W32/Xorer

Type: Virus
SubType: Win32
Discovery Date: 03/03/2008
Length: varies
Minimum DAT: 5243 (03/03/2008)
Updated DAT: 5365 (08/20/2008)
Minimum Engine: 5.1.00
Description Added: 03/03/2008
Description Modified: 03/23/2008 6:44 PM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

The original file's name is "setup.exe", which is a self-extracting RAR file.

This malware creates the following files on all drives:

  • AUTORUN.INF
  • pagefile.pif

It also creates the following files:

  • C:\037589.log
  • %WinDir%\system32\AntiTool.exe
  • %WinDir%\system32\dnsq.dll
  • %WinDir%\system32\packet.dll
  • %WinDir%\system32\wpcap.dll
  • %WinDir%\system32\drivers\alg.exe
  • %WinDir%\system32\drivers\npf.sys
  • %WinDir%\system32\Com\lsass.exe
  • %WinDir%\system32\Com\netcfg.000
  • %WinDir%\system32\Com\netcfg.dll
  • %WinDir%\system32\Com\smss.exe
    (where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)


It deletes the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew


It adds the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}


It modifies the values of the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name


This malware attempts to access the following websites:

  • w.c0{REMOVED}o.com/r.htm
  • f.gxlg{REMOVED}x.com/html/dg2.html
  • d.gxlg{REMOVED}x.com/html/qb2.html


and downloads the following file:

  • js.k01{REMOVED}2.com/data.gif


It also displays some cheat websites.

Symptoms

  • Existence of the files and registry keys mentioned above.
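The symptom above amounts to an indicator sweep. The following PowerShell script, added here as an example and not McAfee's or AVERT's own tooling, checks a host read-only for the file and registry artifacts listed under Characteristics. The value names it reads in step 5 (CheckedValue, ShowSuperHidden, AppInit_DLLs, Name) are my assumption about which values under those keys an analyst would want to review, since the page does not say what the malware sets them to.

```powershell
# Added example (not McAfee's own tooling): a read-only sweep for the W32/Xorer
# indicators listed in the Characteristics section. It reports; it does not
# delete or repair anything. Run from an elevated prompt so that HKLM and
# %WinDir%\system32 are readable. Paths and keys come from the page; the value
# names in step 5 are assumptions about what an analyst would review.

$sys32    = Join-Path $env:WinDir 'system32'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Files the page lists as dropped (%WinDir% expanded via $env:WinDir).
#    packet.dll, wpcap.dll and npf.sys are WinPcap components and also exist on
#    hosts where WinPcap is legitimately installed, so treat them as supporting
#    evidence. The lsass.exe / smss.exe copies under system32\Com are the
#    suspicious ones; the real binaries live directly in system32.
$droppedFiles = @(
    'C:\037589.log'
    (Join-Path $sys32 'AntiTool.exe')
    (Join-Path $sys32 'dnsq.dll')
    (Join-Path $sys32 'packet.dll')
    (Join-Path $sys32 'wpcap.dll')
    (Join-Path $sys32 'drivers\alg.exe')
    (Join-Path $sys32 'drivers\npf.sys')
    (Join-Path $sys32 'Com\lsass.exe')
    (Join-Path $sys32 'Com\netcfg.000')
    (Join-Path $sys32 'Com\netcfg.dll')
    (Join-Path $sys32 'Com\smss.exe')
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $findings.Add("file present: $f") }
}

# 2. Spread vector: the AUTORUN.INF / pagefile.pif pair on the root of every
#    filesystem drive, which covers removable media and mapped network shares.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'AUTORUN.INF', 'pagefile.pif') {
        $p = Join-Path $drive.Root $name
        if (Test-Path -LiteralPath $p -PathType Leaf) { $findings.Add("autorun artifact: $p") }
    }
}

# 3. COM registration keys the page lists as added.
$addedKeys = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}'
    'HKLM:\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}'
    'HKLM:\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}'
    'HKLM:\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}'
    'HKLM:\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}'
)
foreach ($k in $addedKeys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry key present: $k") }
}

# 4. Keys the page lists as deleted. These exist on a healthy install, so their
#    absence is the signal: {4D36E967-...} is the disk-drive device class, and
#    without its SafeBoot entries Windows cannot boot into Safe Mode. The Safer
#    and ShellNew keys vary between installs and are left for manual review.
$expectedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}'
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}'
)
foreach ($k in $expectedKeys) {
    if (-not (Test-Path -LiteralPath $k)) { $findings.Add("expected key missing: $k") }
}

# 5. Values the page says are modified without stating the new contents, so the
#    sweep only reports them for analyst review. CheckedValue / ShowSuperHidden
#    control whether Explorer can show protected operating system files; the
#    other two value names are assumptions about what is worth reviewing there.
$reviewValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'; Name = 'CheckedValue' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';                    Name = 'ShowSuperHidden' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';                           Name = 'AppInit_DLLs' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication';                            Name = 'Name' }
)
foreach ($v in $reviewValues) {
    $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings.Add(("review value: {0}\{1} = {2}" -f $v.Key, $v.Name, $item.($v.Name)))
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Xorer indicators found.'
} else {
    Write-Output ("{0} finding(s):" -f $findings.Count)
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Save it as a .ps1 and run it in an elevated PowerShell session; the output is a list of findings, or a single line stating that none of the listed indicators were found. Because the script never writes to disk or the registry, it is safe to run on a suspected host before deciding on the removal steps below, and the same structure (present files, present keys, missing keys, values to review) carries over to other threat descriptions of this form.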

Method of Infection

This may arrive via a malicious link, or it may spread by its intended method: infected removable drives or network shares.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • DummyCom (360Safe)
  • Virus.Win32.Xorer.ez (Kaspersky)
  • W32.Pagipef (Symantec)
  • Win32/Diskgen.A (AhnLab)
