New generation malware

Though I don’t like telling stories, this one is really adventurous and I suggest you read it, since it’s about an encounter with a deadly malware and I am the hero!

As I had described in my previous posts, the conventional way of zeroing in on a virus seemed to me to be really apt for all kinds. This was the same until I saw new viruses in my college digital library (I would rather call it a virus vault!). They were a breed apart: unlike normal viruses, they didn’t have any visible process running in Task Manager. This made it really tough to mark their presence on PCs. For a while I was tricked into believing that they didn’t exist on the PC and that it had slowed down because of other issues. When I brought my pendrive back home, I noticed a new file U.COM on it, which didn’t execute thanks to the autorun.inf folder that is always present on my pendrive. Now I was sure the virus was present on the college PCs, but I didn’t have enough patience and time to go back there to try busting it, the place being public in nature.

A few days ago I was at my friend’s place, whose system gave a whole lot of problems ranging from slow start-up and the net getting disconnected to the browser hanging with errors. He was pleading to format his system and repartition it to remove any malware hiding in other drives. FORMAT!!! The word I hate the most! I sat there with the determination that it’s either the malware or me that’s getting screwed, and was able to ultimately fix it. Here is how I did it:

  1. Opening Task Manager didn’t do much help, since it showed no presence of any suspicious process.
  2. Upon opening a drive, it opened in a new window. This made me certain that some code was being executed prior to opening the drive, marking the presence of an autorun.inf file, which would be super hidden.
  3. Initially I tried restoring registry defaults, but it didn’t work, indicating the malware was active and was monitoring registry changes and re-writing the malicious keys if the original entries were restored.
  4. Since the only thing I was certain of was the presence of an autorun.inf file, I went for the kill. Using Killbox, I wrote the address of the file as C:\autorun.inf and was able to find the file and delete it. Since Killbox takes a backup of the deleted file in a folder on the C: drive, I accessed the file. I opened it by double-clicking it (don’t be afraid, these files won’t eat up your system when opened!). I found code to execute a U.COM file on drive autorun. This made me happy, since I got another chance to take my old revenge on this guy!
  5. Using Killbox, I gave the instruction to delete the file C:\U.COM. I was able to find the file and delete it. I repeated steps 4 and 5 for all drives.
  6. To be certain of deleting all files, I searched the internet for details on the malware named U.COM and was able to find what files it creates. I deleted:

c:\windows\system32\drivers\klif.sys

c:\windows\system32\olhrwef.exe

c:\windows\system32\nmdfgds0.dll

and deleted the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run cdoosoft C:\WINDOWS\system32\olhrwef.exe

  7. Having cleaned the mess, I restored the Windows registry defaults, entered each drive, created a dummy autorun.inf folder and deleted suspicious files as well. Also delete all the backup copies that Killbox made of the deleted files. I deleted all files from all temp locations and, using CCleaner, deleted the start-up entries of U.COM. Search in Registry Editor for U.COM entries and delete them all. Usually there are other related entries in the same sub key; delete them too. Restart your system and check if everything is OK.
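As an added example that is not part of the original post, here is a small triage script in the spirit of steps 2, 4 and 7: it parses an autorun.inf, lists which programs it would launch (open=, shellexecute= and shell\verb\command= entries), flags those whose file names match the indicators named in this post, and tells a protective autorun.inf folder apart from a real file at a drive root. The sample autorun.inf content is constructed for the example, and the function names are my own.

```python
from pathlib import Path, PureWindowsPath

# Indicators taken from the post: the file names the author found and deleted.
KNOWN_DROPPED = {"u.com", "klif.sys", "olhrwef.exe", "nmdfgds0.dll"}

# Constructed sample of the kind of autorun.inf described in step 4 (not a real capture).
SAMPLE_AUTORUN = "[autorun]\nopen=U.COM\nshellexecute=U.COM\nshell\\open\\Command=U.COM\nshell\\explore\\command=U.COM\nicon=%SystemRoot%\\system32\\SHELL32.dll,4\n"

def launched_by_autorun(text):
    """Return every program reference an autorun.inf would execute:
    open=, shellexecute= and shell\\<verb>\\command= under [autorun]."""
    refs, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            refs.append(value)
    return refs

def suspicious_refs(refs):
    """Keep the references whose file name matches an indicator from the post."""
    out = []
    for r in refs:
        # first token is the program; the rest would be its arguments
        name = PureWindowsPath(r.split()[0]).name.lower() if r.strip() else ""
        if name in KNOWN_DROPPED:
            out.append(r)
    return out

def assess_drive_root(root):
    """Triage one drive root. A folder named autorun.inf is the author's
    protective placeholder; a file is parsed and its launch targets checked."""
    inf = Path(root) / "autorun.inf"
    if not inf.exists():
        return {"autorun_inf": "missing", "launches": [], "suspicious": []}
    if inf.is_dir():
        return {"autorun_inf": "folder", "launches": [], "suspicious": []}
    refs = launched_by_autorun(inf.read_text(errors="replace"))
    return {"autorun_inf": "file", "launches": refs, "suspicious": suspicious_refs(refs)}
```

Point assess_drive_root at each drive root (for example D:\) to see whether the autorun.inf there is the protective folder or a file pointing at one of the dropped programs.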

The malware U.COM comes in the category of CLOAKED MALWARE, the new generation of viruses. They run hidden from Task Manager, inside a background service such as svchost, along with other system processes. They write to other programs’ virtual memory, also called process hijacking. They are packed and/or encrypted to be invisible to our eyes. It is added as a registry auto-start entry to load the program on boot-up. It creates various files inside the system32 folder and also on all drives, and alters the registry to hide its files from the user.

PC slow and you don’t see any reason why? Beware, you could be a victim!!