grift3r74 Posted June 7, 2008 CID Share Posted June 7, 2008 it keeps asking me to run it.. My firewall is blocking it though.. Is this program legit? Tnx!! Quote Link to comment Share on other sites More sharing options...
grift3r74 Posted June 7, 2008 Author CID Share Posted June 7, 2008 OMG.. its a virus When Backdoor.Nibu.G is executed, it does the following: * Copies itself as: %System%Swchost.exe %System%Svohost.exe %Startup%Svchost.exe -------------------------------------------------------------------------------- Notes: %System% is a variable. The Trojan locates the System folder and copies itself to that location. By default, this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP). %Startup% is a variable. The Trojan locates the Windows startup folder and copies itself to that location. For example, this is C:WindowsStart MenuProgramsStartup (Windows 95/98/Me) or C:Documents and Settings<current user>Start MenuProgramsStartup (Windows NT/2000/XP). -------------------------------------------------------------------------------- * Creates the following files: %Windir%Rundlln.sys %Windir%Prntsvr.dll %Windir%Tempfeff35a0.htm %Windir%Tempfe43e701.htm %Windir%Tempfa4537ef.tmp -------------------------------------------------------------------------------- Note: %Windir% is a variable. The Trojan locates the Windows installation folder (by default, this is C:Windows or C:Winnt) and creates files in that location. -------------------------------------------------------------------------------- * Adds the value: "load32"="%System%swchost.exe" to the registry key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun so that the Trojan runs when you start Windows. * Creates and loads a .dll file to capture keystrokes. Known variants have used %Windir%Prntsvr.dll as the file name. * May create the registry keys: HKEY_LOCAL_MACHINESOFTWARESARS HKEY_USERS.DEFAULTSOFTWARESARS * Modifies the value data of: Shell in the registry key: HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon from: "explorer.exe" to: "explorer.exe %System%svohost.exe" so that the worm runs when you start Windows NT/2000/XP. * Modifies the %Windir%System.ini file by changing the value: "Shell"="Explorer.exe" to: "Shell"="explorer.exe %System%svohost.exe" so that the worm runs when you start Windows 95/98/Me. * Looks for windows that have the following string in the title bar: http:/ /www.whatpornsite.com/css/logger.php This Trojan captures the keystrokes that are typed into these window and stores them in a log file. -------------------------------------------------------------------------------- Note: Typically, such windows would be Web browser windows displaying logon screens for financial services or email accounts. -------------------------------------------------------------------------------- * Captures the window title and keystrokes that are typed into open windows. The Trojan stores them in the log file, %Windir%Prntk.log. Other stolen information that may also be stored in this file include the IP address of the infected computer and system information, such as the operating system and Internet Explorer version. It may also try to steal FAR Manager and FTP Commander passwords, and protected storage data. * Launches a thread that monitors the clipboard, saving any data that is found to a log file. This file is named %Windir%Prntc.log. * Periodically checks the size of the files it uses for logging stolen information. When the files reach a certain size, the stolen information will be copied into an email-formatted file using the Trojan's built-in SMTP engine. The Trojan retrieves the details of the registered owner from the registry and uses these details in the file. * The email-formatted file has the following characteristics: From: <registered owner> <[email protected]> To: you * Writes an HTML file containing the stolen data to %Windir%TEMPfeff35a0.htm. * Writes a raw MIME message containing the stolen data to %Windir%TEMPfa4537ef.tmp. * Listens on TCP ports 1001 and 10000 for remote instructions. * Disables access to certain antivirus Web sites by adding the following lines to %System%Driversetchosts: 127.0.0.1 avp.com 127.0.0.1 ca.com 127.0.0.1 customer.symantec.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 download.mcafee.com 127.0.0.1 f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 mast.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 my-etrust.com 127.0.0.1 nai.com 127.0.0.1 networkassociates.com 127.0.0.1 rads.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 sophos.com 127.0.0.1 symantec.com 127.0.0.1 trendmicro.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 viruslist.com 127.0.0.1 www.avp.com 127.0.0.1 www.ca.com 127.0.0.1 www.f-secure.com 127.0.0.1 www.kaspersky.com 127.0.0.1 www.mcafee.com 127.0.0.1 www.my-etrust.com 127.0.0.1 www.nai.com 127.0.0.1 www.networkassociates.com 127.0.0.1 www.sophos.com 127.0.0.1 www.symantec.com 127.0.0.1 www.trendmicro.com 127.0.0.1 www.viruslist.com Is it really worth your time and money (you could lose all your money in the bank if your password is compromised) to be worrying about these things? It is always better to have a software that can protect your computer and you. Spywares are more dangerous than viruses, coz of the simple reason that they steal your information. Your banking account password is much more worthy to them than your computer. And thats what most of them are after. How to I remove this? I found a registry key.. Is it enough to remove it... Quote Link to comment Share on other sites More sharing options...
tdawnaz Posted June 7, 2008 CID Share Posted June 7, 2008 oh my gosh that's scarey...i'm anxious to read the answer Quote Link to comment Share on other sites More sharing options...
tommie gorman Posted June 7, 2008 CID Share Posted June 7, 2008 Sounds like you may need this one. http://www.grisoft.com/ww.virus-removal.ndi-67751 Quote Link to comment Share on other sites More sharing options...
grift3r74 Posted June 8, 2008 Author CID Share Posted June 8, 2008 This ones hard coz it keeps coming back after AV scans... It also disabled parts of my registry like the startup.. You can access it though by deleting svohost using HijackThis. Gotta delete registry files to silence this one tough POS.. Here's the link... http://service.symantec.com.sg/en/ca/security_response/writeup.jsp?docid=2004-060219-5936-99&tabid=3 Finally removed it completely.. YEAAAHHH!!! Quote Link to comment Share on other sites More sharing options...
grift3r74 Posted June 8, 2008 Author CID Share Posted June 8, 2008 my last question will be how can I enable the "run" key in my registry again? I cant do system restore because it might return again.. tnx!! Quote Link to comment Share on other sites More sharing options...
mudmanc4 Posted June 8, 2008 CID Share Posted June 8, 2008 Have you run " sfc /scannow " ? This will take some time, what it does if your not familiar, is search all windows components and place them back where they are supposed to be. Just open a shell and type " sfc /scannow " Of course close all running programs first. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.