nhatquanglan Virus
nhatquanglan / SCVHSOT / new folder virus / scvshosts
Virus File Name
~~~~~~~~~~~~
New Folder.exe
Size: 192/196KB
virus file version 1,1,1,1
Icon: Folder

SCVHSOT.exe
Size: 192/196KB
Attributes: Hidden+System
virus file version 1,1,1,1
Icon: Folder

scvshosts.exe
Size: 247/248KB
Attributes: Hidden+System
virus file version 2,2,2,2
Icon: Folder

(added on 5Dec,2007)

File Name: SCVVHSOT
Icon: Folder
Type of file: Application
Size: 283KB/288KB
Modified: June 10,2007
Attributes: ReadOnly,Hidden,System,Archive
File version: 3.2.2.0
CompiledScript: AutoIt v3 Script: 3, 2, 2, 0
File Version: 3, 2, 2, 0
etc.
Symptoms
~~~~~~~~
You will find these files in your Windows folder, Shared Documents, etc.
Tools>Folder Option is disabled.
You are unable to see hidden files.
Task Manager is disabled.
Regedit is disabled.
If you have a LAN connection, you will unknowingly be spamming the chat box.
e.g.:
"http://nhatquanglan.xlphp.net/"
"C:\WINDOWS\hinhem.scr"
Behind the Screen
~~~~~~~~~~~~~~~~~
The following files are created:
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\SCVVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe
The virus is copied to other computers on the network, into their Shared Docs:
\\ABC\SharedDocs\New Folder.exe
\\ABC\SharedDocs\scvshosts.exe
\\ABC\SharedDocs\autorun.inf
Modifies some files in the “Documents and settings” folder.
C:\Documents and Settings\Piyush Chandra\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Piyush Chandra\Cookies\index.dat
C:\Documents and Settings\Piyush Chandra\Local Settings\History\History.IE5\index.dat
Modifies some registries at:
Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4c4da22e-f800-11db-8de6-806d6172696f}\BaseClass, etc.
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths, etc.
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, etc.
Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
Software\Microsoft\Windows\CurrentVersion\Internet Settings, etc.
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
Modifies some system files:
C:\Documents and Settings\Piyush Chandra\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Piyush Chandra\Cookies\index.dat
C:\Documents and Settings\Piyush Chandra\Local Settings\History\History.IE5\index.dat
Runs the following commands under DOS (virus version 1,1,1,1 only):
C:\WINDOWS\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\cmd.exe /C AT /delete /yes
Solution
~~~~~~
End Task (updated on 27/11/2007)
--------------------------------
Start> run
taskkill /f /t /im "New Folder.exe"
taskkill /f /t /im "SCVVHSOT.exe"
taskkill /f /t /im "SCVHSOT.exe"
taskkill /f /t /im "scvshosts.exe"
taskkill /f /t /im "hinhem.scr"
taskkill /f /t /im "blastclnnn.exe"
Enable Task Manager
-------------------
1. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
2. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Enable Regedit
--------------
1. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
2. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Folder Option & Hidden Files
----------------------------
1. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
2. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
3. Start> run
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f
4. Start> run
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 2 /f
Other steps
-----------
Delete the files
C:\WINDOWS\SCVVHSOT.exe
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe
Modify some registries
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell REG_SZ --> explorer.exe
Software\Microsoft\Windows\CurrentVersion\Run Yahoo Messengger --> delete
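
The script below is an added example, not part of the original post or its tools: a read-only PowerShell audit of the files and registry values listed above, to run before and after the cleanup steps. Checking both HKLM and HKCU for the Run value is an assumption, since the post names no hive for it.

```powershell
# Added example (not from the original post): read-only audit, changes nothing.
$findings = @()

# Files the post lists as created by the virus (paths as given on the page).
$files = @(
    'C:\WINDOWS\SCVHSOT.exe',
    'C:\WINDOWS\SCVVHSOT.exe',
    'C:\WINDOWS\hinhem.scr',
    'C:\WINDOWS\system32\SCVHSOT.exe',
    'C:\WINDOWS\system32\blastclnnn.exe',
    'C:\WINDOWS\system32\autorun.ini',
    'C:\Documents and Settings\All Users\Documents\SCVHSOT.exe'
)
foreach ($f in $files) {
    # File.Exists also sees Hidden+System files, which the copies are.
    if ([System.IO.File]::Exists($f)) { $findings += "File present: $f" }
}

# Policy values the post resets to 0; any non-zero value is reported.
$policies = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($p in $policies) {
        $path = "${hive}:\$($p.Key)"
        $item = Get-ItemProperty -Path $path -Name $p.Name -ErrorAction SilentlyContinue
        if ($item -and $item.($p.Name) -ne 0) {
            $findings += "Policy set: $path\$($p.Name) = $($item.($p.Name))"
        }
    }
    # Autostart value named in the post; checking both hives is an assumption.
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -Path $runKey -Name 'Yahoo Messengger' -ErrorAction SilentlyContinue
    if ($run) { $findings += "Run value present: $runKey\Yahoo Messengger" }
}

# Winlogon Shell should be exactly explorer.exe, as in the post's last step.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell altered: $shell"
}

if ($findings.Count -eq 0) { 'No indicators from this post found.' } else { $findings }
```

An empty result after the cleanup means every file and registry value named in the post is back to its expected state on that machine.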
Precaution
~~~~~~~~~
Never double-click files that look like folders; use the folder view for navigation instead.
You may like to disable “Shared Documents”.

23 August, 2008 at 10:44 am
When I open any drive on a Windows XP system (Pentium 4), a dialog box opens and it gives a debug option. How do I remove the debugging option, and why does it come up?
1 October, 2008 at 12:15 am
I have this virus on my Yahoo Messenger. It suddenly appears, shows some things and disappears, and then sends rubbish messages like (Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo… http://nhatquanglan.xlphp.net/ ) to everyone on my messenger list and then changes my online status from “available” to “Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo… http://nhatquanglan.xlphp.net/ ”. Sometimes it also minimizes whatever I’m doing at the moment.
This is really disgusting, I don’t know what to do about this.
Please help me.
22 November, 2008 at 1:30 pm
Thank you!
11 December, 2008 at 10:33 pm
Thanks Man.. your tools worked.. !!