winzip.exe virus attack


 
# 1  
Old 01-22-2006
winzip.exe virus attack

Hi All,

I am using Win 2000 and Win 98 systems, and my system has been attacked by the "winzip.exe" virus. Please help me recover from this problem. I am not able to open any sites that have Norton/antivirus/etc. and I am also not able to run Norton AntiVirus. Please help me.

thanks
satish
# 2  
Old 02-05-2006
MySQL

This worm spreads via the Internet as an attachment to infected messages and via open network resources.

It sends itself to email addresses harvested from the victim computer.

The worm itself is a PE EXE file written in Visual Basic, packed using UPX. The packed file is approximately 95KB in size, and the unpacked file is approximately 176KB in size.

Installation

Once launched, masking its main functionality, the worm creates and opens a ZIP archive in the Windows system directory. The ZIP archive has the same name as the original executable file, e.g.

%System%\Sample.zip

When installing, the worm copies itself to the Windows root, system and start up directories under the following names:

%System%\New WinZip File.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe
%System%\WINZIP_TMP.EXE
%User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe
%Windir%\rundll16.exe

The worm then registers itself in the system registry, ensuring it will be launched each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="scanregw.exe /scan"

The worm also modifies the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"WebView"="0"
"ShowSuperHidden"="0"

Propagation via email
The worm harvests addresses from files with the following extensions:

dbx
eml
htm
imh
mbx
msf
msg
nws
oft
txt
vc

It also scans files if the names contain the following strings:

content
temporary

When sending infected messages, the worm attempts to establish a direct connection to the recipient's SMTP server.

Infected messages
Message subject:
*Hot Movie*
A Great Video
Arab sex DSC-00465.jpg
eBook.pdf
Fuckin Kama Sutra pics
Fw:
Fw: DSC-00465.jpg
Fw: Funny Smilie
Fw: Picturs
Fw: Real show
Fw: SeX.mpg
Fw: Sexy
Fwd: Crazy illegal Sex!
Fwd: image.jpg
Fwd: Photo
give me a kiss
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Photos
Re:
Re: Sex Video
School girl fantasies gone bad
The Best Videoclip Ever
You Must View This Videoclipe!

Message body:
----- forwarded message -----
>> forwarded message
forwarded message attached.
Fuckin Kama Sutra pics
hello, i send the file. Bye
Hot XXX Yahoo Groups
how are you? i send the details.
i attached the details. Thank you.
i just any one see my photos. It's Free Smilie
Note: forwarded message attached. You Must View This Videoclip!
Please see the file.
Re: Sex Video
ready to be FUCKED Smilie
The Best Videoclip Ever
VIDEOS! FREE! (US$ 0,00)
What?

Attachment name:
007.pif
04.pif
3.92315089702606E02.UUE
677.pif
Attachments[001].B64
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.PIF
eBook.Uu
image04.pif
New_Document_file.pif
Original Message.B64
photo.pif
School.pif
SeX.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu

Propagation via open network resources

The worm copies itself to the following network resources as Winzip_TMP.exe:

ADMIN$
C$

Other

If the worm detects any of the registry values listed below on the victim machine, it will delete them:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
APVXDWIN
avast!
AVG7_CC
AVG7_EMC
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
BearShare
defwatch
DownloadAccelerator
kaspersky
KAVPersonal50
McAfeeVirusScanService
NAV Agent
OfficeScanNT Monitor
PCCClient.exe
pccguide.exe
PCCIOMON.exe
PccPfw
Pop3trap.exe
rtvscn95
ScanInicio
SSDPSRV
TM Outbreak Agent
tmproxy
Vet Alert
VetTray
vptray
NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
CleanUp
MPFExe
MSKAGENTEXE
MSKDetectorExe
McVsRte

The worm also terminates active applications if the application name contains one of the following strings:

kaspersky
mcafee
norton
removal
scan
symantec
trend micro
virus
fix

It will delete all files from the following folders:

%ProgramFiles%\DAP\*.dll
%ProgramFiles%\BearShare\*.dll
%ProgramFiles%\Symantec\LiveUpdate\*.*
%ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
%ProgramFiles%\Norton AntiVirus\*.exe
%ProgramFiles%\Alwil Software\Avast4\*.exe
%ProgramFiles%\McAfee.com\VSO\*.exe
%ProgramFiles%\McAfee.com\Agent\*.*
%ProgramFiles%\McAfee.com\shared\*.*
%ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
%ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
%ProgramFiles%\Trend Micro\Internet Security\*.exe
%ProgramFiles%\NavNT\*.exe
%ProgramFiles%\Morpheus\*.dll
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
%ProgramFiles%\Grisoft\AVG7\*.dll
%ProgramFiles%\TREND MICRO\OfficeScan\*.dll
%ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
%ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar

All of these actions make the victim machine more vulnerable to subsequent attacks.

It may also download updates to itself via the Internet, without the knowledge or consent of the user.

It will also block the mouse and the keyboard.

On the 3rd of each month, 30 minutes after the victim computer is rebooted, the worm will rewrite files with the following extensions:

.doc
.xls
.mdb
.mde
.ppt
.pps
.zip
.rar
.pdf
.psd
.dmp

Files corrupted by the worm contain the following text:

DATA Error [47 0F 94 93 F4 F5]

Removal instructions

Reboot your computer in Safe Mode - press and hold F8 while the machine is rebooting and choose Safe Mode from the menu when it appears.

In Task Manager, terminate any process with one of the following names:
rundll16.exe
scanregw.exe
Update.exe
Winzip.exe
WINZIP_TMP.EXE
New WinZip File.exe
WinZip Quick Pick.exe

Manually delete the following files from the Windows root and system directories, and the system registry:
%Windir%\rundll16.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe
%System%\WINZIP_TMP.EXE
%System%\New WinZip File.exe
%User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe

Delete the following value from the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry" = "scanregw.exe /scan"

Reboot your computer and check you have deleted all infected messages from all mail folders.

If any applications have been damaged (in most cases this will be antivirus solutions and firewall programs) you will need to re-install them.

Perform a full scan of your computer (download a trial version of Kaspersky Anti-Virus) here:

http://www.viruslist.com/en/viruses/...virusid=109064
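The indicators in the description above (the Run-key value, the dropped file names, the Explorer settings it flips, and the "DATA Error" marker left in overwritten documents) can be turned into a host check. The following is an added example written for this thread, not code from the thread or from Kaspersky: it runs offline over a constructed snapshot of a host, so the HostSnapshot layout, the collector that would fill it on a real machine (winreg and os.walk are the obvious tools, not shown here), and the sample data are all assumptions of the example. It goes slightly beyond the text in one respect: the two Explorer values are also ordinary user settings, so they are reported only when a stronger indicator is present.

```python
"""Offline IoC check for the winzip.exe worm described in the thread.

Added example, not code from the thread or from Kaspersky. The indicator
values are the ones listed in the description; the HostSnapshot format and
the collector that would fill it on a real machine are assumptions.
"""
import ntpath
from dataclasses import dataclass

# Indicators taken from the worm description in the thread.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE, RUN_DATA = "ScanRegistry", "scanregw.exe /scan"
EXPLORER_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
EXPLORER_TAMPERING = {"WebView": "0", "ShowSuperHidden": "0"}
DROPPED_FILES = {
    r"%System%\New WinZip File.exe",
    r"%System%\scanregw.exe",
    r"%System%\Update.exe",
    r"%System%\Winzip.exe",
    r"%System%\WINZIP_TMP.EXE",
    r"%User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe",
    r"%Windir%\rundll16.exe",
}
PAYLOAD_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                      ".zip", ".rar", ".pdf", ".psd", ".dmp"}
CORRUPTION_MARKER = b"DATA Error [47 0F 94 93 F4 F5]"


@dataclass
class HostSnapshot:
    """What a collector hands to the checker (layout assumed by this example).

    registry: registry key path -> {value name -> string data}
    files:    file path -> leading bytes of the file's content
    """
    registry: dict
    files: dict


def _norm(s: str) -> str:
    """Windows paths and the Run data are case-insensitive; compare lower-cased."""
    return s.lower()


def check_run_key(snap: HostSnapshot) -> list:
    """The Run value the worm writes so that it survives a reboot."""
    data = snap.registry.get(RUN_KEY, {}).get(RUN_VALUE, "")
    if _norm(data) == RUN_DATA:
        return [f"persistence: {RUN_KEY}\\{RUN_VALUE} = {data}"]
    return []


def check_explorer_tampering(snap: HostSnapshot) -> list:
    """Explorer settings the worm forces to 0. Both are also legitimate user
    settings (ShowSuperHidden=0 is the Windows default), so on their own they
    are a weak signal; scan() reports them only next to a strong finding."""
    adv = snap.registry.get(EXPLORER_KEY, {})
    return [f"explorer setting: {name} = {data}"
            for name, data in EXPLORER_TAMPERING.items() if adv.get(name) == data]


def check_dropped_files(snap: HostSnapshot) -> list:
    """Copies of the worm under the file names the description lists."""
    wanted = {_norm(p) for p in DROPPED_FILES}
    return [f"dropped file: {p}" for p in snap.files if _norm(p) in wanted]


def check_corrupted_documents(snap: HostSnapshot) -> list:
    """Documents rewritten by the 3rd-of-the-month payload: only the listed
    extensions are targeted, and the rewritten content carries the marker."""
    found = []
    for path, head in snap.files.items():
        ext = ntpath.splitext(path)[1].lower()   # ntpath handles backslashes on any OS
        if ext in PAYLOAD_EXTENSIONS and CORRUPTION_MARKER in head:
            found.append(f"corrupted document: {path}")
    return found


def scan(snap: HostSnapshot) -> list:
    """All findings; the weak Explorer indicators only corroborate strong ones."""
    strong = (check_run_key(snap) + check_dropped_files(snap)
              + check_corrupted_documents(snap))
    if not strong:
        return []
    return strong + check_explorer_tampering(snap)


def demo_snapshot() -> HostSnapshot:
    """Constructed sample host (not data from a real infection)."""
    return HostSnapshot(
        registry={
            RUN_KEY: {"ScanRegistry": "scanregw.exe /scan",
                      "ctfmon.exe": r"C:\WINNT\system32\ctfmon.exe"},
            EXPLORER_KEY: {"WebView": "0", "ShowSuperHidden": "0", "Hidden": "2"},
        },
        files={
            r"%System%\winzip_tmp.exe": b"MZ\x90\x00\x03\x00",   # worm copy, case differs
            r"%System%\notepad.exe": b"MZ\x90\x00\x03\x00",      # legitimate binary
            r"%User Profile%\My Documents\budget.xls": CORRUPTION_MARKER + b"\r\n",
            r"%User Profile%\My Documents\notes.txt": CORRUPTION_MARKER,  # .txt is not targeted
        },
    )


if __name__ == "__main__":
    for finding in scan(demo_snapshot()):
        print(finding)
```

Running the block on the sample snapshot reports the Run value, the renamed worm copy, the overwritten spreadsheet and the two Explorer settings; the same snapshot without any of the strong indicators reports nothing, which is the behaviour you want before telling a user to follow the removal steps above.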