
backdoor.Win32.Virkel.Am Trojan.Win32.VB.aem

Discussion in 'Windows - Virus and spyware problems' started by iPirate, Apr 25, 2006.

  1. iPirate

    iPirate Regular member

    Does anybody have any idea on how to get rid of these viruses?
     
  2. -kemisti-

    -kemisti- Active member

  3. iPirate

    iPirate Regular member

    HijackThis just crashes when I'm using it. The virus won't let it run.
     
  4. iPirate

    iPirate Regular member

    Any takers on how to get rid of Virkel.A, this fake MSN Messenger 8.0 Beta? It disables so much; read this from http://www.avira.com/en/threats/section/fulldetails/id_vir/1410/bds_virkel.a.html

    General Method of propagation:
    • Messenger


    Aliases:
    • Symantec: W32.Chod.D
    • Kaspersky: Backdoor.Win32.Virkel.a
    • Bitdefender: Backdoor.Chodebot.A


    Platforms / OS:
    • Windows 95
    • Windows 98
    • Windows 98 SE
    • Windows NT
    • Windows ME
    • Windows 2000
    • Windows XP
    • Windows 2003


    Side effects:
    • Blocks access to security websites
    • Disable security applications
    • Drops a malicious file
    • Lowers security settings
    • Registry modification
    • Steals information
    • Third party control

    Files:
    It copies itself to the following location:
    • %SYSDIR%\%random character string%\csrss.exe



    It deletes the initially executed copy of itself.



    The following files are created:

    – %SYSDIR%\%random character string%\smss.exe: Furthermore it gets executed after it was fully created. This file serves as flag for an internal routine.
    – %SYSDIR%\%random character string%\csrss.ini: Contains parameters used by the malware.
    – %SYSDIR%\netstat.com: This file serves as flag for an internal routine.

    Registry:
    The following registry keys are added in order to run the processes after reboot:

    – [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "csrss"=""

    – [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    • "csrss"=""

    – [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    • "load"="%SYSDIR%\%random character string%\csrss.exe"
    • "run"="%SYSDIR%\%random character string%\csrss.exe"



    The following registry keys including all values and subkeys are removed:
    • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CleanUp]
    • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCAgentExe]
    • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe]
    • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VirusScan Online]
    • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask]
    • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp]
    • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCAgentExe]
    • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe]
    • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor]
    • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmcService]
    • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Outpost Firewall]
    • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gcasServ]
    • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pccguide.exe]



    The following registry keys are added:

    – [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden"=dword:00000002
    • "SuperHidden"=dword:00000000
    • "ShowSuperHidden"=dword:00000000

    – [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableRegistryTools"="1"
    • "NoAdminPage"="1"

    Messenger:
    It is spreading via Messenger. The characteristics are described below:

    – AIM Messenger
    – MSN Messenger

    IRC:
    To deliver system information and to provide remote control it connects to the following IRC servers:

    Server: bak.**********.net
    Port: 37737
    Channel: #.upd
    Nickname: %10 digit random character string%

    Server: pjn.**********.net
    Port: 37737
    Channel: #.upd
    Nickname: %10 digit random character string%



    – This malware has the ability to collect and send information such as:
    • Capture screen
    • CPU speed
    • Current user
    • Details about drivers
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Platform ID
    • Information about running processes
    • Size of memory
    • Windows directory
    • Information about the Windows operating system


    – Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Launch DDoS ICMP flood
    • Launch DDoS TCP flood
    • Launch DDoS UDP flood
    • disconnect from IRC server
    • Download file
    • Edit registry
    • Execute file
    • Join IRC channel
    • Kill process
    • Leave IRC channel
    • Open remote shell
    • Register a service
    • Terminate process
    • Updates itself
    • Upload file

    Hosts:
    The hosts file is modified as explained:

    – In this case already existing entries remain unmodified.

    – Access to the following domains is effectively blocked:
    • avp.com; www.avp.com; ca.com; dispatch.mcafee.com;
    download.mcafee.com; f-secure.com; fastclick.net; ftp.f-secure.com;
    ftp.sophos.com; liveupdate.symantec.com; customer.symantec.com;
    pccguide.exe rads.mcafee.com; mast.mcafee.com; mcafee.com;
    my-etrust.com; nai.com; networkassociates.com; secure.nai.com;
    securityresponse.symantec.com; service1.symantec.com; sophos.com;
    support.microsoft.com; symantec.com; update.symantec.com;
    updates.symantec.com; us.mcafee.com; vil.nai.com; viruslist.com;
    www.viruslist.com; www.awaps.net; www.ca.com; www.f-secure.com;
    www.fastclick.net; www.mcafee.com; www.microsoft.com;
    www.my-etrust.com; www.nai.com; www.networkassociates.com;
    www.sophos.com; www.symantec.com; www3.ca.com; www.grisoft.com;
    grisoft.com; housecall.trendmicro.com; trendmicro.com;
    www.trendmicro.com; www.pandasoftware.com; pandasoftware.com;
    kaspersky.com; www.kaspersky.com; www.zonelabs.com; zonelabs.com;
    www.spywareinfo.com; spywareinfo.com; www.merijn.org; merijn.org

    List of processes that are terminated:
    • mpftray.exe; microsoft antispyware*; hijackthis*; msconfig.exe;
    kav.exe; kavsvc.exe; mcvsshld.exe; mcagent.exe; mcvsrte.exe;
    mcshield.exe; mcvsftsn.exe; mcdash.exe; mcvsescn.exe; mcinfo.exe;
    mpfagent.exe; CIzh_DataArrival; mpfservice.exe; mskagent.exe;
    mcmnhdlr.exe; sndsrvc.exe; usrprmpt.exe; ccapp.exe; ccevtmgr.exe;
    spbbcsvc.exe; ccsetmgr.exe; symlcsvc.exe; npfmntor.exe; navapsvc.exe;
    issvc.exe; ccproxy.exe; tmpfw.exe; navapw32.exe; navw32.exe; smc.exe;
    outpost.exe; zlclient.exe; vsmon.exe; isafe.exe; pandaavengine.exe;
    regedit.exe; hijackthis.exe; gcasdtserv.exe; gcasserv.exe;
    pcctlcom.exe; tmntsrv.exe; tmproxy.exe; pcclient.exe; ethereal.exe;
    wpe pro.exe; nat.exe; winsp3.exe; zonealarm.exe; zlclient.exe;
    vsmon.exe; mcupdmgr.exe; pccguide.exe; scrpres.dll; mcvsscrp.dll;
    vsmonapi.dll

    Processes with one of the following strings are terminated:
    • KAVPersonal50; Zone Labs Client; Symantec Core LC; services;
    OutpostFirewall; Tmntsrv; tmproxy; TmPfw; PcCtlCom; CAISafe; vsmon;
    SBService; SAVScan; SPBBCSvc; ccSetMgr; ccPwdSvc; ccProxy; SNDSrvc;
    ccEvtMgr; navapsvc; ISSVC; GuardDogEXE; MpfService; MCVSRte; McShield;
    kavsvc


    List of services that are disabled:
    • Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
    • System Restore Service
    • Microsoft AntiSpyware Server Process
    • System Restore Service
    • Windows Security Center Service

    Miscellaneous:
    Internet connection:
    In order to check for its internet connection the following DNS servers are contacted:
    • dynupdate.**********.info
    • bak.**********.info


    Mutex:
    It creates the following Mutex:
    • ChodeBot 8=D

    File details:
    Programming language:
    The file was written in Visual Basic.


    Runtime packer:
    In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
    • PE Compact 2.X

    Nasty little bugger, ain't it.
     
    Last edited: Apr 26, 2006
  5. BlinkN

    BlinkN Regular member

    Indeed, iPirate. Symantec lists the necessary steps to remove the worm, but since you can't get access to Symantec's website because the worm blocks that site out, I will list it for you. The ones in bold are steps to remove the worm and the plain text is information you already know.

    W32.Chod.D
    Category 2
    Discovered on: August 04, 2005
    Last Updated on: November 04, 2005 11:14:30 AM



    W32.Chod.D is a worm with back door capabilities that spreads via MSN Messenger. The worm also lowers security settings and blocks access to several Web sites.

    Also Known As: Backdoor.Win32.Landis.b [Kaspersky], BKDR_LANDIS.A [Trend Micro], W32/Chode-G [Sophos], Win32.Nochod.{D, J, Q} [Computer Associates], WORM_CHOD.D [Trend Micro]

    Type: Worm
    Infection Length: 112,923 bytes



    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP





    protection

    * Virus Definitions (LiveUpdate™ Weekly): August 09, 2005
    * Virus Definitions (Intelligent Updater): August 04, 2005

    threat assessment

    Wild:
    * Number of infections: 0 - 49
    * Number of sites: 0 - 2
    * Geographical distribution: Low
    * Threat containment: Easy
    * Removal: Moderate

    Wild: Low
    Damage: Medium
    Distribution: Medium

    Damage

    * Payload Trigger: n/a
    * Payload: Opens a back door that allows a remote attacker to have unauthorized access to the compromised computer.
    o Large scale e-mailing: n/a
    o Deletes files: n/a
    o Modifies files: n/a
    o Degrades performance: n/a
    o Causes system instability: n/a
    o Releases confidential info: n/a
    o Compromises security settings: Lowers security settings by terminating security-related processes and blocking access to security-related Web sites.

    Distribution

    * Subject of email: n/a
    * Name of attachment: n/a
    * Size of attachment: n/a
    * Time stamp of attachment: n/a
    * Ports: n/a
    * Shared drives: n/a
    * Target of infection: MSN Messenger

    technical details

    When W32.Chod.D is executed, it performs the following actions:

    1. Copies itself as the following:

    %System%\[RANDOM FOLDER NAME]\csrss.exe

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    2. Drops the following files:

    * %System%\[RANDOM FOLDER NAME]\csrss.dat
    * %System%\[RANDOM FOLDER NAME]\csrss.ini

    3. Creates the following shortcut to itself so that it executes every time Windows starts:

    %UserProfile%\Start Menu\Programs\Startup\csrss.lnk

    Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

    4. Adds the values:

    "Hidden" = "2"
    "SuperHidden" = "0"
    "ShowSuperHidden" = "0"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Explorer\Advanced

    so that Windows Explorer will not show Hidden and System files.

    5. Adds the values:

    "DisableRegistryTools" = "1"
    "NoAdminPage" = "1"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Policies\System

    to disable the Registry Editor on the Remote administration tab in the Password Properties dialog box.

    6. Adds the value:

    "Installed" = "1"

    to the registry subkeys:

    HKEY_CURRENT_USER\Software\Chode
    HKEY_CLASSES_ROOT\Chode

    7. Adds the value:

    "csrss" = ""

    to the registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    8. Adds the following lines to the file %Windir%\win.ini on computers running Windows 95/98/ME:

    run = %System%\[RANDOM FOLDER NAME]\csrss.exe
    load = %System%\[RANDOM FOLDER NAME]\csrss.exe

    Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

    9. Adds the values:

    "Load" = "%System%\[RANDOM FOLDER NAME]\csrss.exe"
    "Run" = "%System%\[RANDOM FOLDER NAME]\csrss.exe"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

    10. Stops the following security-related services:

    * ccEvtMgr
    * SNDSrvc
    * ccProxy
    * ccPwdSvc
    * ccSetMgr
    * SPBBCSvc
    * SAVScan
    * SBService
    * SmcService
    * OutpostFirewall
    * vsmon
    * CAISafe
    * PcCtlCom
    * TmPfw

    11. Attempts to disable the Windows Firewall and the Windows Security Center.

    12. Ends the following processes, which may be related to other threats or security-related programs:

    * msconfig.exe
    * kav.exe
    * kavsvc.exe
    * mcvsshld.exe
    * mcagent.exe
    * mcvsrte.exe
    * mcshield.exe
    * mcvsftsn.exe
    * mcdash.exe
    * mcvsescn.exe
    * mcinfo.exe
    * mpfagent.exe
    * mpftray.exe
    * mpfservice.exe
    * mskagent.exe
    * mcmnhdlr.exe
    * sndsrvc.exe
    * usrprmpt.exe
    * ccapp.exe
    * ccevtmgr.exe
    * spbbcsvc.exe
    * ccsetmgr.exe
    * symlcsvc.exe
    * npfmntor.exe
    * navapsvc.exe
    * issvc.exe
    * ccproxy.exe
    * navapw32.exe
    * navw32.exe
    * smc.exe
    * outpost.exe
    * zlclient.exe
    * vsmon.exe
    * isafe.exe
    * pandaavengine.exe
    * msblast.exe
    * penis32.exe
    * teekids.exe
    * bbeagle.exe
    * d3dupdate.exe
    * sysmonxp.exe
    * i11r54n4.exe
    * irun4.exe
    * mscvb32.exe
    * sysinfo.exe
    * mwincfg32.exe
    * wincfg32.exe
    * winsys.exe
    * zapro.exe
    * winupd.exe
    * enterprise.exe
    * regedit.exe
    * hijackthis.exe
    * gcasdtserv.exe
    * gcasserv.exe
    * pcctlcom.exe
    * tmntsrv.exe
    * tmproxy.exe
    * pccguide.exe
    * tmpfw.exe
    * pcclient.exe

    13. Attempts to delete entries from the following registry subkeys to disable several security-related programs:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CleanUp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCAgentExe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VirusScan Online
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmcService
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Outpost Firewall
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gcasServ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pccguide.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client

    14. Adds the following lines to the hosts file to prevent access to various security-related Web sites:

    127.0.0.1 avp.com
    127.0.0.1 www.avp.com
    127.0.0.1 ca.com
    127.0.0.1 dispatch.mcafee.com
    127.0.0.1 download.mcafee.com
    127.0.0.1 f-secure.com
    127.0.0.1 fastclick.net
    127.0.0.1 ftp.f-secure.com
    127.0.0.1 ftp.sophos.com
    127.0.0.1 liveupdate.symantec.com
    127.0.0.1 customer.symantec.com
    127.0.0.1 rads.mcafee.com
    127.0.0.1 mast.mcafee.com
    127.0.0.1 mcafee.com
    127.0.0.1 my-etrust.com
    127.0.0.1 nai.com
    127.0.0.1 networkassociates.com
    127.0.0.1 secure.nai.com
    127.0.0.1 securityresponse.symantec.com
    127.0.0.1 service1.symantec.com
    127.0.0.1 sophos.com
    127.0.0.1 support.microsoft.com
    127.0.0.1 symantec.com
    127.0.0.1 update.symantec.com
    127.0.0.1 updates.symantec.com
    127.0.0.1 us.mcafee.com
    127.0.0.1 vil.nai.com
    127.0.0.1 viruslist.com
    127.0.0.1 www.viruslist.com
    127.0.0.1 www.awaps.net
    127.0.0.1 www.ca.com
    127.0.0.1 www.f-secure.com
    127.0.0.1 www.fastclick.net
    127.0.0.1 www.mcafee.com
    127.0.0.1 www.microsoft.com
    127.0.0.1 www.my-etrust.com
    127.0.0.1 www.nai.com
    127.0.0.1 www.networkassociates.com
    127.0.0.1 www.sophos.com
    127.0.0.1 www.symantec.com
    127.0.0.1 www3.ca.com
    127.0.0.1 www.grisoft.com
    127.0.0.1 grisoft.com
    127.0.0.1 housecall.trendmicro.com
    127.0.0.1 trendmicro.com
    127.0.0.1 www.trendmicro.com
    127.0.0.1 www.pandasoftware.com
    127.0.0.1 pandasoftware.com
    127.0.0.1 kaspersky.com
    127.0.0.1 www.kaspersky.com
    127.0.0.1 www.zonelabs.com
    127.0.0.1 zonelabs.com
    127.0.0.1 www.spywareinfo.com
    127.0.0.1 spywareinfo.com
    127.0.0.1 www.merijn.org
    127.0.0.1 merijn.org

    15. Opens a back door on the compromised computer by connecting to an IRC channel on one of the following domains:

    * [http://]update.ch0de.info/[REMOVED]
    * [http://]bk.vbulettin.com/[REMOVED]
    * [http://]bk.ch0dewaffles.info/[REMOVED]
    * [http://]superaids.zapto.org/[REMOVED]

    16. Allows a remote attacker to perform the following actions on the compromised computer:

    * Run a shell command
    * End processes
    * Download and delete files
    * Install an IRC daemon
    * Download updates to the worm
    * Spread through MSN Messenger
    * Patch the system driver TCPIP.SYS to allow many simultaneous connections
    * Shutdown and restart the compromised computer
    * Run a hacktool
    * Steal passwords
    * Perform denial of service attacks

    17. Spreads through MSN Messenger by sending the following message to all MSN contacts gathered from the compromised computer:

    hey, is this you?
    [http://]www.vbulettin.com/[REMOVED]msn.php?email=[RANDOM EMAIL ADDRESS]

    Note: If a recipient clicks on the above link a copy of the worm will be downloaded onto the recipient's computer.

    recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    * Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
    * If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    * Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
    * Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    * Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    * Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    * Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

    removal instructions

    The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    1. Reinstall your Symantec antivirus program.
    2. Disable System Restore (Windows Me/XP).
    3. Remove all the entries that the risk added to the hosts file.
    4. Update the virus definitions.
    5. Run a full system scan and delete all the files detected.
    6. Edit the Win.ini file.
    7. Delete any values added to the registry.
    8. Restore the Windows Security Center.

    For specific details on each of these steps, read the following instructions.

    1. To reinstall your Symantec antivirus program
    As this risk attempts to remove the files and registry subkeys that your Symantec antivirus program uses, you may need to reinstall the program. If your Symantec antivirus program is not working properly, uninstall, and then reinstall it.

    2. To disable System Restore (Windows Me/XP)
    If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

    Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

    Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

    For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

    * How to disable or enable Windows Me System Restore
    * How to turn off or turn on Windows XP System Restore


    Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

    For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

    3. To remove all the entries that the risk added to the hosts file

    1. Navigate to the following location:

    * Windows 95/98/Me:
    %Windir%
    * Windows NT/2000/XP:
    %Windir%\System32\drivers\etc

    Notes:
    * The location of the hosts file may vary and some computers may not have this file. There may also be multiple copies of this file in different locations. If the file is not located in these folders, search your disk drives for the hosts file, and then complete the following steps for each instance found.
    * %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

    2. Double-click the hosts file.
    3. If necessary, deselect the "Always use this program to open this program" check box.
    4. Scroll through the list of programs and double-click Notepad.
    5. When the file opens, delete all the entries added by the risk. (See the Technical Details section for a complete list of entries.)
    6. Close Notepad and save your changes when prompted.


    4. To update the virus definitions
    Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

    * Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to Virus Definitions (LiveUpdate).
    * Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to Virus Definitions (Intelligent Updater).

    The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.


    5. To scan for and delete the infected files

    1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
    * For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
    * For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
    2. Run a full system scan.
    3. If any files are detected, click Delete.
    4. Click Start > Programs > Accessories > Windows Explorer
    5. Navigate to and delete the file %UserProfile%\Start Menu\Programs\Startup\csrss.lnk.
    6. Exit Windows Explorer.


    Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

    After the files are deleted, restart the computer in Normal mode and proceed with the next section.

    Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

    Title: [FILE PATH]
    Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

    6. To edit the Win.ini file
    If you are running Windows 95/98/Me, follow these steps:

    1. Click Start > Run.
    2. Type the following:

    edit c:\windows\win.ini

    and then click OK.

    (The MS-DOS Editor opens.)

    NOTE: If Windows is installed in a different location, make the appropriate path substitution.

    3. In the [windows] section of the file, look for lines similar to:

    run = %System%\[RANDOM FOLDER NAME]\csrss.exe
    load = %System%\[RANDOM FOLDER NAME]\csrss.exe

    4. If these lines exist, delete everything to the right of run= and load=

    5. Click File > Save.
    6. Click File > Exit.


    7. To delete the value from the registry
    Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

    1. Click Start > Run.
    2. Type regedit
    3. Click OK.

    Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

    4. Navigate to the subkeys:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    5. In the right pane, delete the value:

    "csrss" = ""

    6. Navigate to the subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

    7. In the right pane, delete the values:

    "Load" = "%System%\[RANDOM FOLDER NAME]\csrss.exe"
    "Run" = "%System%\[RANDOM FOLDER NAME]\csrss.exe"

    8. Navigate to the subkeys:

    HKEY_CURRENT_USER\SOFTWARE\Chode
    HKEY_CLASSES_ROOT\Chode

    9. In the right pane, delete the value:

    "Installed" = "1"

    10. Navigate to the subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Explorer\Advanced

    11. In the right pane, reset the values:

    "Hidden" = "2"
    "SuperHidden" = "0"
    "ShowSuperHidden" = "0"

    12. Navigate to the subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Policies\System

    13. In the right pane, reset the values:

    "DisableRegistryTools" = "1"
    "NoAdminPage" = "1"

    14. Exit the Registry Editor.



    8. To restore the Windows Security Center
    This risk attempts to disable the features in the Windows Security Center, available in Windows XP Service Pack 2. If you are running Windows XP Service Pack 2 and would like to restore the full functionality of the Windows Security Center, please complete the following steps:

    Important: If your computer is connected to a domain, you may not be able to adjust these settings. If so, contact your network administrator for more information.

    1. Click Start > Control Panel.
    2. Double-click the Security Center.
    3. In the right pane, click Windows Firewall. The Windows Firewall appears.
    4. Select On.
    5. Click OK to close the Windows Firewall.
    6. In the left pane of the Security Center, select Change the way Security Center alerts me.
    7. Click Alert Settings.
    8. Select Alert Settings, Firewall, and Virus Protection.
    9. Click OK
    10. Click Automatic Updates.
    11. Select Automatic.
    12. Click OK.
    13. Exit the Security Center.



    Write-up by: Costin Ionescu
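A small offline helper for removal steps 3 and 6 above (the hosts file and win.ini edits), written as an added example for this thread and not part of the post or of Symantec's or Avira's tooling. The blocked-host list is the one from the write-up; the sample file contents are constructed, and RANDOMDIR stands in for the random folder name.

```python
"""Offline helpers for removal steps 3 and 6 above: cleaning the hosts file
and the win.ini [windows] section after a W32.Chod.D / Virkel.A infection.
Added example, not Symantec's or Avira's tooling. Both functions take file
contents as a string, so they can be run against copies pulled from an
infected machine; the sample inputs at the bottom are constructed."""
import re

# Hosts the write-up says the worm maps to 127.0.0.1. Only these are removed
# automatically; any other loopback mapping is reported for manual review,
# since the write-up says pre-existing entries are left alone and a blind
# purge could delete legitimate local overrides.
BLOCKED_BY_WORM = {
    "avp.com", "www.avp.com", "ca.com", "dispatch.mcafee.com",
    "download.mcafee.com", "f-secure.com", "fastclick.net", "ftp.f-secure.com",
    "ftp.sophos.com", "liveupdate.symantec.com", "customer.symantec.com",
    "rads.mcafee.com", "mast.mcafee.com", "mcafee.com", "my-etrust.com",
    "nai.com", "networkassociates.com", "secure.nai.com",
    "securityresponse.symantec.com", "service1.symantec.com", "sophos.com",
    "support.microsoft.com", "symantec.com", "update.symantec.com",
    "updates.symantec.com", "us.mcafee.com", "vil.nai.com", "viruslist.com",
    "www.viruslist.com", "www.awaps.net", "www.ca.com", "www.f-secure.com",
    "www.fastclick.net", "www.mcafee.com", "www.microsoft.com",
    "www.my-etrust.com", "www.nai.com", "www.networkassociates.com",
    "www.sophos.com", "www.symantec.com", "www3.ca.com", "www.grisoft.com",
    "grisoft.com", "housecall.trendmicro.com", "trendmicro.com",
    "www.trendmicro.com", "www.pandasoftware.com", "pandasoftware.com",
    "kaspersky.com", "www.kaspersky.com", "www.zonelabs.com", "zonelabs.com",
    "www.spywareinfo.com", "spywareinfo.com", "www.merijn.org", "merijn.org",
}
LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def _newline(text):
    # Windows hosts/ini files are CRLF; keep whatever the input used.
    return "\r\n" if "\r\n" in text else "\n"


def clean_hosts(text):
    """Return (cleaned_text, removed_names, suspicious_lines)."""
    kept, removed, suspicious = [], [], []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()  # ignore trailing comment
        fields = body.split()
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            bad = [n for n in fields[1:] if n.lower() in BLOCKED_BY_WORM]
            good = [n for n in fields[1:] if n.lower() not in BLOCKED_BY_WORM]
            removed.extend(bad)
            if bad and not good:
                continue  # whole line belonged to the worm
            if bad:  # mixed line: keep the legitimate names
                line = " ".join([fields[0]] + good)
            if {n.lower() for n in good} - LOCAL_NAMES:
                suspicious.append(line)  # loopback entry not in the write-up
        kept.append(line)
    nl = _newline(text)
    return nl.join(kept) + (nl if text.endswith("\n") else ""), removed, suspicious


def clean_win_ini(text):
    """Blank run= and load= in [windows] when they point at the worm's
    csrss.exe (step 6: delete everything to the right of run= / load=).
    A clean win.ini never launches csrss.exe from there, so matching the
    file name is enough. Returns (cleaned_text, values_cleared)."""
    out, cleared, in_windows = [], 0, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
        elif in_windows:
            m = re.match(r"\s*(run|load)\s*=\s*(.*)$", line, re.IGNORECASE)
            if m and "csrss.exe" in m.group(2).lower():
                line = m.group(1).lower() + "="
                cleared += 1
        out.append(line)
    nl = _newline(text)
    return nl.join(out) + (nl if text.endswith("\n") else ""), cleared


# Constructed samples (not real captures): the worm's additions mixed into
# ordinary entries; RANDOMDIR stands in for the random folder name.
SAMPLE_HOSTS = (
    "# constructed hosts file\r\n"
    "127.0.0.1       localhost\r\n"
    "192.168.1.10    fileserver   # pre-existing, must survive\r\n"
    "127.0.0.1 www.symantec.com\r\n"
    "127.0.0.1 liveupdate.symantec.com\r\n"
    "127.0.0.1 www.microsoft.com\r\n"
    "127.0.0.1 intranet.example.test\r\n"  # not in the write-up: flag only
)
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    "run=C:\\WINDOWS\\SYSTEM\\RANDOMDIR\\csrss.exe\r\n"
    "load = C:\\WINDOWS\\SYSTEM\\RANDOMDIR\\csrss.exe\r\n"
    "NullPort=None\r\n"
    "[Desktop]\r\n"
    "Wallpaper=(None)\r\n"
)
```

Run the two functions on the file contents, write the cleaned text back only after reviewing the `suspicious` list, and keep the originals for the forensic record.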
     
  6. BlinkN

    BlinkN Regular member

    Good luck.
     
  7. Dude2099

    Dude2099 Regular member

    If you look at that and think "what a tedious task!", just format :)
     
  8. BlinkN

    BlinkN Regular member

    That's what I would do, Dude2099, in that case, but if he has data that he doesn't want to lose or doesn't feel like backing up, he has no choice but to follow all those steps.

    :)
     
  9. -kemisti-

    -kemisti- Active member

    Here's how to remove Chod.A

    Download MsnVirRem.exe on your desktop
    http://downloads.malwareremoval.com/MsnVirRem.exe

    * Close all windows, because a reboot will be needed
    * Double-click MsnVirRem.exe in order to run it
    * Click "Search and Destroy"
    * When ready, you'll be asked to reboot if you are infected; click OK
    * Click "REBOOT".
    * During reboot, you'll get error messages (probably 4).
    * MsnVirRem should give you a message; if not, double-click the program and it should be ready
    Send the contents of C:\msnvirrem.log along with a fresh HijackThis log.
     
