kirithief Posted December 18, 2004
k well I think I have a virus boys>< umm like as u all know I play FFXI and being an online game I think it requires ports? and I think I have a virus contained in this thing called ftpupd.exe. I can't delete it in regular Windows mode, so I open up safe mode and quarantine it with Norton then delete it...all is well for a while, then it appears again in the System32 folder..when it reappears I'm not able to access FFXI and Internet Explorer>< someone please help me ^^
organ_shifter Posted December 18, 2004
I hope this helps you...good luck! Read under "Manual Repair" below to remove.

[The variants]
Worm.Win32.Korgo.10240
Worm.Win32.Korgo.10240.B
Worm.Win32.Korgo.10240.C
Worm.Win32.Korgo.10752
Worm.Win32.Korgo.10752.B
Worm.Win32.Korgo.10879
Worm.Win32.Korgo.10879.B
Worm.Win32.Korgo.9728

[summary]
Worm.Win32.Korgo.10752.C is a variant of Worm.Win32.Korgo.10240. It was found on June 15, 2004. This worm spreads via the Windows LSASS (Local Security Authority Subsystem Service) security vulnerability, and it is executed by integrating itself into "explorer.exe". Upon execution, a copy of the worm is created in the Windows system folder. TCP ports 113, 3067 and another random port are opened. In addition, remote port 6667 is opened for connection to an IRC channel.

[How it spreads]
It copies itself to systems that have the LSASS security vulnerability, using TCP port 445, as "ftpupd.exe" and executes. Your PC may not be infected if the spreading path used by the worm is intercepted after downloading the Windows security patch. It exploits the following Windows security vulnerability.
- LSASS (Local Security Authority Subsystem Service) Vulnerability (MS04-011) : Vulnerability information

[infection symptoms]
1. The file "ftpupd.exe" is copied to the system. After executing "ftpupd.exe", the worm tries to delete the file but fails.
2. It copies itself to the Windows system folder with the following name. Every time it executes, it copies itself with a new random file name and the existing file is deleted.
- (Random file name).exe (File size : 10,752 bytes)
3. Mutexes are created with the following names to prevent duplicated execution.
- "u8", "u9", "u10", "uterm11"
4. The event named "u11x" is created.
5. It is registered in the registry to be auto-executed whenever the system reboots.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Name : Windows Update
- Data : (Windows system folder)\(random file name).exe
6. The following key value is registered in the registry.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless
- Name : Client
- Data : 1
7. It opens TCP ports 113, 3067 and another random port. It also opens remote port 6667 to connect to an IRC channel.
- irc.kar.net
- gaspode.zanet.org.za
- lia.zanet.net
- irc.tsk.ru
- london.uk.eu.undernet.org
- washington.dc.us.undernet.org
- los-angeles.ca.us.undernet.org
- brussels.be.eu.undernet.org
- caen.fr.eu.undernet.org
- flanders.be.eu.undernet.org
- graz.at.eu.undernet.org
- moscow-advokat.ru
8. The worm deletes the values that are registered by other worms.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Windows Security Manager
- Disk Defragmenter
- System Restore Service
- Bot Loader
- SysTray
- WinUpdate
- Windows Update Service
- avserve.exe
- avserve2.exe
- Update Service
- Windows Update

[Additional information]
The worm is produced with Visual C++ and compressed with UPX.

[Other information]
- The Windows system folder is generally C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

[Manual Repair]
1. First of all, reboot to safe mode. (You can reboot to safe mode by pressing F8.)
2. Using Windows Explorer, release "Hide file extensions for known file types".
- [Tools] -> [Folder Options] -> [View] -> Release "Hide file extensions for known file types"
3. Go to [start], [Run] and type "regedit" to execute Registry Editor. Search for the values that exist in the following paths and delete them.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Name : Windows Update
- Data : (Windows system folder)\(random file name).exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Wireless
4. Close the Registry Editor.
5. Search for "(Random file name).exe" (File size : 10,752 bytes) in the Windows system folder and delete it.
6. Press the "Ctrl+Alt+Delete" keys and reboot the system.
*Using Kaspersky (IMO) to repair is recommended to prevent any error that may occur during manual repair.

[Windows security vulnerability patch]
Go to [start] -> [Windows Update], or Internet Explorer -> 'Tools' -> 'Windows Update' to link to 'http://windowsupdate.microsoft.com' and download the patch.
Note: "shutdown -a" should be executed in the command window to prevent the rebooting phenomenon.

[security vulnerability detection]
System vulnerability can be detected via Microsoft Baseline Security Analyzer (MBSA).
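The symptom list and the manual repair steps in the post above are a set of host indicators (an autorun value named "Windows Update" pointing at an exe in the system folder, the Wireless\Client = 1 marker, the 10,752-byte dropped copy, ftpupd.exe, listeners on TCP 113/3067 and an outbound connection to port 6667). The following script is an added example, not part of the thread or of any vendor's tool: it evaluates those indicators over a snapshot of a host so the check can be run before editing the registry by hand. The snapshot shown is constructed sample data; the random file name kqzvb.exe and the addresses in the netstat lines are made up. On Windows, collect_windows_snapshot() reads the two registry keys, the System32 listing and "netstat -an" for real.

```python
"""Triage check for the Korgo indicators listed in the post (added example)."""
import os
import subprocess
import sys
from dataclasses import dataclass

DROPPER_NAME = "ftpupd.exe"      # file the worm copies in over port 445
KORGO_FILE_SIZE = 10752          # size of the random-named copy in the system folder
LISTEN_PORTS = {113, 3067}       # local TCP ports the worm opens
IRC_PORT = 6667                  # remote port used for the IRC connection


@dataclass
class Snapshot:
    run_values: dict        # value name -> data under HKLM\...\CurrentVersion\Run
    wireless_client: object # data of HKLM\Software\Microsoft\Wireless\Client, or None
    system_dir: str         # path of the Windows system folder
    system_files: dict      # file name -> size in bytes for that folder
    netstat_lines: list     # lines in "netstat -an" format


def check_snapshot(snap):
    """Return a list of human-readable findings; an empty list means no indicator matched."""
    findings = []
    sysdir = snap.system_dir.lower().rstrip("\\")
    # Symptom 5: Run value "Windows Update" whose data is an exe directly in the system folder.
    data = str(snap.run_values.get("Windows Update", ""))
    if data.lower().startswith(sysdir + "\\") and data.lower().endswith(".exe"):
        findings.append(f"Run value 'Windows Update' -> {data}")
    # Symptom 6: marker value left by the worm.
    if snap.wireless_client == 1:
        findings.append("HKLM\\Software\\Microsoft\\Wireless\\Client = 1")
    # Symptoms 1 and 2: the dropper and the 10,752-byte random-named copy.
    for name, size in snap.system_files.items():
        if name.lower() == DROPPER_NAME:
            findings.append(f"dropper present in system folder: {name}")
        elif size == KORGO_FILE_SIZE and name.lower().endswith(".exe"):
            findings.append(f"{size}-byte exe in system folder: {name}")
    # Symptom 7: listeners on 113/3067 and an outbound connection to 6667.
    for line in snap.netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        try:
            local_port = int(parts[1].rsplit(":", 1)[1])
            remote_port = int(parts[2].rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if parts[3] == "LISTENING" and local_port in LISTEN_PORTS:
            findings.append(f"listening on TCP {local_port}")
        elif remote_port == IRC_PORT:
            findings.append(f"outbound connection to port {IRC_PORT}: {parts[2]}")
    return findings


def collect_windows_snapshot():
    """Read the live values on a Windows host (raises elsewhere)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; use a constructed Snapshot instead")
    import winreg
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            run_values[name] = data
            i += 1
    wireless = None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Wireless") as key:
            wireless = winreg.QueryValueEx(key, "Client")[0]
    except OSError:
        pass  # key absent: nothing to report
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    files = {n: os.path.getsize(os.path.join(system_dir, n))
             for n in os.listdir(system_dir) if os.path.isfile(os.path.join(system_dir, n))}
    net = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout.splitlines()
    return Snapshot(run_values, wireless, system_dir, files, net)


# Constructed sample snapshot of an infected XP host (file name and addresses are made up).
SAMPLE = Snapshot(
    run_values={"Windows Update": r"C:\WINDOWS\system32\kqzvb.exe",
                "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    wireless_client=1,
    system_dir=r"C:\WINDOWS\system32",
    system_files={"ftpupd.exe": 10752, "kqzvb.exe": 10752, "ctfmon.exe": 15360},
    netstat_lines=[
        "  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING",
        "  TCP    0.0.0.0:3067           0.0.0.0:0              LISTENING",
        "  TCP    192.168.1.5:1045       203.0.113.7:6667       ESTABLISHED",
        "  TCP    192.168.1.5:1046       203.0.113.8:80         ESTABLISHED",
    ],
)

if __name__ == "__main__":
    snap = collect_windows_snapshot() if sys.platform == "win32" else SAMPLE
    for finding in check_snapshot(snap) or ["no Korgo indicators found"]:
        print(finding)
```

A hit on the Run value alone is worth confirming by hand, since the value name is chosen to look legitimate; the file-size and Wireless\Client matches together with the 113/3067 listeners are what make the picture consistent with this worm rather than with an unrelated autorun entry.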
xs1 Posted December 18, 2004
HMMM I SUGGEST
1) LET GO OF THE SHIFT KEY
2) GO TO HTTP://HOUSECALL.TRENDMICRO.COM
3) SCAN AND REMOVE