
Katrox's Blog | Computer Articles | Knowledge Articles

Tuesday, December 11, 2007

nhatquanglan / SCVHSOT / new folder virus / scvshosts

Virus file names (as observed)
New Folder.exe
    Size: 192/196 KB
    File version: 1,1,1,1
    Icon: folder
SCVHSOT.exe
    Size: 192/196 KB
    Attributes: Hidden, System
    File version: 1,1,1,1
    Icon: folder
scvshosts.exe
    Size: 247/248 KB
    Attributes: Hidden, System
    File version: 2,2,2,2
    Icon: folder

(added on 5 Dec 2007)
SCVVHSOT (SCVVHSOT.exe; the Properties dialog shows no extension while Explorer hides known file types)
    Icon: folder
    Type of file: Application
    Size: 283/288 KB
    Modified: June 10, 2007
    Attributes: Read-only, Hidden, System, Archive
    File version: 3.2.2.0
    CompiledScript: AutoIt v3 Script: 3, 2, 2, 0 (the version resource identifies the worm as a compiled AutoIt v3 script)
    etc.
Symptoms
You will find these files in your Windows folder, Shared Documents, etc.
Tools > Folder Options is missing from Explorer's menu.
You are unable to see hidden files (the worm's files are marked Hidden and System, so they stay invisible even when "Show hidden files" is selected, unless "Hide protected operating system files" is also unticked).
Task Manager is disabled.
Regedit is disabled.
If you are on a LAN, you unknowingly spam the chat box with messages such as:
http://nhatquanglan.xlphp.net/
"C:\WINDOWS\hinhem.scr"
Behind the Screen
The following files are created:
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\SCVVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe
The worm also copies itself, together with an autorun.inf, into the Shared Documents folder of other computers on the network (ABC stands for the remote computer's name), where the folder icon invites the next user to double-click it:
\\ABC\SharedDocs\New Folder.exe
\\ABC\SharedDocs\scvshosts.exe
\\ABC\SharedDocs\autorun.inf
It modifies the logged-on user's Internet Explorer cache, cookie and history index files (the user name in these paths is the account used for the analysis, not part of the infection):
C:\Documents and Settings\Piyush Chandra\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Piyush Chandra\Cookies\index.dat
C:\Documents and Settings\Piyush Chandra\Local Settings\History\History.IE5\index.dat
It modifies the following registry values (the persistence and lockout entries, which the Solution below reverses, are annotated):
\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4c4da22e-f800-11db-8de6-806d6172696f}\BaseClass, etc.
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (persistence: whatever is listed here is started as the shell at logon; the fix below resets it to explorer.exe)
\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger (persistence: an autostart value named to look like Yahoo Messenger)
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions (removes Folder Options from Explorer)
\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (disables Task Manager)
\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (disables Regedit)
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours (the Task Scheduler service used by the AT command below)
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\, etc.
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\, etc.
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\, etc.
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
Version 1,1,1,1 also runs the following commands through cmd.exe. The first schedules blastclnnn.exe to run interactively at 09:00 on every day of the week through the Task Scheduler (AT) service; AT jobs run under the SYSTEM account and survive the deletion of the Run value, so this is a second persistence mechanism. The second command deletes every AT job on the machine:
C:\WINDOWS\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\cmd.exe /C AT /delete /yes
Solution
End Task (updated on 27/11/2007)
————————
Start > Run, then run each of these:
taskkill /f /t /im "New Folder.exe"
taskkill /f /t /im "SCVVHSOT.exe"
taskkill /f /t /im "SCVHSOT.exe"
taskkill /f /t /im "scvshosts.exe"
taskkill /f /t /im "hinhem.scr"
taskkill /f /t /im "blastclnnn.exe"
Enable Task Manager
——————-

1. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
2. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
Enable Regedit
————–

1. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
2. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
Folder Option & Hidden Files
—————————-

1. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
2. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
3. Start> run
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f
4. Start>run
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 2 /f
Other steps
——————

Delete the files
C:\WINDOWS\SCVVHSOT.exe
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe
Restore the following registry values
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value Shell (REG_SZ): set it back to explorer.exe
...\Software\Microsoft\Windows\CurrentVersion\Run, value "Yahoo Messengger" (check both HKCU and HKLM): delete it
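The manual steps of this Solution section and the indicator list under Behind the Screen, folded into one batch script as an added example (this is my code, not the post's). Run without arguments it only reports which of the worm's processes, AT job, files and registry values are present; with /clean it kills, deletes and restores them in the same order as the steps above. The script name, the %ALLUSERSPROFILE%\Documents mapping for Shared Documents and the ShowSuperHidden value are my assumptions, not from the post.

```batch
@echo off
setlocal EnableDelayedExpansion
REM scvhsot_triage.cmd  (added example; not from the original post)
REM   scvhsot_triage.cmd          report which indicators are present
REM   scvhsot_triage.cmd /clean   report, then kill, delete and restore
REM Assumes a default Windows XP layout (SystemRoot = C:\WINDOWS and
REM ALLUSERSPROFILE\Documents = Shared Documents) and an Administrator
REM account. The worm's policies block taskmgr.exe and regedit.exe, not
REM reg.exe, tasklist/taskkill, at.exe or attrib.exe, which do the work here.
set CLEAN=0
if /i "%~1"=="/clean" set CLEAN=1
set FOUND=0

echo == Running processes ==
for %%P in ("New Folder.exe" SCVVHSOT.exe SCVHSOT.exe scvshosts.exe hinhem.scr blastclnnn.exe) do (
    tasklist /fi "imagename eq %%~P" | find /i "%%~P" >nul && (
        echo   running: %%~P
        set FOUND=1
        if "!CLEAN!"=="1" taskkill /f /t /im "%%~P" >nul
    )
)

echo == AT job ==
REM Version 1,1,1,1 re-launches blastclnnn.exe at 09:00 daily; AT jobs run as SYSTEM.
at | find /i "blastclnnn" >nul && (
    echo   scheduled job for blastclnnn.exe present
    set FOUND=1
    if "!CLEAN!"=="1" at /delete /yes
)

echo == Dropped files ==
REM attrib lists them even while Explorer hides Hidden+System files; the
REM attributes must be cleared before del will remove them.
for %%F in (
    "%SystemRoot%\SCVHSOT.exe"
    "%SystemRoot%\SCVVHSOT.exe"
    "%SystemRoot%\hinhem.scr"
    "%SystemRoot%\system32\SCVHSOT.exe"
    "%SystemRoot%\system32\blastclnnn.exe"
    "%SystemRoot%\system32\autorun.ini"
    "%ALLUSERSPROFILE%\Documents\SCVHSOT.exe"
    "%ALLUSERSPROFILE%\Documents\scvshosts.exe"
    "%ALLUSERSPROFILE%\Documents\New Folder.exe"
    "%ALLUSERSPROFILE%\Documents\autorun.inf"
) do if exist %%F (
    attrib %%F
    set FOUND=1
    if "!CLEAN!"=="1" (
        attrib -r -h -s %%F
        del /f /q %%F
    )
)

echo == Registry ==
for %%H in (HKLM HKCU) do (
    call :policy "%%H\Software\Microsoft\Windows\CurrentVersion\Policies\System" DisableTaskMgr
    call :policy "%%H\Software\Microsoft\Windows\CurrentVersion\Policies\System" DisableRegistryTools
    call :policy "%%H\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" NoFolderOptions
    reg query "%%H\Software\Microsoft\Windows\CurrentVersion\Run" /v "Yahoo Messengger" >nul 2>&1 && (
        echo   Run value "Yahoo Messengger" under %%H
        set FOUND=1
        if "!CLEAN!"=="1" reg delete "%%H\Software\Microsoft\Windows\CurrentVersion\Run" /v "Yahoo Messengger" /f >nul
    )
)
set WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
for /f "tokens=1,2,*" %%A in ('reg query "%WINLOGON%" /v Shell 2^>nul ^| find /i "Shell"') do (
    if /i not "%%C"=="explorer.exe" (
        echo   Winlogon Shell is "%%C" instead of explorer.exe
        set FOUND=1
        if "!CLEAN!"=="1" reg add "%WINLOGON%" /v Shell /t REG_SZ /d explorer.exe /f >nul
    )
)
REM Show hidden files again. ShowSuperHidden is my addition: the worm's files
REM are also marked System, which "Show hidden files" alone leaves hidden.
if "!CLEAN!"=="1" (
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f >nul
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t REG_DWORD /d 1 /f >nul
)
if "!FOUND!"=="0" echo   no indicators found
endlocal
goto :eof

:policy
REM arg 1 = key, arg 2 = value name. A non-zero value means the lockout is active.
for /f "tokens=1,2,*" %%A in ('reg query "%~1" /v %~2 2^>nul ^| find /i "%~2"') do (
    if /i not "%%C"=="0x0" (
        echo   %~2 = %%C under %~1
        set FOUND=1
        if "!CLEAN!"=="1" reg add "%~1" /v %~2 /t REG_DWORD /d 0 /f >nul
    )
)
goto :eof
```

Run it from a cmd.exe window rather than Start > Run so the report stays on screen, and log off and on afterwards so that Winlogon rereads the Shell value. tasklist and taskkill are not shipped with Windows XP Home Edition; there, end the processes with another process viewer before running /clean, otherwise the running worm may recreate the files as they are deleted. A machine that is still reachable over Shared Documents from an infected neighbour will be reinfected, so clean every computer on the LAN before reconnecting them.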
Precaution
~~~~~~~~~
Never double-click a file that looks like a folder: navigate with Explorer's Folders pane (the tree on the left), where only real folders appear, and untick "Hide extensions for known file types" under Folder Options > View so that the .exe behind the folder icon becomes visible (Details view will also show the type as Application instead of File Folder).
Consider disabling Shared Documents, which is the path the worm uses to reach the other computers on the LAN.


2 comments:

ishmaiL said...

I'm a student at a private university...
My PC has the virus, file version 3.2.2.0, AutoIt v3... etc.
How do I get rid of it? I've already tried all sorts of antivirus programs and it still won't go away; every time I copy a folder it turns into that virus again, so my thesis is ruined...
Please help, send an email to
el_capism@yahoo.com

ishmaiL said...

comelz19.blogspot.com