Korean Job Discussion Forums "The Internet's Meeting Place for ESL/EFL Teachers from Around the World!"

jkelly80
Joined: 13 Jun 2007 Location: you boys like mexico?
Posted: Sun May 04, 2008 7:18 pm Post subject: I Have a Virus

I have Trend Micro, and I have been informed (over and over again, especially when I have a device plugged in to my USB) that the file "tavo1.dll" in my "system32" folder is infected.
The trouble is, I can't find "tavo1.dll" in that folder. I do a search and go through it myself, and nothing comes up called tavo1.dll. I found tavo0.dll and deleted it, but I still get the same problem. How can I have an infected file that doesn't exist?
The virus is called "mal_NSanti". Has anyone had this problem before? Thanks in advance.

mrsquirrel
Joined: 13 Dec 2006
Posted: Sun May 04, 2008 7:46 pm Post subject:

Go into Windows Explorer.
Tools - Folder Options - View - check Show hidden files, Show operating system files and Show system folder files

cangel
Joined: 19 Jun 2003 Location: Jeonju, S. Korea
Posted: Tue May 06, 2008 5:31 am Post subject:

My coworker found this useful:
Discovered: August 27, 2007
Updated: August 27, 2007 11:08:32 AM
Also Known As: Worm.Win32.AutoRun.bhx [Kaspersky]
Type: Worm
Infection Length: 75,520 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
When the worm executes, it creates the following files:
%System%\kavo.exe
%System%\kavo0.dll
The file kavo0.dll is then injected into all running processes.
It also creates the following file, which is a copy of Hacktool.Rootkit:
%Temp%\[RANDOM FILE NAME].dll
The worm then copies itself to all drives from C through Z as the following file:
[DRIVE LETTER]:\ntdelect.com
It also creates the following file so that it executes whenever the drive is accessed:
[DRIVE LETTER]:\autorun.inf
Next, the worm creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"kava" = "%System%\kavo.exe"
It then modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "0x91"
The worm checks if it has been injected into any of the following processes:
zhengtu.dat
elementclient.exe
dekaron.exe
hyo.exe
wsm.exe and ybclient.exe
fairlyclient.exe
so3d.exe
maplestory.exe
r2client.exe
InphaseNXD.EXE
It then attempts to steal sensitive information for the following online games:
ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver
The worm ends the Matrix Password process if it finds a dialog box with the following characteristics:
Title: MatrixPasswordDlg
Message: Warning! (In Chinese characters)
The harvested information is then sent to the remote attacker via HTTP.
Recommendations
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
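Added example (my own code, not from this thread or from the Symantec writeup) that turns the indicators in the writeup above into two offline checks: a parser for the autorun.inf the worm drops on every drive, reporting which directives would launch ntdelect.com, and an audit of the four Explorer/AutoRun registry values the writeup lists, decoding the NoDriveTypeAutoRun bitmask. The 0x91 value is worth a look: it only masks out the unknown (0x01), network (0x10) and reserved (0x80) drive types, so removable and fixed drives still AutoRun; the value that disables AutoRun for every drive type is 0xFF. The autorun.inf text and the registry snapshot are constructed samples; the list of launch directives and the "wanted" triage values are my assumptions, not values from the page.

```python
"""Triage helpers for the kavo / ntdelect.com autorun worm described above.
Added example, not code from the forum thread or from Symantec; all sample
data below is constructed for illustration."""

# Directives under [autorun] that make Explorer run something when the
# drive is opened, double-clicked or inserted. (Assumption: this is the
# set of directives the triage treats as executable.)
LAUNCH_KEYS = (
    "open",
    "shellexecute",
    "shell\\open\\command",
    "shell\\explore\\command",
    "shell\\autoplay\\command",
)


def parse_autorun_inf(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.
    Names are lowercased: Windows treats them case-insensitively, so
    'shell\\open\\Command' and 'shell\\open\\command' are one directive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_launch_targets(text):
    """(directive, target) pairs that would execute a file from the drive."""
    auto = parse_autorun_inf(text).get("autorun", {})
    return [(key, auto[key]) for key in LAUNCH_KEYS if key in auto]


# NoDriveTypeAutoRun is a bitmask: bit n set = AutoRun disabled for the
# drive type numbered n in GetDriveType() (DRIVE_UNKNOWN=0 ... DRIVE_RAMDISK=6).
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no root dir", 0x04: "removable", 0x08: "fixed",
    0x10: "remote", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved",
}


def autorun_still_enabled(mask):
    """Drive types for which the mask does NOT disable AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


ADVANCED = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# Values an analyst wants while hunting hidden files (assumption); the
# worm writes the opposite of each so its files stay invisible in Explorer.
TRIAGE_WANTED = {
    rf"HKLM\{ADVANCED}\Folder\Hidden\SHOWALL\CheckedValue": 1,
    rf"HKCU\{ADVANCED}\Hidden": 1,            # 1 = show hidden files
    rf"HKCU\{ADVANCED}\ShowSuperHidden": 1,   # 1 = show protected OS files
}
AUTORUN_POLICY = (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion"
                  r"\Policies\Explorer\NoDriveTypeAutoRun")


def audit_registry(snapshot):
    """Report deviations in a {registry path: value} snapshot. The snapshot
    is a plain dict so the check runs offline; on a live host it would be
    filled from reg query or winreg. A missing policy value is treated as
    0 (nothing disabled), the conservative reading."""
    findings = []
    for path, wanted in TRIAGE_WANTED.items():
        got = snapshot.get(path)
        if got != wanted:
            findings.append(f"{path} = {got!r} (wanted {wanted!r})")
    mask = snapshot.get(AUTORUN_POLICY, 0)
    enabled = autorun_still_enabled(mask)
    if enabled:
        findings.append(f"NoDriveTypeAutoRun = 0x{mask:02X} leaves AutoRun on for "
                        f"{', '.join(enabled)} drives (0xFF disables all types)")
    return findings


# Constructed samples: the autorun.inf mirrors the [DRIVE]:\ntdelect.com
# dropper from the writeup; the snapshot holds the values the writeup says
# the worm writes.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
; constructed sample, not a real capture
open=ntdelect.com
shell\open\Command=ntdelect.com
shell\explore\Command=ntdelect.com
label=Local Disk
"""

INFECTED_SNAPSHOT = {
    rf"HKLM\{ADVANCED}\Folder\Hidden\SHOWALL\CheckedValue": 0,
    rf"HKCU\{ADVANCED}\Hidden": 2,
    rf"HKCU\{ADVANCED}\ShowSuperHidden": 0,
    AUTORUN_POLICY: 0x91,
}
HARDENED_SNAPSHOT = {path: 1 for path in TRIAGE_WANTED}
HARDENED_SNAPSHOT[AUTORUN_POLICY] = 0xFF

if __name__ == "__main__":
    for directive, target in autorun_launch_targets(SAMPLE_AUTORUN_INF):
        print(f"autorun.inf would run {target} via {directive}")
    for finding in audit_registry(INFECTED_SNAPSHOT):
        print("registry:", finding)
```

The functions take strings and dicts rather than reading the filesystem or registry, so the same logic can be pointed at a mounted USB stick's autorun.inf or at values exported with reg query without changing the code.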

ttompatz
Joined: 05 Sep 2005 Location: Kwangju, South Korea
Posted: Tue May 06, 2008 6:29 am Post subject:

You might find this easier to follow if you need step-by-step directions for the non-computer geek types.
There are new Trojan/viruses that use autorun.inf to infect other drives. Most of the time it infects any removable media (external HDD or Flash Drive) that is connected to the infected unit. You will not notice it since the script runs at startup.
Note: This procedure is applicable to all Trojan/viruses that use a .inf file, but I will use "hbq.exe" for this example:
Here is how you can get rid of them:
- Open Task Manager (press <control / alt / del> at the same time) and in the Processes tab end the explorer.exe and wscript.exe processes if they are running.
- Open up File -> New Task (Run) in the Task Manager
- Type cmd and hit Enter
- Type
del /a:h /f c:\autorun.*
If you have multiple drives/partitions, repeat this step for each drive/partition, replacing "C:" with the appropriate drive letter.
- Go to your Windows\System32 directory by typing cd c:\windows\system32
- Type dir /a:h /f hbq*.*
- If you see any files named hbq0.dll or hbq0.exe or hbo.exe, use
Del /a:h -f avp*.exe
Del /a:h -f avp*.dll
Del /a:h -f kx*.exe
Del /a:h -f kx*.dll
to delete them.
- Open up File -> New Task (Run) in the Task Manager, type regedit
- Navigate to:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
If there are any entries for kxvo.exe, delete them. Also delete all suspicious items.
- Do a complete search of your registry for ntdelect.com or hbq.exe or kxvo.exe and delete any entries you find.
- To restore Folder Options ("Show hidden files & folders") settings, navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- Look at the "CheckedValue" key. This should be a DWORD key. If it isn't, delete the key. Create a new key called "CheckedValue" as a DWORD (hexadecimal) with a value of 1. The "Show hidden files & folders" check box should now work normally.

jkelly80
Joined: 13 Jun 2007 Location: you boys like mexico?
Posted: Tue May 06, 2008 1:47 pm Post subject:

I get "invalid switch" when I get to the "dir /a:h /f hbq*.*" point.
I turned off system restore, rebooted, and turned on the CPU again, and it seems to have gone away. I ran a scan on system32 and nothing is coming up. Does that mean it's gone or it's gone stealth on me?
Thanks for the help everybody.

ttompatz
Joined: 05 Sep 2005 Location: Kwangju, South Korea
Posted: Tue May 06, 2008 2:15 pm Post subject:

jkelly80 wrote:
I get "invalid switch" when I get to the "dir /a:h /f hbq*.*" point.
I turned off system restore, rebooted, and turned on the CPU again, and it seems to have gone away. I ran a scan on system32 and nothing is coming up. Does that mean it's gone or it's gone stealth on me?
Thanks for the help everybody.

sorry, typo on my part... -f instead of /f

jkelly80
Joined: 13 Jun 2007 Location: you boys like mexico?
Posted: Tue May 06, 2008 11:18 pm Post subject:

I can't get to this point:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
There is no folder called "Folder" in "advanced".
Earlier, however, when I typed in "dir /a:h /f hbq*.*"
I came up with nothing suspicious. Same with "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
No results. Does that mean I'm okay?
Btw, I'm not sure what you mean by "registry" nor how to search it.
Thanks again.

ttompatz
Joined: 05 Sep 2005 Location: Kwangju, South Korea
Posted: Tue May 06, 2008 11:32 pm Post subject:

jkelly80 wrote:
I can't get to this point:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
There is no folder called "Folder" in "advanced".
Earlier, however, when I typed in "dir /a:h /f hbq*.*"
I came up with nothing suspicious. Same with "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
No results. Does that mean I'm okay?
Btw, I'm not sure what you mean by "registry" nor how to search it.
Thanks again.

It is possible that you do not have an "autorun.inf" virus....
try (in the black screen again)
cd c:\windows\system32
dir /a:h -f *.exe
dir /a:h -f *.dll
dir /a:h -f *.*
There should be NO .dll files and NO .exe files in there.
Then:
From the "windows task manager"
click: file -> new task (run) ->
and in the box where it says "Open:" type in regedit
You should be able to explore down to:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
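Added example (my own code, not from this thread) for the two checks ttompatz walks through in his step-by-step post and in the reply just above: listing hidden files in System32 with dir /a:h and looking at the HKCU Run key in the registry. It parses the text output of dir and of reg query and correlates them, so a hidden executable that is also registered to start with Windows stands out instead of the reader having to eyeball two lists. Both command outputs below are constructed text modelled on the kavo.exe / "kava" entries from the Symantec writeup, not captures from a real machine; the set of executable extensions is my assumption.

```python
"""Correlate a `dir /a:h` listing of System32 with `reg query` output for
the HKCU Run key. Added example, not code from the forum thread; the
sample outputs are constructed, nothing here touches a live system."""
import ntpath
import re

# One `dir` entry: date, time, <DIR> or a comma-grouped size, then the name.
DIR_ENTRY = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}\s[AP]M)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)
# One `reg query` value line: indented value name, REG_* type, data.
REG_VALUE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")
# Extensions treated as executable for triage (assumption).
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".pif")


def parse_dir_listing(text):
    """Return [(name, size_bytes)] for file entries; directories are skipped."""
    files = []
    for line in text.splitlines():
        m = DIR_ENTRY.match(line)
        if m and m.group("size") != "<DIR>":
            files.append((m.group("name"), int(m.group("size").replace(",", ""))))
    return files


def hidden_executables(dir_output):
    """Names with an executable extension. Fed `dir /a:h` output, every
    entry is a hidden file, which ttompatz's heuristic treats as suspect
    inside System32."""
    return [name for name, _ in parse_dir_listing(dir_output)
            if name.lower().endswith(EXEC_EXT)]


def parse_reg_query(text):
    """Return {value name: data} from `reg query <key>` output."""
    values = {}
    for line in text.splitlines():
        m = REG_VALUE.match(line)
        if m:
            values[m.group("name")] = m.group("data")
    return values


def command_basename(data):
    """Basename of the program a Run value launches; handles a quoted path
    followed by arguments as well as a bare path."""
    data = data.strip()
    if data.startswith('"'):
        program = data[1:].split('"', 1)[0]
    else:
        program = data.split(" ", 1)[0]
    return ntpath.basename(program)


def correlate(dir_output, reg_output):
    """Run-key values whose program is one of the hidden executables."""
    hidden = {name.lower() for name in hidden_executables(dir_output)}
    return [(name, data) for name, data in parse_reg_query(reg_output).items()
            if command_basename(data).lower() in hidden]


# Constructed `dir /a:h` output: kavo.exe is given the 75,520-byte size the
# writeup reports for the worm; the other entries are made up.
SAMPLE_DIR_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\WINDOWS\system32

05/04/2008  07:18 PM            75,520 kavo.exe
05/04/2008  07:18 PM            56,832 kavo0.dll
05/04/2008  07:18 PM    <DIR>          CatRoot
04/14/2008  12:00 PM             1,024 desktop.ini
               3 File(s)        133,376 bytes
               1 Dir(s)  10,000,000,000 bytes free
"""

# Constructed `reg query` output with the writeup's "kava" persistence value.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    kava    REG_SZ    C:\WINDOWS\system32\kavo.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for name in hidden_executables(SAMPLE_DIR_OUTPUT):
        print("hidden executable in System32:", name)
    for name, data in correlate(SAMPLE_DIR_OUTPUT, SAMPLE_REG_OUTPUT):
        print(f"Run value {name!r} starts a hidden executable: {data}")
```

On a real machine the two strings would come from redirecting the commands to files (dir /a:h > hidden.txt, reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run > run.txt) and reading them in; the parsers only look at the line formats, so the listing can come from any drive or folder you want to check.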