This virus spreads using social engineering and autorun.inf, and because it relies on social engineering it spreads easily. Have you ever received a message from a TRUSTED friend like this sample?
Listen: don't click any link in an email or anywhere else so easily, even if it comes from a trusted source. In this case social engineering can put you in a dangerous position. Think what happens if a virus collects your financial information :p
When you download this virus it creates 2 randomly named files in %systemroot%\Documents and Settings\%user%\Local Settings\Temp with the extensions .tmp and .exe, then creates vshost.exe (122 KB); that file will be present in the root of every drive.
The virus also creates these files:
* %systemroot%\autorun.inf [all drive]
* %systemroot%\RECYCLER\S-1-5-21-9949614401-9544371273-983011715-7040\winservices.exe
* %systemroot%\WINDOWS\system32\sysmgr.exe
* %systemroot%\WINDOWS\TEMP\5755.tmp
* %systemroot%\windows\system32\crypts.dll
* %systemroot%\windows\system32\msvcrt2.dll
It will also change your registry so that it starts automatically when the computer boots. Besides that, the old autorun.inf technique is also used to spread this virus:
The virus also changes your registry to allow a maximum of only 11 active applications, and it limits your maximum port number to 8000.
Automatic update:
This virus will try to update itself automatically from this address list:
66.90.103.169:99/a.exe
66.90.103.169:6666/lsass .exe
66.90.103.169:443/crss .exe
Simple steps to clean Coutsonif.A:
1. Disable "System Restore" during the cleaning process.
2. Disable the "autoplay/autorun" function:
* Start -> Run -> type "gpedit.msc" -> Computer Configuration -> Administrative Templates -> System -> find "Turn off Autoplay" -> Properties -> Setting tab -> Enabled
3. Kill the virus processes running in the background. You can use any task manager tool, such as Security Task Manager; just kill sysmgr.exe, vshost.exe, winservices.exe and *.tmp.
*The TMP file name is random.
4. Repair your registry using the code below, or download repair.inf:
[Version]
Signature="$Chicago$"
Provider=Nobody
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
; restore the default "open" command for executable file types (a literal quote is doubled inside an INF string)
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; restore the normal Windows shell and the active-application limit
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, SessionInformation, ProgramCount, 0x00010001,3
HKCU, AppEvents\Schemes\Apps\Explorer\BlockedPopup\.current,,,"C:\WINDOWS\media\Windows XP Pop-up Blocked.wav"
HKCU, AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\.Current,,,"C:\Windows\media\Windows XP Recycle.wav"
HKCU, AppEvents\Schemes\Apps\Explorer\Navigating\.Current,,,"C:\Windows\media\Windows XP Start.wav"
HKCU, AppEvents\Schemes\Apps\Explorer\SecurityBand\.current,,,"C:\WINDOWS\media\Windows XP Information Bar.wav"
[del]
; remove the virus autostart entries and the port limit it set
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Microsoft(R) System Manager
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, bMaxUserPortWindows Service help
HKLM, SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, MaxUserPort
5. Delete the files in this list; if that is difficult, you can use the FileASSASSIN tool:
* \vshost.exe [all drives]
* \autorun.inf [all drives]
* \RECYCLER\S-1-5-21-9949614401-9544371273-983011715-7040\winservices.exe
* \Documents and Settings\%user%\Local Settings\Temp, containing:
  * A415.tmp (random name)
  * 034.exe (random name)
  * Lady_Eats_Her_Shit–www.youtube.com
* \WINDOWS\system32\sysmgr.exe
* \WINDOWS\TEMP\5755.tmp
* \windows\system32\crypts.dll
* \windows\system32\msvcrt2.dll
6. Re-check your system with your preferred antivirus, or use Norman Malware Cleaner, to make sure it is clean.
Done. Have a good day everyone :)
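As an added example (this script is not part of the original post), here is a report-only PowerShell check for the files, registry values and processes named in the steps above. It assumes the paths and names exactly as the post gives them and changes nothing on the system.

```powershell
# Added example, not from the original post: report-only audit for the
# Coutsonif.A artifacts listed above. Run from an elevated PowerShell prompt;
# nothing is deleted or modified.
$findings = @()

# 1. Dropped files. vshost.exe and autorun.inf sit in the root of every drive;
#    the RECYCLER SID folder name is the one given in the post.
$rootNames = @('vshost.exe', 'autorun.inf',
               'RECYCLER\S-1-5-21-9949614401-9544371273-983011715-7040\winservices.exe')
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }
foreach ($d in $drives) {
    foreach ($n in $rootNames) {
        $p = Join-Path $d.Root $n
        if (Test-Path -LiteralPath $p) { $findings += "file: $p" }
    }
}
$sysPaths = @("$env:SystemRoot\system32\sysmgr.exe", "$env:SystemRoot\system32\crypts.dll",
              "$env:SystemRoot\system32\msvcrt2.dll", "$env:SystemRoot\TEMP\5755.tmp")
foreach ($p in $sysPaths) { if (Test-Path -LiteralPath $p) { $findings += "file: $p" } }

# 2. Persistence and tuning values that repair.inf deletes.
$valueChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';      Name = 'Microsoft(R) System Manager' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';      Name = 'bMaxUserPortWindows Service help' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'MaxUserPort' }
)
foreach ($c in $valueChecks) {
    $v = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $v) { $findings += "registry: $($c.Key)\$($c.Name) = $($v.($c.Name))" }
}

# 3. Values that repair.inf restores: the Winlogon shell must be Explorer.exe and
#    the open command for bat/com/exe/pif/scr must be the default "%1" %*.
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'Explorer.exe') { $findings += "registry: Winlogon Shell = $shell" }
foreach ($t in 'batfile', 'comfile', 'exefile', 'piffile', 'scrfile') {
    $cmd = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\$t\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -ne '"%1" %*') { $findings += "registry: $t open command = $cmd" }
}

# 4. Processes named in step 3 of the cleanup.
foreach ($proc in Get-Process -Name sysmgr, vshost, winservices -ErrorAction SilentlyContinue) {
    $findings += "process: $($proc.Name) (PID $($proc.Id))"
}

if ($findings.Count -eq 0) { 'No Coutsonif.A indicators found.' } else { $findings }
```

Run it before and after steps 3 to 5; an empty result after cleanup confirms the artifacts the post lists are gone, while the antivirus scan in step 6 still covers anything the post does not name.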
Even though it is in English, it is very understandable. There are also 2 more methods.