Trojan.Win32.S.PSWMagania.166198
種類
I-Worm
危険度/拡散度
/
発見日
[korea] 2010-03-17 [Foreign] 0000-00-00
Virobot対応
2010-03-17 [Able to detect & repair]

[Symptoms of Infection]

1) It creates files to below path.

(System Folder)\ahnsbsb.exe
(System Folder)\ahnfgss(number).dll
(System Folder)\ahnxsds(number).dll
(System Folder)\drivers\cdaudio.sys (normal)
(Route)\66y01b.cmd
(Route)\autorun.inf
 

2) It adds registry for automatic execution on system boot.

HKCU\Software\Microsoft\Windows\CurrentVersion\run
- ahnsoft : (System Folder)\ahnsbsb.exe
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{AF4DA69B-E1D6-469A-855B-6445294857D4}
- Register (System Folder)\ahnxsds(number).dll file to BHO
 

3) By modifying registry, it hides below files.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Hidden : 2
 

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- ShowSuperHidden : 0
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Floder\Hidden\SHOWALL
- CheckedValud : 0
 

4) The created ahnfgss(number).dll file runs by injecting to all processes, and it is created for stealing user account. The target processes are like below.

TwelveSky2.exe
Mir3Game.exe
dnf.exe
maplestory.exe
winbaram.exe
GVOnline.bin
pleione.dll
ragexe.exe
InphaseNXD.EXE
aion.bin
wow.exe
 

5) The created ahnxsds(number).dll file runs by injecting to iexplore.exe process, and it is created for stealing user account. The target sites are like below.

12sky2.paran.com
aion.plaync.co.kr
df.nexon.com
dho.netmarble.net
hangame.com
id.hangame.com
lotro.hangame.com
maplestory.nexon.com
pmang.sayclub.com
sp1.nexon.com
wffm.mgame.com
www.champagnemania.co.kr
www.hangame.com
yulgang.mgame.com
 

6) It accesses to http://kxhxcx.nxt (2x2.x1x.x7x.x5x) and downloads certain files, but the website cannot be accessible now.

http://kxhxcx.nxt/xg/xhx.xax

[How to repair]

1. If you are WinXP/ME users, please be inactivate System Recovery Function.

The reason why being inactivate of the system recovery is to clean the virus completely.
You can refer to MS technical documents(Q263455) for more details.

2. Update the engine module for the latest one.
To repair this virus, you need to update the engine for the latest one.

a. ViRobot products users
     -Download the latest engine files via our website (www.hauri.net)

b. Non-ViRobot products users
     - Use the LiveCall (Free Scan) via the website (http://www.livecall.co.kr)

     - Use the trial version of ViRobot products (30days only)

3. How to scan the virus.

a. Run your ViRobot, and choose "all files" in scan option.

- ViRobot Desktop 5.0 : [Tools] -> [Configuration] -> [Virus Scan] : Check all files

- ViRobot Desktop 5.5 : [Tools] -> [Configuration] -> [Virus Scan] : Check all files

- LiveCall (Free Scan) : [Advanced Scan] : Check

b. Repair all viruses detected.

c. If [Auto-repair after rebooting] message shows up, please try to re-scan after rebooting the PC.