It's been a long time since I have written anything.
Today I have come up with a solution to a new virus problem. This is called Kamsoft.exe :)
Many PCs may be infected by this new virus, and its channel is our all-time favourite: the USB drive.
High Level Symptoms:
1. It creates
2. It disables regedit
3. You can't see hidden files and folders, i.e. it disables the hidden files and folders option in Control Panel.
4. It may disable msconfig.
5. It makes your PC very slow.
6. Attacks all drives and modifies the MountPoints2 key in the registry so that when you double-click a drive it opens in a new window instead of the same window.
Actions performed by the virus:
1. This malware creates the following entry in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Kamsoft"=C:\windows\system32\ckvo.exe
2. It creates (or may create) the following files in the root of C:\, D:\ and other drives:
uuuq.exe whi.com 39lpji.com ktnquo.exe vxl.exe oq.cmd fe.bat kk3.bat rs.cmd autorun.inf
3. The following files may be found in the System32 folder:
ckvo.exe ckvo0.exe ckvo1.exe kamsoft.exe
Virus Removal
1. Start the computer in safe mode by pressing F8 during boot.
2. Open Registry Editor (if Registry Editor is disabled, go to step 3; otherwise go to step 4).
3.
- Hit Windows+R to bring up Run (Start>Run)
- Type in gpedit.msc and click OK
- For regedit: in the Group Policy window, browse to User Configuration > Administrative Templates > System. You will see a small entry named "Prevent access to registry editing tools". Double-click that entry, check the Disabled option, and click OK. Your regedit.exe has just been enabled.
4. Search (Ctrl+F) for ckvo.exe and delete all entries found (repeat the same for Kamsoft.exe and autorun.inf).
5. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
and delete all the subkeys whose names are of the form {........}.
For Example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05ef6149-5e60-11dd-8a88-0003254ecf1b}
In the above key delete {05ef6149-5e60-11dd-8a88-0003254ecf1b}
6. Open the command prompt and go to C:\>
7. Type attrib so you can see the hidden files in the root of the drive.
8. To clear the attributes of the malware files, type
attrib -s -h -r filename, e.g. attrib -s -h -r autorun.inf
9. Delete the file by typing
del filename, e.g. del autorun.inf
10. Repeat steps 8 and 9 for all malware files.
(Note: don't delete the system files:)
ntdetect.com ntldr hiberfil.sys io.sys pagefile.sys autoexec.bat boot.ini config.sys msdos.sys etc.
11. Look for the malware files in all other partitions and delete them using steps 7-10.
12. Go to c:\windows\system32>
13. Type the following, one command at a time:
attrib -s -h -r kamsoft.exe
attrib -s -h -r ckvo.exe
attrib -s -h -r ckvo.dll
attrib -s -h -r ckvo0.dll
attrib -s -h -r ckvo1.dll
del kamsoft.exe
del ckvo.exe
del ckvo0.dll
del ckvo1.dll
del ckvo.dll
14. Some files in system32 may not delete; if so, log off once and log on again, then delete any remaining files associated with this malware.
15. Now open Registry editor go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
Change the DWORD value CheckedValue from 0 to 1.
16. Now go to Folder Options and enable showing hidden files and system files. You should now be able to see all hidden files.
17. Turn off System Restore and turn it on again so that the previous restore points are deleted.
18. Delete all
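The registry indicators from the "Actions performed" section and from step 15 (the Run value pointing at ckvo.exe, the {GUID} subkeys under MountPoints2 and a SHOWALL CheckedValue of 0) can be checked offline against a reg export dump before anything is deleted. The script below is an added example, not the author's tooling; the .reg parser and the sample dump are constructed for it, and the MountPoints2 GUID subkeys are listed because the post says to delete them.

```python
import re
# Paths and file names are the post's; the parser and sample dump are an added example.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MP2_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
SHOWALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL"
MALWARE_FILES = {"kamsoft.exe", "ckvo.exe", "ckvo0.exe", "ckvo1.exe"}
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def parse_reg_export(text):
    """Parse a 'reg export' dump into {key: {value_name: data}} with names lower-cased
    (registry names are case-insensitive); hex continuation lines are ignored."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):      # [HKEY_...\Key] header
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)                  # "Name"=data
            keys[current][name.strip('"').lower()] = data.strip()
    return keys

def find_kamsoft_indicators(reg_text):
    """Return the post's registry indicators that are present in the dump."""
    keys, found = parse_reg_export(reg_text), []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name == "kamsoft" or any(f in data.lower() for f in MALWARE_FILES):
            found.append(f"Run value {name} = {data}")
    prefix = MP2_KEY.lower() + "\\"
    for key in keys:                                          # {GUID} subkeys only
        if key.startswith(prefix) and GUID_RE.match(key[len(prefix):]):
            found.append(f"MountPoints2 subkey {key[len(prefix):]}")
    if keys.get(SHOWALL_KEY.lower(), {}).get("checkedvalue") == "dword:00000000":
        found.append("SHOWALL CheckedValue is 0 (hidden files cannot be shown)")
    return found

# Constructed sample dump: the post's Run value beside a benign one, the GUID subkey the
# post uses as its example plus a non-GUID subkey, and SHOWALL forced to 0.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kamsoft"="C:\\windows\\system32\\ckvo.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05ef6149-5e60-11dd-8a88-0003254ecf1b}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""
if __name__ == "__main__":
    print("\n".join(find_kamsoft_indicators(SAMPLE_REG)))
```

Run it against a real dump with `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` on the affected machine, then pass the file contents to find_kamsoft_indicators.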