The Complete Database to the virus has been uploaded.
Solution also provided within.
http://ankit-cracker.zoomshare.com/files/VM/ino6.zip
Please do leave a comment, and if there are any further queries or bugs then contact us.
A Blog With No Limits
Joint Collaboration Project of Rox Mcduff and Ankit dotCracker
This is just the Beta Version, therefore the executable has been
password protected and is free from any spreading behaviour.
It is JUST for testing.
Download link :
http://rapidshare.com/files/106586994/my-file.zip.html
If the rapidshare link is dead, please report it to us and we’ll reupload it on another server.
Posted on August 3, 2008 by admin
Drivemonitor.exe, flashguard.exe and driveguard.exe are all the same thing: variants of Win32.Worm.Autoit.AL
| Property | Value |
|---|---|
| Spreading | low |
| Damage | medium |
| Size | 212 Kb |
| Discovered | 2008 Jul 24 |
symptoms:
The presence of the following files:
%programfiles%\FlashGuard\FlashGuard.exe
%windrive%\FlashGuard\ReadMe.txt
%windrive%\FlashGuard\FlashGuard.exe
and the presence of an autorun.inf on removable drives that contains:
[autorun]
open=System\Security\DriveGuard.exe -run
shell\Open=&Open
shell\Open\Command=System\Security\DriveGuard.exe -run
shell\Explore=&Explore
shell\Explore\Command=System\Security\DriveGuard.exe -run
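Because the autorun.inf above is the on-disk indicator a responder is most likely to meet first, here is a small checker for it. This is an added example written for this page, not code from the blog or from the worm's authors; the sample autorun.inf contents are constructed (the first one repeats the entries quoted above) and the indicator names are the file names this page lists. It goes one step beyond the page in that it also flags any autorun.inf that launches an executable at all, since on a removable drive that is suspicious regardless of the name.

```python
"""Flag autorun.inf files on removable media that launch an executable.

Added example for this page; not code from the blog or from the worm.
The indicator names come from the description above; sample contents
are constructed.
"""
import ntpath
import re

# Executable names the description associates with Win32.Worm.Autoit.AL.
KNOWN_BAD_EXE = {"driveguard.exe", "flashguard.exe", "drivemonitor.exe"}

# [autorun] keys that make Explorer execute something: open, shellexecute,
# and any shell\<verb>\command entry.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\.+\\command)$")

# Constructed sample: the autorun.inf quoted in the description.
SAMPLE_WORM = r"""[autorun]
open=System\Security\DriveGuard.exe -run
shell\Open=&Open
shell\Open\Command=System\Security\DriveGuard.exe -run
shell\Explore=&Explore
shell\Explore\Command=System\Security\DriveGuard.exe -run
"""

# Constructed benign sample: a vendor disc that only sets icon and label.
SAMPLE_BENIGN = r"""[autorun]
icon=setup.ico
label=Driver CD
"""

# Constructed sample of a launcher that is not on the page's indicator list.
SAMPLE_UNKNOWN = r"""[autorun]
shellexecute=Recycled\setup.exe
"""


def parse_autorun(text):
    """Return the [autorun] section as {lowercased key: value}.

    autorun.inf is INI-like; a hand parser is used so keys such as
    shell\Open\Command and values containing '=' are handled predictably.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launched_executables(entries):
    """Executables referenced by keys that make Windows run something."""
    exes = []
    for key, value in entries.items():
        if LAUNCH_KEY.match(key) and value.split():
            exes.append(value.split()[0])  # drop arguments such as "-run"
    return exes


def assess_autorun(text):
    """Classify autorun.inf text as ('known-worm' | 'launches-executable' | 'clean', paths)."""
    exes = launched_executables(parse_autorun(text))
    hits = sorted({e for e in exes if ntpath.basename(e).lower() in KNOWN_BAD_EXE})
    if hits:
        return "known-worm", hits
    if exes:
        return "launches-executable", sorted(set(exes))
    return "clean", []


if __name__ == "__main__":
    for label, sample in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN),
                          ("unknown", SAMPLE_UNKNOWN)):
        print(label, assess_autorun(sample))
```

Run it against the contents of `autorun.inf` read from the root of a mounted removable drive; anything other than `clean` deserves a look at the referenced file before the drive is opened in Explorer.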
technical description:
This worm impersonates a friendly application, one that claims to protect your removable drives from other pieces of malware.
The malicious file copies itself to %programfiles%\FlashGuard\FlashGuard.exe
It also includes a readme file that reads:
“This tiny software is used to protect removable storage devices from worms that are spread from one PC to another.”
It creates the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard
with the value “%windrive%\FlashGuard\FlashGuard.exe” -run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FlashGuard
with the value “%windrive%\FlashGuard\FlashGuard.exe” -run
Copies the readme file to %windrive%\FlashGuard\ReadMe.txt
It checks whether any of the following processes are running:
iexplore.exe,alg.exe,csrss.exe,cssrs.exe,cssrss.exe,explore.exe,
expIorer.exe,csrss.exe,iexplorer.exe,lexplore.exe,lsass.exe,lssas.exe,
lssass.exe,scshost.exe,scvhost.exe,scvhsot.exe,smss.exe,smsss.exe,
spoolss.exe,spoolsv.exe,spoolvs.exe,ssms.exe,sssms.exe,ssvhost.exe,
svchost.exe,svchsot.exe,serivces.exe,taskmgr.exe,wilnogon.exe,winl0g0n.exe,
winlgoon.exe,winlogno.exe,winlogon.exe,wlnlogon.exe
and if the process image is not one of:
\Program Files\Internet Explorer\iexplore.exe,
\system32\svchost.exe,
\system32\lsass.exe,
\system32\csrss.exe,
\system32\alg.exe,
\system32\winlogon.exe,
\system32\smss.exe,
\system32\spoolsv.exe,
\system32\taskmgr.exe
the process is terminated and its file is renamed with a “.bak” extension.
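The process check just described is worth keeping as a detection rather than as the kill switch the worm makes of it: a process that carries a system-process name, or a misspelt look-alike such as scvhost.exe, but does not run from the legitimate path is a strong indicator on its own. The following is an added example written for this page, not code from the blog or the worm; the watched names and legitimate paths are exactly the two lists quoted above, and the process snapshot is constructed.

```python
"""Report processes that use a system-process name, or a look-alike of one,
but run from somewhere other than the legitimate path.

Added example for this page; not code from the blog or the worm. The two
lists are the ones quoted in the description; the snapshot is constructed.
"""
import ntpath

# Names the description says the worm watches for (look-alikes included).
WATCHED_NAMES = set(
    """iexplore.exe,alg.exe,csrss.exe,cssrs.exe,cssrss.exe,explore.exe,
    expIorer.exe,iexplorer.exe,lexplore.exe,lsass.exe,lssas.exe,lssass.exe,
    scshost.exe,scvhost.exe,scvhsot.exe,smss.exe,smsss.exe,spoolss.exe,
    spoolsv.exe,spoolvs.exe,ssms.exe,sssms.exe,ssvhost.exe,svchost.exe,
    svchsot.exe,serivces.exe,taskmgr.exe,wilnogon.exe,winl0g0n.exe,
    winlgoon.exe,winlogno.exe,winlogon.exe,wlnlogon.exe"""
    .lower().replace("\n", "").replace(" ", "").split(",")
)

# Legitimate locations from the description (path suffixes, lowercased).
# Assumption: the XP-era 32-bit layout the page describes; 64-bit hosts also
# have SysWOW64 copies, so extend this list before using it there.
LEGIT_SUFFIXES = {
    r"\program files\internet explorer\iexplore.exe",
    r"\system32\svchost.exe",
    r"\system32\lsass.exe",
    r"\system32\csrss.exe",
    r"\system32\alg.exe",
    r"\system32\winlogon.exe",
    r"\system32\smss.exe",
    r"\system32\spoolsv.exe",
    r"\system32\taskmgr.exe",
}

# Names that genuinely exist on the system, derived from the legitimate paths.
GENUINE_NAMES = {ntpath.basename(s) for s in LEGIT_SUFFIXES}

# Constructed process snapshot: (pid, full image path).
SAMPLE_SNAPSHOT = [
    (4, r"C:\WINDOWS\system32\smss.exe"),
    (612, r"C:\WINDOWS\system32\svchost.exe"),
    (1480, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (1996, r"C:\WINDOWS\system32\scvhost.exe"),  # look-alike name
    (2044, r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"),  # real name, wrong path
    (2100, r"C:\WINDOWS\explorer.exe"),  # not on the watch list
]


def is_legitimate(path):
    """True if the image path ends with one of the legitimate suffixes."""
    p = path.lower()
    return any(p.endswith(suffix) for suffix in LEGIT_SUFFIXES)


def suspicious_processes(snapshot):
    """Return (pid, name, path, reason) for each watched-name process outside a legitimate location.

    Unlike the worm, this only reports; what to do about a hit is left to the responder.
    """
    findings = []
    for pid, path in snapshot:
        name = ntpath.basename(path).lower()
        if name not in WATCHED_NAMES or is_legitimate(path):
            continue
        reason = "system-name-wrong-path" if name in GENUINE_NAMES else "lookalike-name"
        findings.append((pid, name, path, reason))
    return findings


if __name__ == "__main__":
    for pid, name, path, reason in suspicious_processes(SAMPLE_SNAPSHOT):
        print(f"{pid:>5}  {name:<14} {reason:<24} {path}")
```

On a live host the snapshot would come from `(p.pid, p.exe())` over `psutil.process_iter()`; note that `exe()` can raise `AccessDenied` for protected processes, which is itself worth logging rather than skipping silently.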
This worm also removes all files from C:\heap41a that belong to other malicious programs,
re-enables Task Manager if it has been disabled,
and infects any removable drive by writing autorun.inf and a copy of itself
to %drv%\System\Security\DriveGuard.exe with the hidden attribute set.
payload:
It downloads executable files from http://[removed]/lndexnew.jpg
and http://[removed]/lndexnew.txt, copies them to the temporary directory under a random name,
and creates the registry key HKLM\software\microsoft\windows\currentversion\RunOnce\temp_cleanup
with the value “%temp_path%\[random].exe”.
All downloaded files are backdoors.
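The persistence points the description names (the Run values called FlashGuard and the RunOnce value temp_cleanup that points at a randomly named file in the temp directory) are easy to audit from a dump of the autostart keys. The code below is an added example written for this page, not from the blog or the worm; the value names and image names are the ones quoted above, the registry snapshot is constructed, and the "autostart from temp directory" rule generalises the temp_cleanup case to any Run/RunOnce value whose executable lives under a Temp folder.

```python
"""Audit Run/RunOnce autostart values against the persistence indicators above.

Added example for this page; not code from the blog or the worm. Value and
image names are the ones quoted in the description; the snapshot is constructed.
"""
import ntpath
import re

KNOWN_BAD_VALUE_NAMES = {"flashguard", "temp_cleanup"}
KNOWN_BAD_IMAGES = {"flashguard.exe", "driveguard.exe", "drivemonitor.exe"}

# Constructed snapshot of autostart values: (key, value name, value data).
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "FlashGuard",
     r'"C:\FlashGuard\FlashGuard.exe" -run'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "FlashGuard",
     r'"C:\FlashGuard\FlashGuard.exe" -run'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce", "temp_cleanup",
     r"C:\DOCUME~1\user\LOCALS~1\Temp\a8f3k2.exe"),
    # Unquoted path with spaces, as some installers write it.
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Documents and Settings\user\Local Settings\Temp\svc.exe /q"),
]


def image_path(command):
    """Extract the executable path from a Run value's command line."""
    m = re.match(r'\s*"([^"]+)"', command)  # quoted path
    if m:
        return m.group(1)
    # Unquoted path: take everything up to the first executable extension.
    m = re.match(r"\s*(.+?\.(?:exe|com|scr|bat|cmd))\b", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command.split() else ""


def in_temp_dir(path):
    """True if any directory component of the path is a temp folder."""
    parts = re.split(r"[\\/]", path.lower())[:-1]  # drop the file name itself
    return any(p in ("temp", "tmp") for p in parts)


def assess_run_entries(entries):
    """Return (key, value name, image path, [reasons]) for suspicious entries."""
    findings = []
    for key, name, data in entries:
        exe = image_path(data)
        reasons = []
        if name.lower() in KNOWN_BAD_VALUE_NAMES:
            reasons.append("known value name")
        if ntpath.basename(exe).lower() in KNOWN_BAD_IMAGES:
            reasons.append("known image name")
        if in_temp_dir(exe):
            reasons.append("autostart from temp directory")
        if reasons:
            findings.append((key, name, exe, reasons))
    return findings


if __name__ == "__main__":
    for key, name, exe, reasons in assess_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{key}\\{name}: {exe}  [{', '.join(reasons)}]")
```

On a live Windows host the tuples come from `winreg.EnumValue` over the Run and RunOnce keys under both HKLM and HKCU; a RunOnce value is deleted after it fires, so collect it before rebooting the machine.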