nhatquanglan Virus

nhatquanglan / SCVHSOT / new folder virus / scvshosts

Virus File Name
~~~~~~~~~~~~

New Folder.exe
Size: 192/196KB
virus file version 1,1,1,1
Icon: Folder
SCVHSOT.exe
Size: 192/196KB
Attributes: Hidden+System
virus file version 1,1,1,1
Icon: Folder

scvshosts.exe
Size: 247/248KB
Attributes: Hidden+System
virus file version 2,2,2,2
Icon: Folder

(added on 5 Dec 2007)

File Name: SCVVHSOT
Icon: Folder
Type of file: Application
Size: 283KB/288KB
Modified: June 10, 2007
Attributes: ReadOnly, Hidden, System, Archive
File version: 3.2.2.0
CompiledScript: AutoIt v3 Script: 3, 2, 2, 0
File Version: 3, 2, 2, 0

etc.

Symptoms
~~~~~~~~

You will find these files in your Windows folder, Shared Documents, etc.
Tools>Folder Option is disabled.
You are unable to see hidden files.
Task Manager is disabled.
Regedit is disabled.
If you are on a LAN, you will unknowingly be spamming the chat box with messages such as:
http://nhatquanglan.xlphp.net/
"C:\WINDOWS\hinhem.scr"

Behind the Screen
~~~~~~~~~~~~~~~~~

The following files are created:
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\SCVVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe

The virus copies itself into the Shared Documents folder of other computers on the network:
\\ABC\SharedDocs\New Folder.exe
\\ABC\SharedDocs\scvshosts.exe
\\ABC\SharedDocs\autorun.inf
Modifies some files in the "Documents and Settings" folder:
C:\Documents and Settings\Piyush Chandra\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Piyush Chandra\Cookies\index.dat
C:\Documents and Settings\Piyush Chandra\Local Settings\History\History.IE5\index.dat

Modifies registry values at:
Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4c4da22e-f800-11db-8de6-806d6172696f}\BaseClass, etc.
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths, etc.
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, etc.
Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
Software\Microsoft\Windows\CurrentVersion\Internet Settings, etc.
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
Runs the following commands under DOS (only by virus version 1,1,1,1), i.e. it registers an AT scheduler job that launches blastclnnn.exe every day at 09:00:
C:\WINDOWS\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\cmd.exe /C AT /delete /yes

Solution
~~~~~~

End Task (updated on 27/11/2007)
————————

Start> run

taskkill /f /t /im "New Folder.exe"
taskkill /f /t /im "SCVVHSOT.exe"
taskkill /f /t /im "SCVHSOT.exe"
taskkill /f /t /im "scvshosts.exe"
taskkill /f /t /im "hinhem.scr"
taskkill /f /t /im "blastclnnn.exe"

 

Enable Task Manager
——————-

1. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
2. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Enable Regedit
————–

1. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
2. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Folder Option & Hidden Files
—————————-

1. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
2. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
3. Start> run
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f
4. Start> run
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 2 /f

Other steps
——————

Delete the files:

C:\WINDOWS\SCVVHSOT.exe
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe

Modify these registry values:
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (REG_SZ) -> explorer.exe
Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger -> delete
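As an added example (not the blog's heal tool), the checks behind the Solution and Precaution sections written as offline triage logic: it flags the policy values, Winlogon Shell and Run entry the write-up lists, emits the matching reg commands to undo them, and spots an .exe posing as a sibling folder. The registry snapshot and directory listing are constructed sample data; the Shell and Run command lines in them are assumptions, since the post does not record them.

```python
# Added example (not the blog's heal tool): offline triage for the indicators this write-up lists.
import ntpath

# Policy values the write-up says the virus flips; clean data is 0 (or absent).
POL = r"Software\Microsoft\Windows\CurrentVersion\Policies"
POLICY_DWORDS = {(f"{hive}\\{POL}\\{sub}", name): 0
                 for hive in ("HKLM", "HKCU")
                 for sub, name in (("System", "DisableTaskMgr"),
                                   ("System", "DisableRegistryTools"),
                                   ("Explorer", "NoFolderOptions"))}
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Image names from the "Virus File Name" and "End Task" sections.
MALWARE_IMAGES = {"new folder.exe", "scvhsot.exe", "scvvhsot.exe",
                  "scvshosts.exe", "hinhem.scr", "blastclnnn.exe"}

def registry_triage(snapshot):
    """snapshot: {key: {value_name: data}}. Returns (findings, reg commands that undo them)."""
    findings, fixes = [], []
    for (key, name), clean in POLICY_DWORDS.items():
        data = snapshot.get(key, {}).get(name)
        if data not in (None, clean):
            findings.append(f"{key}\\{name} = {data}")
            fixes.append(f'reg add "{key}" /v {name} /t REG_DWORD /d {clean} /f')
    shell = snapshot.get(WINLOGON, {}).get("Shell", "explorer.exe")
    if shell.strip().lower() != "explorer.exe":  # anything chained onto Explorer is foreign
        findings.append(f"Winlogon\\Shell = {shell}")
        fixes.append(f'reg add "{WINLOGON}" /v Shell /t REG_SZ /d explorer.exe /f')
    for name, cmd in snapshot.get(RUN_KEY, {}).items():
        if ntpath.basename(cmd.strip('"')).lower() in MALWARE_IMAGES:
            findings.append(f"Run\\{name} -> {cmd}")
            fixes.append(f'reg delete "{RUN_KEY}" /v "{name}" /f')
    return findings, fixes

def folder_impostors(listing):
    """listing: [(name, is_dir)] of one directory. Flags an .exe whose name mirrors
    a sibling folder, the folder-icon lure the Precaution section warns about."""
    dirs = {n.lower() for n, is_dir in listing if is_dir}
    return [n for n, is_dir in listing
            if not is_dir and n.lower().endswith(".exe") and n[:-4].lower() in dirs]

# Constructed sample data shaped like the write-up's indicators; Shell/Run data are assumptions.
SAMPLE_REGISTRY = {
    f"HKCU\\{POL}\\System": {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    f"HKCU\\{POL}\\Explorer": {"NoFolderOptions": 1},
    WINLOGON: {"Shell": r"explorer.exe, C:\WINDOWS\SCVHSOT.exe"},
    RUN_KEY: {"Yahoo Messengger": r"C:\WINDOWS\system32\SCVHSOT.exe"},
}
SAMPLE_LISTING = [("Photos", True), ("Photos.exe", False), ("New Folder", True),
                  ("New Folder.exe", False), ("readme.txt", False)]
```

Run `registry_triage(SAMPLE_REGISTRY)` to get the five findings and the five reg commands that reverse them; on a real host, fill the snapshot from winreg before trusting the output.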

Precaution
~~~~~~~~~

Never double-click files that look like folders; use the folder view for navigation instead.
You may also want to disable "Shared Documents".

DOWNLOAD

Heal for nhatquanglan virus

Download Page for other heals

148 Responses to “nhatquanglan Virus”

  1. Muhammad Hassaan Says:

    When I open any drive in Windows XP (Pentium 4), a dialog box opens and gives a debug option. How do I remove the debugging option, and why does it come up?

  2. Dupsyn Says:

    I have this virus on my Yahoo Messenger; it suddenly appears, shows some things and disappears, and then sends rubbish messages like (Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo… http://nhatquanglan.xlphp.net/ ) to everyone on my messenger list and then changes my online status from "available" to "Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo… http://nhatquanglan.xlphp.net/ ". Sometimes it also minimizes whatever I'm doing at the moment.

    This is really disgusting, I don't know what to do about this.

    Please help me.

  3. Egyptian Says:

    Thank you!

  4. Vineet Says:

    Thanks Man.. your tools worked.. !!

  5. dilip kumar Says:

    I have a virus like mauuf.exe which is creating shortcut files of folders,
    and the folder data is not seen and the file shown is in KBs.

    • Piyush Says:

      Hi dilip,
      You can send me the virus file.
      I will analyse it.
      Looks like it has created Folder.exe 😦
      The actual folders are hidden and in their place there are exe files with the folder names.

  6. Niraj Says:

    But It doesn’t work in my computer. Inside a folder, the same named .exe file is created and in its description nhatquanglan is written.
