I saw the same activity on another unit but this time the infection is named bazirud.exe and is being loaded by toulobi. In which case, I believe this is the same virus strain and so I cleaned it up with the same procedures I mentioned here.
Is your unit continuously uploading something like emails to internet when you are not doing anything like that on your own? If so, then you may have been hit by this malware called yv8g67.exe. I have posted this before on my defunct www.junblogs.com and while I forwarded some entries I created there before to here, for whatever reason I forgot to include this one. Anyway, I will make this much simpler now.
What it does (minor things):
- Creates several exe with random filenames inside System32 folder and marks it hidden, Read-Only and System. Sizes varies between 41kb and 44kb.
- Further tracing shows it creates a backup/duplicate exe of all those inside System32 folder in the Local User’s temp folder, names are totally different than that inside System32
- It also creates registry entries to HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg; to ensure that those virus parts will be auto-loaded next log on.
- With the actions happening in the background with this virus, this results to unnecessary overpopulating of HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache entries in Registry
What it does (major things):
- Detects if you are connected to the internet then continuously sends spam emails to some other people’s addresses resulting to not just filling up their emails but also flooding your network with heavy traffic.
- With the passage of time, will eat your resources due to entries made on startupreg; until your unit slows down and eventually will cause BOD (Blue Screen of Death)
- Before reaching BOD, due to lacking resources, your unit will fill-up your screen with a lot of messageboxes of fail loading… (have I mentioned it will continuously create those exe and every one of those will be loaded on the start up next time)
- And if you are using a dial-up or broadband connection like me which is dependent of megabytes used, then this will burn a hole in your pocket, unnecessarily.
How to Fix:
- Delete all infections in temp and System32 folders
- Remove said Registry entries
- Ensured that there will be nothing loaded in the start up
Deception:
If you are not connected to the internet, the virus remains dormant. You thought you have solved the problem, but once a connection is re-established, then in the background it will start infecting your unit again within seconds’ interval. If you suddenly check your startup via MSCONFIG, you will be surprised to see a lot of new seedings. But then, haven't we removed everything that is loaded on startup via same MSCONFIG? So how does this malware able to do re-infection?
Stealth:
It was able to do that because this malware is designed to do a hit-and-run thing. It means, it will load itself immediately on startup, creates an exe, make the necessary registry entries so that newly created exe will be loaded on startup, activates the new exe in the meantime and that new exe will be the one to continuously infect; and immediately kills itself (yv8g67.exe) so it can't be easily traced.
All was done very fast that I was able to see it only after several restarts of my machine and several failed attempts to fully trace and clean. Actually during that time, it took me the whole night of Saturday and only at around 5am of Sunday (no sleeping until I trace that) I was able to really realize how it does those things.
Here it is, if you are not very fast in capturing this while the unit is still loading a lot of things after OS logon, within seconds it will disappear among the processes.
Here it is, if you are not very fast in capturing this while the unit is still loading a lot of things after OS logon, within seconds it will disappear among the processes.
Missing Final Fix:
I traced this later to be hiding inside the recycler folders. And this is among the reasons why I do not like recycler folders on my unit. Please read this on how to remove those: http://sandstorm36.blogspot.com/2011/11/steps-to-remove-recycler-folder.html
I hope this will be able to help you get rid of that infection. Cheers!
No comments:
Post a Comment