Sunday, January 18, 2009

W32/Dloader.HFZC

Do you still remember the article about the Batosai virus (the virus that changes the background of Windows folders into an image of the Japanese comic character Batosai)? This time I want to describe Maxtrox, named by its creator after "Maximum Troxer".

If you are confused by what "Maximum Troxer" means, ask a friend who is a gaming fan. Online game lovers will certainly be familiar with the game from Blizzard Entertainment called World of Warcraft. Whatever the connection between this game and the virus, its creator is most likely one of the game's fans.

Norman Security Suite identifies this virus as W32/Dloader.HFZC (see picture 1).

Changing Wallpaper

One of the main effects of the MaxTrox virus is to change the desktop wallpaper to a MaxTrox (Maximum Troxer) image, with the current time added at the top middle, a comment in the middle, and an identity line at the bottom left (see image 2).
This wallpaper is activated on the 1st through the 6th of April, August and December. The time written by the virus always follows the clock of the user's computer, and the comment is adjusted to the name of the user who is logged in at that moment.

Characteristics of the virus file

The characteristics of the virus file are as follows:
* Uses the WinRAR icon
* Has a size of 77 KB
* File types "Application" and "Screen Saver"
* Main extensions "exe" and "scr", with secondary extensions "MSD" and "sysm" (see figure 3)


Changing the WINDOWS folder background

Just like the Batosai virus, MaxTrox changes the background of the WINDOWS folder to a MaxTrox background (see figure 4).

How to clean the virus

1. It is better to do the cleaning in Safe Mode.
2. Stop the virus process that is active in memory. Use a task manager tool such as Itty Bitty Process Manager (you can download it at the address below).

http://majorgeeks.com/Itty_Bitty_Process_Manager_d4690.html

Kill the process of the active virus file, namely (see figure 5):
* C:\Documents and Settings\%username%\Application Data\Microsoft\%%dsh.exe

(the virus file name is random, for example aizw.exe, scnp.exe, etc.)

3. Delete the registry entries created by the virus. To make the registry repair easier you can use the script below.

; repair.inf: restores the file associations, shells and hidden-file settings
; changed by the virus, then deletes the registry entries the virus added.
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
; Restore the default "open" commands. Inside an INF string a doubled ""
; stands for one literal quote, so """%1"" %*" writes "%1" %* to the registry.
[UnhookRegKey]
HKLM, SOFTWARE\Classes\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\piffile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Classes\scrfile\shell\open\command,,,"""%1"" %*"
; Restore the logon shell and the Safe Mode alternate shell (flag 0 = REG_SZ).
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet003\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
; Make hidden and system files visible again (flag 0x00010001 = REG_DWORD).
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue, 0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, DefaultValue, 0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPath, DefaultValue, 0x00010001,0
; Delete the entries added by the virus: the hidden .exe extension,
; the autorun entry and the screen saver it registered.
[del]
HKCR, exefile, NeverShowExt
HKLM, SOFTWARE\Classes\exefile, NeverShowExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, VisualStyle
HKCU, Control Panel\Desktop, SCRNSAVE.EXE

Open Notepad, paste the script and save it as "repair.inf" (set "Save as type" to "All Files" to avoid an error).

Run repair.inf by right-clicking it and selecting Install.

Create repair.inf on a clean computer, where the virus is not active.
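The repair script above writes a fixed set of registry values back and deletes a fixed set of entries. Before running it on a machine, it is useful to see which of those values the virus actually changed there. The following Python script is an added example, not part of the original post or of Vaksincom's tools: it parses a registry export in .reg format (the text produced by regedit's Export or by `reg export`) and reports every open command, Winlogon Shell or SafeBoot AlternateShell that differs from the value repair.inf restores, plus every entry repair.inf deletes that is still present. The embedded export is a constructed sample; the aizw.exe path in it is an assumption modelled on the random file name and Application Data location described above, not an observed value.

```python
import re

# Values repair.inf writes back, keyed as they appear in a .reg export.
EXPECTED_VALUES = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command", "@"): 'regedit.exe "%1"',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "Explorer.exe",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell"): "cmd.exe",
}

# Values repair.inf deletes; their mere presence is a finding.
FORBIDDEN_VALUES = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile", "NeverShowExt"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "VisualStyle"),
    (r"HKEY_CURRENT_USER\Control Panel\Desktop", "SCRNSAVE.EXE"),
]

# A value line is either @=... (default value) or "name"=...
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: value}} (string and dword values)."""
    reg = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name_tok, data = m.groups()
        name = "@" if name_tok == "@" else _unescape(name_tok[1:-1])
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data  # hex(...) and other types are kept raw
        reg[current][name] = value
    return reg


def check_reg_export(text):
    """Return findings as (kind, key, value_name, observed) tuples.

    kind is "hijacked" for a value that differs from what repair.inf restores,
    or "present" for an entry that repair.inf deletes. Lookups are
    case-insensitive, as the registry itself is.
    """
    norm = {k.lower(): {n.lower(): v for n, v in vals.items()}
            for k, vals in parse_reg_export(text).items()}
    findings = []
    for (key, name), expected in EXPECTED_VALUES.items():
        vals = norm.get(key.lower(), {})
        if name.lower() in vals and vals[name.lower()] != expected:
            findings.append(("hijacked", key, name, vals[name.lower()]))
    for key, name in FORBIDDEN_VALUES:
        vals = norm.get(key.lower(), {})
        if name.lower() in vals:
            findings.append(("present", key, name, vals[name.lower()]))
    return findings


# Constructed sample export: a hijacked exefile command, a hidden .exe
# extension, an autorun entry and one untouched (clean) batfile command.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
"NeverShowExt"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Application Data\\Microsoft\\aizw.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualStyle"="C:\\Documents and Settings\\user\\Application Data\\Microsoft\\aizw.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
'''

if __name__ == "__main__":
    for kind, key, name, observed in check_reg_export(SAMPLE_EXPORT):
        print(f"{kind:8} {key}\\{name} = {observed!r}")
```

Keys that are absent from the export produce no finding, so export the hives the script looks at (HKLM\SOFTWARE, HKLM\SYSTEM and HKCU) or the check will silently skip them.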

4. Delete the mother virus files, which have the following characteristics:
* "WinRAR" icon
* extensions *.exe, *.scr, *.MSD, *.sysm
* size 77 KB

Notes
* We recommend showing hidden files to make the virus files easier to find.
* To speed up the search, use Windows Search with the file filter *.exe, *.scr, *.MSD, *.sysm and a size of 77 KB.
* The virus files to delete usually share the same modified date (see picture 6).
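Step 4 and its notes describe the search by hand: files with one of the four extensions, shown as 77 KB, usually sharing one modified date. The Python below is an added example, not code from the post, that automates the same filter over a directory tree and groups the matches by modified date. It builds a constructed sample tree in a temporary directory (the paths and file names are made up for the demonstration) and scans it. The size test follows Explorer's Size column, which rounds up to whole kilobytes, so a file between 76 KB + 1 byte and exactly 77 KB matches the "77 KB" the post gives.

```python
import os
import tempfile
import time
from collections import defaultdict
from datetime import datetime

SUSPECT_EXTS = {".exe", ".scr", ".msd", ".sysm"}
SUSPECT_SIZE_KB = 77


def shown_kb(size_bytes):
    """Size as Explorer's Size column shows it: rounded up to whole KB."""
    return -(-size_bytes // 1024)


def find_candidates(root, size_kb=SUSPECT_SIZE_KB, exts=SUSPECT_EXTS):
    """Walk root and return {modified-date: [relative paths]} for files whose
    extension and displayed size match the virus characteristics."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if shown_kb(st.st_size) != size_kb:
                continue
            day = datetime.fromtimestamp(st.st_mtime).date().isoformat()
            groups[day].append(os.path.relpath(path, root))
    return {day: sorted(paths) for day, paths in groups.items()}


def _write(path, size, mtime):
    """Create a file of the given size and set its modified time."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(b"\0" * size)
    os.utime(path, (mtime, mtime))


def build_sample_tree(root):
    """Constructed sample: four 77 KB suspects written on one day, plus
    benign files that match only one of the two criteria."""
    infect_day = time.mktime((2009, 1, 10, 9, 30, 0, 0, 0, -1))
    older = time.mktime((2007, 6, 1, 12, 0, 0, 0, 0, -1))
    appdata = os.path.join(root, "Documents and Settings", "user", "Application Data", "Microsoft")
    progfiles = os.path.join(root, "Program Files", "Editor")
    _write(os.path.join(appdata, "aizw.exe"), 77 * 1024, infect_day)          # exactly 77 KB
    _write(os.path.join(progfiles, "editor.exe"), 77 * 1024 - 300, infect_day)  # shows as 77 KB
    _write(os.path.join(progfiles, "help.scr"), 76 * 1024 + 1, infect_day)      # shows as 77 KB
    _write(os.path.join(root, "WINDOWS", "system32", "kernel.sysm"), 77 * 1024, infect_day)
    # Benign: right size but wrong extension; right extension but wrong size.
    _write(os.path.join(progfiles, "readme.txt"), 77 * 1024, infect_day)
    _write(os.path.join(progfiles, "uninstall.exe"), 150 * 1024, older)
    _write(os.path.join(root, "WINDOWS", "notepad.exe"), 77 * 1024 + 1, older)  # shows as 78 KB


def demo():
    """Build the sample tree in a temporary directory, scan it, and return the groups."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_candidates(root)


if __name__ == "__main__":
    for day, paths in sorted(demo().items()):
        print(day)
        for p in paths:
            print("   ", p)
```

On a real machine, call find_candidates on the drive root (for example `C:\`); a group of matches that all share one modified date is the cluster the post says to delete, while a lone match on an unrelated date deserves a closer look before deletion.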
5. Delete the copies of the virus in C:\Program Files (the virus file usually sits next to the original executable, whose EXE extension the virus has renamed). For optimal cleaning, use Norman Security Suite or another up-to-date antivirus that recognizes this virus. You can also use Norman Malware Cleaner to do the deletion; download it at (see figure 7):

http://download.norman.no/public/Norman_Malware_Cleaner.exe
6. Change back the extensions of the executable files in C:\Program Files that the virus renamed. Use a renaming tool to change the extensions quickly (see figure 8).
7. To prevent re-infection, protect your computer with an antivirus that is able to detect and remove this virus.
