Wednesday, October 10, 2007

Nhatquanglan & Pooh.vbs(W32/DKR.worm) Malwares virus spywares

The Two spywares/malwares/virus i have stumbled upon. Nhatquanglan slows down your pc and disable some fuctions like folder option, taskmanager, regedit etc. while (W32/DKR.worm) pooh.vbs slow pc and spreads it self through USB Drives. i use nod32 anti virus and they by passed it, but i know nod32 will have an update soon to detect this 2 threats...

Ways to remove them you can use system restore and remove the 2 malwares or use a script command to clean them up. i have the script command for the nhatquanglan, but for the pooh.vbs i just used my system restore. here are some instructions and futher information about the 2 new malwares virus or spywares i encountered credit goes to the person who wrote it.

credit goes to: Shrinked Immaculate
Chandigarh, Punjab, India


I recently noticed a spurt in the traffic to my blog which is apparently caused by people looking for answers to the Nhatquanghlan worm. Well, over here in Chandigarh, it seems that this virus is just about in all computers and is being spread by the ubiquitous pen/usb/zip/thumb drive. From my ruminations on the net and frequent tinkering around the ward computer that gets reinfected almost every day, I have made certain observations that seem to make some conclusions about this worm.

1. This worm spreads by USB drives though it is possible that other portable media may be involved too.

2. It causes the task manager, the folder options, registry files to be altered.

3. It can be diagnosed by the above symptoms.

4. There is a crappy looking folder icon that is seen (with same name as the original folder), the file size of which is 282 kb.

5. It makes the computer slow down, and no anti-virus as of now seems to catch hold of it.

6. Inability to stop the USB drive from remove hardware safely option.

7. Inability to format the USB drive.

8. The worm is an autorun .exe file and executes and infects every time a USB drive is plugged in.Cure:

1. Download Hijack this(free), and the task manager fix of the interra group (also free), and a program called spybot killer.

2. Run the hijack this (rename it first or it wont start), and fix all files with scvhost.exe (not svchost.exe), run spybot, and then task manager fix. This should cure it. As u learn more about viruses, hijack this is probably the most useful program to have.

3. Reboot, and should run ok.Prevention:

1. USB hygiene is paramount. Disable autorun (wont happen unless infection is cleared first) using administrative tools.

2. Do not run any program from the USB drive, copy paste on to computer first.

3. Scan USB drive all the times.

4. Format USB drive often.

5. Read about hakaglan on the web.

W32/DKR.worm is a worm that spreads over network or removable drives. Earlier non-propagating variants may be be detected as Backdoor-DKR trojan.

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infecteWhile many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.d systems spread the virus to other systems, which then propagate the virus further.

Ways to remove it

Download startup control Panel at (You're going to use this later)

Go to your Task Manager (Ctrl+Alt+Del)

Terminate the Wscipt.exe process

Terminate the Explorer.exe process

Click New Task and Type "cmd" (without the quotes)

type the following in your command prompt

del c:\pooh.vbs /f/s/q/a

del d:\pooh.vbs /f/s/q/a

(include your other drives and USB drives that have been infected)

del c:\windows\system32\kernell.dll.vbs

del c:\aikelyu.html /f/s/q/a

Use the start-up program from to remove aikelyu.html on windows startup

Go to New Task and type "regedit" (without the quotes)

Go to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

and modify it to make the value in Shell to only contain "explorer.exe"

your done

Credits tyo the one who wrote this Peace all

No comments: