| Field | Value | Field | Value |
|---|---|---|---|
| Aliases | Virus.Win32.Delf.ap (Kaspersky) | | |
| Type | Virus | Platform | Win32 |
| Damage/Distribution | (not given) | Active on a specific date | None |
| Route of infection | Security vulnerabilities | | |
| Typical symptoms | Changes registry, infects files, creates files, installs a Trojan horse | | |
| Origin | Others | Encryption | No |
| Target of infection | File | Memory resident | No |
| Discovered | [Korea] 12/22/2006, [Foreign] not reported | Scan engine needed | 12/22/2006 (able to detect/repair) |
Description

[How it spreads]
Spreads through network shares by exploiting weak share passwords.

[Infection symptoms]
1. Copies itself under the following name into the drivers folder of the infected system:
   - (Windows System Folder)\drivers\spoclsv.exe
2. Registers itself in the registry so that it runs automatically after every reboot:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
   - Name: svcshare
   - Data: (Windows System Folder)\drivers\spoclsv.exe
3. Modifies the following registry value:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
   - Name: CheckedValue
   - Data: 0
4. Terminates any process whose name contains one of the following strings:
   IceSword, pjf(ustc), VirusScan, NOD32, Duba, Symantec AntiVirus, System Safety Monitor, System Repair Engineer, Wrapped gift Killer, Winsock Expert
5. Terminates the following processes:
   Mcshield.exe, VsTskMgr.exe, naPrdMgr.exe, UpdaterUI.exe, TBMon.exe, scan32.exe, Ravmond.exe, CCenter.exe, RavTask.exe, Rav.exe, Ravmon.exe, RavmonD.exe, RavStub.exe, KVXP.kxp, KvMonXP.kxp, KVCenter.kxp, KVSrvXP.exe, KRegEx.exe, UIHost.exe, TrojDie.kxp, FrogAgent.exe, Logo1_.exe, Logo_1.exe
6. Stops the following security-related services:
   sharedaccess, RsCCenter, RsRavMon, KVWSC, KVSrvXP
7. Deletes the following registry values:
   - SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
   - SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
   - SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonsal50
   - SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
   - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
   - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
   - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
   - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
   - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yassistse
8. Connects to the following site and downloads malicious code:
   - www.
9. Scans for vulnerable hosts on TCP ports 139 and 445.

Removal instructions
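The persistence artifacts in steps 1 to 3 are the ones a responder can check for directly. The following is an added example, not part of the original advisory, that evaluates a host-artifact snapshot against them; the snapshot layout (plain dicts and lists) and the sample values are constructed for the example. The SHOWALL `CheckedValue` is normally 1, so a 0 there is treated only as a weaker indicator on its own.

```python
# Added example, not part of the original advisory: evaluates a host-artifact
# snapshot against the persistence and registry indicators listed above.
# The snapshot layout (plain dicts/lists) and the sample values are constructed.
DROPPED_SUFFIX = r"\drivers\spoclsv.exe"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "svcshare"
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")
# Registry entries are looked up as (key_path, value_name) -> data.


def check_snapshot(registry, files):
    """Return (verdict, findings). registry: {(key, name): data}; files: paths."""
    strong, weak = [], []
    run_data = registry.get((RUN_KEY, RUN_VALUE))
    if isinstance(run_data, str) and run_data.lower().endswith(DROPPED_SUFFIX):
        strong.append(f"Run value '{RUN_VALUE}' launches {run_data}")
    for path in files:
        if path.lower().endswith(DROPPED_SUFFIX):
            strong.append(f"dropped file present: {path}")
    # CheckedValue is 1 on a normal system; the virus sets it to 0 so the
    # "Show hidden files" option stops working. On its own this is only a hint.
    if str(registry.get((SHOWALL_KEY, "CheckedValue"))) == "0":
        weak.append("SHOWALL\\CheckedValue is 0 (hidden-file display disabled)")
    if strong:
        verdict = "infected"
    elif weak:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, strong + weak


# Constructed sample snapshots: one matching the described infection, one clean.
INFECTED_REGISTRY = {
    (RUN_KEY, RUN_VALUE): r"C:\WINDOWS\system32\drivers\spoclsv.exe",
    (SHOWALL_KEY, "CheckedValue"): 0,
}
INFECTED_FILES = [r"C:\WINDOWS\system32\drivers\spoclsv.exe",
                  r"C:\WINDOWS\system32\notepad.exe"]
CLEAN_REGISTRY = {(SHOWALL_KEY, "CheckedValue"): 1}
CLEAN_FILES = [r"C:\WINDOWS\system32\notepad.exe"]

if __name__ == "__main__":
    for name, reg, fs in (("infected", INFECTED_REGISTRY, INFECTED_FILES),
                          ("clean", CLEAN_REGISTRY, CLEAN_FILES)):
        verdict, findings = check_snapshot(reg, fs)
        print(f"{name}: {verdict}")
        for finding in findings:
            print("  -", finding)
```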