ViRobot

Security Info

  • Security Center
    • Virus
  • Security Dictionary
  • Security Service

Threats DB

Trojan.Win32.Chepvil.17920

Aliases  Trojan.Win32.Chepvil.17920
Typical Symptoms  Changes registry,Displays message box,Downloading a particular file,Creates file,Prints screen
Discovered  [korea] 2011-04-29
 [Foreign] 0000-00-00
Type  Trojan Horse ActiveField  Win32
Destory/Distribution
Origin  others Encryption  NO
Location  File Memory residence  YES
Scan engine needed
2011-04-29 [Able to detect & repair]
  • Free scan
  • Free trial download
Description

1.   Trojan.Win32.Chepvil.17920

A.     Infection Route

 

Trojan.Win32.Chepvil.17920 does not spread out as itself, and it seems to be downloaded from hacked site or installed by other malicious codes such as Spyware, Adware, Dropper, etc.
 

B.     Symptom of Infection

 

1)     The malicious code downloads below files.

 

[PIC 1] Downloading malicious code

 

2)     It creates certain files like below.

 

(User Folder) Local Settings\application Data\(Random 3 digits).exe

(User Folder)Local Settings\application Data\p5037ob50a0j51dxuyn6

(User Folder)Local Settings\application Data\GDIPFONTCACHEV1.DAT

(User Folder)Local Setting\temp\p5037ob50a0j51dxuyn6

(User Folder)Templates\p5037ob50a0j51dxuyn6

(All User Folder)application data\p5037ob50a0j51dxuyn6

 

3)     It modifies registry to execute itself with exe typed files.

 

[HKCU\Software\Classes\.exe\shell\open\command]

@="\"C(User Folder Name)\Local Settings\Application Data\Random 3 digits.exe\" -a \"%1\" %*"

"IsolatedCommand"="\"%1\" %*"

[HKCU\Software\Classes\exefile\shell\open\command]

@="\"C:\(User Folder Name)\Local Settings\Application Data\Random 3 digits\" -a \"%1\" %*"

"IsolatedCommand"="\"%1\" %*¡±  

 

4) It deactivates Windows firewall by modifying registry.

 

 

[PIC 3] Deactivating firewall

    

 

5)     If it is executed, it shows fake Anti-Virus, and guides users to the purchasing order page.

 

      

       

 

[PIC 2] Fake Anti-Virus scanning feature

 

 

 

[PIC 3] Inducing users to purchase for fake repair

 

[ Notation ]

 

  -(User Folder) could be different by system, and generally this is C:\Documents and Settings\(User Account)\Local Settings\Application Data(WindowsNT/XP).

 

  -(All User Folder) could be different by system, and generally this is C:\Documents and Settings\All Users\Application Data(WindowsNT/XP).
Removal Instructions

[How to repair]

 

1. If you are WinXP/ME users, please be inactivate System Recovery Function.

The reason why being inactivate of the system recovery is to clean the virus completely.
You can refer to MS technical documents(Q263455) for more details.

2. Update the engine module for the latest one.
To repair this virus, you need to update the engine for the latest one.

a. ViRobot products users
     -Download the latest engine files via our website (www.hauri.net)

b. Non-ViRobot products users
     - Use the LiveCall (Free Scan) via the website (http://www.livecall.co.kr)

     - Use the trial version of ViRobot products (30days only)

3. How to scan the virus.


a. Run your ViRobot, and choose "all files" in scan option.

- ViRobot Desktop 5.0 : [Tools] -> [Configuration] -> [Virus Scan] : Check all files

- ViRobot Desktop 5.5 : [Tools] -> [Configuration] -> [Virus Scan] : Check all files

- LiveCall (Free Scan) : [Advanced Scan] : Check

b. Repair all viruses detected.

c. If [Auto-repair after rebooting] message shows up, please try to re-scan after rebooting the PC.
List
Copyright 2008 @ HAURI Inc. All rights reserved. SiteMap