Wednesday, January 16, 2008

Hakaglan @ RVhost.exe

Yesterday, my whole office was infected with a worm called Hakaglan. Someone in the office accidentally "installed" the worm, and the worm planted a variant on every PC on the network. There's a total of 15 PCs/laptops in the office with only 1 person to get rid of it. It's just such a mess. Even though the worm is not very dangerous and was discovered 1 year ago, it still creates a mess. I've also discovered that the free AVG Home anti-virus and several other free anti-virus products are unable to detect or clean this worm. The only free anti-virus that can detect and clean this worm is Avast Home Edition. Below is the info on the worm and the methods to clean it:

Risk Level 1: Very Low
Discovered: December 12, 2006
Updated: December 13, 2006 3:26:10 AM
Also Known As: IM-Worm.Win32.Sohanad.t [Kaspersky], W32/Sohana-R [Sophos]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP.
W32.Yautoit.N is a worm that spreads through Yahoo! Instant Messenger.

Worm Info:

It downloads a file from the internet and saves it as RVHOST.exe in your System folder. It also creates a file, New Folder.exe, in every shared folder.

Removal Methods:

1. Delete the At1.job or Ar2.job file under your Scheduled Tasks.

2. Update your anti-virus virus definitions and run a full system scan.

3. Navigate to and delete the following registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe RVHOST.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Yahoo Messengger" = "%System%\RVHOST.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\"shared" = "[SHARED DRIVE]\New Folder.exe"

4. Navigate to and restore the following registry values to their original settings, if required:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NofolderOptions" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\"AtTaskMaxHours" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"Run" = "BkavFw"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"Run" = "IEProtection"
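Doing steps 1, 3 and 4 by hand on 15 machines is tedious and easy to get wrong, so here is an added example of an audit-and-clean script for the same indicators. It is not from the original post or from Symantec; it assumes the file and registry names exactly as listed above, that the task files live in %SystemRoot%\Tasks, and that deleting a policy value restores the Windows default (the AtTaskMaxHours default is not stated on the page, so that value is simply removed). By default it only reports; pass -Remediate from an elevated prompt to actually clean, then do step 2 (full scan with updated definitions) and reboot.

```powershell
# Added example (not from the post or Symantec): audit one Windows host for the
# Hakaglan / W32.Yautoit.N indicators from the removal steps, clean with -Remediate.
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[string]
function Report($msg) { $findings.Add($msg); Write-Host "[!] $msg" }

# --- Step 1: the worm's scheduled task files (names as listed in the post) ---
$taskDir = Join-Path $env:SystemRoot 'Tasks'
foreach ($job in 'At1.job', 'Ar2.job') {
    $p = Join-Path $taskDir $job
    if (Test-Path $p) {
        Report "Scheduled task file present: $p"
        if ($Remediate) { Remove-Item $p -Force }
    }
}

# --- Dropped binary in the System folder ---
$rvhost = Join-Path $env:SystemRoot 'System32\RVHOST.exe'
if (Test-Path $rvhost) {
    Report "Worm binary present: $rvhost"
    if ($Remediate) {
        # Stop the running copy first, otherwise the file stays locked.
        Get-Process -Name RVHOST -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-Item $rvhost -Force
    }
}

# --- "New Folder.exe" dropped in the root of every local disk share (Type 0) ---
Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 0 -and $_.Path } | ForEach-Object {
    $drop = Join-Path $_.Path 'New Folder.exe'
    if (Test-Path $drop) {
        Report "Share payload present: $drop (share '$($_.Name)')"
        if ($Remediate) { Remove-Item $drop -Force }
    }
}

# --- Step 3: values the worm adds; delete if present ---
$added = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Yahoo Messengger' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'; Name = 'shared' }
)
# --- Step 4: policy values the worm sets to "1"; removing them restores the default
# (feature enabled). AtTaskMaxHours is removed too, on the assumption that the
# Schedule service falls back to its built-in default when the value is absent.
$changed = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NofolderOptions' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'; Name = 'AtTaskMaxHours' }
)
foreach ($v in $added + $changed) {
    if (-not (Test-Path $v.Path)) { continue }
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        Report "Registry value present: $($v.Path)\$($v.Name) = $($item.($v.Name))"
        if ($Remediate) { Remove-ItemProperty -Path $v.Path -Name $v.Name -Force }
    }
}

# --- Winlogon Shell: the worm appends RVHOST.exe; restore plain "Explorer.exe" ---
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'Explorer.exe') {
    Report "Winlogon Shell tampered: '$shell'"
    if ($Remediate) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'Explorer.exe' }
}

# --- Run entries BkavFw / IEProtection: report only, since the post says
# "restore if required"; a person decides whether they belong to real software ---
foreach ($r in @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'BkavFw' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'IEProtection' })) {
    $item = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { Report "Review Run entry: $($r.Path)\$($r.Name) = $($item.($r.Name))" }
}

if ($findings.Count -eq 0) { Write-Host 'No Hakaglan indicators found.' }
elseif (-not $Remediate) { Write-Host "Re-run with -Remediate to clean the $($findings.Count) finding(s) above." }
```

Run it once without -Remediate on every machine and keep the output: a host that still shows the Winlogon Shell or Run entries after cleaning is a sign the worm was re-delivered from another infected PC on the network, which is exactly why all 15 have to be cleaned before any of them reconnect to the shares.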

Source: Symantec

