Cross-post from Distillers FYI - New Trojan

  • Harry
    Message 1 of 1 , Oct 29 12:21 PM
      Got an email last night from a friend worried about a trojan he had
      picked up. This post may be useful to other members...

      ________________________________________

      > got a nasty. AVG tells me that I had
      >
      > Fakesvc.B in C:\\Windows\system32\sucinit.exe
      > Backup copy
      > Infected.
      >
      > It tells me that it has been healed and has placed it in the
      > vault.
      > My personal email scanner in AVG had been turned off. I have
      > turned it back on.
      > Your comment appreciated.
      > regards arbe

      ____________________________________________

      [My Reply]

      Hi Ron,
      It's new. Very little info out there about it. There's a site in
      Spanish that has picked it up. I'll do my best to translate (with
      Google's help). Save this email for reference. Note the detection
      date.

      ___________________________________________________________________________________________________


      VSantivirus no. 1207, Year 7, Monday 27 October 2003

      Troj/Fakesvc.C. It attacks DNS servers (TCP/53)
      http://www.vsantivirus.com/fakesvc-c.htm

      Name: Troj/Fakesvc.C
      Type: Trojan horse
      Alias: Fakesvc.B, Win32.Sinit.C, Win32/Fakesvc.C,
      Win-Trojan/Calypso.58880, W32/Calypso.C-tr, BackDoor-BAM,
      BackDoor.Iterator, Backdoor.Sinit
      Platform: Windows 32-bit
      Date: 22/oct/03
      Size: 64,512 bytes

      This trojan will try to connect to TCP port 53 of remote computers.

      Port 53 is used by the DNS service (Domain Name Server) to communicate.
      The trojan maliciously sends packets with crafted DNS requests to this
      port, which can cause a denial of service (DoS) attack.

      When it is executed, it will try to copy itself to the following
      folder:
      c:\windows\system32\svcinit.exe

      It will also modify the registry as follows, so that it runs again on
      system restart:

      In Windows NT, 2000, XP, Server 2003:

      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Userinit = c:\windows\system32\userinit.exe, c:\windows\system32\svcinit.exe

      In Windows 95, 98, Me:

      HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
      SVC Service = c:\windows\system\svcinit.exe

      NOTE: In all cases, "c:\windows" and "c:\windows\system" can vary
      according to the installed operating system.
      Default names:
      in Windows 9x/Me, "c:\windows" and "c:\windows\system"
      in Windows NT/2000, "c:\winnt" and "c:\winnt\system32"
      in Windows XP and Windows Server 2003, "c:\windows" and
      "c:\windows\system32"

      The trojan creates a process called SVCINIT in memory.

      It does not have a propagation routine, but an infected file could be
      sent deliberately or accidentally by e-mail, or you could get it from
      malicious sites or through peer-to-peer connections.


      !!!!MANUAL REPAIR!!!!

      Cleaning of virus in Windows Me and XP

      If the installed operating system is Windows Me or Windows XP, to
      correctly eliminate this virus you will have to disable, BEFORE ANY
      ACTION, the "System Restore" tool as indicated in these articles:

      Cleaning of virus in Windows Me
      http://www.vsantivirus.com/faq-winme.htm

      Cleaning of virus in Windows XP
      To disable System Restore...

      Click "Start", click "Control Panel", click "Performance and
      Maintenance", and then click "System". In the "System Properties"
      dialog box, click the "System Restore" tab.
      Ensure that the "Turn off System Maintenance on all drives" check
      box is selected.

      Click "Ok"

      Restart your computer




      Antivirus

      To clean this trojan, run your AV software and execute a scan of all
      drives. The following file will be detected as infected and
      healed/quarantined/deleted (depending on your AV software).

      c:\windows\system32\svcinit.exe


      To edit the registry

      Note: some of the registry branches mentioned here may not be
      present, since that depends on which version of Windows is installed.

      1. Execute the registry editor: Click Start, Run, type REGEDIT and
      press ENTER

      2. In the left panel of the registry editor, open the following
      branch (Note - click the "+" sign beside the key names to open them):

      HKEY_LOCAL_MACHINE
      \SOFTWARE
      \Microsoft
      \Windows
      \CurrentVersion
      \RunServices

      3. Open the folder "RunServices" and in the panel on the right, under
      the column "Name", look for and delete the following entry:

      SVC Service = c:\windows\system\svcinit.exe

      4. In the left panel of the registry editor, open the following
      branch (Note - click the "+" sign beside the key names to open them):

      HKEY_LOCAL_MACHINE
      \SOFTWARE
      \Microsoft
      \Windows NT
      \CurrentVersion
      \Winlogon

      5. Open the folder "Winlogon" and in the panel on the right, under
      the column "Name", highlight and edit/modify the following entry:

      Userinit = [path]\userinit.exe, [path]\svcinit.exe

      So that it is left as:

      Userinit = [path]\userinit.exe

      [path] is normally "c:\windows\system32"


      6. Exit the registry (File/Exit).

      7. Restart the computer


      Additional information

      To activate Windows XP firewall (Internet Connection Firewall)

      In order to activate ICF in Windows XP, follow these steps:

      1. Select Start, Control Panel, Network and Internet Connections,
      Network Connections.

      2. Click with the right mouse button on "LAN or High Speed Internet"
      and select Properties.

      3. Click the "Advanced" tab and put a checkmark in the box beside the
      label: "Protect my computer and network by limiting or preventing
      access to this computer from Internet".

      4. Click "Ok".

      5. Repeat steps 3 & 4 for your Dial-up Connection (if you have one).


      NOTE:
      Be sure to manually update your antivirus software with the latest
      definition file when you finish killing the trojan.



      Slainte!
      regards Harry
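An added audit script, not part of Harry's post or the VSantivirus advisory, that checks the two persistence locations the advisory describes: the Winlogon Userinit value, where the trojan appends svcinit.exe after the legitimate userinit.exe, and the Win9x/Me RunServices key. On a Windows host it reads the live Userinit value through the standard winreg module; elsewhere it runs on constructed sample values that mirror the advisory (function names and sample values are assumptions).

```python
import ntpath
import sys

EXPECTED_USERINIT = "userinit.exe"        # the only legitimate Userinit entry
TROJAN_FILE = "svcinit.exe"               # file name given in the advisory
TROJAN_RUNSERVICES_VALUE = "svc service"  # RunServices value name (Win9x/Me)
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value: str) -> list[str]:
    """Split the comma-separated Userinit value into its individual commands."""
    return [p.strip() for p in value.split(",") if p.strip()]


def suspicious_userinit_entries(value: str) -> list[str]:
    """Every Userinit command that is not userinit.exe: anything extra is persistence."""
    return [p for p in parse_userinit(value)
            if ntpath.basename(p).lower() != EXPECTED_USERINIT]


def cleaned_userinit(value: str) -> str:
    """The value the manual repair leaves behind: only the userinit.exe entry."""
    return ", ".join(p for p in parse_userinit(value)
                     if ntpath.basename(p).lower() == EXPECTED_USERINIT)


def suspicious_runservices(entries: dict[str, str]) -> dict[str, str]:
    """RunServices values whose name or target file matches the advisory."""
    return {name: cmd for name, cmd in entries.items()
            if name.lower() == TROJAN_RUNSERVICES_VALUE
            or ntpath.basename(cmd.strip('"')).lower() == TROJAN_FILE}


def main() -> None:
    if sys.platform == "win32":
        import winreg  # read the live Winlogon value on a Windows host
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON) as key:
            userinit = winreg.QueryValueEx(key, "Userinit")[0]
    else:
        # Constructed sample mirroring the advisory, so this runs offline.
        userinit = r"c:\windows\system32\userinit.exe, c:\windows\system32\svcinit.exe"
    # Constructed RunServices content as the advisory describes it for Win9x/Me.
    runservices = {"SVC Service": r"c:\windows\system\svcinit.exe"}
    print("Extra Userinit entries:", suspicious_userinit_entries(userinit))
    print("RunServices hits:", suspicious_runservices(runservices))
    print("Repaired Userinit value:", cleaned_userinit(userinit))


if __name__ == "__main__":
    main()
```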