Registered · 2 Posts · Discussion Starter #1
Hi, I'm new here and would like some help with a virus that just won't go away.

I had a virus called "backdoor" or something and NAV 2003 deleted the file (system32.exe) that contained it, but now I keep on getting the message attached. Can you help me?
 

TSF Enthusiast · 6,298 Posts
In C:\windows\system.ini, make sure there is nothing after shell=explorer.exe (not in the entire file, but on that line). If there is a modifier like "shell=explorer.exe C:\windows\system32\system32.exe" then you want to delete the path for C:\windows\system32\system32.exe.
 

Citizen of the world · 51,041 Posts
This should explain what SYSTEM32.EXE is, and you don't want it! :D

This is a worm virus spreading via the Kazaa file sharing network.
The worm has a powerful backdoor routine which connects to an IRC channel and listens to commands from its "master".

The worm itself is a Windows PE EXE file about 100 KB in length, written in Microsoft Visual C++; the worm is compressed with the UPX file compression utility and then encrypted with the "Krypton" Win EXE file encryptor.

When an infected file starts, the installation routine gets control.

Installation
While installing, the worm copies itself to the Windows system directory under different names (see below) and registers that file in two system registry auto-run keys.
The worm copy names are:

"Tanked.11": "system32.exe"
"Tanked.13": "winsys.exe"
"Tanked.14": "cmd32.exe"

The registry keys are:
"Tanked.11":

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemSAS = system32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
SystemSAS = system32.exe

"Tanked.13":
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WinSys = winsys.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WinSys = winsys.exe

"Tanked.14":
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CMD = cmd32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
CMD = cmd32.exe

Spreading
The worm copies itself to the Kazaa directory with the following names:
'Battlefield1942_bloodpatch.exe'
'Unreal2_bloodpatch.exe'
'UT2003_bloodpatch.exe'
'AquaNox2 Crack.exe'
'NBA2003_crack.exe'
'FIFA2003 crack.exe'
'C&C Generals_crack.exe'
'UT2003_keygen.exe'
'UT2003_no cd (crack).exe'
'Age of Empires 2 crack.exe'
'Anno 1503_crack.exe'
'C&C Renegade_crack.exe'
'Diablo 2 Crack.exe'
'Gothic 2 licence.exe'
'GTA 3 Crack.exe'
'GTA 3 patch (no cd).exe'
'Hitman_2_no_cd_crack.exe'
'Mafia_crack.exe'
'Neverwinter_Nights_licence.exe'
'NHL 2003 crack.exe'
'WarCraft_3_crack.exe'
'Splinter_Cell_Crack.exe'
'Battlefield1942_keygen.exe'
'Winamp 3.8.exe'
'MediaPlayer Update.exe'
'UT2003_patch.exe'
'ACDSee 5.5.exe'
'DivX Video Bundle 6.5.exe'
'Global DiVX Player 3.0.exe'
'QuickTime_Pro_Crack.exe'
'KaZaA Lite (New).exe'
'iMesh 3.7b (beta).exe'
'iMesh 3.6.exe'
'KaZaA Hack 2.5.0.exe'
'DirectDVD 5.0.exe'
'Flash MX crack (trial).exe'
'Ad-aware 6.5.exe'
'WinZip 9.0b.exe'
'SmartFTP 2.0.0.exe'
'ICQ Lite (new).exe'
'ICQ Pro 2003b (new beta).exe'
'ICQ Pro 2003a.exe'
'AOL Instant Messenger.exe'
'Download Accelerator Plus 6.1.exe'
'Trillian 0.85 (free).exe'
'MSN Messenger 5.2.exe'
'Network Cable e ADSL Speed 2.0.5.exe'
'mIRC 6.40.exe'
'GetRight 5.0a.exe'
'Pop-Up Stopper 3.5.exe'
'Yahoo Messenger 6.0.exe'
'KaZaA Speedup 3.6.exe'
'Nero Burning ROM crack.exe'
'WindowBlinds 4.0.exe'
'Animated Screen 7.0b.exe'
'Living Waterfalls 1.3.exe'
'Matrix Screensaver 1.5.exe'
'Popup Defender 6.5.exe'
'Space Invaders 1978.exe'
'SmartRipper v2.7.exe'
'TweakAll 3.8.exe'
'DVD Copy Plus v5.0.exe'
'Serials 2003 v.8.0 Full.exe'
'Zelda Classic 2.00.exe'
'Need 4 Speed crack.exe'
'Links 2003 Golf game (crack).exe'
'Netfast 1.8.exe'
'Guitar Chords Library 5.5.exe'
'DVD Region-Free 2.3.exe'
'Cool Edit Pro v2.55.exe'
'Coffee Cup Free HTML 7.0b.exe'
'Clone CD 5.0.0.3.exe'
'Clone CD 5.0.0.3 (crack).exe'
'Nimo CodecPack (new) 8.0.exe'
'Business Card Designer Plus 7.9.exe'
'Steinberg_WaveLab_5_crack.exe'
'Hot Babes XXX Screen Saver.exe'
'FreeRAM XP Pro 1.9.exe'
'IrfanView 4.5.exe'
'Audiograbber 2.05.exe'
'WinOnCD 4 PE_crack.exe'
'Final Fantasy VII XP Patch 1.5.exe'
'BabeFest 2003 ScreenSaver 1.5.exe'
'PalTalk 5.01b.exe'
'DirectX Buster (all versions).exe'
'DirectX InfoTool.exe'
'Unreal2_crack.exe'
'FlashGet 1.5.exe'
'Babylon 3.50b reg_crack.exe'
'mp3Trim PRO 2.5.exe'

Other
The worm has the following "copyright" text strings:
"Tanked.11":

T~Drone.11
t69 [sd]v0.5b TankEd.11
[sd]v0.5b TankEd.11 by [sd]

"Tanked.13":
T~Drone.13
t69 [sd]v0.5b TankEd.13
[sd]v0.5b TankEd.13 by [sd]

"Tanked.14":
T~Drone.14
t69 [sd]v0.5b TankEd.14
[sd]v0.5b TankEd.14 by [sd]
 

Registered · 2 Posts · Discussion Starter #4
First of all, my ini is as follows in full:

; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON


That's it.

Second, I am really sorry, but I don't even know what an IRC is, or anything else for that matter, so could somebody explain what is causing the error message and how to get rid of it?
 

Citizen of the world · 51,041 Posts
This is a left-over entry in the registry. If you have something like Norton Utilities, the WinDoctor will find and kill this entry, since you have removed the virus file. If you don't have Norton, I'd suggest you obtain a configuration utility and modify the startup to eliminate the line in question. X-Setup is one that I use and have had excellent luck with.
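The two checks this thread gives, the system.ini shell= line and the Run/RunServices values named in the Tanked description, as one script. This is an added example, not code from the thread or from any tool named in it; it parses a constructed .reg export and system.ini text offline, and the set of files still on disk is a constructed stand-in for a real directory listing, so an autorun entry whose file NAV already deleted shows up as orphaned.

```python
import re
from typing import Dict, List, Set

# Autorun value names and worm file names quoted in the Tanked description above
TANKED_VALUES = {"systemsas": "system32.exe", "winsys": "winsys.exe", "cmd": "cmd32.exe"}
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed sample input (not from the thread): a .reg export of the Run key after
# the worm file was deleted, plus a system.ini whose shell= line carries a modifier.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemSAS"="system32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
SAMPLE_INI = "[boot]\nshell=explorer.exe C:\\windows\\system32\\system32.exe\n"
SAMPLE_FILES = {"explorer.exe", "ctfmon.exe"}  # constructed: system32.exe is already gone

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal .reg export into {key: {value_name: data}} (string values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys

def shell_line_extras(system_ini: str) -> List[str]:
    """Return whatever follows shell=explorer.exe; a clean system.ini yields an empty list."""
    extras = []
    for line in system_ini.splitlines():
        m = re.match(r"\s*shell\s*=\s*explorer\.exe\s*(.*)", line, re.IGNORECASE)
        if m and m.group(1).strip():
            extras.append(m.group(1).strip())
    return extras

def find_tanked_autoruns(reg: Dict[str, Dict[str, str]], files: Set[str]) -> List[dict]:
    """Flag Run/RunServices values matching the Tanked names and note if the file is missing."""
    findings = []
    for key in AUTORUN_KEYS:
        for name, data in reg.get(key, {}).items():
            target = data.split("\\")[-1].lower()
            if name.lower() in TANKED_VALUES or target in TANKED_VALUES.values():
                findings.append({"key": key, "value": name, "data": data,
                                 "orphaned": target not in files})
    return findings

def check(reg_text: str, ini_text: str, files: Set[str]) -> dict:
    """Run both checks; an orphaned Tanked autorun is the left-over entry this thread describes."""
    return {"shell_extras": shell_line_extras(ini_text),
            "autoruns": find_tanked_autoruns(parse_reg_export(reg_text), files)}

if __name__ == "__main__":
    print(check(SAMPLE_REG, SAMPLE_INI, SAMPLE_FILES))
```

On a live XP box the same logic applies to a `regedit /e` export of the two keys; the orphaned value is the one to delete, since the file it points at no longer exists.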