST.EXE
It also drops the following files in the Windows startup and Windows folders, respectively:
  SVCHOST.EXE - a copy of itself
  PRNTSVR.DLL - a keylogger component file, which is detected as TROJ_DUMARIN.G
Then, it creates the following registry entry so that it executes at every system startup:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  load32 = "C:\WINNT\System32\swchost.exe"
As part of its autostart mechanism, it modifies the SYSTEM.INI and appends its name in the shell key of the boot section as follows:
  [boot]
  shell=explorer.exe %System%\svohost.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)
On Windows NT, 2000, and XP, however, the .INI file is not modified. The following registry entry is changed instead:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell = "explorer.exe %System%\svohost.exe"
(Note: The original value is "explorer.exe".)

Information Theft
This malware creates the following files in the Windows Temporary folder:
  FA4537EF.HTM
  FE43E701.HTM
  FEFF35A0.HTM
The said files contain the following information, which it posts to a specific site:
  Internet Explorer (IE) version
  IP address of an infected machine
  Windows version
The site is as follows: http://www.whatp<BLOCKED>osite.com/css/logger.php
It then drops the file RUNDLLN.SYS, which serves as its log file, in the Windows folder. It also gathers account information of any online transaction made through WEBMONEY and E-GOLD.

Disabling Access to Antivirus Web Sites
To prevent a user from upgrading antivirus pattern files, this Trojan adds entries to the HOSTS file of the infected system. The said routine redirects the Internet browser to the local machine 127.0.0.1 whenever the following Web sites are accessed:
  avp.com, ca.com, customer.symantec.com, dispatch.mcafee.com, download.mcafee.com, f-secure.com, kaspersky.com,
  liveupdate.symantec.com, liveupdate.symantecliveupdate.com, mast.mcafee.com, mcafee.com, my-etrust.com, nai.com,
  networkassociates.com, rads.mcafee.com, secure.nai.com, securityresponse.symantec.com, sophos.com, symantec.com,
  trendmicro.com, update.symantec.com, updates.symantec.com, us.mcafee.com, viruslist.com, www.avp.com, www.ca.com,
  www.f-secure.com, www.kaspersky.com, www.mcafee.com, www.my-etrust.com, www.nai.com, www.networkassociates.com,
  www.sophos.com, www.symantec.com, www.trendmicro.com
__________________
A person who never made a mistake never tried anything new.
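As an added example (my own code, not from the thread or from any vendor writeup), the script below turns the persistence and HOSTS-file details quoted in the post above into an offline audit a defender can run against text exported from a suspect machine: it flags HOSTS lines that send vendor update domains to 127.0.0.1, reports anything appended after explorer.exe in the SYSTEM.INI or Winlogon Shell value, and flags Run-key entries whose binary name mimics the legitimate svchost.exe (the SVOHOST.EXE / SWCHOST.EXE names from the writeup). The HOSTS text, SYSTEM.INI text, Winlogon value and Run-key dictionary are all constructed samples; on a real machine you would paste in the actual exported values.

```python
"""Offline audit for the Backdoor.Nibu / TROJ_DUMARIN.H indicators quoted in
the thread. Added example, not code from the thread or any vendor; every
sample value below is constructed."""
import re
from difflib import SequenceMatcher

# Vendor update/response domains the writeup says get pointed at 127.0.0.1
# (subset of the list quoted in the thread).
AV_DOMAINS = {
    "liveupdate.symantec.com", "securityresponse.symantec.com",
    "update.symantec.com", "download.mcafee.com", "kaspersky.com",
    "f-secure.com", "trendmicro.com", "sophos.com", "avp.com",
}
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}   # addresses that black-hole a name
LEGIT_SHELL = "explorer.exe"                      # the only expected shell token


def hosts_redirects(hosts_text):
    """Return (ip, hostname) pairs that send a vendor domain to a sinkhole IP."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            host = name.lower()
            bare = host[4:] if host.startswith("www.") else host
            if ip in SINKHOLE_IPS and bare in AV_DOMAINS:
                hits.append((ip, host))
    return hits


def shell_extras(shell_value):
    """Programs appended to the Winlogon/SYSTEM.INI shell after explorer.exe."""
    tokens = shell_value.strip().split()
    if not tokens or tokens[0].lower() != LEGIT_SHELL:
        return tokens                             # shell replaced outright: all suspect
    return tokens[1:]


def system_ini_shell(ini_text):
    """Pull the shell= value out of the [boot] section of a SYSTEM.INI."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "boot" and line.lower().startswith("shell="):
            return line.split("=", 1)[1].strip()
    return ""


def is_svchost_lookalike(path):
    """True for names like svohost.exe / swchost.exe that mimic svchost.exe."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name == "svchost.exe":
        return False
    return SequenceMatcher(None, name, "svchost.exe").ratio() >= 0.8


def lookalike_autoruns(run_values):
    """Run-key entries (value name -> command) whose binary mimics svchost.exe."""
    return {n: cmd for n, cmd in run_values.items() if is_svchost_lookalike(cmd)}


# ---- constructed sample input (not captured from a real machine) ----
HOSTS_SAMPLE = """# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       www.trendmicro.com
192.168.1.10    fileserver.local
"""
SYSTEM_INI_SAMPLE = r"""[boot]
shell=explorer.exe C:\WINDOWS\System\svohost.exe
[386Enh]
"""
WINLOGON_SHELL_SAMPLE = r"explorer.exe C:\WINDOWS\System32\svohost.exe"
RUN_SAMPLE = {                                    # constructed Run-key values
    "load32": r"C:\WINNT\System32\swchost.exe",   # value name/path from the writeup
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}


def audit(hosts_text, winlogon_shell, ini_text, run_values):
    """Collect every indicator into one report dict."""
    return {
        "hosts_redirects": hosts_redirects(hosts_text),
        "winlogon_shell_extras": shell_extras(winlogon_shell),
        "system_ini_shell_extras": shell_extras(system_ini_shell(ini_text)),
        "lookalike_autoruns": lookalike_autoruns(run_values),
    }


if __name__ == "__main__":
    report = audit(HOSTS_SAMPLE, WINLOGON_SHELL_SAMPLE, SYSTEM_INI_SAMPLE, RUN_SAMPLE)
    for key, val in report.items():
        print(f"{key}: {val}")
```

The lookalike check uses a plain edit-similarity ratio rather than a fixed name list, so it also catches other one-letter variations on svchost.exe; a legitimate entry such as ctfmon.exe scores far below the threshold. A clean Winlogon Shell value yields an empty extras list, which is the result to expect after the reinstallation the thread later describes.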
#8 | Broken In | Join Date: Aug 2004 | Location: South Of Heaven. | Posts: 121
I tried scanning using Norton 2003 (up-to-date virus definitions). It clearly showed the Backdoor.Nibu virus in my system.
I tried to delete it using its properties, but in vain. I scanned the whole system; the virus gets detected but not deleted. Should alterations in the registry help???? Please help. I'm in a real mess after this. Rajat22, thanks for the info, yaar. How do I find its origin??????
__________________
Death keeps smiling at us all the time, all we can do is Smile back.
#9 | Broken In | Join Date: Aug 2004 | Location: South Of Heaven. | Posts: 121
Quote:
__________________
Death keeps smiling at us all the time, all we can do is Smile back.
#10 | Alpha Geek | Join Date: May 2004 | Location: India | Posts: 930
Quote:
The files 1) svchost.exe 2) wmon23.exe are system files and can't be deleted while you are using Windows... So you have to delete them through DOS or any other OS... But remember these are system-essential files... Be sure to replace them with fresh files from [Drive]:\WINDOWS\ServicePackFiles\I386
#11 | Alpha Geek | Join Date: Sep 2004 | Posts: 625
- Try the registry changes if you have System Restore and have created a restore point.
- You said you weren't able to go into safe mode; try this: when in XP, run msconfig, under boot.ini, check the safe mode option (or safe boot, whatever). Get into safe mode and make changes to the file. Keep your XP CD handy if it causes trouble after a reboot.
- If you have the Recovery Console, use it, get to the WINNT directory, find and delete the 2 *.exe files, and extract those files from the original.
- To find origins, delete all mail you might have received with attachments lately, and clear the temp directory for ALL users.
http://securityresponse.symantec.com...or.nibu.g.html
If you get another name, see if it's in the list:
http://www.f-secure.com/download-purchase/tools.shtml
http://securityresponse.symantec.com...ools.list.html
#12 | In The Zone | Join Date: Apr 2004 | Location: Hyderabad | Posts: 265
Hi,
You said that pressing F8 has no effect... maybe the worm's effect... Anyway, get a DOS bootable disk and boot through it and remove the worm files. And be sure to replace them as said by other members. Have you tried Stinger 2.4.3 (released on 29/OCT/2004)? http://vil.nai.com/vil/stinger
Hope this helps! Bye! GA
#13 | Broken In | Join Date: Aug 2004 | Location: South Of Heaven. | Posts: 121
OK! Fed up with the virus, I have formatted the system.
Everything was alright till yesterday, when I noticed my comp behaving the same way as it used to before. "THE VIRUS IS BACK AGAIN." Norton detected it, and I just can't understand why it is back. An improvement: I can access the various booting options using F8. What should I do????? The effect of the virus is: while working, a window springs up suddenly saying that the system will shut down in a minute, and the countdown starts. The system gets rebooted, and this goes on.
__________________
Death keeps smiling at us all the time, all we can do is Smile back.
#14 | Broken In | Join Date: Aug 2004 | Location: South Of Heaven. | Posts: 121
Quote:
__________________
Death keeps smiling at us all the time, all we can do is Smile back.
#15 | In The Zone | Join Date: Mar 2004 | Location: Somewhere at Kolkata | Posts: 489
Please check details at http://search.symantec.com/custom/us/query.html and follow instructions carefully.
__________________
A person who never made a mistake never tried anything new.