Shaktimishra007's Weblog

June 11, 2008

Mahsa / New Folder virus

Filed under: ViRuS SoLuTiOnS — shaktimishra007 @ 3:05 pm

Virus File
————
File Name: New Folder.exe  (inside all folders)
File Name: Top Pictures.exe  (shared documents)
File Name: Windows Explorer.exe (c:\windows\)

Icon:  Looks like a Folder
Type:  Application
Size:  104KB/112KB
FileVersion: 1.0.0.0
Internal Name: Mahsa
OriginalFileName: Mahsa.exe
Product Version: 1.00

Recognized by antivirus
—————————-

Trojan.Win32.VB.aol
Worm.P2P.Generic

Symptoms
————-

You will find New Folder.exe inside every folder.
You cannot open system utilities like Task Manager, Regedit, Msconfig; each one opens and suddenly closes.
You cannot open folders with names like antivirus, .exe, etc.; they open and suddenly close.

Behind the Screen
———————
Creates a file: C:\windows\Windows Explorer.exe
Creates a file: C:\Documents and Settings\All Users\Documents\Top Pictures.exe
Creates New Folder.exe in every folder you open

ModifyRegValue: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
ModifyRegValue: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\FullPath
ModifyRegValue: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt

Adds to the startup item
Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
Value: C:\WINDOWS\Windows Explorer.exe

Solution
———-
Thank god it doesn't disable the command prompt ;)

END TASK::
1. Start>Run
taskkill /f /t /im "New Folder.exe"
2. Start>Run
taskkill /f /t /im "Windows Explorer.exe"
3. Start>Run
taskkill /f /t /im "Top Pictures.exe"
(If you get an error like "Windows cannot find taskkill", copy the file taskkill to your X:\windows\system32\ directory.)

REGISTRIES::
1. Start>Run
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Explorer
2. Start>Run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 0

DELETE FILES::
1. Start>Run>cmd
del /a /f "C:\windows\Windows Explorer.exe"
2. Start>Run>cmd
del /a /f "C:\Documents and Settings\All Users\Documents\Top Pictures.exe"
3. Now the tough part…
Do a search for the file "New Folder.exe" in all drives and delete all of them.
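
The search in step 3 can be scripted. The following is an added example, not part of the original post: it looks on fixed and removable drives for the three file names listed above and keeps only files whose version information carries the Internal Name or OriginalFileName given under "Virus File", so an unrelated file with the same name is not touched. It assumes PowerShell 3.0 or later and that the END TASK steps have already been run; the `-Delete` switch is a name chosen for this example.

```powershell
# Added example (not from the original post). Reports matches by default;
# run with -Delete to remove them. -Delete is a name chosen for this example.
param([switch]$Delete)

# File names as listed in the post.
$names = 'New Folder.exe', 'Top Pictures.exe', 'Windows Explorer.exe'

# Search fixed and removable drives that are mounted and ready.
$roots = [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.IsReady -and ($_.DriveType -eq 'Fixed' -or $_.DriveType -eq 'Removable') } |
    ForEach-Object { $_.RootDirectory.FullName }

$hits = foreach ($root in $roots) {
    # -Force includes hidden and system files; unreadable folders are skipped.
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name } |
        Where-Object {
            # Confirm the match with the version-info fields from the post.
            $v = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
            $v.InternalName -eq 'Mahsa' -or $v.OriginalFilename -eq 'Mahsa.exe'
        }
}

# Show what was found so it can be reviewed before anything is removed.
$hits | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

if ($Delete) {
    foreach ($f in $hits) {
        # -Force also removes files marked read-only or hidden.
        Remove-Item -LiteralPath $f.FullName -Force
    }
}
```

Run it once without `-Delete` and check the listed paths, then run it again with `-Delete`.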
