Thursday, December 25, 2008

Worm - WYAutoIT Sohanad Imaut Variant REMOVAL

Symptoms:

> An AutoIt script error appears very often (screenshot attached):

Line 0 (File "C:\Windows\system32\SVCIICHOST.exe");
$mang[$i] = "\\" & $read
^ ERROR
Error: Array Variable has incorrect number of subscripts or subscript dimension range exceeded.

> The following entries are detected by HijackThis:

F2: REG:system.ini: Shell=Explorer.exe SVIICHOST.exe

O4: HKCU\..\Run: [Yahoo Messengger] C:\windows\system32\SVIICHOST.exe

Following the Symantec / Sophos write-ups I also checked for New Folder.exe, and this entry is there:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
Value: "shared" = "\New Folder.exe"

> A scheduled task runs SVIICHOST.exe daily:
c:\windows\tasks\AT1.* is found.

> Task Manager and Registry Editor are disabled.

> SVIICHOST.exe is found running as an active process.

> An online ClamAV scan is supposed to detect it, but neither ClamWin 0.94.1 nor the latest WinClamAVShield detects it.

> It creates .exe files named after every folder that is opened, just like other autorun-type worms, and so spreads very easily through removable drives (that is how my colleague got it in the first place).

> While Messenger is running, strange messages are broadcast every now and then.

> A host of reported file names is available at http://www.threatexpert.com/threats/w32-yautoit.html, which shows how variable and well-masqueraded this worm is. The threat level might be low, but just a while ago I logged on to our storage server and it is fully infected with the <folder name>.exe files.

> It broadcasts messages like these to all of your messenger contacts (Vietnamese without diacritics; English translations in parentheses):

"E may, vao day coi co con nho nay ngon lam http://nhattruongquang.0catch.com"
(Hey you, come in here and look, this chick is really hot.)

"Vao day nghe bai nay di ban http://nhattruongquang.0catch.com"
(Come in here and listen to this song, friend.)

"Biet tin gi chua, vao day coi di http://nhattruongquang.0catch.com"
(Heard the news yet? Come in here and see.)

"Trang Web nay coi cung hay, vao coi thu di http://nhattruongquang.0catch.com"
(This website is pretty good, come and have a look.)

"Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? http://nhattruongquang.0catch.com"
(I wander, lost in the freezing darkness; where to go, now that I have lost you? Where to go, when so many dreams have shattered... Where to go, where do I know to go?)

"Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... http://nhattruongquang.0catch.com"
(Cry so the longing in my heart eases, cry so the sorrow feels as light as nothing. All the love of days gone by has dissolved like smoke and clouds drifting far away...)

More error messages may appear on the system.

To remove it, follow the Standard Removal Procedure Guide.
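
Before following the guide, a quick triage is useful. The PowerShell script below is an added example, not part of the original post or of the linked removal guide: it checks a Windows host for the indicators listed above and only reports what it finds, deleting and killing nothing. Assumptions not stated on the page: the HijackThis F2 "Shell=" entry is read from the Winlogon\Shell registry value; the disabled Task Manager and Registry Editor are assumed to be enforced through the DisableTaskMgr and DisableRegistryTools policy values; both spellings of the dropper name that appear above (SVIICHOST.exe and SVCIICHOST.exe) are checked; the Find-FolderNameExe function name and the example share path are invented.

```powershell
# Added triage script, not from the original post. Read-only: it reports indicators,
# it does not delete files, kill processes or change the registry.
# Assumption: file names are taken verbatim from the post; both spellings are checked.
$suspectNames = @('SVIICHOST.exe', 'SVCIICHOST.exe', 'New Folder.exe')

# 1. Winlogon Shell (what HijackThis reports as "F2 REG:system.ini Shell=", assumed mapping).
#    Anything other than plain "explorer.exe" is suspicious.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    Write-Output "[!] Winlogon Shell = '$shell' (expected 'explorer.exe')"
}

# 2. HKCU Run entry named "Yahoo Messengger" (the double 'g' is the worm's spelling).
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($runVal -and $runVal.PSObject.Properties['Yahoo Messengger']) {
    Write-Output "[!] Run key: Yahoo Messengger = $($runVal.'Yahoo Messengger')"
}

# 3. WorkgroupCrawler\Shares "shared" value pointing at New Folder.exe.
$crawler = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'
$shared = (Get-ItemProperty -Path $crawler -Name shared -ErrorAction SilentlyContinue).shared
if ($shared) { Write-Output "[!] WorkgroupCrawler\Shares\shared = $shared" }

# 4. Task Manager / Registry Editor disabled (assumed mechanism: per-user policy values).
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $policies -ErrorAction SilentlyContinue
if ($p.DisableTaskMgr -eq 1)       { Write-Output '[!] DisableTaskMgr = 1' }
if ($p.DisableRegistryTools -eq 1) { Write-Output '[!] DisableRegistryTools = 1' }

# 5. AT1.* scheduled task files and any running process with a suspect name.
Get-ChildItem -Path "$env:windir\Tasks" -Filter 'AT1.*' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output "[!] Scheduled task file: $($_.FullName)" }
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $suspectNames -contains ($_.Name + '.exe') } |
    ForEach-Object { Write-Output "[!] Running process: $($_.Name) (PID $($_.Id))" }

# 6. Folder-name masquerade on a drive or share: for every directory X (hidden ones
#    included, hence -Force), report a sibling file X.exe. Returns the .exe paths.
function Find-FolderNameExe {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $twin = Join-Path $_.Parent.FullName ($_.Name + '.exe')
            if (Test-Path -LiteralPath $twin -PathType Leaf) { $twin }
        }
}

# Example calls (paths are placeholders): a removable drive and a file share.
Find-FolderNameExe -Root 'E:\'
Find-FolderNameExe -Root '\\storage\share'
```

Run it from an elevated PowerShell prompt. Every path returned by Find-FolderNameExe is an `X.exe` sitting beside a real folder `X`, which is exactly the masquerade described above, so the list doubles as a clean-up worklist for a removable drive or the storage server. The script is deliberately read-only: the Shell value, the Run key and the AT1 task are three separate ways the dropper is relaunched, and the guide's ordering of removing those entries and the file is what should be followed.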

1 comment:

rajeshontheweb said...

http://forum.spywareterminator.com/Default.aspx?g=posts&t=5708&find=unread gives the details and a specific fix designed by me. Try it out, please.
