Re: CSRSS.EXE Virus That Won't Go Away
- From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
- Date: Sun, 28 Aug 2005 18:09:39 -0400
From: "Swapnesh" <swap_par205@xxxxxxxxxxxxx>
| But CSRSS is a system service, and it uses CSRSS.exe. If you want to verify, you
| can press CTRL+ALT+DEL.
| You can see it there under the PROCESS tab. OK.
| And it says it is a system service.
|
| Now when Windows starts it will try to run CSRSS.exe, and when it is not
| found it simply says File not found.
|
| So give it the file it wants. Though the file was infected and was removed, you
| can give it a fresh one. It's like giving it a missing DLL. Haven't you tried it yet
| ????
| If not, then you should try.
| And has "uget2nome" tried to remove the registry entry and seen whether it works??
|
It is a well-established methodology to use the name of legitimate MS Windows kernel files
for the name of viral and non-viral malware. This is designed to lure you into a false
sense of security. You see the name of the executable running, assume that it is an OS file
and think it is OK. -- WRONG. One must examine WHERE the executable is being executed from.
Since replacing an OS kernel file could break the OS, it has to be executed from a non-standard,
non-OS location.
In the case of this infector: %windir%\SYSTEM32\VIVNUFFTO\CSRSS.EXE
%windir%\SYSTEM32\VIVNUFFTO is not a Windows OS folder. It was created by the infector.
Sample infectors that use the name CSRSS.EXE are...
  C:\CSRSS.EXE
    W32/Buchon.c@MM -- http://vil.nai.com/vil/content/v_130857.htm
  %WinDir%\MSAGENT\WIN32\CSRSS.EXE
    W32/Sober.l@MM -- http://vil.nai.com/vil/content/v_131869.htm
  %WinDir%\CSRSS.EXE
    W32/Melare@MM -- http://vil.nai.com/vil/content/v_100306.htm
  %WinDir%\CSRSS.EXE
    W32/Netsky.ab@MM -- http://vil.nai.com/vil/content/v_124873.htm
  %WinDir%\CSRSS.EXE
    MultiDropper-JW -- http://vil.nai.com/vil/content/v_101115.htm
  %WinDir%\CSRSS.EXE
    Downloader-MC -- http://vil.nai.com/vil/content/v_126644.htm
The file name that is most often used this way is SVCHOST.EXE. There are *many*
viral and non-viral infectors that use this name. If this file is found on a Win9x/ME PC
then you are almost guaranteed to be infected. If it is found on an NT-based PC then one must
look at the location it is being executed from. In addition, many use variations upon
this name, such as SCVHOST.EXE.
Examples:
If SVCHOST.EXE is found in the root of C: (C:\SVCHOST.EXE) then there is a high chance of
this being the CodeBlue worm.
  W32/CodeBlue.worm -- http://vil.nai.com/vil/content/v_99202.htm
If SVCHOST.EXE is found in %windir% then there is a high chance of this being the Cozit
worm.
  W32/Cozit.worm -- http://vil.nai.com/vil/content/v_99761.htm
If SVCHOST.EXE is found in %windir%\SYSTEM32\DRIVERS then there is a high chance of this
being a Nachi worm variant.
  W32/Nachi.worm.c -- http://vil.nai.com/vil/content/v_101025.htm
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
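The "look at WHERE it runs from" rule above can be turned into a repeatable check. The following is an added example in Python, not code from the thread or from any of its posters: it classifies (process name, image path) pairs such as one would copy out of Task Manager or Process Explorer, accepting csrss.exe and svchost.exe only in their standard directory, flagging the same names anywhere else (including the %windir%\SYSTEM32\VIVNUFFTO path reported in the thread), treating any svchost.exe on Win9x/ME as suspicious, and catching look-alike spellings such as SCVHOST.EXE. The value of %windir%, the SysWOW64 entry for svchost.exe on 64-bit Windows, and the use of an edit-distance test to generalise the SCVHOST example are assumptions added here; the sample listing is constructed.

```python
"""Classify process-list entries by where their image was loaded from.

Added example (not from the original thread). Sample data below is constructed.
"""
import ntpath

WINDIR = r"C:\WINDOWS"  # assumed value of %windir% on the machine being checked

# Directories the genuine binaries run from on NT-family Windows (2000/XP/2003...).
# csrss.exe only ever runs from System32. The SysWOW64 entry for svchost.exe
# (32-bit copy on 64-bit Windows) is an assumption added here, not from the thread.
LEGIT_DIRS = {
    "csrss.exe":   {ntpath.join(WINDIR, "System32")},
    "svchost.exe": {ntpath.join(WINDIR, "System32"), ntpath.join(WINDIR, "SysWOW64")},
}


def _osa_distance(a, b):
    """Optimal-string-alignment edit distance (insert/delete/substitute/swap = 1)."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def lookalike_of(name):
    """Return the OS file name that `name` imitates (one edit away), else None.

    Generalises the thread's SCVHOST.EXE example: one transposition, one
    substitution (svch0st.exe) or one inserted/dropped character all count.
    """
    for target in LEGIT_DIRS:
        if name.lower() != target and _osa_distance(name, target) == 1:
            return target
    return None


def classify(name, path, platform="nt"):
    """Verdict for one (name, image path) entry.

    platform: "nt" for NT-family Windows, "9x" for Windows 9x/ME, which has no
    svchost.exe at all, so any instance there is suspect regardless of location.
    """
    name = name.lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    if platform == "9x" and name == "svchost.exe":
        return "suspicious: svchost.exe does not exist on Win9x/ME"
    if name in LEGIT_DIRS:
        if directory in {d.lower() for d in LEGIT_DIRS[name]}:
            return "ok: OS file in its standard location"
        return "suspicious: %s running from non-OS location %s" % (name, ntpath.dirname(path))
    target = lookalike_of(name)
    if target:
        return "suspicious: %s is a lookalike of %s" % (name, target)
    return "not checked"


def scan(listing, platform="nt"):
    """Classify every (name, path) pair; returns a list of (name, path, verdict)."""
    return [(n, p, classify(n, p, platform)) for n, p in listing]


# Constructed sample listing. The VIVNUFFTO path is the one reported in the thread;
# the others are illustrative, not observed data.
SAMPLE_LISTING = [
    ("csrss.exe",   r"C:\WINDOWS\system32\csrss.exe"),
    ("CSRSS.EXE",   r"C:\WINDOWS\SYSTEM32\VIVNUFFTO\CSRSS.EXE"),
    ("svchost.exe", r"C:\WINDOWS\System32\svchost.exe"),
    ("svchost.exe", r"C:\svchost.exe"),
    ("svchost.exe", r"C:\WINDOWS\system32\drivers\svchost.exe"),
    ("scvhost.exe", r"C:\WINDOWS\scvhost.exe"),
    ("notepad.exe", r"C:\WINDOWS\system32\notepad.exe"),
]

if __name__ == "__main__":
    for proc_name, proc_path, verdict in scan(SAMPLE_LISTING):
        print("%-12s %-45s %s" % (proc_name, proc_path, verdict))
```

Note that a path check on its own is not proof: a file in the right directory can still be a tampered copy, so treat "ok" as "not obviously wrong" and follow up with a hash or signature check where that is available.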