Myoga- (Retired Moderators; joined 12 Apr 2010; 1314 posts)
#1 Posted: 22 Sep 2010 12:34 am Post subject: Ugh (Ramnit-B and Exedropper Virus)
Shitty virus destroyed all of my websites' *.htm and *.html files, as well as all the help files for my programs like Ventrilo.
Guys, if you visit tvshack.cc often, CHECK YOUR COMPUTER! Browse to a folder that contains .html or .htm files, right click one, and click Open With -> Notepad.
Now, dumbass that I am, I wanted to figure some info out on this virus and kept booting instead of trying to fix the problem (I was trying to find out what exactly it was doing). It seems there are 2 parts to it. One part modifies all *.htm and *.html files and the other manifests itself in *.exe and *.dll files.
Source of the *.html file:
Since I'm not allowed to post the link to the source, hopefully here are things to look for:
Look for a random header. Every time a new file is written it is given a new header, and it's always random characters:
Code:
M±nÃ0D÷|…ÀÝV´@ÚJ^ºe
Ðü #³¶[R¤KÐü}#»@:‘wy4#æ©Û(3
÷÷ª<k>A•ì,U¾w9´`{nƒà®4RziO…ÔÄa¸ð –v|å¯e•:£×#]¥ê6F¯où†wˆ
Another thing to look for would be right underneath the header of the file, which would be this line of code:
Code:
DropFileName = "svchost.exe"
(Note: if you know what language this is written in and do run this, nothing will happen except that the computer will restart on you.)
Also look for this at the bottom:
Code:
Set WSHshell = CreateObject("WScript.Shell")
DO NOT RUN THE CODE! THIS IS FOR EDUCATIONAL PURPOSES ONLY! ***** I'M NOT KIDDING! *****
What it does is temporarily drop the process tree "svchost.exe", rewrite the file, and then reload. It then searches for .exe and .dll files and / or .html and .htm files and writes itself into their code.
If you have this virus I really recommend formatting. It is fixable but it will leave you with a lot of errors afterwards. I do not recommend tackling it unless you know what you are doing.
Avast5 will pick up the files that were modified but NOT the original files, which is complete bullshit! It will throw all of these files in the chest, and then when the chest's full they get deleted (which is why I lost a lot of my data).
The tool I used to get rid of the majority of the virus was MRI (Geek Squad) and then cleared the temp files out (this doesn't seem to delete all of it).
If you have some sort of explorer that allows you to browse for / delete files, use that (MRI can do this as well, but safe mode with command prompt works too).
Once safe mode loads up, hit CTRL+ALT+DELETE, click on New Task..., and type in "explorer". Click on Start -> My Computer, click on the Address Bar (View -> Toolbars -> Address Bar if it's not showing) and type in "C:\Documents and Settings\$your username$\Local Settings" (switch out $your username$ for your computer's username), then open the Temp folder and delete EVERYTHING in it, then go back, open Temporary Internet Files and delete EVERYTHING in there as well.
Tools I used to scan after above removal:
MRI (Great for removing all temp files if you can get your hands on it)
MalwareBytes
Avast
After that I modified the startup items, removing everything that didn't look correct and removing a lot of the usual startup items. I also deleted (didn't run the uninstaller, just deleted) the folders of a lot of my most used applications (MSN, AIM, Photoshop, Steam, Ventrilo), all applications it seemed to have targeted (I'm not sure if you could just re-download the installers and repair, but I wanted to be on the safe side). Make sure you remove almost all programs from the startup! Otherwise it'll just load itself again from one of the infected files (do not edit the startup unless you know what you are doing). You can get to the startup by going to "Start -> Run -> msconfig". Edit both the "Services" and "Startup" tabs.
Good luck! It's one hell of a virus.
Last edited by Myoga- on 22 Sep 2010 08:03 am; edited 6 times in total
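As an added, defender-side example that is not part of Myoga-'s post: a small Python scanner that walks a web root and flags .htm/.html files containing the two VBScript lines quoted above, plus a simple heuristic for the "random header" (a high share of non-text bytes at the top of a file that should start with plain HTML). The marker regexes, the 64-byte window and the 30% threshold are my own assumptions, and the two sample pages are constructed for the demo, not real infected files.

```python
"""Scan a directory for .htm/.html files showing the dropper indicators from the post.

Added example; it only reads files and reports matches, nothing is executed.
"""
import os
import re
import tempfile

# Indicators quoted in the post: the drop-file assignment near the top of the
# rewritten page and the WScript.Shell object creation at the bottom.
MARKERS = [
    ("dropfilename-assignment",
     re.compile(rb'DropFileName\s*=\s*"[^"]*"', re.IGNORECASE)),
    ("wscript-shell-createobject",
     re.compile(rb'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE)),
]


def header_looks_random(data, window=64, threshold=0.3):
    """True if the first `window` bytes contain at least `threshold` non-text bytes.

    Normal HTML begins with printable ASCII (<!DOCTYPE, <html, whitespace);
    the post describes the rewritten files as starting with random characters.
    """
    head = data[:window]
    if not head:
        return False

    def is_text(b):
        return b in (0x09, 0x0A, 0x0D) or 0x20 <= b < 0x7F

    non_text = sum(1 for b in head if not is_text(b))
    return non_text / len(head) >= threshold


def scan_bytes(data):
    """Return the list of indicator names found in one file's raw contents."""
    hits = []
    if header_looks_random(data):
        hits.append("random-binary-header")
    for name, pattern in MARKERS:
        if pattern.search(data):
            hits.append(name)
    return hits


def scan_tree(root):
    """Walk `root`; return {path: [indicators]} for every .htm/.html file with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read())
            if hits:
                findings[path] = hits
    return findings


# Constructed samples (not real malware): a clean page, and a page shaped like
# the rewritten files the post describes: binary junk up top, the original
# markup, then a VBScript block holding the two marker lines.
CLEAN_PAGE = b"<!DOCTYPE html>\n<html><body><h1>Hello</h1></body></html>\n"
SUSPECT_PAGE = (
    bytes(range(0x80, 0xC0)) + b"\n"           # 64 non-text bytes: the "random header"
    + b"<html><body>original content</body></html>\n"
    + b'<script language="VBScript">\n'
    + b'DropFileName = "svchost.exe"\n'
    + b'Set WSHshell = CreateObject("WScript.Shell")\n'
    + b"</script>\n"
)


def demo():
    """Write both samples into a temp web root, scan it, return {filename: hits}."""
    with tempfile.TemporaryDirectory() as root:
        site = os.path.join(root, "site")
        os.makedirs(site)
        with open(os.path.join(site, "index.html"), "wb") as fh:
            fh.write(CLEAN_PAGE)
        with open(os.path.join(site, "about.htm"), "wb") as fh:
            fh.write(SUSPECT_PAGE)
        return {os.path.basename(p): hits for p, hits in scan_tree(root).items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", ", ".join(hits))
```

Run it against a real web root by calling `scan_tree("C:/path/to/site")`; a file that trips both marker regexes is a much stronger signal than the header heuristic alone, which can also fire on pages saved in an unusual encoding.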
Cinemax (Members; joined 05 Jul 2008; 8361 posts; Clan: HoD II)
#2 Posted: 22 Sep 2010 02:13 am
Do not post a link like that again please.
Myoga- (Retired Moderators; joined 12 Apr 2010; 1314 posts)
#3 Posted: 22 Sep 2010 07:09 am
Cinemax wrote: "Do not post a link like that again please."
That link will do nothing to you unless you go and copy / paste the code and run it yourself =/ There's no harm in browsing it...
I was trying to post what to look for / how to remove it since I haven't found any help anywhere else on this virus yet, only the stupid "I formatted my computer and everything works again".
Edit: I modified the original post again with snippets of a couple things to look for, nothing that could potentially harm someone if they were stupid enough to run it.
Last edited by Myoga- on 22 Sep 2010 07:14 am; edited 3 times in total
Cinemax (Members; joined 05 Jul 2008; 8361 posts; Clan: HoD II)
#4 Posted: 22 Sep 2010 07:43 am
It comes down to it being an easy-to-click link. It's human nature for people to click links that are available to click on; we're all like trained monkeys in some ways.
It's inevitable that someone will click it, take an interest in it, run it, share it, play with it and break their parents' PC, or lose information, or lose a hard drive, or have a fit and spam the forums about a link that you posted and now they lost passwords or an account or a Swiss bank account; the possibilities are endless.
They could click it, be upset and not be thinking, and crash their car into another car down some street, and the person inside they hit could have been the woman of one of our dreams, or our perfect match.... then we would never have a chance to find our soul mate.
Last edited by Cinemax on 22 Sep 2010 07:45 am; edited 1 time in total
Myoga- (Retired Moderators; joined 12 Apr 2010; 1314 posts)
#5 Posted: 22 Sep 2010 08:05 am
Cinemax wrote: "It comes down to it being an easy-to-click link. It's human nature for people to click links that are available to click on; we're all like trained monkeys in some ways.
It's inevitable that someone will click it, take an interest in it, run it, share it, play with it and break their parents' PC, or lose information, or lose a hard drive, or have a fit and spam the forums about a link that you posted and now they lost passwords or an account or a Swiss bank account; the possibilities are endless.
They could click it, be upset and not be thinking, and crash their car into another car down some street, and the person inside they hit could have been the woman of one of our dreams, or our perfect match.... then we would never have a chance to find our soul mate."
You have quite the imagination o.O. Although the link is harmless, if you know how to run it and decide to copy / paste it then it wouldn't be.
Nonetheless, I have re-edited the main post with things to look for. Hopefully that can stay. The only reason I posted all of this is because AFAIK there isn't any other site out there offering a viable solution to the problem without formatting.
D3jsp is proudly powered by phpBB © 2.0 Theme and Forum by tramway