Monday, June 13, 2011

Worm Win32.Zafi.B and its removal

The new internet worm Zafi.B spreads very fast, mainly via e-mail attachments but also via file-sharing networks.

The message subject and body text differ depending on the domain extension of the recipient's e-mail address. Target e-mail addresses are collected on the local computer, extracted from several kinds of files such as temporary internet files and e-mail address books.

Once the file has been executed, it does the following:

1. Creates the mutex _Hazafibb
2. Prevents execution of processes whose names contain: regedit, msconfig, task (e.g. regedit, taskman, taskmon, mstask, msconfig)
3. Deletes the following files from the Windows folder: fvprotect.exe, winlogon.exe, services.exe, jammer2nd.exe
4. Checks whether the computer is connected to the internet by attempting to contact google.com or microsoft.com
5. Searches for e-mail addresses in files with the extensions: htm, wab, txt, dbx, tbb, asp, php, sht, adb, mbx, eml, pmr
6. Avoids e-mail addresses containing: win, use, info, help, admi, webm, micro, msn, hotm, suppor, syma, vir, trend, panda, yaho, cafee, sopho, google, kasper, msn, office, nero, icq, game, winra, winzi, divx, movie, total, wina
7. Stores the found e-mail addresses in randomly named .dll files in the %SYSTEM% folder
8. Creates the following registry key and Run entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"_Hazafibb"="%SYSTEM%\%random%.exe"]
9. Uses its own SMTP engine to send itself to the harvested e-mail addresses. It attempts to obtain an SMTP server address by prepending smtp. or mx. (and similar prefixes) to the domain of the harvested address, or falls back to a default SMTP address.
10. Creates copies of the worm in folders whose names contain "share" or "upload", as winamp 7.0 full_install.exe and/or Total Commander 7.0 full_install.exe
11. Creates a thread that attempts to flood: www.parlament.hu, www.virusbuster.hu, www.virushirado.hu, www.2f.hu
12. May create the files C:\SYS.TXT and _upload.exe
13. The worm contains the following (Hungarian) string:
A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen!2004, jun, Pecs,(SNAF Team).

Removal:

All antivirus vendors have protection for the Zafi.B worm in their latest updates. Symantec has a removal tool, and you can also use one of these free tools: Trend Micro's free online scanner Housecall, McAfee's Stinger tool, or Panda Software's ActiveScan. F-Secure has a removal tool available in several formats.

Because Zafi.B may disable or overwrite existing antivirus products on infected machines, you may need to use one of the removal utilities or scanners mentioned above. If your antivirus has been overwritten, you will need to reinstall it once your system is free of Zafi.

The main infection is removed by deleting files in the Windows system folder and removing registry entries. If you're not familiar with the Registry Editor, you should probably use one of the removal tools mentioned above. While we highly recommend that you back up your registry before editing, be aware that the backup you make contains the entries associated with Zafi.B. Since the worm's files are deleted, you may get errors if you restore from that backup at a later date. Once your system has been cleaned and is operating properly, you may want to delete the backup that contains the Zafi.B entries.

1. Turn off System Restore if you're using Windows ME or XP. When you make changes to your system, Windows creates a restore point. If it does this while the system is infected, the infected files may be restored later and re-infect the machine.
2. Restart the computer in Safe Mode. Zafi.B runs as a process, and Windows does not let you delete files belonging to running processes, so a restart is necessary. Safe Mode stops Windows from loading most drivers and auto-run entries, so your system boots relatively clean. In addition, Zafi.B blocks the use of Regedit, which is required below.
3. Run a full system scan with an updated antivirus scanner (or one of the online scanners mentioned above). If your scanner does not remove everything, follow the next few steps.
4. IMPORTANT: During detection, your antivirus software should produce a list of files associated with the W32/Zafi.B or W32/Erkez worm (the name depends on the scanner). The files will be copies of the worm stored in the Windows system folder and in the shared folders mentioned above. Set your antivirus to delete them; if it does not, delete them manually.
5. Make a backup of the registry before you edit. Then delete the Run entry associated with Zafi.B. Under the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
delete the value:
"_Hazafibb"="%system%\.exe"
Also delete the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb
6. Exit the registry editor.
7. Re-enable System Restore and reboot the machine.
8. Re-scan to be sure all files are clean.
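Before and after cleaning, it helps to check a live machine for the indicators listed in the description above. The script below is an added example and is not part of the original post: it is a read-only triage that checks the Run value and key from item 8, the mutex from item 1 (assumed to be named _Hazafibb, as the description implies), the dropped files from item 12 (the location of _upload.exe is not given, so the system folder is an assumed place to look), the harvested-address .dll files from item 7 (a real DLL starts with the MZ signature, a text list of addresses does not) and the decoy copies from item 10. The function name Find-ZafiBIndicators is hypothetical; run it from an elevated prompt, and it deletes nothing.

```powershell
# Added example (not from the original post): read-only triage for the Zafi.B indicators.
function Find-ZafiBIndicators {
    param([string[]]$ShareRoots = @("$env:SystemDrive\"))   # where to look for "share"/"upload" folders
    $findings = @()
    $sys = "$env:SystemRoot\System32"                     # the %SYSTEM% folder of the description

    # Item 8: the persistence entries the removal steps tell you to delete
    $run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $v = Get-ItemProperty -Path $run -Name '_Hazafibb' -ErrorAction SilentlyContinue
    if ($v) { $findings += "Run value _Hazafibb = $($v._Hazafibb)" }
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\_Hazafibb') { $findings += 'Key HKLM\SOFTWARE\Microsoft\_Hazafibb exists' }

    # Item 1: the mutex (name assumed to be _Hazafibb). OpenExisting throws
    # WaitHandleCannotBeOpenedException when no mutex of that name exists.
    try { [System.Threading.Mutex]::OpenExisting('_Hazafibb').Close(); $findings += 'Mutex _Hazafibb held by a running process' }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { }
    catch [System.UnauthorizedAccessException] { $findings += 'Mutex _Hazafibb exists (access denied)' }

    # Item 12: dropped files. C:\SYS.TXT is given; the system folder is an assumed location for _upload.exe.
    foreach ($f in @("$env:SystemDrive\SYS.TXT", "$sys\_upload.exe")) {
        if (Test-Path $f) { $findings += "File present: $f" }
    }

    # Item 7: randomly named .dll files in %SYSTEM% holding harvested addresses.
    # Every genuine DLL begins with the two bytes 'MZ' (0x4D 0x5A); a text list does not.
    foreach ($dll in Get-ChildItem -Path $sys -Filter '*.dll' -File -ErrorAction SilentlyContinue) {
        try {
            $fs = [System.IO.File]::OpenRead($dll.FullName)
            $hdr = New-Object byte[] 2; $n = $fs.Read($hdr, 0, 2); $fs.Close()
            if ($n -lt 2 -or $hdr[0] -ne 0x4D -or $hdr[1] -ne 0x5A) { $findings += "Non-PE .dll in System32: $($dll.Name)" }
        } catch { }                                        # locked or unreadable file: skip it
    }

    # Item 10: decoy copies in folders whose names contain "share" or "upload"
    $decoys = @('winamp 7.0 full_install.exe', 'Total Commander 7.0 full_install.exe')
    foreach ($root in $ShareRoots) {
        Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match 'share|upload' } |
            ForEach-Object { foreach ($d in $decoys) { $p = Join-Path $_.FullName $d; if (Test-Path $p) { $findings += "Decoy copy: $p" } } }
    }
    return $findings
}

$hits = Find-ZafiBIndicators
if ($hits) { $hits | ForEach-Object { Write-Output "[!] $_" } } else { Write-Output 'No Zafi.B indicators found' }
```

The mutex check only means something on a normally booted system; in Safe Mode the worm is not running, so the registry and file checks are the ones that matter there.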

Answer to:
"I apparently received an email that had the win32.zafi.b trojan attached to it. I have a sister who uses my computer and she opened it accidentally, or so she says. Anyway, how do I remove this? Anyone know? Can I restore my PC to a previous date before the infection? Will McAfee Stinger detect this and correct things?"

Thursday, June 9, 2011

Win32.Rootkit

Win32.Rootkit is a malicious program designed to allow remote access to your computer, consume large amounts of system resources, and trace your Internet habits in order to record or steal your personal information.

How to tell if the computer is infected by malware such as Win32.Rootkit?
The symptoms of Win32.Rootkit vary widely, ranging from slow PC performance to loss of important data. If you are experiencing any of the symptoms listed below, chances are you have Win32.Rootkit or other risky unwanted programs installed on your computer:

Sudden slow PC performance

Win32.Rootkit can use a lot of your system resources to track your computer activities or deliver pop-up ads, which may greatly slow down the computer or even make it crash randomly. If you have recently been getting a lot of system crashes, the computer is running much slower than usual, or you cannot access your hard drive properly, then your computer is most likely infected and should be taken care of.

E-mail problems

Win32.Rootkit can collect your e-mail address book and send it to a spammer, and can send unexpected e-mail messages from your computer without your knowledge. If you get a lot of bounced e-mails or notice that thousands of e-mails were sent without your permission, then it is possible that your computer is infected.

Constant unwanted ads

Win32.Rootkit will interrupt you with annoying pop-up ads for adult or other objectionable web sites. If it is controlled by hackers, this can make your computer completely useless once you visit a website in which malicious code has been planted.

Unexpected desktop icons, Toolbars or homepages

Win32.Rootkit or other threats may record and reset your account settings or change your default homepage to a different one, which sometimes cannot be changed back. It can also add new desktop items or toolbars to Internet Explorer without letting you know.

Saturday, June 4, 2011

How to tell if the computer is infected by malware such as Win32.Injector.CCQ?

The symptoms of Win32.Injector.CCQ vary widely, ranging from slow PC performance to loss of important data. If you are experiencing any of the symptoms listed below, chances are you have Win32.Injector.CCQ or other risky unwanted programs installed on your computer:

Sudden slow PC performance

Win32.Injector.CCQ can use a lot of your system resources to track your computer activities or deliver pop-up ads, which may greatly slow down the computer or even make it crash randomly. If you have recently been getting a lot of system crashes, the computer is running much slower than usual, or you cannot access your hard drive properly, then your computer is most likely infected and should be taken care of.

E-mail problems

Win32.Injector.CCQ can collect your e-mail address book and send it to a spammer, and can send unexpected e-mail messages from your computer without your knowledge. If you get a lot of bounced e-mails or notice that thousands of e-mails were sent without your permission, then it is possible that your computer is infected.

Constant unwanted ads

Win32.Injector.CCQ will interrupt you with annoying pop-up ads for adult or other objectionable web sites. If it is controlled by hackers, this can make your computer completely useless once you visit a website in which malicious code has been planted.

Unexpected desktop icons, Toolbars or homepages

Win32.Injector.CCQ or other threats may record and reset your account settings or change your default homepage to a different one, which sometimes cannot be changed back. It can also add new desktop items or toolbars to Internet Explorer without letting you know.