Removal of W32.Xabot.Worm and wininit32.exe

posted by Prince Mathew

"orkut is sending viruses to your pc. To protect your pc close the window"
"orkut is infected by jammer worm"

W32.Xabot.Worm is a Trojan/Backdoor that attempts to spread itself through the IRC and file-sharing networks. It also has backdoor Trojan Horse capabilities, which allows a hacker to gain control of a compromised computer. The existence of the file wininit32.exe is an indication of a possible infection.

Method of Installation
When executed, the worm copies itself to: %System%\wininet32.exe.

It then adds the following keys to the registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysInit = "%System%\wininet32.exe -drivers"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysInit = "%System%\wininet32.exe -drivers"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\SysInit = "%System%\wininet32.exe -drivers"

to ensure that the worm is executed at each Windows start.

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.

This worm is also known as:
• Backdoor.IRCBot.gen - named by Kaspersky.
• Win32.Xabot.B - named by Computer Associates.
• Win32/IRCBot.S trojan - named by Eset.

Name : W32.Xabot.Worm
Type : Trojan/Backdoor
Affected : Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Risk : Level 2: Low
Discovered : November 9, 2003
Update : February 13, 2007 12:13:35 PM
Wild Level : Low
Number of Infections : 0 - 49
Number of Sites : 0 - 2
Geographical Distribution: Low
Threat Containment : Easy
Removal : Moderate
Threat Assessment : Damage
Damage Level : Medium
Distribution Level : Medium
Writeup By : Robert X Wang


Manual Removal
  1. Open Windows Task Manager, choose the Processes tab, find the process "Wininit32.exe" and end it.
  2. Search your hard disk partitions for "Wininit32.exe"; if found, permanently delete the file. (Note: there is a legitimate system file called Wininit.exe; do not delete that file, or you will have to repair your OS.)
  3. Open the registry editor and remove the entries below. Look under both HKLM and HKCU for each of the keys listed.

Key: Software\Microsoft\Windows\Active Setup\Installed Components\SysInit
Value: StubPath

Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
Values: 1, 2, 3, ... 29 (every numbered value from 1 to 29)

Key: Software\Microsoft\Windows\CurrentVersion\RunOnce
Value: SysInit


Close the registry editor and restart your computer. Now open your web browser and open Orkut. Enjoy.
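The removal steps above as a script, added here as an example; it is not part of the original post. It checks the process, file and registry indicators the post names, in both hives, reports what it finds, and only makes changes when run with -Remove (which also honours -WhatIf). It assumes Windows PowerShell 5 or later and an elevated prompt for the HKLM entries. Because the post names the dropped file both as wininit32.exe and as wininet32.exe, both names are checked.

```powershell
# Added example (not part of the original post): a scripted version of the manual
# removal steps for W32.Xabot. Read-only by default; -Remove applies the changes.
# Assumes Windows PowerShell 5+ and an elevated prompt for the HKLM entries.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

# The post spells the dropped file both ways, so both are checked.
# Wininit.exe (without "32") is a legitimate Windows binary and is never touched.
$badNames = @('wininit32.exe', 'wininet32.exe')
$system   = Join-Path $env:SystemRoot 'System32'

# Step 1: running copies of the worm (Win32_Process gives the image name and full path).
foreach ($proc in Get-CimInstance Win32_Process) {
    if ($badNames -contains $proc.Name) {
        Write-Warning "Process $($proc.ProcessId): $($proc.Name) ($($proc.ExecutablePath))"
        if ($Remove -and $PSCmdlet.ShouldProcess("PID $($proc.ProcessId)", 'Stop-Process')) {
            Stop-Process -Id $proc.ProcessId -Force
        }
    }
}

# Step 2: the dropped file in the System folder.
foreach ($name in $badNames) {
    $file = Join-Path $system $name
    if (Test-Path -LiteralPath $file) {
        Write-Warning "File present: $file"
        if ($Remove -and $PSCmdlet.ShouldProcess($file, 'Remove-Item')) {
            Remove-Item -LiteralPath $file -Force
        }
    }
}

# Step 3: the registry entries listed in the post, under both HKLM and HKCU.
$valueChecks = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Run';                        Name = 'SysInit'  },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\RunOnce';                    Name = 'SysInit'  },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\RunServices';                Name = 'SysInit'  },
    @{ Key = 'Software\Microsoft\Windows\Active Setup\Installed Components\SysInit'; Name = 'StubPath' }
)
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($c in $valueChecks) {
        $key  = "$hive\$($c.Key)"
        $data = (Get-ItemProperty -Path $key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $data) {
            Write-Warning "$key\$($c.Name) = $data"
            if ($Remove -and $PSCmdlet.ShouldProcess("$key\$($c.Name)", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key -Name $c.Name
            }
        }
    }

    # The DisallowRun policy (values 1..29 in the post). On a domain-joined machine the same
    # key can be set legitimately by Group Policy, so review the entries before removing.
    $policy = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $dr     = "$policy\DisallowRun"
    if (Test-Path -LiteralPath $dr) {
        foreach ($prop in (Get-ItemProperty -LiteralPath $dr).PSObject.Properties) {
            if ($prop.Name -notlike 'PS*') { Write-Warning "$dr\$($prop.Name) = $($prop.Value)" }
        }
        if ($Remove -and $PSCmdlet.ShouldProcess($dr, 'Remove-Item')) {
            Remove-Item -LiteralPath $dr -Recurse
            Remove-ItemProperty -LiteralPath $policy -Name 'DisallowRun' -ErrorAction SilentlyContinue
        }
    }
}

if (-not $Remove) { Write-Host 'Scan only. Re-run with -Remove (add -WhatIf to preview) to clean.' }
```

Run it once without switches to see what would be touched, then with `-Remove -WhatIf` to preview and `-Remove` to clean; a reboot afterwards completes the procedure as the post describes.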

USB Autorun Virus Remover v2.3

posted by Prince Mathew

Autorun Virus Remover provides protection against any malicious programs trying to attack via USB drive. When a USB device is inserted into your computer, Autorun Virus Remover will automatically scan it, block and delete autorun virus, trojans, and malicious code. Also, it can detect and remove USB virus such as autorun.inf virus in your computer.

Now you can be assured of immunity from those nasty pen drives, which are major sources of nasty viruses/trojan horses/worms.
Password: razor@inwarez.com

Removal of W32 USB worm

posted by Prince Mathew

“Orkut is banned you fool,The administrators didnt writs this program guess who did?? MUHAHAHA!!”

This error message is the after-effect of a virus infection. The virus is W32.USBWorm, also known as Heap41a. It spreads automatically to other computers by sending itself out by email or through pen/USB/thumb drives. A worm is a program that propagates itself by attacking other machines and copying itself to the affected machine. Worms have self-replicating code that travels from machine to machine by various means. A worm's first objective is merely propagation; worms can be destructive depending on the payload they have been given. Worms may replace files, but do not insert themselves into files.

There are two ways to remove this virus: manually, or with a removal tool.


Properties of This Virus:
  • Autostarts/Stays Resident
  • No EULA present
  • No standard Uninstaller
  • Non-closeable ads
  • Stealth Tactics
Take a look at the funny error messages:
Orkut virus manual removal
  1. Open the Task Manager by pressing Ctrl + Alt + Del and go to the Processes tab.
  2. Locate svchost.exe under Image Name. There will be many processes by that name, but look for the ones that have your username in the User Name column.
  3. Kill these processes by pressing the Del key or by right-clicking and choosing End Process. Only kill those that have your username in the User Name column and leave the rest.
  4. Open Windows Explorer, type "C:\heap41a" in the address bar and press Enter.
  5. This is a hidden folder. Delete all of its contents.
  6. Open the registry editor. Search for heap41a in the registry using the Find command.
  7. You will get something like this: “[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt“. Delete the entries by pressing the Del key.
  8. Close the registry editor. Now the virus will be gone. ☺
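A read-only triage script for the checks in steps 2 to 7, added here as an example; it is not the post's code and not Mr. Lakshman's fix. It lists svchost.exe instances that are owned by a user account or do not run from System32, shows the contents of the hidden C:\heap41a folder, and searches the Winlogon and Run keys for entries that mention heap41a. It assumes Windows PowerShell 5 or later, an elevated prompt (so that process paths are visible), and that the "[winlogon]" entry from step 7 lives under the Winlogon key; that placement is an assumption.

```powershell
# Added example, not part of the original post: read-only triage for the Heap41a worm.
# Assumes Windows PowerShell 5+ and an elevated prompt (otherwise ExecutablePath is empty
# for service-owned processes and they would be reported as "not in System32").
$serviceAccounts = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
$system32        = Join-Path $env:SystemRoot 'System32'
$wormFolder      = 'C:\heap41a'

function Get-SuspiciousSvchost {
    # Steps 2-3: an svchost.exe owned by the interactive user is the tell the post uses.
    # Caveat: on Windows 10 (1703+) per-user services also run svchost.exe as the logged-on
    # user, so treat the path check as the deciding signal rather than the owner alone.
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $who   = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
        $dir   = if ($_.ExecutablePath) { Split-Path $_.ExecutablePath -Parent } else { '' }
        $inSystem32 = ($dir -ieq $system32)
        $userOwned  = ($serviceAccounts -notcontains $who)
        if (-not $inSystem32 -or $userOwned) {
            $reason = if (-not $inSystem32) { 'not in System32' } else { 'user-owned' }
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                Owner       = $who
                Path        = $_.ExecutablePath
                CommandLine = $_.CommandLine
                Reason      = $reason
            }
        }
    }
}

function Get-WormFolderContents {
    # Steps 4-5: the folder is hidden, so -Force is needed to list it and its contents.
    if (Test-Path -LiteralPath $wormFolder) {
        Get-ChildItem -LiteralPath $wormFolder -Force -Recurse |
            Select-Object FullName, Length, Attributes, LastWriteTime
    }
}

function Get-WormRegistryReferences {
    # Steps 6-7: the post shows the entry under "[winlogon]" (assumed to be the Winlogon
    # key below); the Run keys are checked as well. Any value whose data mentions heap41a hits.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match 'heap41a') {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Data = $p.Value }
            }
        }
    }
}

'== svchost.exe instances worth a look =='; Get-SuspiciousSvchost      | Format-Table -AutoSize
"== contents of $wormFolder ==";            Get-WormFolderContents     | Format-Table -AutoSize
'== registry values mentioning heap41a =='; Get-WormRegistryReferences | Format-Table -AutoSize
```

Nothing here deletes anything: once the output confirms the infection, the manual steps above (or the fix linked below) do the removal.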
Orkut virus removal tools

Mr. Sarath Lakshman from Kerala has created a fix to easily and automatically remove W32.USBWorm worm. Just download the fix from the link below, extract the archive and run Worm-fix.exe. Click the big Remove button and it’ll do its job.
You can download it from here:

Or you can also try cleaning it with Flash Disinfector created by sUBs.


You can download Flash Disinfector from here:


Thank You...


Have you ever seen Koenigsegg CC on Allepy?

posted by Prince Mathew

Win32.Xabot

posted by Prince Mathew

Date Published : 12 Feb 2004

Last Updated : 18 Feb 2004

Type : Trojan/Backdoor

Category : Win32

Also known as : W32/Aebot.B (F-Secure), W32/Generic.b.worm (McAfee), Backdoor.IRCBot.gen (Kaspersky), W32.Kwbot.Worm (Symantec), Win32/P2P.Xabot.Worm

Description

Win32.Xabot is an Internet worm that spreads via P2P file sharing networks. The worm targets eDonkey, Kazaa, LimeWire, Morpheus and iMesh file sharing programs. It is also an IRC-controlled backdoor that allows unauthorized access to the victim's machine. The worm is a 22,636-byte, UPX-packed Win32 executable.

Method of Installation
When executed, the worm copies itself to: %System%\wininet32.exe.

It then adds the following keys to the registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysInit = "%System%\wininet32.exe -drivers"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysInit = "%System%\wininet32.exe -drivers"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\SysInit = "%System%\wininet32.exe -drivers"

to ensure that the worm is executed at each Windows start.

Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.

Xabot also creates the mutex "26" to ensure that only one copy of the worm is running at any time.

Payload
Modifies System Settings/Edits Registry
The worm looks for the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\

and attempts to delete the following values in an effort to prevent the associated programs from running at start-up (this list includes, but is not limited to antivirus and other security-related applications):

3Dfx Acc
ABsr
Absr
AdobeA
adp
Adservice
Advapi
AIM reminder
Alevir
Alogserv
Amon
AnVir
Aornum
Api
Apvxd
Apvxdwin
Arupld32
Atrack
ausvc
Avast32
AvconsoleEXE
Avgserv9.exe
AvMaiSrv
avpcc
avx communicator
avxlni
awhost32
Backwork
bargains
bitdefenderlive
BlackIce Utility
BMail Installation
Bnexe
BOCleanautostart
Bonzi Buddy
boot
Bymer.Scanner
cAgOu
CC2KUI
Ccapp
Ccevtmgr
Ccpxysvc
Ccregvfy
Cd_load
Choke
CLICKTHEBUTTON
cmd
CMD
CmeSYS
Cmesys
CMESys
CmeUPD
Cmgrdian
ColdLife - icmp
ColdLife – icmp
Com+Services
Comsocks
config32.exe
Configuration Manager
Configuration Wizard
CoreSrv
Cpd
Cpdclnt
CriticalUpdate
CyDoor
Debug
Default
distributed.net client
dlder
DownloadWare
Dvp95
Eac_Cnry
eixfi
Element
explore
Explorer
explorer
Explorer de la dc
Explorer32
ExplorerTask
F-StopW
fSys
FuckCop
fuckyou
Gator
Generic Host Process for Win32 Services
GForce4DR
Gforce4DRv
GForce4DRv
GhostStartTrayApp
I386
Internat32.exe
InternetConfigure
Kernel32
Kernell32
LangSupportEx
LoadBlackD
LoadDBackUp
Loader
LoadFonts
LoadOrderVerification
LoadWinConf
LoadWinConf
LTM2
McAfee Firewall
McAfeeVirusScanService
messnger
Microsoft Configuration
Microsoft Diagnostic
Microsoft Netview
Microsoft System Monitor
mnsvc
MPFExe
MprHTML
Ms Spool32
MSAdmin
msconfigurator
MSKernel32
msn
msnb
Msrc
MSREGIT
Mswincfg
murphy shield
MxHLp32
Myapp
NAV Agent
NAV Configuration Wizard
NAV DefAlert
NAV Live Update
navapw32
NeroCheck
Netapi
Network Connections
Nod32CC
Norton Auto-Protect
NT Guard
NTFix
NTsocket ogrc
PAV.EXE
PCStart
PersFw
poeto.
Pop3trap.exe
PPMemCheck
print sharing
PrinTray
procmon
Program In Windows
ps2
RapApp
rdvs
Registry
Remote Procedure Call Locator
rundll
rundll32
Rundllsystem32
RunProg
Run_cd
rvds
ScanInicio
ScrSvr
server
serverex
Shellapi32
sistrai.exe
sistray
ssdpsrv.exe
ssdpsvr.exe
Supernova
Sustem
SVHOST
Svhost Loader
Svhost Loader
SymTray - Norton SystemWorks
SyncAgent
SysProtect
SysScan
System Configuration
System Monitor
System Service
System Service
System-Service
SystemBoot
SystemFTP
SystemMD
SystemReg
systemtray
systemtray32
SystemTray32
SystemUpdate
systray
SysTray
SysTray32
Task Bar
Task Manager
TaskMan
TaskMonitor
TaskReg
Taskschd
Tau monitor
tcactive
tcmonitor
Tiny Personal Firewall
TrackPointSrv
TrojanScanner
tskdbg
UMXLDRW
Update
updatek
updateWin
VAGuard
Vet Alert
Vet Start UpHookSys
vhostl
vptray
vscanner
Vshwin32EXE
vsmon
vsmon.exe
VsStatEXE
webiss
WebScan
WebScanX
Webtrap
WebTrapNT.exe
Whvlxd
Win Server
Win Server Updt
WIN-BUGSFIX
WIN32 DEBUG
Win32 Rundll Loader
win32app
Win32BaseServiceMOD
Win32DLL
Win386
Winahlp.exe
winapidr
WinApp32
WinConfig
Windows
Windows API Structure
windows auto update
Windows Explorer
Windows Registry Checker
Windows Subsys
windows update
WindowsFix32
WindowsMGM
WindowsUpdate
WindowsUpdate
WinDSNX
WinDSNX
WinFix32.exe
WinGate initialize
WinHelp
Wininit
WinLoader
WinProfile
WinProxy
wins
winserver
Winsock2 driverSysCmd
Winsock32 driver
Winsvc32
Winsys
WinSystem
WINTASK
winupd32.exe
WinUpdate
WinUpdatermsdos423
WQK
Zonavirus
ZoneAlarm
ZoneAlarm Pro
zzgshp

Xabot adds the following value to the registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = 1

and inserts values under this same key in an attempt to stop these programs from executing:

blackd.exe
blackice.exe
ethereal.exe
filemon.exe
generics.exe
guw32.exe
jammer.exe
ldnetmon.exe
lockdown2000.exe
monitor.exe
msconfig.exe
netmon.exe
netstat.exe
pmon.exe
portmon.exe
processmonitor.exe
programauditor.exe
realmon.exe
regmon.exe
safeweb.exe
scan32.exe
smc.exe
sniffem.exe
sniffem.exe
vsmain.exe
webtrap.exe
zapro.exe
zonealarm.exe

Xabot also adds the following value to the registry:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa restrictAnonymous = 1

This value breaks user administration on the machine: when a user's password expires, they are told that they do not have sufficient privileges to change it, yet they are unable to use the system until the password is changed.
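An added detection example, not from the CA writeup or its author, for the two behaviours just described: it takes a baseline of the five autostart keys the worm reads when run with -Snapshot on a known-good machine, lists the values that have since been removed (or changed or added) on a later run, and reports whether the Lsa restrictAnonymous value is 1. The baseline file location is an assumption; the script assumes Windows PowerShell 5 or later.

```powershell
# Added example, not from the CA writeup: baseline/diff of the autostart keys the worm
# prunes, plus the restrictAnonymous check. Run with -Snapshot on a clean machine first.
# Assumes Windows PowerShell 5+; the baseline path is an assumed location.
param([switch]$Snapshot)

$baselineFile  = Join-Path $env:ProgramData 'autostart-baseline.xml'   # assumed location
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

function Get-AutostartSnapshot {
    # Returns a hashtable "key::valuename" -> data for every value under the five keys.
    $snap = @{}
    foreach ($k in $autostartKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # PSPath etc. are provider metadata
            $snap["$k::$($p.Name)"] = [string]$p.Value
        }
    }
    return $snap
}

function Compare-AutostartSnapshot([hashtable]$Baseline, [hashtable]$Current) {
    # "Removed" is the worm's signature (security products' autostart values deleted);
    # "Modified" and "Added" are reported so the diff is complete.
    foreach ($entry in $Baseline.Keys) {
        if (-not $Current.ContainsKey($entry)) {
            [pscustomobject]@{ Change = 'Removed';  Entry = $entry; Data = $Baseline[$entry] }
        } elseif ($Current[$entry] -ne $Baseline[$entry]) {
            [pscustomobject]@{ Change = 'Modified'; Entry = $entry; Data = $Current[$entry] }
        }
    }
    foreach ($entry in $Current.Keys) {
        if (-not $Baseline.ContainsKey($entry)) {
            [pscustomobject]@{ Change = 'Added';    Entry = $entry; Data = $Current[$entry] }
        }
    }
}

function Test-RestrictAnonymous {
    # restrictAnonymous = 1 is the value the writeup names. Some hardening baselines set it
    # deliberately, so a hit means "compare with your policy", not "infected" by itself.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name restrictanonymous -ErrorAction SilentlyContinue
    return ($null -ne $lsa -and $lsa.restrictanonymous -eq 1)
}

$current = Get-AutostartSnapshot
if ($Snapshot) {
    $current | Export-Clixml -Path $baselineFile      # hashtables round-trip through CLIXML
    "Baseline with $($current.Count) autostart values written to $baselineFile"
} elseif (Test-Path -LiteralPath $baselineFile) {
    $baseline = Import-Clixml -Path $baselineFile
    $diff = @(Compare-AutostartSnapshot -Baseline $baseline -Current $current)
    if ($diff.Count -eq 0) { 'Autostart keys unchanged since baseline.' }
    else                   { $diff | Format-Table -AutoSize }
} else {
    Write-Warning "No baseline at $baselineFile; run with -Snapshot on a clean machine first."
}
if (Test-RestrictAnonymous) { Write-Warning 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictAnonymous is 1 (the value the worm sets).' }
```

A run of "Removed" entries whose names match the list above (antivirus agents, firewalls, system tray monitors) is the pattern to look for; a single removed entry is more often an uninstall.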
Deletes files
The worm deletes the following files from the Windows directory:

auth.ini
BigMac.exe
cnfgldr.exe
DWN.DAT
explore.exe
fdrive.dat
fonts\explorer.exe
fonts\rundll32.exe
gates.txt
Hello-Kitty.exe
IEXPLORE.EXE
iiscache.dll
litmus\killer.exe
litmus\MSGORV32.exe
litmus\msgsrv32.exe
litmus\MSGSRV320.exe
litmus\winup.exe
mirc.exe
mirc.ini
mirc2.ini
mirc3.ini
mirc32.exe
msgsrv.exe
msnb.exe
NAV32_LOADER.EXE
pr.ini
psexec.exe
RAVMOND.exe
rconnect.exe
remote.ini
script.ini
settings.ini
SNTMLS.DAT
SNTMLS.DAT
syslog.exe
sysmon16.exe
taskmrg.exe
TCPSVS32.EXE
temp.exe
temp.scr
temp2.exe
tskman.exe
tskmgr32.exe
vbrun7.dll
whvlxd.dat
whvlxd.exe
win.exe
WinHelp.exe
WINMGM32.EXE
Winnt32.nfo
winservices.exe
winsys.exe

Backdoor Functionality
The worm contains backdoor functionality that allows unauthorized access to a victim's machine. The worm connects to channels on particular servers, allowing it to be controlled via IRC. This allows the worm's controller to take several actions on an affected machine, including:

Keylogging
Visiting particular URLs
Disabling registry tools (i.e. use of regedit)
Opening a SOCKS 4 proxy on the victim's computer
Removing itself
Recording system information (OS, CPU, etc.)
Deleting files
Killing processes
Updating itself
Copying clipboard data
Editing registry start keys.
Method of Distribution
Via P2P File Sharing
Xabot edits the registry entries of file-sharing programs in order to spread via P2P. The following Kazaa registry values are edited to facilitate this process:

HKLM\Software\Kazaa\Advanced\SuperNode = 0
HKLM\Software\Kazaa\LocalContent\DisableSharing = 0
HKLM\Software\Kazaa\LocalContent\Virus_Filter = 0
HKLM\Software\Kazaa\Transfer\Uploadbandwidth = 0
HKLM\Software\Kazaa\Transfer\NoUploadLimitWhenIdle = 1
HKLM\Software\Kazaa\Transfer\ConcurrentUploads = 32
HKLM\Software\Kazaa\LimitBitRate = 0
It then proceeds to check the following registry values to obtain the location of shared folders to copy itself to:

HKLM\Software\Morpheus\Install_Dir
HKLM\Software\Morpheus\My Shared Folder
HKLM\Software\iMesh\Client\DownlaodsLocation
HKLM\Software\Kazaa\Dir0

Once the above locations are obtained (if these programs are installed on an affected machine), the worm proceeds to copy itself to these shared folders, as well as to the directories "\Program Files\EDonkey2000\Incoming\" and "\Program Files\LimeWire\Shared\", using the following filenames:
Half-Life 2 NO CD Crack.exe
Half-Life 2 Keygen.exe
Doom 3 NO CD Crack.exe
Max Payne 2 NO CD Crack.exe
Jedi Academy NO CD Crack.exe
Hidden & Dangerous 2 NO CD Crack.exe
Counter-Strike Condition Zero Keygen.exe
Deus Ex Invisible War NO CD Crack.exe

It also copies itself using the above filenames to the 'My Music' folder in Windows, obtained by checking the registry value:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\My Music
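An added example, not from the CA writeup: a read-only check for the distribution mechanism described above. It compares the current Kazaa values against the settings the worm writes, resolves the shared folders from the registry values and fixed paths quoted above, and reports any file in them carrying one of the lure filenames, with its size and SHA-256 for triage. Registry value names are used exactly as the writeup lists them (including "DownlaodsLocation"); the script assumes Windows PowerShell 5 or later.

```powershell
# Added example, not from the CA writeup: audits the Kazaa settings the worm rewrites and
# looks for its lure filenames in the share folders it copies into. Read-only.
# Assumes Windows PowerShell 5+. Registry names are taken verbatim from the writeup.

# The settings exactly as the writeup lists them. Virus_Filter = 0 and DisableSharing = 0
# are weakened settings on their own; all seven matching is the worm's profile.
$wormKazaaProfile = @(
    @{ Key = 'HKLM:\Software\Kazaa\Advanced';     Name = 'SuperNode';             Data = 0  },
    @{ Key = 'HKLM:\Software\Kazaa\LocalContent'; Name = 'DisableSharing';        Data = 0  },
    @{ Key = 'HKLM:\Software\Kazaa\LocalContent'; Name = 'Virus_Filter';          Data = 0  },
    @{ Key = 'HKLM:\Software\Kazaa\Transfer';     Name = 'Uploadbandwidth';       Data = 0  },
    @{ Key = 'HKLM:\Software\Kazaa\Transfer';     Name = 'NoUploadLimitWhenIdle'; Data = 1  },
    @{ Key = 'HKLM:\Software\Kazaa\Transfer';     Name = 'ConcurrentUploads';     Data = 32 },
    @{ Key = 'HKLM:\Software\Kazaa';              Name = 'LimitBitRate';          Data = 0  }
)

# The filenames the worm uses for its copies, as listed above.
$lureNames = @(
    'Half-Life 2 NO CD Crack.exe', 'Half-Life 2 Keygen.exe', 'Doom 3 NO CD Crack.exe',
    'Max Payne 2 NO CD Crack.exe', 'Jedi Academy NO CD Crack.exe',
    'Hidden & Dangerous 2 NO CD Crack.exe', 'Counter-Strike Condition Zero Keygen.exe',
    'Deus Ex Invisible War NO CD Crack.exe'
)

function Get-RegValue([string]$Key, [string]$Name) {
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-KazaaProfile {
    # Emits one object per setting whose current data equals the worm's value.
    foreach ($s in $wormKazaaProfile) {
        $v = Get-RegValue $s.Key $s.Name
        if ($null -ne $v -and "$v" -eq "$($s.Data)") {
            [pscustomobject]@{ Setting = "$($s.Key)\$($s.Name)"; Value = $v }
        }
    }
}

function Get-ShareFolders {
    # Locations the worm reads from the registry (names as the writeup spells them),
    # then the two fixed paths and the My Music shell folder. Only existing folders are returned.
    $fromRegistry = @(
        (Get-RegValue 'HKLM:\Software\Morpheus'     'Install_Dir'),
        (Get-RegValue 'HKLM:\Software\Morpheus'     'My Shared Folder'),
        (Get-RegValue 'HKLM:\Software\iMesh\Client' 'DownlaodsLocation'),
        (Get-RegValue 'HKLM:\Software\Kazaa'        'Dir0'),
        (Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' 'My Music')
    )
    $fixed = @(
        (Join-Path $env:SystemDrive 'Program Files\EDonkey2000\Incoming'),
        (Join-Path $env:SystemDrive 'Program Files\LimeWire\Shared')
    )
    ($fromRegistry + $fixed) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
}

function Find-LureFiles {
    foreach ($folder in Get-ShareFolders) {
        Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue |
            Where-Object { $lureNames -contains $_.Name } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Bytes  = $_.Length     # the writeup gives 22,636 bytes for this sample
                    SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

'== Kazaa settings matching the worm profile =='; Test-KazaaProfile | Format-Table -AutoSize
'== lure filenames found in shared folders ==';   Find-LureFiles    | Format-Table -AutoSize
```

The filename match is deliberately exact rather than a pattern, because "NO CD Crack" and "Keygen" names are common in P2P shares generally; the size and hash in the output are what to compare against a known sample before treating a hit as this worm.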

Resources: ca.com
