How2:Gut Level Removal of a Malware Program

UPDATE: AVAST AV now properly detects this nasty. :)
I have to compliment Avast on their quick response... they had an update to detect it within 8 hrs of when I sent the file in for analysis!

I just had the pleasure of having to clean a virus off my child’s computer.
The situation was completely avoidable if the child had remembered the rules regarding MSN Messenger CHAT USE. The child received a file transfer request from a friend’s system for a file, “download3849-1.exe”, and accepted the transfer without first confirming it with the friend.
The questionable file was run to ‘see what it would do’ and nothing seemed to happen.

This malware is new. As of the date of this message it is NOT DETECTABLE by AVAST,
Trend Micro HouseCall or any of the PC-cillin virus scanners. No other AV scanners were tested.

Here is where the adventure began... Microsoft Messenger Chat Worm!!!
System: AMD Duron 900 MHz, 128 MB RAM, Win2K with SP4, all patches applied.
Symptoms: System started acting weird. I tried “CTRL-ALT-DEL” to load Task Manager to investigate. Windows Task Manager opened and I caught a glimpse of an application name, “Antix-c” or something... Task Manager immediately minimized and closed. Attempting to load Regedit.exe gave the same results... Unable to access native Windows tools to attempt to remove this thing...
TroubleShooting Ideas:

  1. Realized that the malware was clever and disabled the normal tools.
  2. Cleanup would require 3rd party tools.
  3. Would have to search manually in the registry and startup areas for suspicious files.
  4. Disconnect the system from the rest of the network to isolate it for safety.
  5. Save a live copy of the malware by renaming it to *.vir so I could forward it to the anti-virus folks for examination and updates for the VPS files (avast).
  6. Check autostartup areas first, as it is much easier to find abnormal entries there.
  7. Search the internet for a suitable 3rd party tool (free is good) to search autostart areas.

I searched and found a suitable tool (listed below in cleanup process) and found:

==========================AutoStartup Areas Of Interest===========
*!! HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
*!! svshost c:\winnt\system32\hysrvt\svshost.exe

*!! HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*!! svshost c:\winnt\system32\hysrvt\svshost.exe

Note: When searching, I looked to ensure that all files listed in autostartup areas in the Windows system folders are Microsoft-signed files, and found 2 entries that had no Microsoft signature (above).
This gave me the file path, so I tried to verify the size of the suspicious files using Windows Explorer. No such directory... Enabled viewing of hidden files/folders in the system directory and suddenly I saw a new directory, “hysrvt”, under system32!
Attempting to rename the file failed until I restarted in Safe Mode.

=============CLEANUP================

  1. Creates hidden folder hysrvt in the system32 dir.
     File size: 98,816 bytes (+H +R -A)
  2. Unable to unhide the file or directory.
  3. Minimizes and closes Task Manager.
  4. Used Autoruns to find the suspicious files in startup and disable them without using Regedit or Task Manager. (Download from ‘www.sysinternals.com’, FREE.)

http://www.sysinternals.com/Utilities/Autoruns.html

  1. Enable viewing of hidden files in the system directory.
  2. Ren svshost.exe to svshost.exe.vir
  3. Restart the machine, remove the file svshost.exe.vir and delete the directory \system32\hysrvt\
  4. Start Task Manager and verify that Task Manager stays running and doesn’t close.
  5. All clear... Who says you have to wait for a removal tool if you do a little work yourself? ;D

Summary: There is no substitute for the user exercising good judgement and being informed of the dangers of malware. This doesn’t mean we should panic, but it does mean we should be careful and always ask if a file transfer was intentional or unusual.
TurtleWax
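The autostart check described in the post above (walk the two Run keys, find the file each entry launches, and flag anything that is not a Microsoft-signed file or that sits in a hidden directory) can be scripted on a current Windows box. The following is an added PowerShell example; it is not part of the original post and is not Autoruns. The two registry paths are the standard Run keys already quoted above; the function names, the flag wording and the report layout are my own, and it needs Windows PowerShell 5.1 or newer (it would not have run on the Win2K machine in the story).

```powershell
# Added example, not from the original post: automate the autostart check.
# Walk the two Run keys, resolve each value to the file it launches, and flag
# anything that is missing, hidden, or not signed by Microsoft.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Resolve-RunTarget {
    # Hypothetical helper: turn a Run value such as  "C:\Tools\app.exe" /tray
    # or  C:\Program Files\x\y.exe -q  into the bare executable path.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-SuspiciousRunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, ...; skip those
            if ($p.Name -like 'PS*') { continue }
            $target = Resolve-RunTarget -Command ([string]$p.Value)
            $flags  = New-Object System.Collections.Generic.List[string]
            $file   = $null

            if ([string]::IsNullOrWhiteSpace($target)) {
                $flags.Add('empty command')
            } else {
                # -Force is what makes files inside a +H directory visible;
                # without it the hysrvt folder from the post would be skipped.
                $file = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
            }

            if ($file) {
                if ($file.Attributes -band [IO.FileAttributes]::Hidden)           { $flags.Add('hidden file') }
                if ($file.Directory.Attributes -band [IO.FileAttributes]::Hidden) { $flags.Add('hidden directory') }
                $sig = Get-AuthenticodeSignature -FilePath $file.FullName
                if ($sig.Status -ne 'Valid') {
                    $flags.Add("signature $($sig.Status)")
                } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                    $flags.Add("signed by $($sig.SignerCertificate.Subject)")
                }
            } elseif ($flags.Count -eq 0) {
                $flags.Add('target not found (hidden, ACL-protected or bogus path)')
            }

            $size = if ($file) { $file.Length } else { $null }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Target     = $target
                SizeBytes  = $size
                Flags      = ($flags -join '; ')
                Suspicious = ($flags.Count -gt 0)
            }
        }
    }
}

# Report in the same shape as the tool output quoted in the post:
# '*!!' marks anything that fails a check. Run from an elevated prompt.
Get-SuspiciousRunEntry | ForEach-Object {
    $mark = if ($_.Suspicious) { '*!!' } else { '   ' }
    '{0} {1}\{2}' -f $mark, $_.Key, $_.Name
    '{0}   {1} ({2} bytes) {3}' -f $mark, $_.Target, $_.SizeBytes, $_.Flags
}
```

The script only reports; it does not rename or delete anything, which matches the order the post followed (identify first, then disable from Autoruns, then rename in Safe Mode). A "signature NotSigned" flag is not proof of malware on its own, since plenty of legitimate software ships unsigned, but an unsigned executable under system32 in a hidden directory, with a name one letter away from a real Windows binary, is exactly the combination worth looking at.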

You can avoid things like this easily by giving the kid a limited account and no install/dl rights.

If you are not getting a virus warning and you believe it is a new or undetected virus, then, if you can, zip and password-protect (‘virus’ will do) the suspect file and send it to virus @ avast.com (no spaces), assuming you still have it.

Give a brief outline of the problem, the fact that you believe it to be a new or undetected virus, and include the password in the body of the email. Some info on the avast version and VPS number (see About avast {right-click the avast icon}) will also help.