Monday, March 3, 2008

Folder Options, hidden files, Task Manager, Regedit, cmd and msconfig are disabled

Folder Options is disabled. You are unable to see hidden files. Task Manager is disabled. Regedit is disabled.

Nhatquanglan / SCVHSOT / new folder virus / scvshosts

Virus File Names

New Folder.exe
Size: 192/196 KB
File version: 1,1,1,1
Icon: Folder

SCVHSOT.exe
Size: 192/196 KB
Attributes: Hidden, System
File version: 1,1,1,1
Icon: Folder

scvshosts.exe
Size: 247/248 KB
Attributes: Hidden, System
File version: 2,2,2,2
Icon: Folder

SCVVHSOT (added on 5 Dec 2007)
Icon: Folder
Type of file: Application
Size: 283/288 KB
Modified: June 10, 2007
Attributes: Read-only, Hidden, System, Archive
File version: 3.2.2.0
CompiledScript: AutoIt v3 Script: 3, 2, 2, 0
File Version: 3, 2, 2, 0
etc.

Symptoms

You will find these files in your Windows folder, Shared Documents, etc.
Tools > Folder Options is disabled.
You are unable to see hidden files.
Task Manager is disabled.
Regedit is disabled.
If you are on a LAN, the virus will spam the chat box from your machine without your knowledge, e.g.:
"http://nhatquanglan.xlphp.net/"
"C:\WINDOWS\hinhem.scr"

Behind the Screen

The following files are created:
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\SCVVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe
The virus copies itself into the Shared Documents folder of other computers on the network:
\\ABC\SharedDocs\New Folder.exe
\\ABC\SharedDocs\scvshosts.exe
\\ABC\SharedDocs\autorun.inf
Modifies some files in the "Documents and Settings" folder:
C:\Documents and Settings\Piyush Chandra\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Piyush Chandra\Cookies\index.dat
C:\Documents and Settings\Piyush Chandra\Local Settings\History\History.IE5\index.dat
Modifies the following registry keys and values:
\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4c4da22e-f800-11db-8de6-806d6172696f}\BaseClass, etc.
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions
\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\, etc.
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\, etc.
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\, etc.
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
Modifies some system files:
C:\Documents and Settings\Piyush Chandra\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Piyush Chandra\Cookies\index.dat
C:\Documents and Settings\Piyush Chandra\Local Settings\History\History.IE5\index.dat
Runs the following commands through cmd.exe (only virus version 1,1,1,1 does this). The first uses the AT scheduler to run blastclnnn.exe interactively at 09:00 on every day of the week; the second deletes all scheduled AT jobs without prompting:
C:\WINDOWS\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\cmd.exe /C AT /delete /yes
Solution

End the virus processes (updated on 27/11/2007)

Start > Run, then enter each of the following:
taskkill /f /t /im "New Folder.exe"
taskkill /f /t /im "SCVVHSOT.exe"
taskkill /f /t /im "SCVHSOT.exe"
taskkill /f /t /im "scvshosts.exe"
taskkill /f /t /im "hinhem.scr"
taskkill /f /t /im "blastclnnn.exe"

Enable Task Manager

1. Start > Run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
2. Start > Run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Enable Regedit

1. Start > Run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
2. Start > Run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Folder Options & Hidden Files

1. Start > Run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
2. Start > Run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
3. Start > Run
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f
4. Start > Run (one command at a time)
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 2 /f


Other steps

Delete the files:
C:\WINDOWS\SCVVHSOT.exe
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe

Modify the registry:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (REG_SZ) -> set back to explorer.exe
\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger -> delete
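To confirm that the registry side of the cleanup above actually took effect (or to spot a reinfection), here is an added Python script, not part of the original post, that parses a saved `reg query <key> /s` dump and flags the three lockout policies, a Winlogon Shell value other than explorer.exe, and the misspelt "Yahoo Messengger" Run entry. The sample dump is constructed; the Shell and Run data strings in it are assumed for illustration, not taken from a real infection.

```python
import re

# Registry changes the write-up attributes to the worm: the three lockout policies
# (clean value 0), Winlogon\Shell (clean value "explorer.exe") and the Run entry (should not exist).
POLICY_NAMES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}
RUN_ENTRY = "Yahoo Messengger"

def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {key: {name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):        # key paths are unindented
            current = line.strip()
            keys.setdefault(current, {})
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)  # name  type  data
        if current is not None and len(parts) >= 2:
            keys[current][parts[0]] = (parts[1], parts[2] if len(parts) == 3 else "")
    return keys

def find_indicators(text):
    """Return (key, name, data) for each lockout/persistence entry still present."""
    hits = []
    for key, values in parse_reg_query(text).items():
        k = key.lower()
        for name, (_type, data) in values.items():
            if "\\policies\\" in k and name in POLICY_NAMES and int(data, 0) != 0:
                hits.append((key, name, data))          # e.g. DisableTaskMgr = 0x1
            elif k.endswith("\\winlogon") and name.lower() == "shell" \
                    and data.strip().lower() != "explorer.exe":
                hits.append((key, name, data))          # shell value hijacked
            elif k.endswith("\\currentversion\\run") and name == RUN_ENTRY:
                hits.append((key, name, data))          # autorun entry present
    return hits

# Constructed sample of reg query output from an infected profile (not a real capture).
INFECTED = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
    DisableRegistryTools    REG_DWORD    0x1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFolderOptions    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe C:\WINDOWS\system32\SCVHSOT.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Yahoo Messengger    REG_SZ    C:\WINDOWS\SCVHSOT.exe
"""
```

On the affected machine, save the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion /s` and of the HKLM Winlogon key to a file and pass its contents to find_indicators(); an empty result means the registry changes listed above have been reverted.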
Precaution

Never double-click files that look like folders; use the folder tree view to navigate instead.
You may also want to disable "Shared Documents".