
How To Remove Virus "BackDoor.IRC.Bot.2144"
Virus Name : BackDoor.IRC.Bot.2144
Named By : Dr.Web
To ensure autorun and distribution:
Modifies the following registry keys (the Image File Execution Options 'Debugger' value makes Windows launch wnptp3.exe every time conime.exe is started, so the Run entry below actually starts the bot):
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe] 'Debugger' = 'wnptp3.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'conime.exe' = 'conime.exe'
Creates the following files on removable media:
- <Drive name for removable media>:\Autorun.inf
- <Drive name for removable media>:\~TempData\587468665584.exe
Malicious functions:
To bypass the Windows Firewall, adds itself to the authorized applications list of both firewall profiles under the display name 'LAN Router':
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] '<SYSTEM32>\wnptp3.exe' = '<SYSTEM32>\wnptp3.exe:*:Enabled:LAN Router'
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '<SYSTEM32>\wnptp3.exe' = '<SYSTEM32>\wnptp3.exe:*:Enabled:LAN Router'
Creates and executes the following:
- <SYSTEM32>\wnptp3.exe <Full path to virus>
Executes the following:
- <SYSTEM32>\ipconfig.exe /flushdns
Injects code into the following system processes:
Searches for windows to detect analysis utilities:
- ClassName: 'PROCMON_WINDOW_CLASS' WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
- ClassName: 'gdkWindowToplevel' WindowName: 'The Wireshark Network Analyzer'
Hides the following processes:
- <Full path to virus>
- <SYSTEM32>\wnptp3.exe
Modifies file system:
Creates the following files:
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\debug2[1].zip
- <SYSTEM32>\wnptp3.exe
Sets the 'hidden' attribute to the following files:
Deletes itself.
Network activity:
Connects to:
- 'sv###.#hezombieblog.net':22048
- 'sv###.#nsanesextrix.net':5276
- 'sv###.#exscandalism.com':41350
- 's8#.###cphotohost.com':80
TCP:
HTTP GET requests:
- s8#.###cphotohost.com/net/debug2.zip
UDP:
- DNS ASK sv###.#hezombieblog.net
- DNS ASK sv###.#nsanesextrix.net
- DNS ASK sv###.#exscandalism.com
- DNS ASK s8#.###cphotohost.com
Miscellaneous:
Searches for the following windows:
- ClassName: 'TCPViewClass' WindowName: ''
- ClassName: '#32770' WindowName: 'Regshot 1.8.2'
- ClassName: 'CNetmonMainFrame' WindowName: 'Microsoft Network Monitor 3.3'
- ClassName: 'SmartSniff' WindowName: 'SmartSniff'
Please note: some characters in the host names above are replaced with '#' so that the malicious servers cannot be reached from this page.
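The indicators above can be checked on a suspect host before the removal steps are run. The following PowerShell script is an added example written for this page; it is not code from Dr.Web or from the original article. It is read-only (it reports, it removes nothing), assumes an elevated prompt, looks under CurrentControlSet where the description names ControlSet001, and leaves the C2 host names out because the page only gives them in masked form.

```powershell
# Added example, not part of the original page or of Dr.Web's description.
# Read-only triage for the BackDoor.IRC.Bot.2144 indicators listed above.
# Assumptions: elevated PowerShell; CurrentControlSet is checked instead of
# the ControlSet001 path quoted in the description.
$findings = @()

# 1. IFEO hijack: any launch of conime.exe is redirected to the 'Debugger' value.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe'
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO debugger set for conime.exe -> '$dbg'" }
}

# 2. Run key entry that triggers the hijacked conime.exe at logon.
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $run) {
    $runVal = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).'conime.exe'
    if ($runVal) { $findings += "Run key value 'conime.exe' -> '$runVal'" }
}

# 3. Legacy firewall exceptions (AuthorizedApplications lists, both profiles).
foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$fwProfile\AuthorizedApplications\List"
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like '*wnptp3.exe*' -or "$($p.Value)" -like '*LAN Router*') {
                $findings += "Firewall exception ($fwProfile): $($p.Name) = $($p.Value)"
            }
        }
    }
}

# 4. Dropped binary in System32; hash it so the sample can be submitted or matched.
$bin = Join-Path $env:SystemRoot 'System32\wnptp3.exe'
if (Test-Path -LiteralPath $bin) {
    $hash = (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash
    $findings += "Dropped file present: $bin (SHA256 $hash)"
}

# 5. Autorun.inf and the ~TempData payload on removable drives (DriveType 2).
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    foreach ($rel in 'Autorun.inf', '~TempData\587468665584.exe') {
        $path = "$($_.DeviceID)\$rel"
        if (Test-Path -LiteralPath $path) { $findings += "Removable media artifact: $path" }
    }
}

# 6. Running process. The bot hides its own processes, so a miss here proves nothing.
if (Get-Process -Name wnptp3 -ErrorAction SilentlyContinue) {
    $findings += 'wnptp3.exe is running (visible to Get-Process)'
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'No indicators from the description were found (this does not prove the host is clean).'
}
```

Because the description says the bot hides its processes and hooks the console IME host through IFEO, treat any hit on checks 1 to 4 as a confirmed infection even when check 6 is negative, and collect the dropped file's hash before the cleaner quarantines it.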
- Download Dr.Web CureIt! and save it on the desktop.
- Download Security Space Pro 7.0 (32/64-bit) and save it on the desktop.
- Reboot the computer into Safe Mode (press F8 before the Windows logo appears).
- Double-click "cureit.exe" on the desktop and follow the on-screen instructions to scan the hard disk.
(Be patient; an express scan may take 20-60 minutes.)
- When the scan finishes, select all threats found and choose "Cure".
(If a file cannot be cured, choose "Quarantine" or "Delete".)
- Once every threat found has been cured, quarantined or deleted, reboot into Normal Mode.
- Uninstall any existing anti-virus software that failed to remove the infection, then reboot again.
- Locate the Security Space Pro setup file on the desktop and double-click it to run it.
(For step-by-step procedures, refer to the installation video guide.)
- During setup, choose to obtain a demo key.
- After the first update, the scanner is launched again; quit it at this point.
- Complete the setup by rebooting the computer.
- When time allows (it may take several hours), perform a full scan with Dr.Web Scanner.
Note:
- If Windows cannot start because of the infection, use Dr.Web LiveCD or Dr.Web LiveUSB instead of Dr.Web CureIt!
- The time needed for an express or full scan depends on many factors, such as system performance, available memory, running processes, and the number of drives and files.