ViRobot


Trojan.Win32.Downloader.30208.CZ

Aliases: (none listed)
Typical Symptoms: changes homepage address, changes homepage, prints screen, displays popup windows, downloads a particular file, changes registry, changes system information, places malicious code
Discovered: [Korea] 2009-05-07; [Foreign] 0000-00-00
Type: Trojan Horse
Active Field: Win32
Destroy/Distribution: (not given)
Origin: China
Encryption: (not given)
Location: None
Memory residence: (not given)
Scan engine needed: 2009-05-07 [Able to detect & repair]
Description

[Summary]

It spreads via Autorun.inf, blocks the execution of certain processes, and downloads additional malicious code.

[Symptom of Infection]

1. Certain processes cannot be executed.
2. The Internet start page is modified.
3. A particular web page is displayed periodically.
4. The Firewall service is paused.



[Detailed Information]

1. When the system is infected, the malicious code creates files at the following paths:

(User Temp Folder)\dll(1 digit number).tmp (Trojan.Win32.AntiAV.11264.G)
(Root Folder)\AUTORUN.INF (INF.Autorun.151.I)
(Root Folder)\GRIL.PIF (Trojan.Win32.DownLoader.30208.CZ)


2. By modifying the registry, it blocks the execution of the following processes:


360rpt.EXE
360safe.EXE
360safebox.EXE
360tray.EXE
ANTIARP.EXE
ArSwp.EXE
Ast.EXE
AutoRun.EXE
AutoRunKiller.EXE
AvMonitor.EXE
AVP.COM
AVP.EXE
CCenter.EXE
Frameworkservice.EXE
GFUpd.EXE
GuardField.EXE
HijackThis.EXE
IceSword.EXE
Iparmor.EXE
KASARP.EXE
kav32.EXE
KAVPFW.EXE
kavstart.EXE
kissvc.EXE
kmailmon.EXE
KPfwSvc.EXE
KRegEx.EXE
KVMonxp.KXP
KVSrvXP.EXE
KVWSC.EXE
kwatch.EXE
Mmsk.EXE
Navapsvc.EXE
nod32krn.EXE
Nod32kui.EXE
PFW.EXE
QQDoctor.EXE
RAV.EXE
RavMon.EXE
RavMonD.EXE
Ravservice.EXE
RavStub.EXE
RavTask.EXE
RAVTRAY.EXE
Regedit.EXE
rfwmain.EXE
rfwProxy.EXE
rfwsrv.EXE
Rfwstub.EXE
RsAgent.EXE
Rsaupd.EXE
RsMain.EXE
rsnetsvr.EXE
RSTray.EXE
Runiep.EXE
safeboxTray.exe
ScanFrm.EXE
SREngLdr.EXE
TrojanDetector.EXE
Trojanwall.EXE
TrojDie.KXP
VPC32.EXE
VPTRAY.EXE
WOPTILITIES.EXE


3. It pauses the Firewall service.


4. It checks c.xxcx.com/xt.txt and then downloads other malicious code.

5. It downloads an image from c.xxcx.com/xd.jpg and then modifies the Internet start page so that the page is displayed periodically.

[Notation]

- "(User Temp Folder)" differs from system to system; it is generally "C:\Documents and Settings\Account Name\Local Settings\Temp".

- "(Root Folder)" is the top-level folder of each drive.
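As an added defender-side triage example (not HAURI's code), the Python helper below checks a drive root and the user temp folder for the file artifacts listed under [Detailed Information] and parses AUTORUN.INF for the launch keys that would start GRIL.PIF. The autorun.inf content and the folder layout built by `demo` are constructed samples, not captures from the malware.

```python
import re
import tempfile
from pathlib import Path

# Artifact names taken from the advisory's [Detailed Information] section.
ROOT_ARTIFACTS = {"AUTORUN.INF", "GRIL.PIF"}
TEMP_PATTERN = re.compile(r"^dll\d\.tmp$", re.IGNORECASE)  # "dll(1 digit number).tmp"
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\.*\\command)$", re.IGNORECASE)
# Constructed sample autorun.inf, not captured from the malware.
SAMPLE_AUTORUN = "[AutoRun]\n; comment\nopen=GRIL.PIF\nshell\\open\\Command=GRIL.PIF\nicon=x.dll,4\n"

def autorun_launch_targets(inf_text: str) -> list:
    """Commands the [autorun] section would run; keys compared case-insensitively, as Windows does."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEYS.match(key):
                targets.append(value)
    return targets

def scan_for_artifacts(drive_root: Path, user_temp: Path) -> list:
    """List the advisory's file artifacts under a drive root and a user temp folder."""
    findings = []
    for entry in sorted(drive_root.iterdir()):
        if entry.is_file() and entry.name.upper() in ROOT_ARTIFACTS:
            findings.append(f"root artifact: {entry.name}")
            if entry.name.upper() == "AUTORUN.INF":
                text = entry.read_text(encoding="latin-1", errors="replace")
                findings += [f"autorun launches: {t}" for t in autorun_launch_targets(text)
                             if "GRIL.PIF" in t.upper()]
    findings += [f"temp artifact: {e.name}" for e in sorted(user_temp.iterdir())
                 if e.is_file() and TEMP_PATTERN.match(e.name)]
    return findings

def demo() -> list:
    """Build a constructed drive root and temp folder with placeholder files, then scan them."""
    base = Path(tempfile.mkdtemp())
    root, temp = base / "root", base / "temp"
    root.mkdir(); temp.mkdir()
    (root / "AUTORUN.INF").write_text(SAMPLE_AUTORUN)
    (root / "GRIL.PIF").write_bytes(b"placeholder, not the real dropper")
    (temp / "dll3.tmp").write_bytes(b"placeholder")
    return scan_for_artifacts(root, temp)
```

On a real system, pass the drive root (e.g. `Path("E:/")`) and the Temp folder named in the notation above instead of the constructed layout.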


Removal Instructions
[How to repair]

1. If you are a Windows XP/ME user, deactivate the System Restore function first.

System Restore must be deactivated so that the virus can be cleaned completely.
Refer to the Microsoft technical document Q263455 for more details.

2. Update the engine module to the latest version.
To repair this virus, you need to update the engine to the latest version.

a. ViRobot product users
     - Download the latest engine files via our website (www.hauri.net)

b. Non-ViRobot product users
     - Use LiveCall (Free Scan) via the website (http://www.livecall.co.kr)

     - Use the trial version of ViRobot products (30 days only)

3. How to scan for the virus.

a. Run ViRobot and choose "all files" in the scan options.

- ViRobot Expert 4.0 : [Edit] -> [Configuration] -> [Scan] : Check all files

- ViRobot Desktop 5.0 : [Tools] -> [Configuration] -> [Virus Scan] : Check all files

- ViRobot Desktop 5.5 : [Tools] -> [Configuration] -> [Virus Scan] : Check all files

- LiveCall (Free Scan) : [Advanced Scan] : Check

b. Repair all viruses detected.

c. If the [Auto-repair after rebooting] message appears, re-scan after rebooting the PC.
Copyright 2008 @ HAURI Inc. All rights reserved.