
Friday, March 28, 2008

regsvr.exe / rundll.exe / ‘Microsoft CorpAration’ virus details & heal uploaded

I recently had to face the problem of a particular virus on my PC. This virus was quite a survivor, even with it being detected on every scan that I performed. It had made some changes in the registry, because of which all my antivirus was able to do was give me a message that a special removal technique was required to remove this virus and that it would be removed at the next reboot. However, that was not to be the case, and the virus survived every action taken by my anti-virus software. So I thought I had to gear up to bring an end to this menace. So I googled the name of the virus and found a very interesting article about the virus, which I am posting here hoping that it will be of use to someone who might be troubled by its presence as well....

This virus creates a lot of files and makes a lot of registry changes. Finding the solution was really challenging. It is built with AutoIt (version unknown). The latest Kaspersky update does not detect this virus unless the system is scanned thoroughly.

not-a-virus:Monitor.Win32.007SpySoft.q -> rundll.exe
Worm.Win32.AutoIt.s -> regsvr.exe

The “Microsoft Corparation” tag is really confusing. Mind it, it's Corp'a'ration, not Corp'o'ration … he he

I won't say the heal is totally complete; some more work is supposed to be done on it, probably to fix some more registry entries. But overall this heal will end-task the virus files and restore most of the registry entries.

This virus/Trojan keeps a complete watch on the system by taking snapshots every 30 seconds. Suppose you have this virus for 30 days; just think how much space it will eat. lol

Like other recent viruses, this one creates an .exe file inside every folder with the name of the parent folder (BUT only on removable drives; this is one of its peculiarities). It spreads via pen drives, leaving regsvr.exe, New Folder.exe and autorun.inf in the root directory of the pen drive and the other files inside the folders.
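A defender's check for the pen-drive spreading pattern just described, written as an added example (it is not part of the original article): it walks a drive root, flags the three root files and any .exe named after its parent folder. The sample tree is constructed in a temporary directory with placeholder files; the function and category names are my own.

```python
import os
import tempfile

# Files the write-up reports in the root of an infected pen drive (compared case-insensitively).
ROOT_MARKERS = {"autorun.inf", "regsvr.exe", "new folder.exe"}


def scan_removable_root(root):
    """Return (kind, path) findings for the spreading pattern described in the write-up.

    'root-dropper' : autorun.inf, regsvr.exe or New Folder.exe at the drive root
    'folder-mimic' : an .exe whose name equals its parent folder (Photos\\Photos.exe)
    """
    findings = []
    for name in os.listdir(root):
        full = os.path.join(root, name)
        if name.lower() in ROOT_MARKERS and os.path.isfile(full):
            findings.append(("root-dropper", full))
    for dirpath, _, filenames in os.walk(root):
        if dirpath == root:  # only sub-folders get the look-alike companion
            continue
        parent = os.path.basename(dirpath).lower()
        for fname in filenames:
            stem, ext = os.path.splitext(fname)
            if ext.lower() == ".exe" and stem.lower() == parent:
                findings.append(("folder-mimic", os.path.join(dirpath, fname)))
    return findings


def build_sample_tree(base):
    """Constructed test data: a pen-drive layout mimicking the infection (placeholder bytes, no malware)."""
    for rel in ("autorun.inf", "regsvr.exe", "New Folder.exe", "Photos/Photos.exe",
                "Photos/beach.jpg", "Docs/Docs.exe", "Docs/notes.txt", "Clean/readme.txt"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder bytes")
    return base


def demo_scan():
    """Build the sample tree, scan it and return sorted (kind, relative path) tuples."""
    with tempfile.TemporaryDirectory() as tmp:
        found = scan_removable_root(build_sample_tree(tmp))
        return sorted((kind, os.path.relpath(path, tmp).replace(os.sep, "/"))
                      for kind, path in found)


if __name__ == "__main__":
    for kind, rel in demo_scan():
        print(f"{kind:13} {rel}")
```

Point scan_removable_root at the mounted drive root to check a real pen drive; a clean folder such as Clean/ above produces no finding.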

So here is the solution…

regsvr.exe / Winhelp.exe / rundll.exe
===========================

File names

———–

Name : regsvr.exe
Name : winhelp.exe
Type of file : Application
Icon : Folder icon
Size : 1.06 MB (1,114,588 bytes)
Size on disk : 1.07 MB (1,122,304 bytes)
File version : 1.1.2.2
Description : Microsoft Corparation (it's Microsoft Corp'a'ration, not Microsoft Corporation)
Copyright :
Compiled script : Microsoft Corporation
File version : 1,1,2,2
Language : English (United Kingdom)

Name : rundll.exe
Type of file : Application
Description : Generic Host Process for Win32 Services
Size : 161 KB (164,864 bytes)
Size on disk : 168 KB (172,032 bytes)
File version : 3.8.0.7400
Company : Microsoft Corporation
Internal name : svchost-full-org
Language : English (United States)
Original name : svchost-full-org.exe

Other supporting files, created during installation of the virus:

Name: MSINET.OCX
Type: ActiveX Control
Size: 60.5 KB (61,952 bytes)
Size on disk: 64.0 KB (65,536 bytes)
File version: 5.1.45.11
Description: Microsoft Internet Transfer Control DLL
Copyright: Copyright © 1987-1997 Microsoft Corp.
Comments: September 11, 1997
Company: Microsoft Corporation
File version: 5.01.4511
Internal name: MSINET.OCX

Name: ijl11pro.dll
Type: Application Extension
Size: 70.0 KB (71,680 bytes)
Size on disk: 72.0 KB (73,728 bytes)
File version: 1.1.2.16
Description: Intel® JPEG Library - Retail Version
Copyright: Copyright © 1999
Comments: Intel® JPEG Library
Company: Intel Corporation
File version: 1.1.2
Internal name: Intel® JPEG Library
Original name: ijl11.dll

x—x—x

Recognized by KAV
—————–

not-a-virus:Monitor.Win32.007SpySoft.q rundll.exe
Worm.Win32.AutoIt.s regsvr.exe
x—x—x

Running Process
—————

Process       User     CPU     Threads
regsvr.exe             1-30%   2
rundll.exe             0%      4
Winhelp.exe   SYSTEM   1-40%   1

x—x—x

Behind the Screen
—————–

Files Created:
…………..

C:\DOCUME~1\JAYDEV\LOCALS~1\Temp\aut3.tmp
C:\DOCUME~1\JAYDEV\LOCALS~1\Temp\aut4.tmp
C:\DOCUME~1\JAYDEV\LOCALS~1\Temp\aut5.tmp
C:\DOCUME~1\JAYDEV\LOCALS~1\Temp\aut6.tmp
C:\WINDOWS\winhelp.ini
C:\WINDOWS\system32\rundll.exe
C:\WINDOWS\system32\ijl11pro.dll
C:\WINDOWS\system32\MSINET.OCX
C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\regsvr.exe
C:\WINDOWS\system32\winhelp.exe
C:\Documents and Settings\Piyush Chandra\Local Settings\Temp\~DFD5E6.tmp
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
C:\WINDOWS\system32\COMCTL32.OCX
C:\WINDOWS\system32\stdole2.tlb
ModifyFile C:\WINDOWS\winhelp.ini

Registry entries changed:
……………….

ModifyRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79ebb8fd-f8e1-11dc-a1b1-806d6172696f}\BaseClass
etc
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messenger
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
CreateRegValue \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\system
CreateDir C:\WINNT\system32\ssdata\
CreateDir C:\Recycled\WinLiveUpdate32\scrdata\
CreateDir C:\Recycled\WinLiveUpdate32\
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Themes
CreateRegKey \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
etc
CreateRegKey \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
etc
CreateRegValue HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User “I:\WINDOWS\system32\rundll.exe”
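To triage a behaviour log like the one above, here is an added example (not from the original post) that tags each recorded registry or file operation with what it means for cleanup: Winlogon hijack, Run-key persistence, policy tampering, the AT scheduler setting, or a dropped folder under Recycled. The sample log is constructed from the lines shown on the page; the category names and rule set are my own.

```python
import re
from collections import Counter

# Constructed sample: behaviour-log lines taken from the write-up (the SID is the one shown there).
SAMPLE_LOG = r"""
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messenger
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
CreateRegValue \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\system
CreateDir C:\Recycled\WinLiveUpdate32\scrdata\
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Themes
etc
"""

LINE_RE = re.compile(r"^(ModifyRegValue|CreateRegValue|CreateRegKey|CreateDir|ModifyFile)\s+(.+?)\s*$")

# (category, pattern over the lower-cased path); the first matching rule wins.
RULES = [
    ("persistence:winlogon", re.compile(r"\\winlogon\\(shell|system)$")),
    ("persistence:run-key", re.compile(r"\\currentversion\\run\\[^\\]+$")),
    ("tamper:policy", re.compile(r"\\policies\\(system|explorer)\\(disabletaskmgr|disableregistrytools|nofolderoptions)$")),
    ("persistence:at-scheduler", re.compile(r"\\services\\schedule\\")),
    ("dropped:recycled-dir", re.compile(r"^[a-z]:\\recycled\\")),
]


def classify_log(text):
    """Return (category, action, path) for each line that hits a rule; 'etc' and blank lines are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        action, path = m.groups()
        for category, rx in RULES:
            if rx.search(path.lower()):
                findings.append((category, action, path))
                break
    return findings


def summarize(findings):
    """Count findings per category: the list of things the cleanup has to undo."""
    return dict(Counter(category for category, _, _ in findings))


# User SIDs seen under \REGISTRY\USER, tying the Run/Policies hits to a profile.
def user_sids(text):
    return set(re.findall(r"\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\", text))
```

Feed the whole monitor output to classify_log; operations that match no rule (for example the TypeLib and CLSID keys above) are left out of the findings.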

Registry access:
…………….

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
HKLM\SYSTEM\ControlSet001\Hardware Profiles001
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness

x—x—x

More behind the screen
———————-

The virus gets completely installed only after rebooting two times.

It uses cacls.exe to change some permission settings (which ones has not yet been discovered).

It saves print-screen images in c:\recycled\WinLiveUpdate32\ at an interval of 30 seconds,
so it eats up the space on your c:\ drive if you are affected by this virus for a long time.

It logs some of the activity on the system in c:\recycled\WinLiveUpdate32\scrdata\, in files named Apps.data, Files.dat, Keys.data, scr.data and lgstat.ini.

In simple words: it keeps complete track of your computer.

Warning Messages
—————–

rundll.exe
Another program is currently using this file.

Kaspersky
Riskware: not-a-virus:Monitor.Win32.007SpySoft.q
File: I:\WINDOWS\system32\rundll.exe

x—x—x

Solution:
———

Start > Run > type the following

(if you have a laptop, copy taskkill.exe into your c:\windows\system32\ folder first)

End task
……..

taskkill /f /im regsvr.exe /t
taskkill /f /im rundll.exe /t
taskkill /f /im winhelp.exe /t

Registries
……….

at /delete /yes
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /f
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f
reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v System /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v shell /t REG_SZ /d "Explorer.exe" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Themes" /f

Files
…..

cmd /k del "%USERPROFILE%\Local Settings\Temp\aut*" /f
cmd /k del "%USERPROFILE%\Local Settings\Temp\~*" /f
cmd /k del "%WINDIR%\System32\rundll.exe" /f
cmd /k del "%WINDIR%\winhelp.ini" /f
cmd /k del "%WINDIR%\system32\ijl11pro.dll" /f
cmd /k del "%WINDIR%\system32\MSINET.OCX" /f
cmd /k del "%WINDIR%\system32\regsvr.exe" /f
cmd /k del "%WINDIR%\regsvr.exe" /f
cmd /k del "%WINDIR%\system32\winhelp.exe" /f
cmd /k del "C:\WINNT\system32\ssdata\"
cmd /k del "C:\Recycled\WinLiveUpdate32\scrdata\" /f /q
cmd /k del "C:\Recycled\WinLiveUpdate32\" /f /q
(the last three del commands only empty those folders; run rmdir /s /q on each if you also want the folders themselves gone)
(and delete regsvr.exe, New Folder.exe and autorun.inf from pen drives)

Download:
———

Please download the Heal for regsvr.exe from here

http://rapidshare.com/files/103081849/Heal_regsvr1.0.rar

1 comment:

Subha said...

Hmmm... I have been using my computer with one of the .exe viruses, which has settled (and is quite happy replicating New folders) once and for all. I tried downloading a good anti-virus from the net, but as soon as the download icon appears, something happens and it disappears. I tried the site www.webroot.com where a free scan is available, and even that disappears as soon as the scan process starts. My friend was lucky to get her hands on a free scan and discovered a worm!! (and the BIG THANKS goes to our college computer where we used our pen drives. It has more viruses and worms than memory space and data). My run option has disappeared along with my folder options. The files in the pen drive don't open (isn't my pen drive supposed to be useful??). The damage is done and there seems to be only one solution: FORMATTING. But only god knows what I am to lose. Just waiting for the project work to get over.