Re: CSRSS.EXE Virus That Won't Go Away



From: "Swapnesh" <swap_par205@xxxxxxxxxxxxx>

| But CSRSS is a system service and it uses CSRSS.exe. If you want to verify you
| can press CTRL+ALT+DEL.
| You can see it there under the PROCESS tab. OK
| And it says it's a system service.
|
| Now when Windows starts it will try to run CSRR.exe and when anything is not
| found it simply tells you File not found.
|
| So give it the file it wants. Though the file was infected and was removed you
| can give it a fresh one. It's like giving a missing DLL. Haven't you tried it yet?
| If not then you should try.
| And has "ugetnome" tried to remove the registry and seen that it works?
|

It is a well-established methodology to use the name of legitimate MS Windows Kernel files
for the name of viral and non-viral malware. This is designed to lure you into a false
sense of security. You see the name of the executable running, assume that it is an OS file
and think it is OK. -- WRONG. One must examine WHERE the executable is being executed from.
Since replacing an OS Kernel file could break the OS, it has to be executed from a
non-standard OS location.

In the case of this infector: %windir%\SYSTEM32\VIVNUFFTO\CSRSS.EXE
%windir%\SYSTEM32\VIVNUFFTO is not a Windows OS folder. It was created by the infector.

Sample infectors that use the name CSRSS.EXE are...

C:\CSRSS.EXE
W32/Buchon.c@MM -- http://vil.nai.com/vil/content/v_130857.htm

%WinDir%\MSAGENT\WIN32\CSRSS.EXE
W32/Sober.l@MM -- http://vil.nai.com/vil/content/v_131869.htm

%WinDir%\CSRSS.EXE
W32/Melare@MM -- http://vil.nai.com/vil/content/v_100306.htm

%WinDir%\CSRSS.EXE
W32/Netsky.ab@MM -- http://vil.nai.com/vil/content/v_124873.htm

%WinDir%\CSRSS.EXE
MultiDropper-JW -- http://vil.nai.com/vil/content/v_101115.htm

%WinDir%\CSRSS.EXE
Downloader-MC -- http://vil.nai.com/vil/content/v_126644.htm



An example of a file name that is most often used is SVCHOST.EXE. There are *many*
viral and non-viral infectors that use this name. If this file is found on a Win9x/ME PC
then you are almost guaranteed to be infected. If it is found on an NT-based PC then one must
look at the location of where it is being executed. In addition many use variations upon
this name such as SCVHOST.EXE.

Examples:
If SVCHOST.EXE is found in the root of C: (C:\SVCHOST.EXE) then there is a high chance of
this being the CodeBlue worm.
W32/CodeBlue.worm -- http://vil.nai.com/vil/content/v_99202.htm

If SVCHOST.EXE is found in %windir% then there is a high chance of this being the Cozit
worm.
W32/Cozit.worm -- http://vil.nai.com/vil/content/v_99761.htm

If SVCHOST.EXE is found in %windir%\SYSTEM32\DRIVERS then there is a high chance of this
being a Nachi worm variant.
W32/Nachi.worm.c -- http://vil.nai.com/vil/content/v_101025.htm




--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
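Dave's point is that the name tells you nothing; the directory the image runs from does. The following is an added example, not code from the original post or from any of the linked write-ups: it takes a list of process image paths (here a constructed list built from the paths quoted in the post) and reports each one as running from the expected System32 location, masquerading under an OS file name from somewhere else, or carrying a look-alike name such as SCVHOST.EXE. The %windir% value, the expected-location table and the sample path list are assumptions made for the example; on a live NT-family machine you would feed it the image paths of the running processes instead.

```python
# Added example (not part of the original post): decide whether a process
# image that carries an OS file name is running from where the OS keeps it.
import ntpath
import re

# Assumption for the example: the Windows directory. On a live machine use
# os.environ["windir"] (i.e. %windir%) instead of this constant.
WINDIR = r"C:\WINDOWS"

# OS file names abused by the infectors listed in the post, each with the
# only directory the NT-family OS runs them from (assumption: System32 only;
# this table is not SysWOW64-aware).
EXPECTED_DIR = {
    "csrss.exe":   r"%windir%\System32",
    "svchost.exe": r"%windir%\System32",
}


def expand(path: str) -> str:
    """Replace %windir% (any letter case) with the configured Windows dir."""
    return re.sub(r"%windir%", lambda _: WINDIR, path, flags=re.IGNORECASE)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or
    swap two adjacent characters, each counting 1. Catches SCVHOST/SVCHOST."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(image_path: str, nt_family: bool = True) -> str:
    """Return one of:
       'expected'   - OS name, running from its standard directory
       'masquerade' - OS name, running from anywhere else (or on Win9x/ME,
                      where neither csrss.exe nor svchost.exe is part of the OS)
       'lookalike'  - name one edit away from an OS name (e.g. SCVHOST.EXE)
       'other'      - not one of the watched names
    """
    directory, name = ntpath.split(expand(image_path))
    name = name.lower()
    directory = ntpath.normpath(directory).lower()
    if name in EXPECTED_DIR:
        if not nt_family:
            return "masquerade"
        expected = ntpath.normpath(expand(EXPECTED_DIR[name])).lower()
        return "expected" if directory == expected else "masquerade"
    stem = name[:-4] if name.endswith(".exe") else name
    if any(osa_distance(stem, known[:-4]) == 1 for known in EXPECTED_DIR):
        return "lookalike"
    return "other"


def triage(image_paths, nt_family=True):
    """Classify every path and return (path, verdict) pairs, suspicious first."""
    order = {"masquerade": 0, "lookalike": 1, "other": 2, "expected": 3}
    results = [(p, classify(p, nt_family)) for p in image_paths]
    return sorted(results, key=lambda r: order[r[1]])


# Constructed sample input: the paths quoted in the post plus two benign ones.
SAMPLE_PATHS = [
    r"C:\WINDOWS\System32\csrss.exe",
    r"%windir%\SYSTEM32\VIVNUFFTO\CSRSS.EXE",
    r"C:\CSRSS.EXE",
    r"%WinDir%\MSAGENT\WIN32\CSRSS.EXE",
    r"%windir%\SYSTEM32\DRIVERS\SVCHOST.EXE",
    r"C:\WINDOWS\System32\SCVHOST.EXE",
    r"C:\Program Files\Editor\editor.exe",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_PATHS):
        print(f"{verdict:10s} {path}")
```

A verdict of "expected" only means the name and directory agree with what the OS ships; it does not prove the file is clean, so treat it as a triage filter, not as a clearance. The comparison is deliberately case-insensitive and normalises the path, because the infectors in the post mix upper and lower case freely.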


