
| Aliases | | | |
|---|---|---|---|
| Typical Symptoms | Place malicious code, Downloading a particular file | | |
| Discovered | [Korea] 2009-12-28 [Foreign] 0000-00-00 | | |
| Type | Others | Active Field | Win32 |
| Destroy/Distribution | | | |
| Origin | China | Encryption | NO |
| Location | None | Memory residence | NO |
| Scan engine needed | 2009-12-28 [Able to detect & repair] | | |
[Symptom of Infection]

- (User Temp Folder)\E_N4\cnvpe.fne
- (User Temp Folder)\E_N4\dp1.fne
- (User Temp Folder)\E_N4\eAPI.fne
- (User Temp Folder)\E_N4\HtmlView.fne
- (User Temp Folder)\E_N4\internet.fne
- (User Temp Folder)\E_N4\krnln.fnr
- (User Temp Folder)\E_N4\shell.fne
- (User Temp Folder)\E_N4\spec.fne
- (System Folder)\(Random 6-digits)\(Random 6-digits).EXE
- (System Folder)\(Random 6-digits)\cnvpe.fne
- (System Folder)\(Random 6-digits)\dp1.fne
- (System Folder)\(Random 6-digits)\eAPI.fne
- (System Folder)\(Random 6-digits)\HtmlView.fne
- (System Folder)\(Random 6-digits)\internet.fne
- (System Folder)\(Random 6-digits)\krnln.fnr
- (System Folder)\(Random 6-digits)\RegEx.fnr
- (System Folder)\(Random 6-digits)\shell.fne
- (System Folder)\(Random 6-digits)\spec.fne
- (User Startup Programs)\(Random 6-digits).lnk

2. The malicious code is executed by injecting the created *.fne and *.fnr files into its process. The *.fne and *.fnr files are DLL files with a PE structure.

3. It downloads malicious files by accessing certain websites:

- http://www.a.sxixex.cxx (2x0.1x1.x.1x5)
- http://x-6x.cx (2x8.x.7x.14x)
[How to repair]

1. If you are a WinXP/ME user, please deactivate the System Recovery function. System recovery is deactivated so that the virus can be cleaned completely.

- Use the trial version of ViRobot products (30 days only)

a. Run ViRobot and choose "all files" in the scan options.

- ViRobot Desktop 5.5: [Tools] -> [Configuration] -> [Virus Scan]: Check all files
- LiveCall (Free Scan): [Advanced Scan]: Check
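A triage check for the file-system symptoms listed under [Symptom of Infection], as an added example that is not part of the original advisory and is not ViRobot's own code. It assumes "Random 6-digits" means six decimal digits; the folder roots and the sample listing are constructed.

```python
import re
from pathlib import PureWindowsPath as P

# File names the page lists under E_N4 and the six-digit folder (lower-cased).
RUNTIME = {"cnvpe.fne", "dp1.fne", "eapi.fne", "htmlview.fne", "internet.fne",
           "krnln.fnr", "regex.fnr", "shell.fne", "spec.fne"}
SIX = re.compile(r"\d{6}")  # assumption: "Random 6-digits" = six decimal digits

def classify(path, temp, system, startup):
    """Return the symptom category a path matches, or None."""
    p = P(path)  # PureWindowsPath compares case-insensitively
    name, folder = p.name.lower(), p.parent
    if folder == P(temp) / "E_N4" and name in RUNTIME:
        return "temp-runtime"
    if folder.parent == P(system) and SIX.fullmatch(folder.name):
        if name in RUNTIME:
            return "system-runtime"
        if p.suffix.lower() == ".exe" and SIX.fullmatch(p.stem):
            return "system-exe"
    if folder == P(startup) and p.suffix.lower() == ".lnk" and SIX.fullmatch(p.stem):
        return "startup-lnk"
    return None

def assess(paths, temp, system, startup):
    """Group matching paths by category and flag the strong combination."""
    hits = {}
    for path in paths:
        kind = classify(path, temp, system, startup)
        if kind:
            hits.setdefault(kind, []).append(path)
    # File names alone are weak evidence; require an executable and runtime
    # modules side by side in the same six-digit folder before flagging.
    exe_dirs = {P(x).parent for x in hits.get("system-exe", [])}
    run_dirs = {P(x).parent for x in hits.get("system-runtime", [])}
    return hits, bool(exe_dirs & run_dirs)

# Constructed sample listing (not from a real host); folder roots are assumptions.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SYSTEM = r"C:\Windows\System32"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE = [TEMP + r"\E_N4\krnln.fnr", SYSTEM + r"\482913\482913.EXE",
          SYSTEM + r"\482913\HtmlView.fne", STARTUP + r"\482913.lnk",
          SYSTEM + r"\drivers\etc\hosts", TEMP + r"\setup.exe"]

if __name__ == "__main__":
    print(assess(SAMPLE, TEMP, SYSTEM, STARTUP))
```

Feed it a recursive file listing from the host; a flagged result is a prompt for a full scan, not a verdict.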